Security Question - UDP Connection Attempts To Firewall

Hi everyone,

I'm seeing this when I run tcpdump -n -i [int] on my firewall.

08:28:50.999054 IP 93.123.3.58.42344 > 72.x.x.x.27333: UDP, length 98
08:28:51.185180 IP 93.123.3.58.42344 > 72.x.x.x.27333: UDP, length 98

This happens all day all the time. However, I do not see any traffic from my IP responding to it nor do I see any other type of suspicious traffic.

My thoughts are the following:

I'm guessing that the IP is some sort of zombie PC trying to establish a connection back. From time to time, I'm seeing these attempts from different IPs as well.

08:35:01.021527 IP 85.98.188.236.10301 > 72.x.x.x.32701: UDP, length 35

08:39:15.916282 IP 218.10.111.106.12200 > 72.x.x.x.8090: S 13902953:13902953(0) win 8192

My roommate's PC had a trojan on it, which I noticed by running the command shown earlier. I cleaned the PC and the suspicious traffic stopped at the firewall, except for what is displayed above.

I'll create a simple pf block statement to deny these IPs, but I was curious to know if the information above indicates some sort of compromise on my firewall.

Could someone point me to a good security posting or online article on investigating security breaches, or even a good book for understanding these processes on a FreeBSD system?

Here's a copy of the current processes on my system.
CPE00173fcefd1a-CM001868522afe# ps -aux
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 11 99.0 0.0 0 8 ?? RL Sun08PM 7871:04.35 [idle: cpu
root 0 0.0 0.0 0 0 ?? WLs Sun08PM 0:00.00 [swapper]
root 1 0.0 0.1 1888 272 ?? ILs Sun08PM 0:00.02 /sbin/init
root 2 0.0 0.0 0 8 ?? DL Sun08PM 0:13.88 [g_event]
root 3 0.0 0.0 0 8 ?? DL Sun08PM 0:21.65 [g_up]
root 4 0.0 0.0 0 8 ?? DL Sun08PM 0:31.84 [g_down]
root 5 0.0 0.0 0 8 ?? DL Sun08PM 0:00.00 [xpt_thrd]
root 6 0.0 0.0 0 8 ?? DL Sun08PM 0:00.00 [kqueue ta
root 7 0.0 0.0 0 8 ?? DL Sun08PM 0:00.00 [acpi_task
root 8 0.0 0.0 0 8 ?? DL Sun08PM 0:00.00 [acpi_task
root 9 0.0 0.0 0 8 ?? DL Sun08PM 0:00.00 [acpi_task
root 10 0.0 0.0 0 8 ?? DL Sun08PM 0:00.00 [audit]
root 12 0.0 0.0 0 8 ?? WL Sun08PM 0:00.01 [swi1: net
root 13 0.0 0.0 0 8 ?? WL Sun08PM 6:23.62 [swi4: clo
root 14 0.0 0.0 0 8 ?? WL Sun08PM 0:00.00 [swi3: vm]
root 15 0.0 0.0 0 8 ?? DL Sun08PM 0:15.35 [yarrow]
root 16 0.0 0.0 0 8 ?? WL Sun08PM 0:00.00 [swi2: cam
root 17 0.0 0.0 0 8 ?? WL Sun08PM 0:00.00 [swi5: +]
root 18 0.0 0.0 0 8 ?? DL Sun08PM 0:00.00 [thread ta
root 19 0.0 0.0 0 8 ?? WL Sun08PM 0:00.00 [swi6: Gia
root 20 0.0 0.0 0 8 ?? WL Sun08PM 0:00.00 [swi6: tas
root 21 0.0 0.0 0 8 ?? WL Sun08PM 0:00.00 [irq9: acp
root 22 0.0 0.0 0 8 ?? WL Sun08PM 0:10.55 [irq20: fx
root 23 0.0 0.0 0 8 ?? WL Sun08PM 0:22.98 [irq16: rl
root 24 0.0 0.0 0 8 ?? WL Sun08PM 0:27.33 [irq22: rl
root 25 0.0 0.0 0 8 ?? WL Sun08PM 0:10.03 [irq14: at
root 26 0.0 0.0 0 8 ?? WL Sun08PM 0:00.00 [irq15: at
root 27 0.0 0.0 0 8 ?? WL Sun08PM 0:00.00 [irq19: uh
root 28 0.0 0.0 0 8 ?? DL Sun08PM 0:00.03 [usb0]
root 29 0.0 0.0 0 8 ?? DL Sun08PM 0:00.00 [usbtask-h
root 30 0.0 0.0 0 8 ?? DL Sun08PM 0:00.00 [usbtask-d
root 31 0.0 0.0 0 8 ?? WL Sun08PM 0:00.00 [irq23: uh
root 32 0.0 0.0 0 8 ?? DL Sun08PM 0:00.04 [usb1]
root 33 0.0 0.0 0 8 ?? DL Sun08PM 0:40.73 [acpi_ther
root 34 0.0 0.0 0 8 ?? WL Sun08PM 0:00.00 [irq1: atk
root 35 0.0 0.0 0 8 ?? DL Sun08PM 0:01.53 [fdc0]
root 36 0.0 0.0 0 8 ?? WL Sun08PM 0:00.00 [swi0: sio
root 37 0.0 0.0 0 8 ?? WL Sun08PM 0:00.00 [irq7: ppb
root 38 0.0 0.0 0 16 ?? DL Sun08PM 0:00.00 [sctp_iter
root 39 0.0 0.0 0 8 ?? DL Sun08PM 0:02.67 [pfpurge]
root 40 0.0 0.0 0 8 ?? DL Sun08PM 0:00.59 [pagedaemo
root 41 0.0 0.0 0 8 ?? DL Sun08PM 0:00.00 [vmdaemon]
root 42 0.0 0.0 0 8 ?? DL Sun08PM 0:00.01 [pagezero]
root 43 0.0 0.0 0 8 ?? DL Sun08PM 0:02.18 [bufdaemon
root 44 0.0 0.0 0 8 ?? DL Sun08PM 0:04.73 [vnlru]
root 45 0.0 0.0 0 8 ?? DL Sun08PM 4:39.24 [syncer]
root 46 0.0 0.0 0 8 ?? DL Sun08PM 0:06.73 [softdepfl
root 47 0.0 0.0 0 8 ?? DL Sun08PM 0:26.67 [schedcpu]
root 159 0.0 0.2 1356 588 ?? Is Sun08PM 0:00.00 adjkerntz
root 617 0.0 0.4 3316 992 ?? Is Sun08PM 0:00.01 pflogd: [p
_pflogd 622 0.0 0.4 3316 1072 ?? S Sun08PM 0:12.72 pflogd: [r
root 853 0.0 0.2 1888 420 ?? Is Sun08PM 0:00.00 /sbin/devd
root 903 0.0 0.4 3156 872 ?? Ss Sun08PM 0:06.18 /usr/sbin/
root 1032 0.0 0.8 5616 2100 ?? Is Sun08PM 0:00.03 /usr/sbin/
root 1042 0.0 0.4 3184 980 ?? Is Sun08PM 0:02.23 /usr/sbin/
_dhcp 1283 0.0 0.4 3104 1020 ?? Ss Sun08PM 0:01.19 dhclient:
root 76295 0.0 1.2 8384 2948 ?? Is 8:11AM 0:00.12 sshd: fire
firewalluser 76299 0.0 1.2 8384 2928 ?? S 8:12AM 0:00.10 sshd: fire
root 63396 0.0 0.3 3156 824 v0 Is+ Tue06PM 0:00.01 /usr/libex
root 1086 0.0 0.3 3156 820 v1 Is+ Sun08PM 0:00.00 /usr/libex
root 1087 0.0 0.3 3156 820 v2 Is+ Sun08PM 0:00.00 /usr/libex
root 1088 0.0 0.3 3156 820 v3 Is+ Sun08PM 0:00.00 /usr/libex
root 1089 0.0 0.3 3156 820 v4 Is+ Sun08PM 0:00.00 /usr/libex
root 1090 0.0 0.3 3156 820 v5 Is+ Sun08PM 0:00.00 /usr/libex
root 1091 0.0 0.3 3156 820 v6 Is+ Sun08PM 0:00.00 /usr/libex
root 1092 0.0 0.3 3156 820 v7 Is+ Sun08PM 0:00.00 /usr/libex
root 1258 0.0 0.4 3104 936 p0- I Sun08PM 0:00.01 dhclient:
firewalluser 76301 0.0 0.5 3456 1284 p0 Is 8:12AM 0:00.01 -sh (sh)
root 76303 0.0 0.5 3592 1336 p0 I 8:12AM 0:00.02 su -
root 76304 0.0 0.9 4452 2116 p0 S 8:12AM 0:00.04 -su (csh)
root 76375 0.0 0.3 3220 840 p0 R+ 8:45AM 0:00.00 ps -aux

The sshd connection is me connected remotely to the box.

Thanks for reading.

Joe
 
mamoser6969 said:
I'll create a simple pf block statement to deny these IPs, but I was curious to know if the information above indicates some sort of compromise on my firewall.
There's nothing indicating that your firewall has been breached.

The simplest solution is to block all incoming connections. If you're not running any services this won't be a problem.

The UDP packets and the TCP to port 8090 look like BitTorrent traffic. If you have run a BitTorrent client but stopped it, the other torrent clients in the network will still try to connect. It'll take a while for the other clients to notice your torrent client isn't there anymore.
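As an added example, not configuration taken from the thread, here is a minimal /etc/pf.conf that does what the reply above recommends: default-deny inbound on the outside interface, stateful pass for what the firewall and the LAN originate, an exception for the remote SSH session the poster mentions, and a persistent table for the addresses the poster intends to block. The interface names rl0/fxp0 and the LAN prefix are assumptions; the ps listing only shows rl and fxp drivers, not which one faces the Internet.

```pf
# /etc/pf.conf (added example; interface names and LAN prefix are assumed)
ext_if  = "rl0"             # assumption: the Internet-facing interface
int_if  = "fxp0"            # assumption: the LAN-facing interface
lan_net = "192.168.1.0/24"  # assumption: the LAN prefix behind the firewall

# Addresses to refuse outright; one address per line in the file, and the
# table survives a ruleset reload because of "persist".
table <droplist> persist file "/etc/pf.droplist"

set skip on lo0
scrub in on $ext_if all

# Drop the listed sources before anything else can match them.
block in quick on $ext_if from <droplist> to any

# Default deny inbound on the outside, logged so the drops can be reviewed
# with: tcpdump -n -e -ttt -r /var/log/pflog  (pflogd is already running
# in the poster's process list).
block in log on $ext_if all

# Let the firewall and the LAN reach out; "keep state" lets the replies
# back in without any "pass in" rule for them.
pass out on $ext_if all keep state
pass in  on $int_if from $lan_net to any keep state

# The one inbound service actually in use: the remote SSH session.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state
```

Syntax-check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and add an address to the table at runtime with `pfctl -t droplist -T add 93.123.3.58` (that only updates the running table; put the address in /etc/pf.droplist as well if it should survive a reboot). Because pf evaluates the last matching rule unless a rule says `quick`, the `pass in ... port 22` line overrides the default `block in` for SSH, while the `quick` droplist rule wins for listed sources even on port 22.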
 
Two things:
  1. Use sysutils/pftop to see connections in realtime. This will show you if the UDP traffic is really locally generated.
  2. Check sockstat -4l to see if there's a local program listening on the UDP ports you're worried about.
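As an added example (not a script from the thread), the following POSIX sh implements the check in item 2 above: it takes the destination ports out of tcpdump lines and compares them with the listening sockets `sockstat -4l` reports, so a packet is only flagged as interesting if a local process actually listens on that port. The sockstat output embedded below is constructed, not from the poster's box; the three packets are the ones quoted in the original post. The function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread): cross-check the destination ports seen by
# tcpdump against what `sockstat -4l` says is actually listening on the firewall.
# A packet to a port with no local listener is just noise hitting the box;
# a port that IS listened on, by a process you don't recognise, is worth a look.

# Constructed sample of `sockstat -4l` output; not taken from the original post.
SOCKSTAT_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       903   3  tcp4   *:22                  *:*
_dhcp    dhclient   1283  3  udp4   *:68                  *:*
root     syslogd    1042  4  udp4   *:514                 *:*'

# The three packets quoted in the post (destination host masked as in the post).
TCPDUMP_SAMPLE='08:28:50.999054 IP 93.123.3.58.42344 > 72.x.x.x.27333: UDP, length 98
08:35:01.021527 IP 85.98.188.236.10301 > 72.x.x.x.32701: UDP, length 35
08:39:15.916282 IP 218.10.111.106.12200 > 72.x.x.x.8090: S 13902953:13902953(0) win 8192'

# stdin: sockstat -4l output.  stdout: one "proto port" line per listening socket.
listeners() {
    awk 'NR > 1 && ($5 == "udp4" || $5 == "tcp4") {
            n = split($6, a, ":")            # "*:22" -> the port is the last piece
            print substr($5, 1, 3), a[n]
         }'
}

# stdin: tcpdump -n output.  stdout: one "proto srcip dstport" line per packet.
# The post's tcpdump prints "UDP," in field 6 for UDP; anything else is treated
# as TCP (old tcpdump prints the flag letter, e.g. "S", newer ones "Flags [S]").
packets() {
    awk '$2 == "IP" && $4 == ">" {
            n = split($3, s, "."); src = s[1] "." s[2] "." s[3] "." s[4]
            dst = $5; sub(/:$/, "", dst)
            m = split(dst, d, "."); port = d[m]
            proto = ($6 == "UDP,") ? "udp" : "tcp"
            print proto, src, port
         }'
}

# $1: tcpdump output, $2: sockstat -4l output.
# Prints "proto srcip dstport" for every packet whose destination port has no listener.
unmatched() {
    lst=$(printf '%s\n' "$2" | listeners)
    printf '%s\n' "$1" | packets | while read -r proto src port; do
        printf '%s\n' "$lst" | grep -qx "$proto $port" || echo "$proto $src $port"
    done
}

# Unique source addresses of the unmatched packets, one per line: the format a
# pf "table <name> file" expects, so the list can be fed straight to a block rule.
pf_table() {
    unmatched "$1" "$2" | awk '{ print $2 }' | sort -u
}

# Sample run: nothing listens on 27333, 32701 or 8090, so all three lines print.
unmatched "$TCPDUMP_SAMPLE" "$SOCKSTAT_SAMPLE"
```

On the firewall itself, replace the two samples with live output, for example `unmatched "$(tcpdump -n -i rl0 -c 200 2>/dev/null)" "$(sockstat -4l)"` (interface name assumed). Anything that is not reported is a packet aimed at a port a local process does listen on, which is the case to investigate; the unmatched ones are exactly the stale-peer traffic the replies above describe, and `pf_table` turns their sources into a list a pf block rule can consume.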
 
Thanks for the advice. I will install pftop and check the output of the sockstat command.

Do you recommend any books for FreeBSD security?
 
danger@ said:
does it cover MAC by any chance?

Are you asking about the book?

If so, I remember a fleeting mention of MAC. At the time of the writing it was "experimental", and the book focuses on both FBSD and OBSD.

(In other words, I don't recall reading much about MAC there.)
 
Sorry to hijack this thread further, but... My understanding is that MAC (Mandatory Access Controls) is still somewhat considered experimental. It should be ready for prime time with 8.0 and possibly even enabled by default.
 