by dehef 2885 days ago
A weird thing happened to my installation a month ago. I was on the previous Ubuntu version (17).

According to a Wireshark capture, there was a strange continuous UDP stream, even with all applications closed. My computer was reaching several IPs in Europe. The text of the stream was encrypted; I was just seeing "...token..." or things like that.

I formatted and installed Ubuntu 18, the network is clean now.

I'm pretty sure I had some kind of malware. I have no idea what it was; it's very suspicious.

2 comments

sudo netstat -planut would have shown which process was sending UDP (and any other connections).

If I run up an iperf stream from one AWS server to another and run that command, one line of the output is this:

  udp        0      0 172.26.4.22:44142      52.56.147.150:5001      ESTABLISHED 20114/iperf
If the process actually tries to be stealthy, you won't see open UDP sockets like this. If the data is only sent out, or the app is using polling, the socket can be created and destroyed as needed.

A better approach could be SystemTap, which has whole-system visibility.

Presumably it would show up in netstat, but only while the packet was being written to the network stack?

  int s = socket(AF_INET, SOCK_DGRAM, 0);
  // unbound: not yet listed in /proc/net/udp, so netstat/ss do not show it
  sendto(s, buf, len, 0, (struct sockaddr *)&dst, sizeof dst);
  // first send auto-binds a local port: visible now, for this instant only
  close(s);
  // no longer visible
It would have been pretty easy to track down what was doing that at the time, using netstat and similar.
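The two comments above describe what netstat -p actually does (read /proc/net/udp, then map each socket inode to a PID through /proc/<pid>/fd) and why a socket that lives for a single sendto() can slip between two runs of it. The script below is an added example, not code from this thread or from any of the tools named in it: it decodes the /proc/net/udp table, resolves the owning PID the way netstat does, and polls at a short interval so a briefly-lived socket has a better chance of being logged. The SAMPLE_PROC_NET_UDP table is constructed here (its first row mirrors the iperf line quoted above) and assumes a little-endian host, which is what the kernel's hex address encoding reflects on x86 and arm64; the function names are this example's own. A tracing tool such as SystemTap or bpftrace hooking sendto() is still the only way to catch every packet, since polling can always miss a socket closed between two reads.

```python
#!/usr/bin/env python3
"""Poll /proc/net/udp (the table netstat and ss read) and log every UDP
socket the first time it is seen, with the PID that owns it, so that a
socket created only for one sendto() still leaves a trace.
Added example; not part of the original discussion."""
import os
import socket
import struct
import time
from typing import Dict, List, Optional

# Constructed sample in the /proc/net/udp layout of a little-endian host.
# Row 1 mirrors the iperf line from the thread: 172.26.4.22:44142 ->
# 52.56.147.150:5001, st 01 = connected. Row 2 is an unconnected socket
# (st 07) bound to 0.0.0.0:68, as a DHCP client would hold. All values
# (inodes, uids) are made up for the example.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
 1234: 16041AAC:AC6E 96933834:1389 01 00000000:00000000 00:00000000 00000000  1000        0 123456 2 0000000000000000 0
 1235: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 222 2 0000000000000000 0
"""


def decode_addr(hexaddr: str) -> str:
    """'16041AAC:AC6E' -> '172.26.4.22:44142'.
    The kernel prints the IPv4 address as a host-order u32, so on a
    little-endian host the bytes appear reversed; repack them as '<I'."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return f"{ip}:{int(port_hex, 16)}"


def parse_udp_table(text: str) -> List[Dict]:
    """Parse /proc/net/udp text into rows: local, remote, state, uid, inode."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({
            "local": decode_addr(f[1]),
            "remote": decode_addr(f[2]),
            # st 01 means connect() was called on the UDP socket (netstat
            # prints ESTABLISHED); 07 (TCP_CLOSE) is the normal unconnected case
            "state": "connected" if f[3] == "01" else "unconnected",
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return rows


def pid_for_inode(inode: int) -> Optional[int]:
    """Map a socket inode to a PID by scanning /proc/<pid>/fd symlinks,
    which is what netstat -p does. Needs root to see other users' fds."""
    target = f"socket:[{inode}]"
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                if os.readlink(f"/proc/{pid}/fd/{fd}") == target:
                    return int(pid)
        except OSError:  # process exited or permission denied
            continue
    return None


def watch(interval: float = 0.02, duration: float = 30.0) -> None:
    """Poll the live table and print each socket inode the first time it shows up."""
    seen = set()
    end = time.time() + duration
    while time.time() < end:
        with open("/proc/net/udp") as fh:
            rows = parse_udp_table(fh.read())
        for r in rows:
            if r["inode"] in seen:
                continue
            seen.add(r["inode"])
            pid = pid_for_inode(r["inode"])
            print(f"{r['local']} -> {r['remote']} {r['state']} "
                  f"uid={r['uid']} inode={r['inode']} pid={pid}")
        time.sleep(interval)


if __name__ == "__main__":
    watch()
```

Run it as root (sudo python3 udpwatch.py) while the machine is otherwise idle; anything that pops up with a remote address it should not be talking to, and a PID you do not recognise, is the process to look at. A short-lived socket shows a PID of None when the process closed it before the fd scan ran, which is itself a hint that something is opening and closing sockets per packet rather than keeping one open like iperf does.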