Multiple connections to/from visit.keznews.com


Jayrads


Hey all,

 

Just wondering if I should be concerned with this. Yesterday, I noticed that my UnRAID server (6.11.3) was maxing out my upload bandwidth. This went on for a few hours until I rebooted my server. After digging into it a bit, I noticed a lot of connections to what DNS says is visit.keznews.com. The IP address is 46.8.8.100, which appears to host 48,000+ domains. Not really helpful. I ran iftop and netstat commands and found a bunch of connections (both from my GUI port and also via SSH). These connections are always connected.

 

I shut down all of my dockers and VMs, so it doesn't look like it's coming from one of those. This leads me to believe it's a plugin.

 

Attached are screenshots of the output from iftop and netstat and a list of my currently installed plugins. Are there any other commands I can run to figure out what's causing this traffic, and should I be concerned?

 

Thank you,

 

Jarred

 

 

iftop_output.png

netstat_output.png

plugin_list_1.png

plugin_list_2.png

Edited by Jayrads
Added UnRAID version
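The original post asks for other commands that can tie the traffic to a process. The following is an added example, not something posted in the thread: a small POSIX shell script that parses `ss -tnp` output and reports which local process owns each established connection to a given peer address. It assumes the host has `ss` (iproute2) and `/proc`, and that it is run as root so that `ss` can show the owning PID; the peer address is the one from the original post, and the sample output in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): map established TCP connections to a
# peer address back to the local process that owns them, using `ss -tnp`.
# Assumes iproute2 `ss` and /proc are available and the script runs as root.

PEER_IP="46.8.8.100"   # address from the original post

# Read `ss -tnp` output on stdin and print "pid process-name" for every
# ESTAB connection whose peer address is $1. Works on the text, so captured
# output can be analysed offline. Constructed sample input line:
#   ESTAB 0 0 192.168.1.10:22 46.8.8.100:5432 users:(("sshd",pid=1234,fd=3))
# Only the first process in a users:(...) list is reported.
peer_pids() {
  awk -v ip="$1" '
    $1 == "ESTAB" && index($5, ip ":") == 1 {
      n = index($0, "users:((")
      if (n > 0) {
        s = substr($0, n + 8)        # "sshd",pid=1234,fd=3))
        gsub("\"", "", s)            # sshd,pid=1234,fd=3))
        split(s, f, ",")             # f[1]=sshd  f[2]=pid=1234
        sub(/^pid=/, "", f[2])
        print f[2], f[1]
      } else {
        # No process column: ss was run without -p or without root.
        print "?", "(no process info; run ss -tnp as root)"
      }
    }' | sort -u
}

# Live run on this host (skipped when ss is not installed): show the PID
# and full command line of every process talking to $PEER_IP.
if command -v ss >/dev/null 2>&1; then
  ss -tnp | peer_pids "$PEER_IP" | while read -r pid name; do
    cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null) || cmd="$name"
    echo "pid=$pid $cmd"
  done
fi
```

Once the PID is known, `ls -l /proc/<pid>/exe` and `cat /proc/<pid>/status` show the binary path and parent process, which is what distinguishes a plugin or system service from a container.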

Yeah, that is quite concerning. Sad also that you had no replies.

Set yourself up with a pfSense. Stop trusting that machine for now.

Add Snort, and subscribe to some Snort rule sets. Tune your security.
Add pfBlockerNG, and subscribe to some lists there too.
Get the MaxMind subscription and GeoIP block Eastern Europe, China and Russia. That site is in the Czech Republic.

Maybe consider migrating your VMs off, and wiping the server so it is fresh. Update the BIOS.
Things like that have a tendency to poison anything vulnerable on your network. Although, the brazen nature of saturating your full upload bandwidth kinda tells you it's a n00b. More pro hackers would prefer to stay mostly in the background unnoticed.


None of the plugins listed are known to have a problem. You could try rebooting in Safe Mode, which avoids loading all plugins, to see if that helps.

 

Is your server directly exposed to the internet in any way?

 

You are likely to get better informed feedback if you attach your system’s diagnostics zip file to your next post in this thread.
