linux
juffinhalli, 2013-06-30 01:31:33

Suspicious activity of the Ubuntu gateway - where to dig

Good night, hackers!

Given:
Home x86 router running Ubuntu 12.04 LTS.
The gateway runs the caching DNS server dnsmasq.
All DNS requests, including the server's own, go through dnsmasq.
Each request is logged.
The installed i2p-router, collectd and transmission are disabled in their settings and, after a reboot, do not appear among the active processes (htop).

Problem: the DNS server is noticeably loaded with requests from an unknown application on the server itself (the LAN cable is physically disconnected). Log fragment:

Question: how do I find the local process that is constantly bombarding the DNS server with requests?

Thank you very much in advance.

Update: by process of elimination we found out that the requests came from IPTraf, which was trying to resolve readable names for everyone who tried to connect to the server over UDP.


2 answers
shadowalone, 2013-06-30

Judging by what can be seen in the log (PTR requests make up the main part), perhaps one of your services is trying to resolve the addresses it is accessed from into names via the reverse zone,
for example attempts to log in via ssh, mail delivery, etc.
Disable the services one by one and it will become clear, but that is a last resort.
Look at netstat to see what connections there are.
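To make "look at netstat" concrete for the question above, here is an added example (not code from this thread) that reads the same kernel table netstat uses, /proc/net/udp, picks out sockets whose peer is port 53 and maps them back to a PID through /proc/<pid>/fd. The sample table and the function names are my own constructions; on the asker's box this would have pointed at the IPTraf process doing reverse lookups.

```python
import os

DNS_PORT = 53
# Constructed sample in /proc/net/udp layout: row 0 is dnsmasq listening on 127.0.0.1:53, row 1 a client querying it.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   108        0 12345 2 0000000000000000 0
   1: 0100007F:D2C1 0100007F:0035 01 00000000:00000000 00:00000000 00000000     0        0 67890 2 0000000000000000 0
"""

def fmt_endpoint(hex_addr):
    """'0100007F:0035' (little-endian IPv4, hex port) -> '127.0.0.1:53'."""
    addr_hex, port_hex = hex_addr.split(":")
    octets = [str(int(addr_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets) + ":" + str(int(port_hex, 16))

def dns_client_sockets(table_text):
    """Return {inode: (local, remote)} for UDP sockets whose peer is port 53."""
    found = {}
    for line in table_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        local_hex, remote_hex, inode = fields[1], fields[2], fields[9]
        if int(remote_hex.split(":")[1], 16) == DNS_PORT:
            found[inode] = (fmt_endpoint(local_hex), fmt_endpoint(remote_hex))
    return found

def socket_owners(inodes, proc="/proc"):
    """Map socket inodes to [(pid, comm)] via /proc/<pid>/fd; run as root to see every process."""
    wanted = {"socket:[%s]" % i: i for i in inodes}
    owners = {i: [] for i in inodes}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:                                # process exited or not permitted
            continue
        for link in links:
            if link in wanted:
                with open(os.path.join(proc, pid, "comm")) as f:
                    owners[wanted[link]].append((pid, f.read().strip()))
    return owners

if __name__ == "__main__":
    # Resolver sockets live only milliseconds, so run this in a loop while the log is busy.
    with open("/proc/net/udp") as f:
        live = dns_client_sockets(f.read())
    for inode, who in socket_owners(live).items():
        print(live[inode], who or "(owner not visible; rerun as root)")
```

A socket that shows up with no owner was usually closed between the two /proc reads; repeating the snapshot a few times per second while the dnsmasq log is busy catches the culprit.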

joneleth, 2013-06-30

A couple of dozen requests in 5 minutes - "bombarding"? I would just forget about it if I were you.
seclists.org/tcpdump/2010/q4/2
