    cwgcad

    @cwgcad

    0
    Reputation
    1
    Profile views
    4
    Posts
    0
    Followers
    0
    Following
    Joined Last Online

    cwgcad Unfollow Follow

    Latest posts made by cwgcad

    • RE: Weird Traffic from FOG Server

      @george1421 Thanks! I will try this the next time it happens

      So I was able to catch one and this is what I got back. It’s on port 80, which would be httpd.

      sudo netstat -nap | grep :49412
      tcp6       0      0 10.2.25.80:80           10.2.254.100:49412      TIME_WAIT   -

      Which gives me no more info than the firewall alert does.

      Also, it seems to use a different port all the time.

      sudo netstat -nap | grep 10.2.254.100
      tcp6       0      0 10.2.25.80:80           10.2.254.100:49501      TIME_WAIT   -
      tcp6       0      0 10.2.25.80:80           10.2.254.100:49500      TIME_WAIT   -
      tcp6       0      0 10.2.25.80:80           10.2.254.100:49498      TIME_WAIT   -
      tcp6       0      0 10.2.25.80:80           10.2.254.100:49497      TIME_WAIT   -
      tcp6       0      0 10.2.25.80:80           10.2.254.100:49504      TIME_WAIT   -
      tcp6       0      0 10.2.25.80:80           10.2.254.100:49499      TIME_WAIT   -
      posted in General Problems
      cwgcad
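      The netstat rows above show `-` in the PID column because a TIME_WAIT socket has already been released by its process; the owner is only visible on the LISTEN or ESTABLISHED socket for the same local port, and a local port of 80 means the 10.2.254.100 side opened the connection to the web server, not the reverse. As an added example (not from this thread or from FOG), a small Python parser that applies both readings to constructed rows shaped like the ones posted:

```python
from collections import Counter
# Constructed sample shaped like the `sudo netstat -nap` output posted above, reusing
# its addresses; the LISTEN/ESTABLISHED rows and the last row are invented for illustration.
SAMPLE_NETSTAT = """\
tcp6       0      0 :::80                   :::*                    LISTEN      1234/httpd
tcp6       0      0 10.2.25.80:80           10.2.254.100:49498      ESTABLISHED 1234/httpd
tcp6       0      0 10.2.25.80:80           10.2.254.100:49500      TIME_WAIT   -
tcp6       0      0 10.2.25.80:80           10.2.254.100:49501      TIME_WAIT   -
tcp6       0      0 10.2.25.80:43210        10.2.254.102:54614      TIME_WAIT   -
"""

def split_addr(addr):
    host, _, port = addr.rpartition(":")  # last colon, so ':::80' keeps its port
    return host, port

def parse_netstat(text):
    """One dict per TCP row; UDP rows have no state column and are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or not f[0].startswith("tcp"):
            continue
        lhost, lport = split_addr(f[3])
        rhost, rport = split_addr(f[4])
        _pid, _, prog = f[6].partition("/")  # '-' means no owning process
        rows.append({"local_host": lhost, "local_port": lport, "remote_host": rhost,
                     "remote_port": rport, "state": f[5], "program": prog or None})
    return rows

def direction(row, listen_ports):
    """Local port is one we LISTEN on, so the peer opened the connection: inbound."""
    return "inbound" if row["local_port"] in listen_ports else "outbound"

def summarize_peer(rows, peer):
    """Sockets with this peer counted by direction and state, plus any owners seen."""
    listen = {r["local_port"] for r in rows if r["state"] == "LISTEN"}
    mine = [r for r in rows if r["remote_host"] == peer]
    return {"directions": Counter(direction(r, listen) for r in mine),
            "states": Counter(r["state"] for r in mine),
            "programs": sorted({r["program"] for r in mine if r["program"]})}

def owner_of_port(rows, port):
    """TIME_WAIT rows never name a process; read it off LISTEN/ESTABLISHED instead."""
    return next((r["program"] for r in rows
                 if r["local_port"] == port and r["program"]), None)

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print(summarize_peer(rows, "10.2.254.100"), owner_of_port(rows, "80"))
```

      On a live host the same functions can be fed the output of `netstat -nap` (or `ss -tanp`, after adjusting the column positions) to see which of a flagged peer's sockets were accepted by a listener and which were opened locally.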
    • RE: Weird Traffic from FOG Server

      @sebastian-roth I do get the source IP, which is the FOG Server. I had started the server up again a bit ago and it started sending more requests. I stopped the httpd service and they stopped. I just started the service again for a sanity check and so far it hasn’t sent any, but I have seen the server go hours without anything and then send them continuously for 1 - 2 hours. So I will wait for emails and report back; I should see something within the next 24 hours if I’m going to at all.

      posted in General Problems
      cwgcad
    • RE: Weird Traffic from FOG Server

      @tom-elliott No, I didn’t run anything at all yesterday. From 5PM to 7:30PM, when I shut the server down, I kept getting emails from the firewall every minute detecting and blocking the same traffic. I didn’t have this issue with 1.5.8, but as soon as I had upgraded to 1.5.9 it started happening. I don’t want to accuse FOG of anything, and it is possible that it is a false positive.

      I have been searching online for how I can identify which process is sending this request, but I haven’t found anything. I have found lots of stuff, but nothing that ties a process to the request. With the knowledge you have, is there any way I could find this out?

      posted in General Problems
      cwgcad
    • Weird Traffic from FOG Server

      Since upgrading to 1.5.9, our FOG Server has been sending traffic that is being picked up by our firewall as “CoinMiner.C_4 (trojan)”; it says that the destination is 10.2.254.102, 54614. I was wondering if anyone has had this happen to them.

      posted in General Problems
      cwgcad