Jayrads, posted March 10, 2023 (edited)

Hey all,

Just wondering if I should be concerned with this. Yesterday, I noticed that my UnRAID server (6.11.3) was maxing out my upload bandwidth. This went on for a few hours until I rebooted my server. After digging into it a bit, I noticed a lot of connections to what DNS says is visit.keznews.com. The IP address is 46.8.8.100, which appears to host 48,000+ domains. Not really helpful.

I ran iftop and netstat commands and found a bunch of connections (both from my GUI port and also via SSH). These connections are always connected. I shut down all of my Dockers and VMs, so it doesn't look like it's coming from one of those. This leads me to believe it's a plugin.

Attached is a screenshot of the output from iftop, netstat and a list of my currently installed plugins. Are there any other commands I can run to figure out what's causing this traffic, and should I be concerned?

Thank you,
Jarred

Edited March 10, 2023 by Jayrads: added UnRAID version
pidg30n, posted April 17, 2023

Yeah, that is quite concerning. Sad also that you had no replies.

Set yourself up with a pfSense. Stop trusting that machine for now. Add Snort, and subscribe to some Snort rule sets. Tune your security. Add pfBlockerNG, and subscribe to some lists there too. Get the MaxMind subscription and GeoIP block Eastern Europe, China and Russia. That site is in the Czech Republic.

Maybe consider migrating your VMs off, and wiping the server so it is fresh. Update the BIOS. Things like that have a tendency to poison anything vulnerable on your network. Although, the brazen nature of saturating your full upload bandwidth kinda tells you it's a n00b. More pro hackers would prefer to stay mostly in the background unnoticed.
itimpi, posted April 18, 2023

None of the plugins listed are known to have a problem. You could try rebooting in Safe Mode, which avoids loading all plugins, to see if that helps.

Is your server directly exposed to the internet in any way?

You are likely to get better informed feedback if you attach your system's diagnostics zip file to your next post in this thread.
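The original question asks which commands map the traffic to a process, and the last reply asks whether the server is exposed to the internet. The following script is an added example, not code from the thread or from UnRAID: iftop shows bandwidth per peer but not the owning process, whereas `ss -tnp` (or `netstat -tunp`) run as root prints the PID and program name for each socket. The script parses a constructed `ss -tnp`-style sample (the lines below are made up; only the peer address 46.8.8.100 comes from the thread), counts connections per peer, lists the local programs talking to a given peer, and flags connections whose local port is a service the host listens on, which means the remote side initiated them and the service is reachable from outside. The listening-port list (22, 80, 443) is an assumption standing in for the GUI and SSH ports; on a real box replace `"$SAMPLE_SS"` with `"$(ss -tnp)"` and the list with the output of `ss -tln`.

```shell
#!/bin/sh
# Constructed sample in the column layout of `ss -tnp` (not real output from the thread):
# State Recv-Q Send-Q Local:Port Peer:Port Process
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.168.1.10:80 46.8.8.100:51234 users:(("nginx",pid=4321,fd=12))
ESTAB 0 0 192.168.1.10:22 46.8.8.100:51235 users:(("sshd",pid=4399,fd=3))
ESTAB 0 0 192.168.1.10:443 46.8.8.100:51236 users:(("nginx",pid=4321,fd=14))
ESTAB 0 0 192.168.1.10:51000 93.184.216.34:443 users:(("curl",pid=5100,fd=5))'

# Assumed listening ports of the host (GUI and SSH); on a real system take them from `ss -tln`.
LISTEN_PORTS="22 80 443"

# count_by_peer SS_OUTPUT: connections per peer IP, busiest first.
# The port is stripped with a trailing ":digits" match so IPv6 peers also work.
count_by_peer() {
  printf '%s\n' "$1" | awk 'NR > 1 {
      peer = $5; sub(/:[0-9]+$/, "", peer)
      c[peer]++
    }
    END { for (k in c) print k, c[k] }' | sort -k2 -nr
}

# connections_to SS_OUTPUT PEER_IP: number of sockets to one peer.
connections_to() {
  printf '%s\n' "$1" | awk -v ip="$2" 'NR > 1 {
      peer = $5; sub(/:[0-9]+$/, "", peer)
      if (peer == ip) cnt++
    }
    END { print cnt + 0 }'
}

# procs_to SS_OUTPUT PEER_IP: distinct local program names holding sockets to the peer,
# taken from the users:(("name",pid=...)) column, space-separated and sorted.
procs_to() {
  printf '%s\n' "$1" | awk -v ip="$2" 'NR > 1 {
      peer = $5; sub(/:[0-9]+$/, "", peer)
      if (peer == ip && match($6, /\("[^"]+"/)) {
        name = substr($6, RSTART + 2, RLENGTH - 3)
        seen[name] = 1
      }
    }
    END { for (k in seen) print k }' | sort | tr '\n' ' ' | sed 's/ $//'
}

# inbound_from SS_OUTPUT PEER_IP: sockets to the peer whose local port is one we listen on.
# Such sockets were opened by the remote host, so that service is reachable from its network.
inbound_from() {
  printf '%s\n' "$1" | awk -v ip="$2" -v ports="$LISTEN_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) listen[p[i]] = 1 }
    NR > 1 {
      peer = $5; sub(/:[0-9]+$/, "", peer)
      lport = $4; sub(/.*:/, "", lport)
      if (peer == ip && (lport in listen)) cnt++
    }
    END { print cnt + 0 }'
}

# Stand-alone run: summarise the sample and drill into the suspicious peer.
echo "Connections per peer:"
count_by_peer "$SAMPLE_SS"
echo "Programs talking to 46.8.8.100: $(procs_to "$SAMPLE_SS" 46.8.8.100)"
echo "Of those, initiated by the peer (inbound): $(inbound_from "$SAMPLE_SS" 46.8.8.100)"
```

If most of the sockets to a peer sit on your listening ports, the peer is connecting in rather than a plugin calling out, which turns the question from "which plugin" into "why is the GUI or SSH port reachable from the internet" and points at the router or port-forward configuration.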