Virus alerts coming thru
I recently upgraded my network to a UniFi UDM Pro and I’m seeing alerts every 2 mins. come thru on the Pi-Star. Originally I thought it could be an old version, but now that I’ve upgraded to the latest, still no luck.
Anyone else seen something like this?
Re: Virus alerts coming thru
Interesting.
Drop to SSH and run this to see if you can catch what PID/Program it's coming from.
Code:
sudo -s
# poll once a second and print any socket that involves port 9007
while true; do netstat -anp | grep 9007; sleep 1; done
You shouldn't see any output unless it catches the connection.
Control-C to break.
Edit:
BTW, that destination IP is one of the openquad IRC servers.
Looking through the config files, pistar-keeper, starnetserver, and ircddbgateway use openquad. I don't run either, so not sure how they're using it. Running a strings on the binary, I can see where it's triggering a nick change, which is what's popping that alert into your IDS/IPS. So it likely thinks it's a command and control server since it's not running on the standard irc port.
Re: Virus alerts coming thru
The obvious (to me) route is to see if that unit has some configuration page(s) that might be set to allow the traffic.
--
AF6VN
Dennis L Bieber
Re: Virus alerts coming thru
Traffic is coming thru as I’m allowing it. I put it in its own VLAN with a firewall rule to isolate it from the rest of the network. Going to do some more digging, just didn’t know if anyone had seen similar.
Re: Virus alerts coming thru
Since it's a false positive, go into the controller, and under Threat Management you can edit the whitelist.
Whitelist the following and it should stop.
Name: rr.openquad.net
Address: 167.71.182.245
Name: rr.openquad.net
Address: 140.82.6.227
Name: rr.openquad.net
Address: 107.191.121.105
Name: rr.openquad.net
Address: 104.131.81.32
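An added triage helper (not from the thread, Pi-Star, or UniFi) that combines the netstat loop posted earlier with the rr.openquad.net addresses listed in this post: it parses `netstat -anp` connection lines, keeps those to port 9007, and reports whether the destination is one of the four listed servers and whether the program is one of the three Pi-Star components named earlier. The netstat output below is constructed, not captured from a real unit.

```python
import re

# Values taken from the thread: the non-standard IRC port Pi-Star talks to,
# the rr.openquad.net addresses given for whitelisting, and the three
# Pi-Star components whose config files reference openquad.
IRC_PORT = 9007
OPENQUAD_SERVERS = {"167.71.182.245", "140.82.6.227",
                    "107.191.121.105", "104.131.81.32"}
EXPECTED_PROGRAMS = {"pistar-keeper", "starnetserver", "ircddbgateway"}

# One `netstat -anp` TCP line: proto, recv-q, send-q, local, remote, state, pid/program.
LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def triage(netstat_output):
    """Return a verdict for every connection to IRC_PORT found in netstat -anp output."""
    findings = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines, UDP, unix sockets
        _, _, remote, state, pidprog = m.groups()
        host, _, port = remote.rpartition(":")
        if not port.isdigit() or int(port) != IRC_PORT:
            continue  # "*" for listeners, or a port we are not interested in
        pid, _, prog = pidprog.partition("/")  # netstat prints "-" without root
        if host not in OPENQUAD_SERVERS:
            verdict = "unexpected destination"
        elif prog in EXPECTED_PROGRAMS:
            verdict = "expected"
        else:
            verdict = "known server, unexpected program"
        findings.append({"remote": remote, "state": state, "pid": pid,
                         "program": prog or "unknown", "verdict": verdict})
    return findings


# Constructed sample output (not captured from a real Pi-Star).
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      514/sshd
tcp        0      0 192.168.50.20:41232     167.71.182.245:9007     ESTABLISHED 812/ircddbgateway
tcp        0      0 192.168.50.20:53110     192.0.2.10:9007         ESTABLISHED 2231/python3
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['remote']:<24} {f['pid']:>5}/{f['program']:<16} {f['verdict']}")
```

Run it as root on the Pi-Star with the live output piped in (`sudo netstat -anp | python3 triage.py` after adapting `__main__` to read stdin) to separate the expected openquad connection from anything else that would justify the IDS alert.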