Linux botnet removal

1) Am I reading this right?

All the connection which you show us are already closed.

If you used a webbrowser (and visited a webpage with the twitter-link icon in it) then this seems perfectly normal.

That is not to say that you could not be infected somehow, but TIME_WAIT is a state where we once had a link but it is already closed and in the process of being cleaned up.

Closing a TCP connection look like this (simplified):

2) How do determine the processes that are doing this

At the moment these processes are already gone. Try monitoring to find one which is ESTABLISHED, then try to find out which app is using that connection. I got a feeling that this will be your browser.

3) How do I safeguard myself. Are there any good linux antivirus solutions

Standard solutions: Do not run as root. Do use common sense when clicking on items, do keep your OS and applications up to date

What's happening? I can understand twitter spamming, but what about google? Are they clicking on google links for SEO?

On windows I noticed the same when firefox was adding suggestions to my searches. Lots of active links to google. Not just the webpage. And if I visit a webpage with a link to facebook or twitter that can also open an connectoion to their site. (Even if innocent if it only downloads the twitter logo from twitters site).

As for cloudfare: they are a Content delivery network (CND). Almost anything could trigger those, including google and twitter.

5) How do I get rid of them pronto?

Reboot.

Log in (non graphical) and check if no connections.
Next start your graphical environment (and possible auto starting applications). Check again. Fire up your favourite progras, one by one. Check again after each, ...

Recent Questions...