Text only | Text with Images

OPNsense Forum

English Forums => 26.1 Series => Topic started by: Werewolf71 on February 19, 2026, 11:53:32 PM

Title: Potential Bug/Exploit Witnessed During Unsolicited UDP Port Scanning
Post by: Werewolf71 on February 19, 2026, 11:53:32 PM
Versions
OPNsense 26.1.2_5-amd64
FreeBSD 14.3-RELEASE-p8
OpenSSL 3.0.19

It was noticed today when an unknown party performed a UDP port scan on my home's public IP that a node on my private subnet would 'react' and initiate outbound UDP traffic towards the scanning IP address and source port.  See sanitized SYSLOG messages below.  I can provide more log messages, if required.

Sharing this for awareness as in checking the SYSLOG, no other traffic has been witnessed from the scanning IP address before the scan took place.


11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,54,9319,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,46652,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,54,9321,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,15946,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,54,9318,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,28496,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9317,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,64274,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9331,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,56299,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9316,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,37499,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9320,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,25566,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,54,9323,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,41253,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,54,9324,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,15935,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,54,9328,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,30811,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9322,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,37367,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9325,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,35622,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9327,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,24423,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9326,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,51875,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9330,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,52030,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9329,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,53247,49
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,18484,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51536,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,18484,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,61503,51536,48
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,53287,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51537,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,53287,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,39173,51537,48
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,35093,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51538,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,35093,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,59266,51538,48
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,3406,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51539,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,3406,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,45066,51539,48
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,873,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51540,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,873,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,2356,51540,48
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,33810,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51541,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,33810,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,54597,51541,48
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,57291,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51542,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,57291,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,28222,51542,48
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,50441,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51543,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,50441,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,60136,51543,48
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9334,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,57665,49
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,48008,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51544,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,48008,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,3600,51544,48
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,42554,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51545,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,42554,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,15340,51545,48
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,25127,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51546,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,25127,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,60149,51546,48
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,1807,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51547,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,1807,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,44900,51547,48
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,64006,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51548,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,64006,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,34174,51548,48
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,53892,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51549,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,53892,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,42543,51549,48
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,22058,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51550,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,22058,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,42140,51550,48
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,38924,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51551,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,38924,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,44999,51551,48
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,63294,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51552,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,63294,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,19522,51552,48
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9359,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,57665,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9367,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,57665,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9377,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,57665,49
Title: Re: Potential Bug/Exploit Witnessed During Unsolicited UDP Port Scanning
Post by: pfry on February 20, 2026, 02:40:13 AM
The ports don't seem to be well-known, and it doesn't look like anything I'm familiar with. The pattern from your device looks a bit like a trace or scan (climbing destination port). The packets from the remote are a bit odd, as it would have available sessions, but they follow a random pattern somewhat (but not entirely) like the NAT sources from your device.

How are you viewing the logs? Timestamp is missing. Using the GUI, latest is at the top.

Filter leakage seems unlikely. I have different (not pf) filters on my servers and haven't observed any leakage. (I have observed some really wacky behavior from Windows, though...)

The "scanner" IP might help.
Title: Re: Potential Bug/Exploit Witnessed During Unsolicited UDP Port Scanning
Post by: Werewolf71 on February 20, 2026, 03:04:04 AM
Thank you for your interest.  I was viewing the logs from a Graylog SYSLOG instance that is catching the OPNsense logs.  Providing the additional detail that you referenced.

I have set up a full packet capture for the private side of my home network, with hopes of catching the raw packets for inspection, if it happens again.




SCANNER_IP = 45.36.163.80

timestamp   source   message
2026-02-19T15:36:26.000-05:00   OPNsense.lab   11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,54,9319,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,46652,49
2026-02-19T15:36:26.000-05:00   OPNsense.lab   11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,54,9321,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,15946,49
2026-02-19T15:36:26.000-05:00   OPNsense.lab   11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,54,9318,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,28496,49
2026-02-19T15:36:26.000-05:00   OPNsense.lab   11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9317,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,64274,49
2026-02-19T15:36:26.000-05:00   OPNsense.lab   11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9331,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,56299,49
2026-02-19T15:36:26.000-05:00   OPNsense.lab   11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9316,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,37499,49
2026-02-19T15:36:26.000-05:00   OPNsense.lab   11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9320,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,25566,49
2026-02-19T15:36:26.000-05:00   OPNsense.lab   11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,54,9323,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,41253,49
2026-02-19T15:36:26.000-05:00   OPNsense.lab   11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,54,9324,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,15935,49
2026-02-19T15:36:26.000-05:00   OPNsense.lab   11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,54,9328,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,30811,49
2026-02-19T15:36:26.000-05:00   OPNsense.lab   11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9322,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,37367,49
2026-02-19T15:36:26.000-05:00   OPNsense.lab   11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9325,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,35622,49
2026-02-19T15:36:26.000-05:00   OPNsense.lab   11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9327,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,24423,49
2026-02-19T15:36:26.000-05:00   OPNsense.lab   11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9326,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,51875,49
2026-02-19T15:36:26.000-05:00   OPNsense.lab   11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9330,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,52030,49
2026-02-19T15:36:26.000-05:00   OPNsense.lab   11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9329,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,53247,49
2026-02-19T15:36:26.000-05:00   OPNsense.lab   88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,18484,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51536,48
2026-02-19T15:36:26.000-05:00   OPNsense.lab   77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,18484,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,61503,51536,48
2026-02-19T15:36:27.000-05:00   OPNsense.lab   88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,53287,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51537,48
2026-02-19T15:36:27.000-05:00   OPNsense.lab   77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,53287,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,39173,51537,48
2026-02-19T15:36:27.000-05:00   OPNsense.lab   88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,35093,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51538,48
2026-02-19T15:36:27.000-05:00   OPNsense.lab   77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,35093,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,59266,51538,48
2026-02-19T15:36:27.000-05:00   OPNsense.lab   88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,3406,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51539,48
2026-02-19T15:36:27.000-05:00   OPNsense.lab   77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,3406,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,45066,51539,48
2026-02-19T15:36:27.000-05:00   OPNsense.lab   88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,873,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51540,48
2026-02-19T15:36:27.000-05:00   OPNsense.lab   77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,873,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,2356,51540,48
2026-02-19T15:36:27.000-05:00   OPNsense.lab   88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,33810,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51541,48
2026-02-19T15:36:27.000-05:00   OPNsense.lab   77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,33810,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,54597,51541,48
2026-02-19T15:36:27.000-05:00   OPNsense.lab   88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,57291,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51542,48
2026-02-19T15:36:27.000-05:00   OPNsense.lab   77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,57291,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,28222,51542,48
2026-02-19T15:36:27.000-05:00   OPNsense.lab   88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,50441,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51543,48
2026-02-19T15:36:27.000-05:00   OPNsense.lab   77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,50441,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,60136,51543,48
2026-02-19T15:36:27.000-05:00   OPNsense.lab   11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9334,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,57665,49
2026-02-19T15:36:27.000-05:00   OPNsense.lab   88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,48008,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51544,48
2026-02-19T15:36:27.000-05:00   OPNsense.lab   77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,48008,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,3600,51544,48
2026-02-19T15:36:27.000-05:00   OPNsense.lab   88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,42554,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51545,48
2026-02-19T15:36:27.000-05:00   OPNsense.lab   77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,42554,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,15340,51545,48
2026-02-19T15:36:27.000-05:00   OPNsense.lab   88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,25127,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51546,48
2026-02-19T15:36:27.000-05:00   OPNsense.lab   77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,25127,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,60149,51546,48
2026-02-19T15:36:27.000-05:00   OPNsense.lab   88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,1807,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51547,48
2026-02-19T15:36:27.000-05:00   OPNsense.lab   77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,1807,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,44900,51547,48
2026-02-19T15:36:27.000-05:00   OPNsense.lab   88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,64006,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51548,48
2026-02-19T15:36:27.000-05:00   OPNsense.lab   77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,64006,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,34174,51548,48
2026-02-19T15:36:27.000-05:00   OPNsense.lab   88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,53892,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51549,48
2026-02-19T15:36:27.000-05:00   OPNsense.lab   77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,53892,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,42543,51549,48
2026-02-19T15:36:27.000-05:00   OPNsense.lab   88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,22058,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51550,48
2026-02-19T15:36:27.000-05:00   OPNsense.lab   77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,22058,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,42140,51550,48
2026-02-19T15:36:27.000-05:00   OPNsense.lab   88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,38924,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51551,48
2026-02-19T15:36:27.000-05:00   OPNsense.lab   77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,38924,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,44999,51551,48
2026-02-19T15:36:27.000-05:00   OPNsense.lab   88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,63294,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51552,48
2026-02-19T15:36:27.000-05:00   OPNsense.lab   77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,63294,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,19522,51552,48
2026-02-19T15:36:27.000-05:00   OPNsense.lab   11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9359,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,57665,49
2026-02-19T15:36:27.000-05:00   OPNsense.lab   11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9367,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,57665,49
2026-02-19T15:36:28.000-05:00   OPNsense.lab   11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9377,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,57665,49
2026-02-19T15:36:28.000-05:00   OPNsense.lab   11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9404,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,57665,49
2026-02-19T15:36:29.000-05:00   OPNsense.lab   88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,39400,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,57336,51536,48
2026-02-19T15:36:29.000-05:00   OPNsense.lab   88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,57310,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,61164,51536,48
2026-02-19T15:36:29.000-05:00   OPNsense.lab   77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,57310,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,25406,51536,48
Title: Re: Potential Bug/Exploit Witnessed During Unsolicited UDP Port Scanning
Post by: pfry on February 20, 2026, 03:38:54 AM
Quote from: Werewolf71 on Today at 03:04:04 AM[...]SCANNER_IP = 45.36.163.80[...]

Huh. An ordinary Charter/Spectrum residential IP, apparently. I can't parse "hgpnnc"; looks like a short CLLI, apparently near Winston-Salem (wnslnc)... Highpoint/Greensboro/Piedmont|Pleasant Garden...? Anyway, not likely relevant.

What is your client? If Windows, "netstat -ab" might be helpful, otherwise "netstat -ap", I believe. You might have to catch it in the act.
Title: Re: Potential Bug/Exploit Witnessed During Unsolicited UDP Port Scanning
Post by: Werewolf71 on February 20, 2026, 03:48:55 AM
It was my wife's iPhone that reacted to the UDP port scan, so I am limited in what I can check/verify.

I checked the SYSLOG for her iPhone's traffic before the event, and saw nothing out of the ordinary, except for that moment in time the UDP port scan occurred. 

To me it appears that the UDP port scan started first.  Then somehow something 'leaked' through and touched her iPhone, causing it to react with a small flood of UDP traffic directed back to the scanning node's public IP address.

Things that make you go:  "Hmmmmmmmmmmm"
Text only | Text with Images