OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: firewall on May 11, 2019, 12:46:45 am

Title: Unknown (& Errant) Outbound SSH?
Post by: firewall on May 11, 2019, 12:46:45 am
Running OPNsense 19.1.7 on a 6-port QOTOM I7 miniPC. Numerous services to list, so I'll spare you unless you think there's one that may be causing this "problem".

In viewing firewall live log this afternoon I noticed numerous outbound connections with src WAN IP to many different (routed; e.g. 32.242.109.124) IPs at dst port 22.  On the surface it looked like an internal machine was scanning on behalf of C&C but then non-routed IPs (e.g. 0.195.6.134) started showing up with same config.

So, I don't think I've been pwned but I'd still like to figure out the source... particularly if this traffic is making it to the (routable) destinations.

See attached screenshot from States Dump.  Masked block is my WAN address & there are hundreds of destinations not shown.

Any tips on how I might troubleshoot this?

EDIT: Thanks for moving this post over from 19.7 Dev Series!  :)
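One way to narrow down the source described above, as an added example that is not from the original post or from OPNsense: parse the state table (the same table the States Dump shows, in the shape `pfctl -ss` prints), group outbound port-22 states by the pre-NAT address in parentheses, and count how many destinations are not globally routable. The sample lines, the 203.0.113.5 WAN address and the 192.168.x.x hosts are constructed; the destination IPs 32.242.109.124 and 0.195.6.134 are the ones quoted in the post.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape `pfctl -ss` prints (OPNsense's States Dump shows
# the same table). 203.0.113.5 is a placeholder WAN address; the parenthesised
# address is the pre-NAT source, which is what names the internal host.
SAMPLE_STATES = """\
all tcp 203.0.113.5:51234 (192.168.1.23:51234) -> 32.242.109.124:22       SYN_SENT:CLOSED
all tcp 203.0.113.5:51235 (192.168.1.23:51235) -> 0.195.6.134:22          SYN_SENT:CLOSED
all tcp 203.0.113.5:51236 (192.168.1.23:51236) -> 10.3.4.5:22             SYN_SENT:CLOSED
all tcp 203.0.113.5:44100 (192.168.1.40:44100) -> 203.0.113.200:443       ESTABLISHED:ESTABLISHED
"""

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)"
    r"(?:\s+\((?P<orig>[\d.]+):(?P<oport>\d+)\))?"   # present only for NATed states
    r"\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<state>\S+)"
)

def parse_states(text):
    """Yield one dict per state line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def outbound_ssh_by_origin(text, port="22"):
    """Group TCP states to the given dport by pre-NAT source (falls back to the
    NATed src when no translation is shown). Returns {origin_ip: {"dsts": n,
    "unroutable": n}} so the host opening the SSH states, and how many of them
    go to non-routable space, stands out."""
    summary = defaultdict(lambda: {"dsts": 0, "unroutable": 0})
    for st in parse_states(text):
        if st["proto"] != "tcp" or st["dport"] != port:
            continue
        origin = st["orig"] or st["src"]
        dst = ipaddress.ip_address(st["dst"])
        summary[origin]["dsts"] += 1
        if not dst.is_global:   # 0.0.0.0/8, RFC 1918, etc. are never reachable
            summary[origin]["unroutable"] += 1
    return dict(summary)

if __name__ == "__main__":
    for host, s in outbound_ssh_by_origin(SAMPLE_STATES).items():
        print(f"{host}: {s['dsts']} SSH states, {s['unroutable']} to non-routable destinations")
```

On a live box, feed it the output of `pfctl -ss` instead of the sample; a source that appears without a parenthesised address is traffic originating on the firewall itself rather than from a LAN host.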