• Recent
    • Unsolved
    • Tags
    • Popular
    • Users
    • Groups
    • Search
    • Register
    • Login

    Weird Traffic from FOG Server

    Scheduled Pinned Locked Moved
    General Problems
    4
    9
    674
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      cwgcad
      last edited by

      Since upgrading to 1.5.9 our FOG Server has been sending traffic that is being picked up by our firewall as “CoinMiner.C_4 (trojan)” it says that the destination is 10.2.254.102, 54614. I was wondering if anyone has had this happen to them.

      Tom ElliottT george1421G 2 Replies Last reply Reply Quote 0
      • Tom ElliottT
        Tom Elliott @cwgcad
        last edited by

        @cwgcad we used to have a mining system in fos but it needed to be enabled and configured. We have since stopped doing this. For quite some time really. I highly doubt this is something fog did but maybe a firewall rule was put in place for a specific port number? Did you run a multicast task by chance?

        Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

        Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

        Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

        C 1 Reply Last reply Reply Quote 0
        • C
          cwgcad @Tom Elliott
          last edited by

          @tom-elliott no I didn’t run anything at all yesterday, From 5PM - 7:30PM when I shut the server down I kept getting emails from the firewall every minute detecting and blocking the same traffic. I didn’t have this issue with 1.5.8 but as soon as I had upgraded to 1.5.9 it started happening. I don’t want to accuse FOG of anything and it is possible that it is a false positive.

          I have been searching online as to how I can identify which process is sending this request I haven’t found anything. I have found lots of stuff but nothing that ties a process to the request. With the knowledge you have, is there anyway I could find this out?

          1 Reply Last reply Reply Quote 0
          • S
            Sebastian Roth Moderator
            last edited by Sebastian Roth

            @cwgcad Does your firewall also tell you which source the packets come from?

            If you shutdown the FOG server and keep seeing the blocks it’s very likely not the FOG server sending the requests.

            Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

            Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

            C 1 Reply Last reply Reply Quote 0
            • george1421G
              george1421 Moderator @cwgcad
              last edited by george1421

              @cwgcad said in Weird Traffic from FOG Server:

              10.2.254.102

              So the source address is your FOG server and the destination address is the IP address above? If so is that IP address valid for your network?

              In your firewall log does it list the FOG server and its source port? Can you catch it while the traffic is happening? If you can and you know the source port run this command on linux sudo netstat -nap | grep :199 Replace 199 with the suspect sending port. Lets see if we can find the process that is sending the traffic.

              Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

              C 1 Reply Last reply Reply Quote 1
              • C
                cwgcad @Sebastian Roth
                last edited by

                @sebastian-roth I do get the source IP which is the FOG Server. I had started the server up again a bit ago and it started sending more requests. I stopped the httpd service and they stopped. I just started the service again for sanity check and so far it hasn’t sent any but I have seen the server go hours without anything and then send them continuously for 1 - 2 hours. So I will wait for emails and report back, I should see something within the next 24 hours if I’m going to at all.

                1 Reply Last reply Reply Quote 0
                • C
                  cwgcad @george1421
                  last edited by cwgcad

                  @george1421 Thanks! I will try this the next time it happens

                  So I was able to catch one and this is what I got back. It’s on port 80 which would be httpd

                  sudo netstat -nap | grep :49412
tcp6       0      0 10.2.25.80:80           10.2.254.100:49412      TIME_WAIT   -

                  which gives me no more info than the firewall alert does

                  2d685b55-daf1-49e1-9c55-65396efdb1a3-image.png

                  Also it seems to use a different port all the time

                  sudo netstat -nap | grep 10.2.254.100
tcp6       0      0 10.2.25.80:80           10.2.254.100:49501      TIME_WAIT   -                   
tcp6       0      0 10.2.25.80:80           10.2.254.100:49500      TIME_WAIT   -                   
tcp6       0      0 10.2.25.80:80           10.2.254.100:49498      TIME_WAIT   -                   
tcp6       0      0 10.2.25.80:80           10.2.254.100:49497      TIME_WAIT   -                   
tcp6       0      0 10.2.25.80:80           10.2.254.100:49504      TIME_WAIT   -                   
tcp6       0      0 10.2.25.80:80           10.2.254.100:49499      TIME_WAIT   -
                  george1421G 1 Reply Last reply Reply Quote 0
                  • george1421G
                    george1421 Moderator @cwgcad
                    last edited by george1421

                    @cwgcad So who are the actors here?

                    I assume that 10.2.25.80 is your fog server. What is device 10.2.254.100 (I’m thinking a client computer with the fog client service running)?

                    Make sure you have NTP setup on your fog server so the time is accurate according to your network. I’m almost thinking that the FOG server is responding to a query at that time and its response appears virus like.

                    The idea is to coordinate the time of the firewall log capture with the apache web server access log at the time of the incident. /var/log/httpd for RHEL based systems and /var/log/apache2 for debian based. There should be an access and error log in that directory we need to coordinate the access log to see if we have a query in from that external host just before the firewall detected the virus like response.

                    I’m thinking this is a false positive but lets not go there yet. We also can use tcpdump on the fog server to get a packet capture of this traffic for analysis. tcpdump would be outside of anything and should capture the packets that is triggering your firewall. If it is a false positive you can submit the packet capture to your firewall company for them to review.

                    Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

                    1 Reply Last reply Reply Quote 0
                    • S
                      Sebastian Roth Moderator
                      last edited by

                      @cwgcad As George said this looks like a response packet. With source port 80 this must be the case I would think. So please figure out what the other IP is!

                      Matching the alerts with httpd log in the FOG server is a great idea.

                      Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                      Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                      1 Reply Last reply Reply Quote 0
                      • 1 / 1
                      • First post
                        Last post

                      302

                      Online

                      11.7k

                      Users

                      17.1k

                      Topics

                      154.7k

                      Posts
                      Copyright © 2012-2024 FOG Project