Hello.
I installed the latest version of OpenSUSE and installed Elasticsearch and Kibana on it and nothing else. This Linux server is not ready yet and we never work with it, but OpenSUSE uploaded many files and... something like S-P-Y or...
Some data from the captured file are:
17:02:00.298515 IP (tos 0x0, ttl 64, id 46168, offset 0, flags [DF], proto TCP (6), length 64)
elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0xbd0a), seq 300, ack 337, win 229, options [nop,nop,TS val 3546870 ecr 14067419,nop,nop,sack 1 {336:337}], length 0
17:02:04.934564 ARP, Ethernet (len 6), IPv4 (len 4), Reply elastic.suse is-at 00:0c:29:85:5b:a3 (oui Unknown), length 28
17:02:10.578500 IP (tos 0x0, ttl 64, id 46169, offset 0, flags [DF], proto TCP (6), length 64)
elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0xb300), seq 300, ack 337, win 229, options [nop,nop,TS val 3549440 ecr 14067419,nop,nop,sack 1 {336:337}], length 0
17:02:20.858681 IP (tos 0x0, ttl 64, id 46170, offset 0, flags [DF], proto TCP (6), length 64)
elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0xa8f6), seq 300, ack 337, win 229, options [nop,nop,TS val 3552010 ecr 14067419,nop,nop,sack 1 {336:337}], length 0
17:02:23.710156 IP (tos 0x0, ttl 64, id 46171, offset 0, flags [DF], proto TCP (6), length 52)
elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4529 (incorrect -> 0x431a), seq 300, ack 365, win 229, options [nop,nop,TS val 3552723 ecr 14067960], length 0
17:02:33.986522 IP (tos 0x0, ttl 64, id 46172, offset 0, flags [DF], proto TCP (6), length 64)
elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0x99b3), seq 300, ack 365, win 229, options [nop,nop,TS val 3555292 ecr 14067960,nop,nop,sack 1 {364:365}], length 0
GET /config.rar HTTP/1.1
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
Host: www.s9xk32c.com
Connection: Keep-Alive
17:03:27.852276 IP (tos 0x0, ttl 64, id 1638, offset 0, flags [DF], proto TCP (6), length 52)
elastic.suse.40044 > 91.195.240.82.http: Flags [.], cksum 0x5c91 (incorrect -> 0xa168), seq 218, ack 716, win 240, options [nop,nop,TS val 3568759 ecr 949003374], length 0
17:03:29.656511 IP (tos 0x0, ttl 64, id 46178, offset 0, flags [DF], proto TCP (6), length 64)
elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0x61a2), seq 300, ack 393, win 229, options [nop,nop,TS val 3569210 ecr 14068311,nop,nop,sack 1 {392:393}], length 0
As you see, it's like a virus or... but why?
Other information is:
# tcpdump -r capture.cap -vvv | grep "Host:"
reading from file capture.cap, link-type EN10MB (Ethernet)
Host: www.s9xk32c.com
Host: www.s9xk32c.com
Host: www.s9xk32c.com
Host: www.s9xk32c.com
Host: www.s9xk32c.com
Host: www.s9xk32c.com
Host: www.s9xk32c.com
# tcpdump -r capture.cap -vvv | grep "GET"
reading from file capture.cap, link-type EN10MB (Ethernet)
GET /config.rar HTTP/1.1
GET /config.rar HTTP/1.1
GET /config.rar HTTP/1.1
GET /config.rar HTTP/1.1
GET /config.rar HTTP/1.1
GET /config.rar HTTP/1.1
GET /config.rar HTTP/1.1
# systemctl status SuSEfirewall2
SuSEfirewall2.service - SuSEfirewall2 phase 2
Loaded: loaded (/usr/lib/systemd/system/SuSEfirewall2.service; enabled)
Active: active (exited) since Sat 2018-12-29 13:03:44 +0330; 22h ago
Main PID: 2070 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/SuSEfirewall2.service
Dec 29 13:03:31 elastic systemd[1]: Starting SuSEfirewall2 phase 2...
Dec 29 13:03:31 elastic SuSEfirewall2[2070]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 29 13:03:44 elastic SuSEfirewall2[2070]: Firewall rules successfully set
Dec 29 13:03:44 elastic systemd[1]: Started SuSEfirewall2 phase 2.
# journalctl | grep SuSE*
Dec 11 10:25:33 linux-a725 SuSEfirewall2[1257]: Firewall rules set to CLOSE.
Dec 11 10:25:48 linux-a725 SuSEfirewall2[1726]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 11 10:25:48 linux-a725 SuSEfirewall2[1732]: using default zone 'ext' for interface eth0
Dec 11 10:25:49 linux-a725 SuSEfirewall2[1849]: Firewall rules successfully set
Dec 11 10:28:11 linux-a725 SuSEfirewall2[2293]: Not unloading firewall rules at system shutdown
Dec 15 10:13:36 linux-a725 SuSEfirewall2[1312]: Firewall rules set to CLOSE.
Dec 15 10:13:51 linux-a725 SuSEfirewall2[1770]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 15 10:13:51 linux-a725 SuSEfirewall2[1776]: using default zone 'ext' for interface eth0
Dec 15 10:13:51 linux-a725 SuSEfirewall2[1888]: Firewall rules successfully set
Dec 15 11:30:35 linux-a725 SuSEfirewall2[9698]: Not unloading firewall rules at system shutdown
Dec 15 11:30:53 linux-a725 SuSEfirewall2[1299]: Firewall rules set to CLOSE.
Dec 15 11:31:04 linux-a725 SuSEfirewall2[1808]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 15 11:31:04 linux-a725 SuSEfirewall2[1820]: using default zone 'ext' for interface eth0
Dec 15 11:31:05 linux-a725 SuSEfirewall2[1938]: Firewall rules successfully set
Dec 15 11:49:21 linux-a725 SuSEfirewall2[2933]: Firewall rules unloaded.
Dec 15 11:49:21 linux-a725 SuSEfirewall2[2955]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 15 11:49:21 linux-a725 SuSEfirewall2[2961]: using default zone 'ext' for interface eth0
Dec 15 11:49:22 linux-a725 SuSEfirewall2[3029]: Firewall rules successfully set
.
.
.
Any idea?
Thank you.
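The grep commands in the post above pull out the "Host:" and "GET" lines one at a time; when triaging a capture from a box that is not supposed to talk to anyone, it helps to summarise the whole capture in one pass: which external destinations the local host is talking to, which HTTP requests it makes, and which of those look out of place. The script below is an added example written for this thread, not code from the poster or from any openSUSE or Elastic project. It parses the plain text that `tcpdump -r capture.cap -vvv` prints (the two-line packet header, plus the HTTP request and header lines tcpdump emits for port-80 traffic) and reports findings a defender would want to look at. The local host name (`elastic.suse`), the list of "payload-like" file extensions, the expected Accept-Language set and the "Windows User-Agent on a Linux box" check are all assumptions for the example; the sample input is a constructed subset of the capture lines quoted in the post.

```python
import re
from collections import Counter

# Constructed sample: a subset of the tcpdump -vvv lines quoted in the post,
# with the forum line-wrapping removed and a second (constructed) repeat of
# the same GET so that the "repeated request" check has something to find.
SAMPLE_DUMP = """17:02:00.298515 IP (tos 0x0, ttl 64, id 46168, offset 0, flags [DF], proto TCP (6), length 64)
elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0xbd0a), seq 300, ack 337, win 229, options [nop,nop,TS val 3546870 ecr 14067419,nop,nop,sack 1 {336:337}], length 0
17:02:04.934564 ARP, Ethernet (len 6), IPv4 (len 4), Reply elastic.suse is-at 00:0c:29:85:5b:a3 (oui Unknown), length 28
17:02:10.578500 IP (tos 0x0, ttl 64, id 46169, offset 0, flags [DF], proto TCP (6), length 64)
elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0xb300), seq 300, ack 337, win 229, options [nop,nop,TS val 3549440 ecr 14067419,nop,nop,sack 1 {336:337}], length 0
GET /config.rar HTTP/1.1
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
Host: www.s9xk32c.com
Connection: Keep-Alive
17:03:27.852276 IP (tos 0x0, ttl 64, id 1638, offset 0, flags [DF], proto TCP (6), length 52)
elastic.suse.40044 > 91.195.240.82.http: Flags [.], cksum 0x5c91 (incorrect -> 0xa168), seq 218, ack 716, win 240, options [nop,nop,TS val 3568759 ecr 949003374], length 0
GET /config.rar HTTP/1.1
Host: www.s9xk32c.com
"""

# Packet timestamp line: "17:02:00.298515 IP (tos ..." / "... ARP, ..."
TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")
# Flow line: "<host>.<port> > <host>.<port>: Flags ..."; the port/service
# name is the last dot-separated component on each side.
FLOW_RE = re.compile(r"^(?P<src>.+)\.(?P<sport>[^.\s]+) > (?P<dst>.+)\.(?P<dport>[^.\s]+): Flags")
# HTTP request line and header lines as tcpdump prints them for port 80.
REQ_RE = re.compile(r"^(?P<method>GET|POST|HEAD|PUT|DELETE) (?P<path>\S+) HTTP/1\.[01]$")
HDR_RE = re.compile(r"^(?P<name>[A-Za-z-]+): (?P<value>.*)$")

# Assumption for the example: extensions that mean "a payload was fetched".
PAYLOAD_EXT = (".rar", ".zip", ".7z", ".exe", ".tar", ".gz")


def parse_tcpdump(text):
    """Return (flows, requests): flows counts packets per (src, dst, dport);
    requests is a list of {'method', 'path', 'headers'} dicts."""
    flows = Counter()
    requests = []
    current = None  # request whose header lines we are still reading
    for raw in text.splitlines():
        line = raw.strip()
        if TS_RE.match(line):          # new packet: any open request ends here
            current = None
            continue
        m = FLOW_RE.match(line)
        if m:
            flows[(m["src"], m["dst"], m["dport"])] += 1
            continue
        m = REQ_RE.match(line)
        if m:
            current = {"method": m["method"], "path": m["path"], "headers": {}}
            requests.append(current)
            continue
        m = HDR_RE.match(line)
        if m and current is not None:
            current["headers"][m["name"].lower()] = m["value"]
        elif not line:
            current = None
    return flows, requests


def review(text, local_host, expected_languages=("en",)):
    """Summarise outbound traffic from local_host and flag requests that do
    not fit an idle Linux server (thresholds are example assumptions)."""
    flows, requests = parse_tcpdump(text)
    outbound = Counter()
    for (src, dst, dport), n in flows.items():
        if src == local_host:
            outbound[(dst, dport)] += n

    findings = []
    by_key = Counter((r["method"], r["headers"].get("host", "?"), r["path"]) for r in requests)
    for (method, host, path), n in by_key.items():
        if n > 1:
            findings.append(f"{n}x repeated {method} {path} to Host {host}")
        if path.lower().endswith(PAYLOAD_EXT):
            findings.append(f"payload-like download: {host}{path}")
    for r in requests:
        h = r["headers"]
        lang = h.get("accept-language")
        if lang and not any(lang.lower().startswith(e) for e in expected_languages):
            findings.append(f"unexpected Accept-Language {lang!r} for {h.get('host', '?')}{r['path']}")
        if "windows" in h.get("user-agent", "").lower():
            findings.append(f"Windows browser User-Agent sent from Linux host for {h.get('host', '?')}{r['path']}")
    return {"outbound": outbound, "requests": len(requests), "findings": findings}


if __name__ == "__main__":
    # Usage: python3 review_capture.py < <(tcpdump -r capture.cap -vvv)
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    result = review(data, "elastic.suse")
    for (dst, dport), n in result["outbound"].most_common():
        print(f"{n:4d} packets  -> {dst}:{dport}")
    print(f"{result['requests']} HTTP request(s)")
    for f in result["findings"]:
        print("  !", f)
```

Run against the real capture with `tcpdump -r capture.cap -vvv | python3 review_capture.py`; the outbound table is the list of destinations to take to the firewall and DNS logs, and every finding is a reason to image the box rather than keep using it. The `cksum ... (incorrect ...)` notes in the capture are a separate, benign artefact of capturing on the sending host with checksum offload and are ignored here.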