Uncommanded uploads [Solved]

Postby rodgoslin » May 27th, '17, 18:44

A few weeks ago, I noticed that there seemed to be an unusual amount of uploading. I tend to monitor upload/download levels with Gnome-System-Monitor due to poor speed levels. Turning off all logical sources of upload/download seemed to make little difference to the traffic levels. I can normally expect from my ADSL connection downloads of up to 700KB/s and uploads of up to 100KB/s. However, due to the ADSL system, high levels of upload seem to have a disproportionate effect on download speeds. Uploading at 100KB/s will drop downloading from 700KB/s to about 40 KB/s! After a while the apparently uncommanded uploads rose to 100KB/s and downloading was virtually impossible. I was unable to ascertain the reason for this behaviour. Disconnecting from the modem/router and reconnecting at a later time, without any action on my part, uploads would begin again, with a delay of anything from about half a minute up to five minutes, but the end result was the same. The same thing happened a couple of years or so, back. On this occasion, disabling the machine's operation as an FTP server seemed to solve the problem, the source of which I never discovered. At that time, mainly due to a disk crash which resulted in quite a lot of data being lost, I updated another PC as a stand by machine, and arranged a more effective back-up system.
Getting back to the current problem, I brought up my standby machine to the same state as my normal machine, by file transfer using an independent HDD drive. So now I had two completely identical machines, even to the hardware. The old with the uncommanded upload problem and the standby machine which works fine. Finally, since the old machine, no matter how long I left it unconnected, would always go back to uncommanded uploads, I turned it off.
My usual response to such, is to clear and re-format the OS drive and rebuild from scratch, but with Mga6 looming that didn't seem to be a good idea. I would have brought it up on the forum, but that went down at about the same time. With Mga6rc now available, I shall probably do that, but the problem niggles.
I would like to know the how, the why and the where the problem comes from. It's the sort of thing that I'd expect from MS Windows, but not Linux. Having a working machine, I can leave it to see if anyone can come up with an explanation, before taking down the other, malfunctioning, machine. Soon, I hope, since the malfunctioning machine has a more comfortable chair!
Last edited by rodgoslin on Jun 5th, '17, 03:07, edited 2 times in total.
rodgoslin
 
Posts: 492
Joined: Nov 19th, '11, 01:31

Re: Uncommanded uploads

Postby doktor5000 » May 27th, '17, 22:09

It might help if you could format such a wall of text with some paragraphs or so, to encourage others to actually read through it.

Regarding your actual issue, you would have to check on your boxes what they are actually transferring, using something like iftop or nethogs and then going further from there.
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
doktor5000
 
Posts: 17629
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: Uncommanded uploads

Postby rodgoslin » May 28th, '17, 01:09

Thank you for your usual prompt reply. I must apologise for the grammatical gaffe.
To the point, I installed iftop and nethogs. Unfortunately nethogs refused to run, on either machine, with an error "Creating socket failed while establishing local IP - Are you root?", which I was. Iftop worked, so ran it on the faulty machine. I had noticed, before that the longer the machine was off line, the longer the effect took to manifest itself. It did eventually manifest itself. Or at least an effect similar to that seen earlier. The host indicated in iftop was 5ec0c70c.skybroadband.com, and the traffic speed, while being less than had been seen, was still around 80KB/sec. Having, presumably ascertained the who, leaves me with the why, the what and the where. I hope this helps. I have, BTW, no connection or account with Sky systems, in any sense.
rodgoslin
 
Posts: 492
Joined: Nov 19th, '11, 01:31

Re: Uncommanded uploads

Postby doktor5000 » May 28th, '17, 15:30

For nethogs IIRC you need to specify the interface, it won't use the first/primary interface by default, because it's not eth0 anymore.

rodgoslin wrote: The host indicated in iftop was 5ec0c70c.skybroadband.com, and the traffic speed, while being less than had been seen, was still around 80KB/sec.

So what were you actually seeing in iftop, your whole description is pretty vague. Were you seeing traffic FROM your box TO 5ec0c70c.skybroadband.com?
What source port on your machine - or maybe you could simply post the whole excerpt from iftop?
doktor5000
 
Posts: 17629
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: Uncommanded uploads

Postby rodgoslin » May 28th, '17, 22:48

As my original post indicated, the primary problem was in uploading only, without anything (apparently) running, which would have initiated such an upload.
My (Netgear) modem/router, has an option in Advanced>Security, for blocking access. Adding the skybroadband address to this stopped the upload. However iftop indicated that there was a second site, (host86-149-238-61.range86-149.btcentralplus.com) which is also involved in uploads. So added this to the entry in the modem/router config. This stopped the uploads for a while, but they started again, later. I noticed that the IP address was different to the first instance, so changed the string in the modem/router blocking to btcentralpus.com, without the IP address, and the rest. This seems to have stopped the uncommanded uploads. Or at least it has for the past couple of hours, or so. If it works, it is a solution, but not a particularly satisfactory one. I still have no idea of the why, the where and the what of the uncommanded uploads. Why is stuff being uploaded, what is being uploaded and where is it being uploaded. I note that btcentralplus still figures in the entries in iftop, but that now, there is no traffic indicated for that address. I shall be monitoring the machine for a while, but as I said, it's not a particularly reliable solution.
You mention that in running nethogs, you have to specify the interface. Could you explain how this is done? Nothing that I've been able to find indicates how this is done.
rodgoslin
 
Posts: 492
Joined: Nov 19th, '11, 01:31

Re: Uncommanded uploads

Postby doktor5000 » May 29th, '17, 14:24

What you did is not a solution, it is merely hiding the actual problem.

In nethogs you need to pass the interface as an argument. E.g. if your ethernet interface is eno1, then you need to run
nethogs eno1

It's in the man page too, in synopsis: https://linux.die.net/man/8/nethogs
doktor5000
 
Posts: 17629
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: Uncommanded uploads

Postby rodgoslin » May 29th, '17, 21:30

I entirely agree with you. It is not solving the problem. Although blocking the address did stop the uploads, it has not solved the problem. After a number of hours without the problem, it is back, but from a different address (lightspeed.gnvlsc.spcglobal.net). Blocking this seems not to have any effect, and another, of an IP address only has also come up. This is not sustainable. Apart from crippling my normal use of the machine, that level of traffic will use my entire monthly allowance in less than half that time. The machine is now firmly turned off. Unless someone comes up with a solution, the only avenue seemingly open, is the re-format the whole machine and start again from scratch.
As to the nethogs problem, I did come up with the same answer as yourself, but this does not work, either. As root, entering the command line, in my case, "nethogs enp4s0", simply returns the same error message
rodgoslin
 
Posts: 492
Joined: Nov 19th, '11, 01:31

Re: Uncommanded uploads

Postby doktor5000 » May 30th, '17, 00:42

Well, you already identified the remote host via iftop, which should also give you the port. You can relate this to netstat -anop or lsof -iP or something like
tcpdump -i enp4s0 host insert_somehostname_or_ip_adress_here or port insertporthere
and get the process on your box. Then look at that process and how it is started e.g. via pstree -pas PID
As you didn't post any actual output can't really help you further than that.
doktor5000
 
Posts: 17629
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany
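
As an added example (not part of the original posts): the lsof step suggested above, extended to rank local processes by how many distinct remote peers they hold established TCP connections to, so a process talking to many hosts at once stands out. The sample lsof output, its addresses (documentation ranges) and the function names are constructed for illustration.

```shell
#!/bin/sh
# Rank processes by number of distinct remote peers, from `lsof -nP -i` output.

# Constructed sample of `lsof -nP -i` output; not captured from a real machine.
sample_lsof() {
cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
firefox  3101  rod   52u  IPv4  41001      0t0  TCP 192.168.1.10:40122->198.51.100.7:443 (ESTABLISHED)
ktorrent 9207  rod   18u  IPv4  52011      0t0  TCP *:6881 (LISTEN)
ktorrent 9207  rod   21u  IPv4  52040      0t0  TCP 192.168.1.10:6881->203.0.113.12:51022 (ESTABLISHED)
ktorrent 9207  rod   22u  IPv4  52041      0t0  TCP 192.168.1.10:6881->203.0.113.80:40311 (ESTABLISHED)
ktorrent 9207  rod   23u  IPv4  52042      0t0  TCP 192.168.1.10:6881->192.0.2.44:6881 (ESTABLISHED)
ktorrent 9207  rod   24u  IPv4  52043      0t0  TCP 192.168.1.10:39000->192.0.2.44:6882 (ESTABLISHED)
sshd      812 root    3u  IPv4  20110      0t0  TCP *:22 (LISTEN)
EOF
}

# Reads `lsof -nP -i` output on stdin.
# Prints one line per process: "<distinct peers> <pid> <command>", busiest first.
peers_per_process() {
    awk '
        # Skip the header; keep only established TCP connections.
        NR > 1 && $NF == "(ESTABLISHED)" {
            split($(NF-1), ends, "->")      # NAME column is local->remote
            remote = ends[2]
            sub(/:[0-9]+$/, "", remote)     # drop the remote port
            key = $2 " " $1                 # "pid command"
            # Count each remote address once per process.
            if (!((key, remote) in seen)) {
                seen[key, remote] = 1
                count[key]++
            }
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2n
}

# Demonstration on the constructed sample.
sample_lsof | peers_per_process
```

On a live machine, run `lsof -nP -i | peers_per_process` as root, then inspect the top PID with `pstree -pas PID` as described above.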

Re: Uncommanded uploads

Postby rodgoslin » May 30th, '17, 02:38

I'll give that a try, in the evening. I'm not quite sure what actual output I could have posted, apart from the output of iftop, which was chaotic and constantly changing. Rather oddly, the display from iftop, on this machine was short and largely predictable from the local processes, but that from the faulty machine was very much larger. An analogy might have been "like wasps around a honey jar".
rodgoslin
 
Posts: 492
Joined: Nov 19th, '11, 01:31

Re: Uncommanded uploads

Postby wintpe » May 31st, '17, 11:48

Rod

Without being too alarmist.

Have you used torrent to download something recently, as it might still be sharing it.

As doctor mentions in his list of things to try, use lsof -i |grep string

lsof will list all processes and what ports they are connecting to, or sockets/files that are open.

The -i refers to IP connections; without the -i it will display what files the processes are opening.

To see what processes/files are sharing with that site (string is the site or something unique about that upload).

Since you have a NAT-based router it's unlikely that someone is establishing a connection with you from the outside, as these are by default deny.

Unless, that is, you have added a rule to that router to allow connections in. (Just noticed this post again viewtopic.php?f=25&t=11683, which implies you might have been doing something round here. If you have, could I suggest you reset the router back to defaults, if you are concerned that you might be letting people in.)

So either you have installed something that is cloud connected and sharing, or started something like a torrent service, emule, etc. that is sharing with a peering server and allowing people to get what you are participating in.

As a side note, if you do want to share services with the outside world, there is a standard approach to this of separating your sharing machines from your internal machines via a firewall, with an extra zone called a DMZ.
For example, your internal network would be 192.168.1.x (quite common) and your DMZ would be 192.168.2.x, and the firewall heavily restricts traffic on the 192.168.2.x network to absolutely the minimum required. To do it with port forwards in your broadband router is no longer safe, IMHO.


regards peter
Redhat 6 Certified Engineer (RHCE)
Sometimes my posts will sound short, or snappy, however it's really not my intention to offend, so accept my apologies in advance.
wintpe
 
Posts: 1204
Joined: May 22nd, '11, 17:08
Location: Rayleigh, Essex, UK

Re: Uncommanded uploads

Postby rodgoslin » Jun 4th, '17, 05:06

Peter. Sorry about the delay in replying to your post. I've just installed mga6rc on a machine to check how things work, or do not work on it. Your note on torrents raised a query. There's nothing visible on the machine to indicate that a bittorrent client was running, and several re-boots later things had not changed. lsof -i didn't seem to indicate anything odd. The machine has only three torrent clients installed. Transmission (twice), and ktorrent. The last I've not used for years, but it's installed by default, and I've never bothered to delete it. On a whim, I tried ps -ax |grep ktorrent , and there it was. A rogue application, how it got started, I've no idea. Closing it down, and instantly the high level of uploads dropped to zero. I'd take it off, but I have problems, as you've seen in other posts, with seeding from Transmission. The port 51413 which Transmission uses is reportedly closed, even though the port is forwarded at the router. It might be an idea to move to ktorrent, if its ability to upload vast quantities of data (in a controlled fashion) really works.
rodgoslin
 
Posts: 492
Joined: Nov 19th, '11, 01:31

Re: Uncommanded uploads

Postby rodgoslin » Jun 4th, '17, 05:30

Now, here's something strange, relative to my earlier post. The machine running normally, with no undue uploads. I started ktorrent. The Gnome-System-Monitor was running at the same time with the display showing up/down loading rates. The bouncing cursor showed that ktorrent was loading, for a suspiciously long time before disappearing. i.e, ktorrent had not loaded. But the system monitor immediately indicated a high level of upload. Finding and killing the ktorrent pid, the uploads ceased. I then started ktorrent from the command line. The same thing happened, but this time there were a number of identical error messages, before the command line prompt returned. As before, a process had been started, but there was no physical manifestation of the application visible on the machine. I'm thinking of un-installing ktorrent and then re-installing it to see if the problem persists. If it works, it'll be quite a weight off my mind.
rodgoslin
 
Posts: 492
Joined: Nov 19th, '11, 01:31

Re: Uncommanded uploads

Postby Ken-Bergen » Jun 4th, '17, 06:21

rodgoslin wrote: but this time there were a number of identical error messages, before the command line prompt returned.
Are the error messages the "I'd have to kill you if I told you" kind?
Ken
Ken-Bergen
 
Posts: 1019
Joined: Mar 30th, '11, 02:45
Location: Chilliwack, BC, Canada

Re: Uncommanded uploads

Postby rodgoslin » Jun 4th, '17, 18:28

No. It was a bit late and on the problem machine which was not running. Now I'm on that and here are the offending details :-

[rod@down ~]$ ktorrent
Warning: Object::connect: No such slot kt::PlainChartDrawer::RenderToImage()
Warning: Object::connect: No such slot kt::PlainChartDrawer::RenderToImage()
Warning: Object::connect: No such slot kt::PlainChartDrawer::RenderToImage()
Warning: Object::connect: No such slot kt::PlainChartDrawer::RenderToImage()
Warning: Object::connect: No such slot kt::PlainChartDrawer::RenderToImage()
[rod@down ~]$ ps -ax | grep ktorrent
 9207 pts/2    Sl     0:00 ktorrent
 9260 pts/2    S+     0:00 grep --color ktorrent
[rod@down ~]$ kill 9207
[rod@down ~]$ ps -ax | grep ktorrent
11182 pts/2    S+     0:00 grep --color ktorrent
You have new mail in /var/spool/mail/rod
[rod@down ~]$


I've sussed out the how and the why. Ktorrent was a default install on build, and therefore was at the top of the association list. Since I only opened torrent files from a bittorrent client (Transmission) and never used Ktorrent, it was not invoked. At some unknown time a torrent file in File Manager had got clicked on, and since there was no visible indication of any result, apart from the pid, lost among hundreds more (and the anomalous uploads, not immediately noted), it went unnoted and undetected. I'm mooting un-installing Ktorrent and have taken it off the list of associations, for the present.
Thanks, everyone for your interest and the helpful suggestions. See you at the next disaster. Which might be Mga6, and getting it to my customisation. Konqueror and SMB mounts may be just the start.

Rod
rodgoslin
 
Posts: 492
Joined: Nov 19th, '11, 01:31

Re: Uncommanded uploads

Postby doktor5000 » Jun 4th, '17, 22:58

Please mark the thread accordingly by editing the topic of the first post and prefix it by [SOLVED], thanks
doktor5000
 
Posts: 17629
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

