NetBus and port 12346

Status
Not open for further replies.

RoadHazard

According to the 'Fing' app, one of my jails has the NetBus trojan at port 12346. Is this a false alarm or something I should worry about?

It's reporting this on a jail that's running Transmission via VPN and nothing else. A quick ps -aux shows this:
Code:
root@transmission_1:/ # ps -aux                                                                                                    
USER   PID %CPU %MEM    VSZ   RSS TT  STAT STARTED    TIME COMMAND                                                                 
root 99630  0.0  0.0  12080  1580 ??  IsJ   9:06AM 0:00.00 /usr/sbin/syslogd -s                                                    
root 99663  0.0  0.0  18296  3792 ??  SsJ   9:06AM 0:00.03 /usr/local/sbin/openvpn --cd /usr/local/etc/openvpn --daemon openvpn --co
root 99689  0.0  0.0  14184  1536 ??  IsJ   9:06AM 0:00.00 /usr/sbin/cron -s                                                       
root 99929  0.0  0.2 154820 38376 ??  IJ    9:06AM 0:02.31 /usr/pbi/transmission-amd64/bin/python2.7 /usr/pbi/transmission-amd64/con
root  1969  0.0  0.0  17568  3000  1  Is+J  9:07AM 0:00.01 /bin/csh                                                                
root  2151  0.0  0.0  17568  3008  0  SsJ   9:11AM 0:00.01 /bin/csh                                                                
root  2171  0.0  0.0  16296  1784  0  R+J   9:11AM 0:00.00 ps -aux                                                                 
root@transmission_1:/ # 
 

diedrichg

Transmission takes all of 5 minutes to set back up. Just destroy the jail and start over.
 

DrKK

Can we see a
Code:
sockstat -4
please on the jail in question?
 

RoadHazard

Yes, indeed.

Code:
root@transmission_1:/ # sockstat -4                                           
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS     
transmission transmissi65712 9 udp4 *:64319               *:*                 
transmission transmissi65712 10 tcp4 *:9091               *:*                 
transmission transmissi65712 11 tcp4 *:51413              *:*                 
transmission transmissi65712 13 udp4 *:51413              *:*                 
transmission transmissi65712 16 udp4 10.119.1.6:58982     10.119.1.5:5351     
transmission transmissi65712 22 tcp4 192.168.1.55:9091    192.168.1.182:51029 
root     python2.7  99929 3  tcp4   192.168.1.55:12346    *:*                 
root     openvpn    99663 5  udp4   *:12054               *:*                 
root     syslogd    99630 7  udp4   *:514                 *:*                 
?        ?          ?     ?  tcp4   192.168.1.55:12346    192.168.1.89:24933  
root@transmission_1:/ #  


FYI, 192.168.1.55 is the jail in question, running Transmission thru OpenVPN. And .182 is a neighboring jail running Sonarr, although :51029 is not its assigned port.
 

DrKK

Well, the last line here is interesting. It shows that a computer at 192.168.1.89 initiated a connection to some daemon listening on 12346. You can see that line #9 shows that you have a daemon listening on port 12346.

What box is 192.168.1.89? What's on that box? The jail in question is the thing running 12346. I thought the NetBus trojan was a strictly Windows thing?
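
The reading of the sockstat output discussed above can be automated. The following is an added example, not part of any post in this thread: it parses `sockstat -4` output, including rows where a truncated COMMAND runs into the PID, and reports which process listens on a scanner-flagged port and which peers are connected to it. The function names and the constructed sample are assumptions made for illustration.

```python
import re

# Constructed sample in the sockstat -4 layout shown in the thread, including
# the truncated COMMAND that runs into the PID column ("transmissi65712").
SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
transmission transmissi65712 10 tcp4 *:9091               *:*
transmission transmissi65712 22 tcp4 192.168.1.55:9091    192.168.1.182:51029
root     python2.7  99929 3  tcp4   192.168.1.55:12346    *:*
root     openvpn    99663 5  udp4   *:12054               *:*
?        ?          ?     ?  tcp4   192.168.1.55:12346    192.168.1.89:24933
"""

# The last four columns (FD, PROTO, LOCAL, FOREIGN) are always separated,
# so match them from the right and treat what precedes them as USER/COMMAND/PID.
TAIL = re.compile(r"\s+(\S+)\s+((?:tcp|udp)\d*)\s+(\S+)\s+(\S+)\s*$")

def parse_sockstat(text):
    rows = []
    for line in text.splitlines():
        m = TAIL.search(line)
        if not m:
            continue  # header, shell prompt or blank line
        head = line[:m.start()].split()
        if len(head) >= 3:
            user, command, pid = head[0], head[1], head[2]
        elif len(head) == 2:
            # COMMAND fused with PID: peel the trailing digits off as the PID.
            fused = re.match(r"(.*?)(\d+)$", head[1])
            user = head[0]
            command, pid = fused.groups() if fused else (head[1], "?")
        else:
            continue
        fd, proto, local, foreign = m.groups()
        rows.append(dict(user=user, command=command, pid=pid, fd=fd,
                         proto=proto, local=local, foreign=foreign))
    return rows

def port_report(rows, port):
    """Return (listening processes, connected peers) for a local TCP port."""
    hits = [r for r in rows
            if r["proto"].startswith("tcp") and r["local"].endswith(":%d" % port)]
    listeners = [(r["command"], r["pid"]) for r in hits if r["foreign"] == "*:*"]
    peers = [r["foreign"] for r in hits if r["foreign"] != "*:*"]
    return listeners, peers

if __name__ == "__main__":
    listeners, peers = port_report(parse_sockstat(SAMPLE), 12346)
    print("listening:", listeners)
    print("peers:", peers)
```

A truncated command name that itself ends in a digit makes the fused COMMAND/PID split ambiguous, so confirm the PID against `ps` before acting on it.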
 