OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: JohnDoe17 on March 14, 2017, 04:22:35 pm

Title: Which FW process is associated with which outbound connection
Post by: JohnDoe17 on March 14, 2017, 04:22:35 pm
Does anyone know of a reason why the *FW* might be making connections to the following Twitter-controlled IPs:
104.244.42.194 and 104.244.42.2 on port 443?  It is happening pretty much constantly...

Is there a command I can run on the FW that will link those outbound connections to a process?  lsof doesn't seem to be present and I can't figure out the right netstat command to do it...

If the FW is somehow participating in a DDoS, I want to know!
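FreeBSD (and therefore OPNsense) ships `sockstat` in the base system, which lists each connected socket together with the owning user, command and PID. The script below is an added example, not something posted in this thread: it filters `sockstat -4 -c` output for the two remote addresses named above. The sample output embedded in it is constructed for offline testing (process names, PIDs and local addresses are made up).

```shell
#!/bin/sh
# Map established IPv4 sockets to their owning process on a FreeBSD/OPNsense
# box, keeping only those whose foreign address is one of the given IPs.
#
# Real usage on the firewall:
#   sockstat -4 -c | match_remote 104.244.42.194 104.244.42.2
#
# sockstat -4 -c columns: USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS

# Print "PID COMMAND USER LOCAL -> FOREIGN" for each line whose foreign
# address (last column, ip:port) matches one of the IPs given as arguments.
match_remote() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) ips[w[i]] = 1 }
        NR == 1 { next }                       # skip the header line
        {
            foreign = $NF
            split(foreign, parts, ":")
            if (parts[1] in ips)
                printf "%s %s %s %s -> %s\n", $3, $2, $1, $(NF-1), foreign
        }'
}

# Constructed sample of sockstat output; not captured from a real box.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     openvpn    1234  5  udp4   203.0.113.10:1194     198.51.100.5:1194
root     sshd       4321  4  tcp4   192.168.1.1:22        192.168.1.50:51234
nobody   unknown    6666  3  tcp4   203.0.113.10:40001    104.244.42.194:443
nobody   unknown    6666  4  tcp4   203.0.113.10:40002    104.244.42.2:443'

# Number of sample sockets connected to the two Twitter IPs from the question.
count_matches() {
    printf '%s\n' "$SAMPLE" | match_remote 104.244.42.194 104.244.42.2 | wc -l | tr -d ' '
}

count_matches   # prints 2 for the constructed sample
```

Only sockets opened by a userland process appear here; packets merely forwarded by pf for a LAN or VPN host, or sent from a raw socket, will not be attributed to a process this way, so an empty result does not by itself clear the box. Pairing this with `tcpdump -ni <interface> host 104.244.42.194` on the WAN shows whether the SYNs are still leaving at all.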
Title: Re: Which FW process is associated with which outbound connection
Post by: chemlud on March 14, 2017, 04:53:52 pm
...have here an opnsense box (no clients currently on LAN), coupled via WAN to another router. Only traffic I see is DNS (sometimes to Microsoft nameservers within an IP-range blocked due to telemetry....). Nuffin else :-)

Will have a look for the domains opnsense is trying to resolve...

Done:

Captured 100 DNS packets from the WAN of the opnsense (again: no clients on LAN, OPT etc.); here are some of the things the box is trying to resolve:

1   2017-03-14 15:52:52.013467   10.0.2.4   23.61.199.131   DNS   121   Standard query 0xe400 A co4.telecommand.telemetry.microsoft.com.akadns.net OPT
2   2017-03-14 15:52:52.013629   10.0.2.4   193.108.88.128   DNS   96   Standard query 0xcb85 A i.s1.social.ms.akadns.net OPT
30   2017-03-14 15:52:52.031014   10.0.2.4   95.100.168.130   DNS   114   Standard query 0x5dea A modern.watson.data.microsoft.com.akadns.net OPT
37   2017-03-14 15:52:52.035629   10.0.2.4   95.100.168.130   DNS   111   Standard query 0xfba1 A diagnostics.support.microsoft.akadns.net OPT
46   2017-03-14 15:52:52.042214   10.0.2.4   193.108.88.128   DNS   97   Standard query 0xb1b7 A siweb.microsoft.akadns.net OPT
67   2017-03-14 15:52:52.057924   10.0.2.4   4.23.39.155   DNS   100   Standard query 0x197b A t.urs.microsoft.com.nsatc.net OPT
73   2017-03-14 15:52:52.061795   10.0.2.4   184.26.160.131   DNS   122   Standard query 0x9cd7 A asimov-sandbox.vortex.data.microsoft.com.akadns.net OPT
74   2017-03-14 15:52:52.062276   10.0.2.4   213.73.91.35   DNS   84   Standard query 0xc2a3 A telemetry.appex.bing.net
75   2017-03-14 15:52:52.063585   10.0.2.4   4.23.39.155   DNS   106   Standard query 0xdfe4 A statsfe2.ws.microsoft.com.nsatc.net OPT
96   2017-03-14 15:52:52.086428   10.0.2.4   95.100.168.130   DNS   111   Standard query 0x4026 A oca.watson.data.microsoft.com.akadns.net OPT
99   2017-03-14 15:52:52.088605   10.0.2.4   95.100.173.129   DNS   117   Standard query 0xa9c5 A sandbox.settings.data.microsoft.com.akadns.net OPT

...no idea what that means...
Title: Re: Which FW process is associated with which outbound connection
Post by: JohnDoe17 on March 14, 2017, 07:14:02 pm
Well, it looks like the VPN server I had connected to the FW was compromised.  I had the FW configured to be an OpenVPN client to this compromised VPN server.  I disabled the VPN connection on the FW, but the FW still looks like it is spewing SYN packets (DDoS) to Twitter IP addresses.

Is it possible the attackers were able to use the VPN tunnel to compromise the FW itself?

I really need a tool that I can use that maps the outbound connection from the FW to a process *on* the FW.

Can anyone help?
Title: Re: Which FW process is associated with which outbound connection
Post by: chemlud on March 15, 2017, 04:59:15 pm
In case the FW is compromised: Would you be better off by exporting your config (it's an .XML, you can check it visually for any kind of "strange" things...), import it to a fresh install and see what happens?