Score:0

Ubuntu 22.04 developed a data leak from about 19/05/23?


I am using a data limited ISP so data usage matters.

From about 19/05/23 22.04 (Jammy) seems to have started using 100M of data every (very approximate) hour.

I have a rig with several flavours of Ubuntu and I have noticed this problem extends to 20.04 (Focal) too, although I don't know when it started for this one. My setup is multiple OS with a common home mount point.

I know there are several unattended uploads of data that occur so I have tried to switch these off with the following: -

```bash
#!/bin/bash

sudo systemctl status clamav-freshclam.service
sudo systemctl stop clamav-freshclam.service
sudo systemctl status cron
sudo systemctl stop cron
sudo snap refresh --hold
sudo systemctl disable --now systemd-timesyncd
```

This did not stop it.

I have now just added the following too - but without the former stuff and I think the CRON controller is still activating anacron? I am currently trying both together.

```bash
sudo systemctl stop anacron.timer
```

Note: That anacron reports for the first run it ran (1) (which I expect) and then (0) after that which is also correct but data is still being consumed. I don't know that the problem is these scripts either but suspect it due to the regular data loss of 100M ish.

When it first occurred I completely re-installed 22.04 (jammy) as I have seen something similar before 01/12/22 and it fixed it. This time it doesn't.

I know this is sort of incomplete but I wanted to make the report before I run out of data. :-(

Edit:

Thanks for the quick reply. I am sorry I don't know a lot about this and my strategy was to try and turn things off in turn to find the problem. I couldn't think of a way to somehow detect a process that is accessing the network for a short time. Yes, leaving stuff turned off is not a wise idea.

I took a look in `cat /var/log/apt/history` and it reports the first update but not the second or third so it's not that.

I have just noted that with the following set the problem persists as I have just lost another 100M.

```bash
sudo systemctl stop clamav-freshclam.service
sudo systemctl stop cron
sudo systemctl stop anacron.timer
```

In this case the log reports that anacron was not started.

I can boot the rig and just monitor the data with vnstat -v with no additional processes added and it still does it.

snap list --all gives the following: -

```
Name               Version                     Rev    Tracking         Publisher   Notes
bare               1.0                         5      latest/stable    canonical✓  base
core               16-2.58.2                   14784  latest/stable    canonical✓  core,disabled
core               16-2.58.3                   14946  latest/stable    canonical✓  core
core18             20230320                    2721   latest/stable    canonical✓  base,disabled
core18             20230426                    2745   latest/stable    canonical✓  base
core20             20230404                    1879   latest/stable    canonical✓  base,disabled
core20             20230503                    1891   latest/stable    canonical✓  base
core22             20230503                    634    latest/stable    canonical✓  base
gnome-3-28-1804    3.28.0-19-g98f9e67.98f9e67  198    latest/stable    canonical✓  -
gnome-3-28-1804    3.28.0-19-g98f9e67.98f9e67  194    latest/stable    canonical✓  disabled
gnome-3-34-1804    0+git.3556cb3               90     latest/stable/…  canonical✓  disabled
gnome-3-34-1804    0+git.3556cb3               93     latest/stable/…  canonical✓  -
gnome-3-38-2004    0+git.6f39565               140    latest/stable    canonical✓  -
gnome-3-38-2004    0+git.6f39565               137    latest/stable    canonical✓  disabled
gnome-42-2204      0+git.587e965               102    latest/stable    canonical✓  -
gtk-common-themes  0.1-81-g442e511             1535   latest/stable/…  canonical✓  -
gtk-common-themes  0.1-79-ga83e90c             1534   latest/stable/…  canonical✓  disabled
snap-store         41.3-71-g709398e            959    latest/stable/…  canonical✓  -
snap-store         41.3-66-gfe1e325            638    latest/stable/…  canonical✓  disabled
```

I am not sure what I can do with this?

I am currently running from 20.04 (Focal) as it's the first time I have tried a different OS from 22.04 (Jammy) where I first noticed the problem.

Any idea where to go next?


I think I have this resolved thanks to Sebastian's suggestion to run nethogs. Thanks Sebastian. Do I need to tick some like boxes somewhere?

The problem seems to be the DrxxBxx (well known cloud storage firm) daemon which I have now disabled and things are back to normal but without my cloud memory synchronisation.

I don't know why it was doing this though but I don't use it much and am happy to just use it from its web interface. I am pretty certain I was testing with the synchronisation turned off and anyway this tends to be immediate when it engages. If it is not related to synchronisation I can't imagine what else it might be doing. I have checked the web based account and I couldn't find evidence that security had been breached but I am not an expert.

I couldn't work out how to take the daemon off completely but the icon menu does allow you to stop it and you can set a configuration tickbox before you do this to stop it restarting on the next boot.

When I re-installed 22.04 I did not load a new version of the daemon but used the one I installed last time. There do seem to be two versions of the daemon available for 22.04 from their web interface but I have not tried either yet to see if it fixes the problem. I would also need to do this for the other OS I use. (18.04, 20.04 & 22.04).

Artur Meinild:
Your question contains very little information about the actual troubleshooting you have been doing - instead you have disabled random services, which seems like an inherently bad idea. Maybe for starters include output of `cat /var/log/apt/history` and `snap list --all`.
Artur Meinild:
Also, since I'm using Ubuntu Server, and not experiencing this, you can rule out anything that's present on Ubuntu Server (i.e. the problem must be exclusive to Ubuntu Desktop) - that means `cron`, `timesyncd` etc. In general, services like this don't generate much traffic, so it's unclear why you would suspect this in the first place.
Sebastian:
There is a tool called `nethogs` that you can use to monitor network bandwidth quite easily. Let it run for a while to see which processes generate the most traffic.
Artur Meinild:
@Sebastian you should add that as an answer to the question.
Score:1

You can use a tool called nethogs to monitor bandwidth usage easily. Just install it using apt.

It can show throughput per second as well as cumulative traffic per process. Cycle through the different display modes by pressing m. Let it run for a while to see which processes generate the most traffic.
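For traffic that only shows up in short bursts, an unattended log can be totalled afterwards instead of watching the screen. The following is an added example, not part of the answer above or of nethogs itself: it sums per-program traffic from `nethogs -t` (trace mode) output. The tab-separated `program/pid/uid`, sent KB/s, received KB/s line format is an assumption about trace output, and the program path `/opt/cloudsync/syncd` and all sample figures are constructed.

```bash
#!/bin/bash
# Total per-program traffic from `nethogs -t` trace output read on stdin.
# Assumed line format: <program>/<pid>/<uid> TAB <sent KB/s> TAB <received KB/s>
# $1 is the refresh interval in seconds (the value given to nethogs -d),
# so rate * interval approximates the KB moved during each refresh.
rank_trace() {
    local delay="${1:-1}"
    LC_ALL=C awk -F'\t' -v d="$delay" '
        NF == 3 && $2 ~ /^[0-9.]+$/ && $3 ~ /^[0-9.]+$/ {
            name = $1
            sub(/\/[0-9]+\/[0-9]+$/, "", name)   # drop trailing /pid/uid
            sent[name] += $2 * d
            recv[name] += $3 * d
        }
        END {
            # columns: total KB, received KB, program
            for (n in recv)
                printf "%.1f\t%.1f\t%s\n", sent[n] + recv[n], recv[n], n
        }' | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr
}

# Constructed sample of two refreshes (hypothetical programs and rates).
sample_trace() {
    echo "Refreshing:"
    printf '%s\t%s\t%s\n' \
        "/opt/cloudsync/syncd/2211/1000" 12.500 410.000 \
        "/usr/bin/freshclam/901/120" 0.100 2.000 \
        "unknown TCP/0/0" 0.000 0.000
    echo
    echo "Refreshing:"
    printf '%s\t%s\t%s\n' \
        "/opt/cloudsync/syncd/2211/1000" 10.000 390.000 \
        "/usr/lib/snapd/snapd/733/0" 0.200 1.500
}

# Live use, one hour at a 5-second refresh:
#   sudo timeout 3600 nethogs -t -d 5 | rank_trace 5
sample_trace | rank_trace 5
```

The program at the top of the output is the one to investigate first; the totals are estimates built from sampled rates, so compare them against `vnstat` for the same period.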
