Something weird!

wh7qq

Senior Member
I recently ran "ifconfig" from my desktop terminal and was curious to discover an entry for "ham0". My initial response was unprintable... "What the **** is this ****?" Further explorations yielded an IP address for ham0 that went back to the UK Ministry of Defence! I have no idea how this got installed on my desktop but I eventually figured that it related to software known as "logmein-hamachi" which is some kind of a VPN service. I removed it surgically with "apt-get remove --purge logmein-hamachi".

If UK MOD is looking at me, they are going to be sound asleep from total boredom before long. Not sure how this got past the firewalls on my 66U and 56U routers but I sure as hell never installed it.
 
It looks to me like the software uses 25.0.0.0 as its virtual private network so it's nothing to do with the MOD. Maybe you should take it up with Ubuntu (assuming that's what you're using).
 
Here is the actual ifconfig output:

ham0 Link encap:Ethernet HWaddr 7a:79:19:02:cd:fa
inet addr:25.2.205.250 Bcast:25.255.255.255 Mask:255.0.0.0
inet6 addr: fe80::7879:19ff:fe02:cdfa/64 Scope:Link
inet6 addr: 2620:9b::1902:cdfa/96 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1404 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:183 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 B) TX bytes:36069 (36.0 KB)

And the "whois" output for 25.2.205.250:

inetnum: 25.0.0.0 - 25.255.255.255
netname: UK-MOD-19850128
descr: DINSA, Ministry of Defence
country: GB
org: ORG-DMoD1-RIPE
admin-c: MN1891-RIPE
tech-c: MN1891-RIPE
status: LEGACY
remarks: For information on "status:" attribute read https://www.ripe.net/data-tools/db/faq/faq-status-values-legacy-resources
mnt-by: UK-MOD-MNT
mnt-domains: UK-MOD-MNT
mnt-routes: UK-MOD-MNT
source: RIPE # Filtered

Please explain "so it's nothing to do with the MOD". I'd like to know what is going on here and how this got on my desktop. I have put it up on the Mint forums. BTW, nobody on my network does online gaming including minecraft.
 
I think you need to do much more trouble-shooting before assuming that you have been hacked by a government.

According to your ifconfig, "25.2.205.250" is your IP. Although I am unfamiliar with VPNs, I think you are sending no information outside of your network. Also, the complete lack of RX packets seems to say that this interface is misconfigured/non-functioning.

If this is happening every time you boot, then you need to check your network startup configs, like NetworkManager, wicd, systemd, etc.

Have you verified with a packet sniffer, like tcpdump or Wireshark, that this "ham0" interface is transmitting data to the internet? You could also use the aforementioned tools to see what sort of data is being transmitted.

It seems like you have/had some VPN client (LogMeIn Hamachi) installed, and this was its non-functioning interface, that was to be used if you were to run the VPN client. The IP does not seem to be a public IP, it would have been an internal VPN IP, meaning it has nothing to do with the MOD.

Best of luck towards solving this problem. The internet can sometimes be a scary place. :)
 
"apt-get remove --purge logmein-hamachi" seems to have rid me of "ham0" through several boots. No way to go back and examine the 36Kb that was sent to see where it went. "find" discovered a crash.log in a directory since removed that indicates there was one unsuccessful attempt to run it on 2/15/15. There has been some chatter about this online, most from prior to 2012, but it would appear that Hamachi was using UK MOD IPs for their VPNs. I'm usually pretty vigilant about downloads. As far as software, if it isn't in the official repos, it doesn't get installed. I probably won't ever know unless something can't run without it and complains.
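
Added example, not part of any post in this thread: a Python sketch of the check the replies describe. It parses legacy ifconfig output and flags an interface whose own address sits in publicly allocated space (so whois returns the block's registrant) and whose counters show packets sent but none received. The eth0 stanza and the function names are constructed for illustration; the ham0 values are the ones posted above.

```python
import ipaddress
import re

# Sample in the legacy net-tools layout: ham0 values from the thread, eth0 constructed.
SAMPLE = """\
ham0 Link encap:Ethernet HWaddr 7a:79:19:02:cd:fa
inet addr:25.2.205.250 Bcast:25.255.255.255 Mask:255.0.0.0
UP BROADCAST RUNNING MULTICAST MTU:1404 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:183 errors:0 dropped:0 overruns:0 carrier:0

eth0 Link encap:Ethernet HWaddr 00:11:22:33:44:55
inet addr:192.168.1.20 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9120 errors:0 dropped:0 overruns:0 frame:0
TX packets:8411 errors:0 dropped:0 overruns:0 carrier:0
"""

def parse_ifconfig(text):
    """Return {name: {"net": IPv4Interface, "rx": int, "tx": int}} per stanza."""
    out = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        name = stanza.split()[0]
        addr = re.search(r"inet addr:(\S+).*?Mask:(\S+)", stanza)
        if not addr:
            continue  # interface has no IPv4 address configured
        out[name] = {
            "net": ipaddress.ip_interface(f"{addr.group(1)}/{addr.group(2)}"),
            "rx": int(re.search(r"RX packets:(\d+)", stanza).group(1)),
            "tx": int(re.search(r"TX packets:(\d+)", stanza).group(1)),
        }
    return out

def triage(ifaces):
    """Collect notes for interfaces that merit a closer look."""
    findings = {}
    for name, i in ifaces.items():
        notes = []
        if i["net"].ip.is_global:  # not RFC 1918, CGNAT, link-local, etc.
            notes.append(f"{i['net'].network} is public space configured locally; "
                         "whois names the block's registrant, not a remote peer")
        if i["tx"] > 0 and i["rx"] == 0:
            notes.append("packets sent, none received: tunnel may never have come up")
        if notes:
            findings[name] = notes
    return findings

if __name__ == "__main__":
    print(triage(parse_ifconfig(SAMPLE)))
```

A flagged interface is a prompt to identify the owning package and capture its traffic, as suggested in the replies, not a verdict by itself.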
 