Can I use `netstat` to find adware, spyware, malware or ransomware?

First off, I ran netstat -a to list everything, but it's 1,000 lines of 80+ chars per line and won't fit into a question. So I narrowed it down to netstat -l -e to list connections that are "listening" to my internet connection.

netstat -l -e Output:

$ netstat -l -e
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode
tcp 0 0 dell:domain *:* LISTEN root 22501
udp 0 0 *:mdns *:* Me 6099032
udp 0 0 *:mdns *:* avahi 20093
udp 0 0 *:42320 *:* avahi 20095
udp 0 0 *:55304 *:* nobody 6096007
udp 0 0 dell:domain *:* root 22500
udp 0 0 *:bootpc *:* root 6091056
udp 0 0 *:ipp *:* root 5216701
udp6 0 0 [::]:mdns [::]:* Me 6099033
udp6 0 0 [::]:mdns [::]:* avahi 20094
udp6 0 0 [::]:57704 [::]:* avahi 20096
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 24329 /run/user/1000/systemd/private
unix 2 [ ACC ] SEQPACKET LISTENING 12608 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 30872 @/tmp/.ICE-unix/2585
unix 2 [ ACC ] STREAM LISTENING 26927 /run/user/1000/keyring/control
unix 2 [ ACC ] STREAM LISTENING 30821 /run/user/1000/keyring/pkcs11
unix 2 [ ACC ] STREAM LISTENING 20701 /sys/fs/cgroup/cgmanager/sock
unix 2 [ ACC ] STREAM LISTENING 30986 /run/user/1000/pulse/native
unix 2 [ ACC ] STREAM LISTENING 1153703 /run/user/1000/pulse/cli
unix 2 [ ACC ] STREAM LISTENING 2303008 @Me-com.canonical.Unity.Master.Scope.files.T174165901748652
unix 2 [ ACC ] STREAM LISTENING 21329 @/tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 2303016 @Me-com.canonical.Unity.Scope.files.T174166293059520
unix 2 [ ACC ] STREAM LISTENING 24726 /var/run/NetworkManager/private-dhcp
unix 2 [ ACC ] STREAM LISTENING 25175 @/tmp/dbus-2IgIS5GS9B
unix 2 [ ACC ] STREAM LISTENING 21330 /tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 27881 /tmp/ssh-Y2H8jyF8xBOV/agent.2502
unix 2 [ ACC ] STREAM LISTENING 26969 /home/Me/.gnupg/S.gpg-agent
unix 2 [ ACC ] STREAM LISTENING 30873 /tmp/.ICE-unix/2585
unix 2 [ ACC ] STREAM LISTENING 24397 @/tmp/dbus-ciisbyQXHo
unix 2 [ ACC ] STREAM LISTENING 26572 /tmp/.com.google.Chrome.KSH5A2/SingletonSocket
unix 2 [ ACC ] STREAM LISTENING 691516 @/tmp/dbus-BCetHWrk4L
unix 2 [ ACC ] STREAM LISTENING 2303007 @Me-com.canonical.Unity.Master.Scope.applications.T174165894531763
unix 2 [ ACC ] STREAM LISTENING 12591 /run/systemd/private
unix 2 [ ACC ] STREAM LISTENING 12596 /run/systemd/fsck.progress
unix 2 [ ACC ] STREAM LISTENING 12609 /run/systemd/journal/stdout
unix 2 [ ACC ] STREAM LISTENING 26932 @/com/ubuntu/upstart-session/1000/2381
unix 2 [ ACC ] STREAM LISTENING 2300330 @Me-com.canonical.Unity.Scope.scopes.T174169866065693
unix 2 [ ACC ] STREAM LISTENING 21636 /run/uuidd/request
unix 2 [ ACC ] STREAM LISTENING 21637 /var/run/avahi-daemon/socket
unix 2 [ ACC ] STREAM LISTENING 21638 /run/snapd.socket
unix 2 [ ACC ] STREAM LISTENING 21639 /run/snapd-snap.socket
unix 2 [ ACC ] STREAM LISTENING 21640 /var/run/cups/cups.sock
unix 2 [ ACC ] STREAM LISTENING 21641 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 21642 /run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 2300329 @Me-com.canonical.Unity.Scope.applications.T17416986049498
unix 2 [ ACC ] STREAM LISTENING 29796 @/tmp/ibus/dbus-NdbJULTU

Note: I've replaced my Linux user ID with "Me" in the listing above.

I'm a little concerned that "Canonical", the manufacturer of "Ubuntu", is listening to my internet in many places. I don't recall big bold adverts of that happening, nor ways of turning that "feature" off. I do have crash reporting turned on, so maybe that is the reason. A detailed explanation in an answer would be appreciated though.

Are there known spyware / malware agents I can see using netstat?

Additionally, can netstat help me track down internet performance blockers and kill a connection or two hundred? For example, I see snapd is "listening" and just read it's a performance hog at times. Snapd is installed by default in 16.04 but I've never used it. I'll be researching it further and removing it.


Random snippets of netstat -a

As mentioned, using netstat -a generates over 1,000 lines of output that won't fit into a 32KB AU question. Here are some random "snippets" of the full list to give you an idea of what appears.

From the middle

unix 2 [ ] DGRAM 6091044
unix 3 [ ] STREAM CONNECTED 28317
unix 3 [ ] STREAM CONNECTED 26391
unix 3 [ ] STREAM CONNECTED 29087 @/tmp/dbus-ciisbyQXHo
unix 3 [ ] STREAM CONNECTED 7523056
unix 3 [ ] STREAM CONNECTED 41964 @/tmp/dbus-ciisbyQXHo
unix 3 [ ] STREAM CONNECTED 36047
unix 3 [ ] STREAM CONNECTED 31024
unix 3 [ ] STREAM CONNECTED 25186 @/tmp/dbus-2IgIS5GS9B
unix 3 [ ] STREAM CONNECTED 4258027
unix 3 [ ] STREAM CONNECTED 6835290
unix 3 [ ] STREAM CONNECTED 692478 @/tmp/dbus-BCetHWrk4L
unix 3 [ ] STREAM CONNECTED 27314 @/tmp/dbus-2IgIS5GS9B
unix 3 [ ] STREAM CONNECTED 29077 @/tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 1033729 @/tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 42812
unix 3 [ ] STREAM CONNECTED 29806 @/tmp/ibus/dbus-NdbJULTU
unix 3 [ ] STREAM CONNECTED 6952286
unix 3 [ ] STREAM CONNECTED 161597
unix 3 [ ] STREAM CONNECTED 39839
unix 3 [ ] STREAM CONNECTED 33256
unix 2 [ ] DGRAM 33883 

From the bottom

unix 2 [ ] DGRAM 29074
unix 3 [ ] STREAM CONNECTED 55854 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 28997 @/tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 21657 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 28055 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 24441
unix 3 [ ] STREAM CONNECTED 25875 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 23525
unix 3 [ ] STREAM CONNECTED 691504
unix 3 [ ] STREAM CONNECTED 25897 @/tmp/dbus-ciisbyQXHo
unix 3 [ ] STREAM CONNECTED 30179 

Forgive me if this question is rudimentary. I've just begun examining internet "connection stuff" and will look like a complete novice compared to those paid to work in this field.

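The listing above has two sections that are easy to run together. Everything under "Active UNIX domain sockets" (including the `@Me-com.canonical.Unity...` entries, where the leading `@` marks an abstract-namespace socket) is local inter-process communication and has no network address at all; only the "Active Internet connections" section describes sockets another host could reach, and within it a listener bound to `localhost` is very different from one bound to `*` or `[::]`. The other gap is that `netstat -l -e` shows an Inode but no program, because that needs `-p` (and `sudo`, since other users' processes are unreadable). The script below is an added example, not code from the question or the answer: it parses a constructed sample in the same format as the posted listing (the `ssh`, `localhost:ipp` and `[::]:4444` rows are invented for illustration), sorts listeners into network-reachable, loopback-only and local IPC, and shows the `/proc/<pid>/fd` lookup that maps a socket inode to its owning PID, which is exactly how `netstat -p` fills in the program column.

```python
"""Triage a `netstat -l -e` listing and map a socket inode to its PID.

Added example for this Q&A page; the sample text is constructed in the
format of the posted listing and is not a capture from the poster's machine.
"""
import os
from dataclasses import dataclass
from typing import Iterator, Optional

# Constructed sample (the ssh, localhost:ipp and [::]:4444 rows are invented).
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address  State   User   Inode
tcp   0 0 dell:domain     *:*    LISTEN  root   22501
tcp   0 0 *:ssh           *:*    LISTEN  root   18210
tcp   0 0 localhost:ipp   *:*    LISTEN  root   5216700
tcp6  0 0 [::]:4444       [::]:* LISTEN  nobody 6100000
udp   0 0 *:mdns          *:*            avahi  20093
udp   0 0 *:55304         *:*            nobody 6096007
udp6  0 0 [::]:mdns       [::]:*         avahi  20094
Active UNIX domain sockets (only servers)
Proto RefCnt Flags   Type   State     I-Node  Path
unix  2 [ ACC ] STREAM LISTENING 21641   /var/run/avahi-daemon/socket
unix  2 [ ACC ] STREAM LISTENING 2303008 @Me-com.canonical.Unity.Master.Scope.files.T174165901748652
"""

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]", "ip6-localhost", "ip6-loopback"}
WILDCARD_HOSTS = {"*", "0.0.0.0", "[::]", "::"}


@dataclass
class Listener:
    proto: str
    host: str      # address, hostname, or UNIX socket path
    port: str      # service name or number; empty for UNIX sockets
    user: str
    inode: int
    exposure: str  # "network", "loopback" or "local-ipc"
    flags: tuple   # review hints such as "numeric-port", "all-interfaces"


def parse_netstat(text: str) -> list:
    """Parse both sections of `netstat -l -e` output into Listener records."""
    listeners, section = [], None
    for line in text.splitlines():
        if line.startswith("Active Internet"):
            section = "inet"
            continue
        if line.startswith("Active UNIX"):
            section = "unix"
            continue
        if not line.strip() or line.startswith("Proto"):
            continue  # blank line or column header
        f = line.split()
        if section == "inet":
            # UDP rows have no State column, so take User/Inode from the end.
            host, _, port = f[3].rpartition(":")
            exposure = "loopback" if host in LOOPBACK_HOSTS else "network"
            flags = []
            if port.isdigit():
                flags.append("numeric-port")      # no /etc/services name
            if host in WILDCARD_HOSTS:
                flags.append("all-interfaces")    # reachable on every address
            listeners.append(Listener(f[0], host, port, f[-2], int(f[-1]), exposure, tuple(flags)))
        elif section == "unix":
            # Flags print as "[ ACC ]" or "[ ]", so locate the closing bracket
            # rather than relying on a fixed column count.
            close = f.index("]")
            inode = int(f[close + 3])
            path = f[close + 4] if len(f) > close + 4 else ""
            flags = ("abstract-namespace",) if path.startswith("@") else ()
            listeners.append(Listener("unix", path, "", "", inode, "local-ipc", flags))
    return listeners


def network_listeners(text: str) -> list:
    """Only the sockets another host could connect to."""
    return [l for l in parse_netstat(text) if l.exposure == "network"]


def scan_proc_fds(proc_root: str = "/proc") -> Iterator[tuple]:
    """Yield (pid, symlink target) for every fd this user may read.
    Without root, other users' /proc/<pid>/fd directories are unreadable,
    which is why `netstat -p` prints '-' for them unless run with sudo."""
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            for fd in os.listdir(fd_dir):
                try:
                    yield int(entry), os.readlink(os.path.join(fd_dir, fd))
                except OSError:
                    pass
        except OSError:
            pass


def pid_for_inode(inode: int, fd_links=None) -> Optional[int]:
    """Find the PID holding socket `inode`; a socket fd reads as 'socket:[N]'.
    `fd_links` lets a caller supply (pid, target) pairs instead of /proc."""
    target = f"socket:[{inode}]"
    for pid, link in (scan_proc_fds() if fd_links is None else fd_links):
        if link == target:
            return pid
    return None


if __name__ == "__main__":
    for l in parse_netstat(SAMPLE):
        print(f"{l.exposure:10} {l.proto:5} {l.host}:{l.port} user={l.user} "
              f"inode={l.inode} {' '.join(l.flags)}")
```

Once a PID is known, `readlink /proc/<pid>/exe` gives the binary and `dpkg -S <path>` tells you whether a package owns it; a listener with a numeric port, bound to all interfaces, whose binary belongs to no package is the row worth investigating, while the `@`-prefixed UNIX sockets never reach the network regardless of who created them.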

1 Answer

The first time someone runs netstat it's a shocking experience. It seems like every creepy web site on the planet is watching your every move. And the reality is not that far from that perception.

Much of this connectivity is relatively benign. And a few of the connections are actually helpful, such as OS update connections. I would not be at all concerned about "Canonical connections" that are part of the Ubuntu software update model. Further, you will quickly find that trying to kill or block these hundreds of connections is futile.

You'll find that except for blatant port attacks, most of the connections you see via netstat originate from your web browser. You can control this to some degree but bear in mind that the more stuff you block, the more problems you will have when trying to do something useful on your web browser.

uBlock is a browser plugin that will drastically reduce the number of connections you see but will also reduce the functionality of your browser's ability to engage with various sites. Tightening up your environment versus being able to do real work is a constant balancing act.

Welcome to the Network Wild West :)

