OPNsense Forum » Archive » 16.7 Legacy Series
Which FW process is associated with which outbound connection
Topic: Which FW process is associated with which outbound connection (Read 8181 times)
JohnDoe17 (Newbie, Posts: 40, Karma: 5)
Which FW process is associated with which outbound connection
« on: March 14, 2017, 04:22:35 pm »
Does anyone know of a reason why the *FW* might be making connections to the following Twitter-controlled IPs:
104.244.42.194 and 104.244.42.2 on port 443? It is happening pretty much constantly...
Is there a command I can run on the FW that will link those outbound connections to a process? lsof doesn't seem to be present and I can't figure out the right netstat command to do it...
If the FW is somehow participating in a DDoS, I want to know!
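One way to answer the question asked in this post, as an added example that is not part of the original thread and not OPNsense code: OPNsense runs on FreeBSD, which has no lsof in the base system, but it does ship sockstat(1). `sockstat -4 -c` prints every connected IPv4 socket together with the owning USER, COMMAND and PID, which is exactly the mapping asked for. The script below parses that output and reports which processes hold sockets to a set of suspect addresses; the SAMPLE text, process names, PIDs and addresses in it are constructed for offline use, not real output from the poster's firewall.

```python
"""Link outbound connections on an OPNsense (FreeBSD) box to the owning process.

Added example, not code from the forum thread or from OPNsense. On the
firewall itself you would pipe real sockstat output in:

    sockstat -4 -c | python3 sockstat_triage.py 104.244.42.194 104.244.42.2

Run with no stdin (interactive terminal), the script uses the constructed
SAMPLE below instead.
"""
import sys
from collections import defaultdict

# Constructed sample in the column layout of `sockstat -4 -c`
# (USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS).
# Not real output; process names, PIDs and addresses are made up.
SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     openvpn    4711  5  udp4   192.0.2.10:40123      198.51.100.7:1194
root     perl       5120  7  tcp4   192.0.2.10:52240      104.244.42.194:443
root     perl       5120  8  tcp4   192.0.2.10:52241      104.244.42.2:443
root     lighttpd   1234  4  tcp4   192.168.1.1:443       192.168.1.50:61002
unbound  unbound    2231  9  udp4   192.0.2.10:53882      9.9.9.9:53
"""


def parse_sockstat(text):
    """Yield one dict per connected socket line of `sockstat -4 -c` output.

    Sockets without a peer (foreign address shown as '*:*') are skipped.
    """
    for line in text.splitlines()[1:]:        # line 0 is the column header
        parts = line.split()
        if len(parts) < 7:
            continue                           # blank or malformed line
        user, command, pid, fd, proto, local, foreign = parts[:7]
        if foreign.startswith("*"):
            continue
        ip, port = foreign.rsplit(":", 1)
        yield {"user": user, "command": command, "pid": pid, "fd": fd,
               "proto": proto, "local": local,
               "foreign_ip": ip, "foreign_port": port}


def processes_talking_to(text, suspect_ips):
    """Map (pid, command, user) -> list of 'ip:port' peers for every socket
    whose foreign IP is in suspect_ips. Empty dict if no local process owns
    such a socket."""
    hits = defaultdict(list)
    for s in parse_sockstat(text):
        if s["foreign_ip"] in suspect_ips:
            key = (s["pid"], s["command"], s["user"])
            hits[key].append(f'{s["foreign_ip"]}:{s["foreign_port"]}')
    return dict(hits)


def main(argv):
    suspects = set(argv[1:]) or {"104.244.42.194", "104.244.42.2"}
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    hits = processes_talking_to(text, suspects)
    if not hits:
        print("no process on this host owns a socket to",
              ", ".join(sorted(suspects)))
        print("-> traffic is probably forwarded/NATed through the box;"
              " check `pfctl -ss` and tcpdump on the inside interfaces")
        return 1
    for (pid, command, user), peers in sorted(hits.items()):
        print(f"PID {pid} ({command}, user {user}) -> {', '.join(peers)}")
        print(f"   inspect with: ps -o pid,ppid,user,command -p {pid};"
              f" procstat -f {pid}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two caveats belong with this. sockstat only lists sockets owned by a userland process on the firewall, so packets merely forwarded or NATed through the box (from a LAN host, or from the far end of an OpenVPN tunnel) never show up there; for those, the pf state table (`pfctl -ss`) and a `tcpdump -ni <interface>` on the inside interfaces tell you where the flows actually originate. And a bare SYN flood sent with raw sockets or from below the socket layer will not appear in sockstat either, so an empty result is not proof the host is clean.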
chemlud (Hero Member, Posts: 2486, Karma: 112)
Re: Which FW process is associated with which outbound connection
« Reply #1 on: March 14, 2017, 04:53:52 pm »
I have an OPNsense box here (no clients currently on LAN), coupled via WAN to another router. The only traffic I see is DNS (sometimes to Microsoft nameservers within an IP range blocked due to telemetry....). Nuffin else :-)
Will have a look for the domains OPNsense is trying to resolve...
Done:
Captured 100 DNS packets from the WAN of the OPNsense box (again: no clients on LAN, OPT etc.); here are some of the things the box is trying to resolve:
1 2017-03-14 15:52:52.013467 10.0.2.4 23.61.199.131 DNS 121 Standard query 0xe400 A co4.telecommand.telemetry.microsoft.com.akadns.net OPT
2 2017-03-14 15:52:52.013629 10.0.2.4 193.108.88.128 DNS 96 Standard query 0xcb85 A i.s1.social.ms.akadns.net OPT
30 2017-03-14 15:52:52.031014 10.0.2.4 95.100.168.130 DNS 114 Standard query 0x5dea A modern.watson.data.microsoft.com.akadns.net OPT
37 2017-03-14 15:52:52.035629 10.0.2.4 95.100.168.130 DNS 111 Standard query 0xfba1 A diagnostics.support.microsoft.akadns.net OPT
46 2017-03-14 15:52:52.042214 10.0.2.4 193.108.88.128 DNS 97 Standard query 0xb1b7 A siweb.microsoft.akadns.net OPT
67 2017-03-14 15:52:52.057924 10.0.2.4 4.23.39.155 DNS 100 Standard query 0x197b A t.urs.microsoft.com.nsatc.net OPT
73 2017-03-14 15:52:52.061795 10.0.2.4 184.26.160.131 DNS 122 Standard query 0x9cd7 A asimov-sandbox.vortex.data.microsoft.com.akadns.net OPT
74 2017-03-14 15:52:52.062276 10.0.2.4 213.73.91.35 DNS 84 Standard query 0xc2a3 A telemetry.appex.bing.net
75 2017-03-14 15:52:52.063585 10.0.2.4 4.23.39.155 DNS 106 Standard query 0xdfe4 A statsfe2.ws.microsoft.com.nsatc.net OPT
96 2017-03-14 15:52:52.086428 10.0.2.4 95.100.168.130 DNS 111 Standard query 0x4026 A oca.watson.data.microsoft.com.akadns.net OPT
99 2017-03-14 15:52:52.088605 10.0.2.4 95.100.173.129 DNS 117 Standard query 0xa9c5 A sandbox.settings.data.microsoft.com.akadns.net OPT
...no idea what that means...
« Last Edit: March 14, 2017, 05:16:54 pm by chemlud »
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
felix eichhorn's premium cat food with the extra portion of energy
A router is not a switch - A router is not a switch - A router is not a switch - A rou....
JohnDoe17 (Newbie, Posts: 40, Karma: 5)
Re: Which FW process is associated with which outbound connection
« Reply #2 on: March 14, 2017, 07:14:02 pm »
Well, it looks like the VPN server I had connected to the FW was compromised. I had the FW configured as an OpenVPN client to this compromised VPN server. I disabled the VPN connection on the FW, but the FW still looks like it is spewing SYN packets (DDoS) to Twitter IP addresses.
Is it possible the attackers were able to use the VPN tunnel to compromise the FW itself?
I really need a tool that I can use that maps the outbound connection from the FW to a process *on* the FW.
Can anyone help?
chemlud (Hero Member, Posts: 2486, Karma: 112)
Re: Which FW process is associated with which outbound connection
« Reply #3 on: March 15, 2017, 04:59:15 pm »
In case the FW is compromised: would you be better off exporting your config (it's an XML file; you can check it visually for any kind of "strange" things...), importing it into a fresh install and seeing what happens?
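The "check it visually" step from this reply, turned into a checklist, as an added example that is neither the poster's nor the OPNsense project's code: the script walks an exported config.xml and lists every element whose value can execute code or grant access (boot-time shell commands, OpenVPN custom options, SSH authorized keys, cron commands), and can diff a known-good backup against the current export so only new or changed entries need reading. The tag names in WATCH_TAGS and the cron path in the sample are assumptions based on the pfSense-style layout OPNsense inherited; compare them against your own export. Both XML documents below are constructed for the example.

```python
"""Triage an exported OPNsense config.xml before importing it on a fresh install.

Added example, not from the forum thread or the OPNsense project. Usage on
real exports:

    python3 config_triage.py config.xml              # list everything worth a look
    python3 config_triage.py backup.xml config.xml   # only entries new since backup

With no arguments it runs on the constructed samples below.
"""
import xml.etree.ElementTree as ET

# Assumed tag names worth reading by hand; adjust to match your export.
WATCH_TAGS = {
    "earlyshellcmd": "command run early during boot",
    "shellcmd": "command run at the end of boot",
    "custom_options": "raw OpenVPN directives; can pull in up/down scripts",
    "authorizedkeys": "SSH public key granted to a user (may be base64)",
    "command": "scheduled (cron) command",
}

# Constructed "current" export: contains entries a reviewer should notice.
CURRENT_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <system>
    <hostname>fw</hostname>
    <user>
      <name>root</name>
      <authorizedkeys>CONSTRUCTED-KEY-MATERIAL</authorizedkeys>
    </user>
    <earlyshellcmd>/usr/local/bin/helper.sh</earlyshellcmd>
  </system>
  <openvpn>
    <openvpn-client>
      <vpnid>1</vpnid>
      <server_addr>vpn.example.net</server_addr>
      <custom_options>script-security 2;up /tmp/.up.sh</custom_options>
    </openvpn-client>
  </openvpn>
  <OPNsense>
    <cron>
      <jobs>
        <job><command>/tmp/.sync.sh</command><minutes>*</minutes></job>
      </jobs>
    </cron>
  </OPNsense>
</opnsense>
"""

# Constructed "known-good" backup of the same box, taken before the trouble.
BASELINE_CONFIG = """<opnsense>
  <system>
    <hostname>fw</hostname>
    <user><name>root</name></user>
  </system>
  <openvpn>
    <openvpn-client>
      <vpnid>1</vpnid>
      <server_addr>vpn.example.net</server_addr>
    </openvpn-client>
  </openvpn>
</opnsense>
"""


def scan_config(xml_text):
    """Return [(path, tag, value)] for every WATCH_TAGS element with a value.
    path is the slash-joined chain of tags from the root element."""
    root = ET.fromstring(xml_text)
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        value = (elem.text or "").strip()
        if elem.tag in WATCH_TAGS and value:
            findings.append((here, elem.tag, value))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


def new_entries(baseline_xml, current_xml):
    """Findings present in current_xml but absent from baseline_xml, compared
    by (path, value) so a changed value in an existing entry shows up too."""
    seen = {(p, v) for p, _, v in scan_config(baseline_xml)}
    return [f for f in scan_config(current_xml) if (f[0], f[2]) not in seen]


def report(findings):
    for path, tag, value in findings:
        print(f"{path}\n    {WATCH_TAGS[tag]}: {value}")


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        base, cur = (open(p).read() for p in sys.argv[1:3])
        report(new_entries(base, cur))
    elif len(sys.argv) == 2:
        report(scan_config(open(sys.argv[1]).read()))
    else:
        print("== everything worth a look in CURRENT_CONFIG ==")
        report(scan_config(CURRENT_CONFIG))
        print("== new since BASELINE_CONFIG ==")
        report(new_entries(BASELINE_CONFIG, CURRENT_CONFIG))
```

The diff mode is the useful one when a box may have been tampered with: a config that has grown an early shell command or an OpenVPN `up` script since the last good backup is exactly the kind of "strange thing" that would survive a reinstall if the export were imported unread. Anything the script flags still has to be judged by hand; it only narrows the reading.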