
Thread: ufw, how to trouble shoot virus related issue

  1. #1
    Join Date
    Aug 2010
    Beans
    28

    ufw, how to trouble shoot virus related issue

    One of my computers is causing issues on some pages. Everything is OK when I get a new IP, but eventually I start seeing blocks. I use UFW and can see the logs, but I have no idea what to look for. Something is spamming outbound traffic on my system and going out through my Linux box.
    The log files are too big to do anything with them.
    Here is a tail of 100 lines
    Code:
    root@ubuntuspawn:~# tail -100 /var/log/ufw.log.1 
    Feb  3 00:10:37 ubuntuspawn kernel: [276434.037456] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:a4:38:cc:ef:9c:8e:08:00 SRC=192.168.0.111 DST=8.8.8.8 LEN=77 TOS=0x00 PREC=0x00 TTL=63 ID=24474 PROTO=UDP SPT=60323 DPT=53 LEN=57 
    Feb  3 00:10:37 ubuntuspawn kernel: [276434.044808] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:a4:38:cc:ef:9c:8e:08:00 SRC=192.168.0.111 DST=8.8.8.8 LEN=78 TOS=0x00 PREC=0x00 TTL=63 ID=24475 PROTO=UDP SPT=5746 DPT=53 LEN=58 
    Feb  3 00:10:37 ubuntuspawn kernel: [276434.049699] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:a4:38:cc:ef:9c:8e:08:00 SRC=192.168.0.111 DST=8.8.8.8 LEN=75 TOS=0x00 PREC=0x00 TTL=63 ID=24476 PROTO=UDP SPT=32478 DPT=53 LEN=55 
    Feb  3 00:10:37 ubuntuspawn kernel: [276434.061283] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:a4:38:cc:ef:9c:8e:08:00 SRC=192.168.0.111 DST=96.16.138.215 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=24477 DF PROTO=TCP SPT=19426 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 
    Feb  3 00:10:37 ubuntuspawn kernel: [276434.065266] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:a4:38:cc:ef:9c:8e:08:00 SRC=192.168.0.111 DST=52.204.133.249 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=24478 DF PROTO=TCP SPT=38617 DPT=443 WINDOW=32768 RES=0x00 SYN URGP=0 
    Feb  3 00:10:37 ubuntuspawn kernel: [276434.077009] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:a4:38:cc:ef:9c:8e:08:00 SRC=192.168.0.111 DST=96.16.138.215 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=24482 DF PROTO=TCP SPT=17427 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 
    Feb  3 00:10:37 ubuntuspawn kernel: [276434.089946] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:a4:38:cc:ef:9c:8e:08:00 SRC=192.168.0.111 DST=13.249.122.27 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=24486 DF PROTO=TCP SPT=42553 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:37 ubuntuspawn kernel: [276434.354012] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=192.168.1.254 LEN=59 TOS=0x00 PREC=0x00 TTL=127 ID=24022 PROTO=UDP SPT=50960 DPT=53 LEN=39 
    Feb  3 00:10:37 ubuntuspawn kernel: [276434.394889] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=94.130.187.179 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24023 DF PROTO=TCP SPT=23443 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:37 ubuntuspawn kernel: [276434.761991] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=94.130.187.179 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24032 DF PROTO=TCP SPT=23444 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:38 ubuntuspawn kernel: [276435.122529] [UFW AUDIT] IN= OUT=enp2s0 SRC=75.43.55.62 DST=54.186.158.160 LEN=89 TOS=0x00 PREC=0x00 TTL=64 ID=6769 DF PROTO=TCP SPT=58618 DPT=443 WINDOW=342 RES=0x00 ACK PSH URGP=0 
    Feb  3 00:10:38 ubuntuspawn kernel: [276435.204657] [UFW AUDIT] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:e0:22:04:8b:57:61:08:00 SRC=54.186.158.160 DST=75.43.55.62 LEN=52 TOS=0x00 PREC=0x00 TTL=230 ID=31150 DF PROTO=TCP SPT=443 DPT=58618 WINDOW=119 RES=0x00 ACK URGP=0 
    Feb  3 00:10:39 ubuntuspawn kernel: [276436.004022] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=192.168.1.254 LEN=63 TOS=0x00 PREC=0x00 TTL=127 ID=24046 PROTO=UDP SPT=62479 DPT=53 LEN=43 
    Feb  3 00:10:39 ubuntuspawn kernel: [276436.391051] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=217.182.249.242 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24048 DF PROTO=TCP SPT=23445 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:40 ubuntuspawn kernel: [276437.035079] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=217.182.249.242 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24064 DF PROTO=TCP SPT=23446 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:40 ubuntuspawn kernel: [276437.214054] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:54:c9:df:27:6f:ad:08:00 SRC=192.168.0.104 DST=8.8.8.8 LEN=61 TOS=0x00 PREC=0x00 TTL=63 ID=37414 DF PROTO=UDP SPT=1101 DPT=53 LEN=41 
    Feb  3 00:10:40 ubuntuspawn kernel: [276437.242666] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:54:c9:df:27:6f:ad:08:00 SRC=192.168.0.104 DST=64.233.177.94 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=33580 DF PROTO=TCP SPT=49236 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 
    Feb  3 00:10:40 ubuntuspawn kernel: [276437.355259] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=192.168.1.254 LEN=56 TOS=0x00 PREC=0x00 TTL=127 ID=24074 PROTO=UDP SPT=50579 DPT=53 LEN=36 
    Feb  3 00:10:40 ubuntuspawn kernel: [276437.419042] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=94.130.187.179 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24076 DF PROTO=TCP SPT=23447 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:40 ubuntuspawn kernel: [276437.786719] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=94.130.187.179 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24081 DF PROTO=TCP SPT=23448 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:41 ubuntuspawn kernel: [276437.962645] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=217.182.249.242 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24090 DF PROTO=TCP SPT=23449 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:41 ubuntuspawn kernel: [276438.291228] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=188.6.112.187 LEN=132 TOS=0x00 PREC=0x00 TTL=127 ID=24102 PROTO=UDP SPT=6881 DPT=29492 LEN=112 
    Feb  3 00:10:42 ubuntuspawn kernel: [276439.656589] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=209.7.62.140 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24129 DF PROTO=TCP SPT=23450 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:43 ubuntuspawn kernel: [276439.884343] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=192.168.1.254 LEN=64 TOS=0x00 PREC=0x00 TTL=127 ID=24132 PROTO=UDP SPT=55002 DPT=53 LEN=44 
    Feb  3 00:10:43 ubuntuspawn kernel: [276440.021653] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=54.36.120.162 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24135 DF PROTO=TCP SPT=23451 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:43 ubuntuspawn kernel: [276440.414910] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:d0:50:99:60:b7:15:08:00 SRC=192.168.0.27 DST=8.8.8.8 LEN=70 TOS=0x00 PREC=0x00 TTL=127 ID=8020 PROTO=UDP SPT=58559 DPT=53 LEN=50 
    Feb  3 00:10:43 ubuntuspawn kernel: [276440.489256] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:d0:50:99:60:b7:15:08:00 SRC=192.168.0.27 DST=73.202.166.115 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=8021 DF PROTO=TCP SPT=54803 DPT=5322 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:44 ubuntuspawn kernel: [276440.878713] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=54.36.120.162 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24141 DF PROTO=TCP SPT=23452 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:44 ubuntuspawn kernel: [276441.197422] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=192.168.1.254 LEN=62 TOS=0x00 PREC=0x00 TTL=127 ID=24147 PROTO=UDP SPT=65142 DPT=53 LEN=42 
    Feb  3 00:10:44 ubuntuspawn kernel: [276441.336637] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=128.65.195.35 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24150 DF PROTO=TCP SPT=23453 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:44 ubuntuspawn kernel: [276441.827043] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=128.65.195.35 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24163 DF PROTO=TCP SPT=23454 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:45 ubuntuspawn kernel: [276441.862200] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=54.36.120.162 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24164 DF PROTO=TCP SPT=23455 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:45 ubuntuspawn kernel: [276442.656419] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=209.7.62.140 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24182 DF PROTO=TCP SPT=23450 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:46 ubuntuspawn kernel: [276443.291634] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=74.70.73.203 LEN=132 TOS=0x00 PREC=0x00 TTL=127 ID=24204 PROTO=UDP SPT=6881 DPT=6881 LEN=112 
    Feb  3 00:10:46 ubuntuspawn kernel: [276443.763689] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=192.168.1.254 LEN=59 TOS=0x00 PREC=0x00 TTL=127 ID=24229 PROTO=UDP SPT=65243 DPT=53 LEN=39 
    Feb  3 00:10:46 ubuntuspawn kernel: [276443.764410] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=192.168.1.254 LEN=61 TOS=0x00 PREC=0x00 TTL=127 ID=24230 PROTO=UDP SPT=50067 DPT=53 LEN=41 
    Feb  3 00:10:47 ubuntuspawn kernel: [276443.856768] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=198.105.244.130 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24231 DF PROTO=TCP SPT=23456 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:47 ubuntuspawn kernel: [276443.895016] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=151.80.207.192 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24233 DF PROTO=TCP SPT=23457 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:47 ubuntuspawn kernel: [276444.034577] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=192.168.1.254 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=24242 PROTO=UDP SPT=50399 DPT=53 LEN=48 
    Feb  3 00:10:47 ubuntuspawn kernel: [276444.102696] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=54.36.28.65 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24243 DF PROTO=TCP SPT=23458 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:47 ubuntuspawn kernel: [276444.269592] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=147.135.137.146 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24247 DF PROTO=TCP SPT=23459 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:47 ubuntuspawn kernel: [276444.623257] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=54.36.28.65 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24254 DF PROTO=TCP SPT=23460 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:48 ubuntuspawn kernel: [276445.064731] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=192.168.1.254 LEN=72 TOS=0x00 PREC=0x00 TTL=127 ID=24268 PROTO=UDP SPT=62525 DPT=53 LEN=52 
    Feb  3 00:10:48 ubuntuspawn kernel: [276445.315724] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=83.166.138.28 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24269 DF PROTO=TCP SPT=23461 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:48 ubuntuspawn kernel: [276445.418790] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=147.135.137.146 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24273 DF PROTO=TCP SPT=23462 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:48 ubuntuspawn kernel: [276445.695354] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=54.36.28.65 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24288 DF PROTO=TCP SPT=23463 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:49 ubuntuspawn kernel: [276446.194754] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=192.168.1.254 LEN=55 TOS=0x00 PREC=0x00 TTL=127 ID=24313 PROTO=UDP SPT=52242 DPT=53 LEN=35 
    Feb  3 00:10:49 ubuntuspawn kernel: [276446.284685] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=192.168.1.254 LEN=72 TOS=0x00 PREC=0x00 TTL=127 ID=24314 PROTO=UDP SPT=55373 DPT=53 LEN=52 
    Feb  3 00:10:49 ubuntuspawn kernel: [276446.336410] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=104.27.158.46 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24315 DF PROTO=TCP SPT=23464 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:49 ubuntuspawn kernel: [276446.377071] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=83.166.138.4 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24318 DF PROTO=TCP SPT=23465 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:50 ubuntuspawn kernel: [276447.186788] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=192.168.1.254 LEN=65 TOS=0x00 PREC=0x00 TTL=127 ID=24364 PROTO=UDP SPT=56024 DPT=53 LEN=45 
    Feb  3 00:10:50 ubuntuspawn kernel: [276447.285207] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=104.239.207.44 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24368 DF PROTO=TCP SPT=23466 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:50 ubuntuspawn kernel: [276447.412024] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=192.168.1.254 LEN=58 TOS=0x00 PREC=0x00 TTL=127 ID=24369 PROTO=UDP SPT=56938 DPT=53 LEN=38 
    Feb  3 00:10:50 ubuntuspawn kernel: [276447.630246] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=83.166.137.121 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24371 DF PROTO=TCP SPT=23467 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:50 ubuntuspawn kernel: [276447.654934] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=104.27.158.46 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24372 DF PROTO=TCP SPT=23468 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:51 ubuntuspawn kernel: [276447.986488] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:e0:22:04:8b:57:61:08:00 SRC=82.213.242.166 DST=75.43.55.62 LEN=131 TOS=0x00 PREC=0x00 TTL=113 ID=23376 PROTO=UDP SPT=38004 DPT=6881 LEN=111 
    Feb  3 00:10:51 ubuntuspawn kernel: [276448.146341] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=83.166.137.121 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24386 DF PROTO=TCP SPT=23469 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:51 ubuntuspawn kernel: [276448.291946] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=177.41.139.234 LEN=132 TOS=0x00 PREC=0x00 TTL=127 ID=24390 PROTO=UDP SPT=6881 DPT=55756 LEN=112 
    Feb  3 00:10:51 ubuntuspawn kernel: [276448.649883] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=209.7.62.140 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=24398 DF PROTO=TCP SPT=23450 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:52 ubuntuspawn kernel: [276449.388006] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=192.168.1.254 LEN=67 TOS=0x00 PREC=0x00 TTL=127 ID=24412 PROTO=UDP SPT=58250 DPT=53 LEN=47 
    Feb  3 00:10:52 ubuntuspawn kernel: [276449.643320] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=91.216.107.204 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24413 DF PROTO=TCP SPT=23470 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:52 ubuntuspawn kernel: [276449.684527] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=209.7.62.140 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24414 DF PROTO=TCP SPT=23471 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:53 ubuntuspawn kernel: [276450.282997] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=104.239.207.44 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24423 DF PROTO=TCP SPT=23466 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:53 ubuntuspawn kernel: [276450.492432] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=91.216.107.204 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24425 DF PROTO=TCP SPT=23472 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:54 ubuntuspawn kernel: [276451.113785] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:e0:22:04:8b:57:61:08:00 SRC=188.65.90.179 DST=75.43.55.62 LEN=122 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=6881 DPT=45415 LEN=102 
    Feb  3 00:10:54 ubuntuspawn kernel: [276451.738160] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=192.168.1.254 LEN=62 TOS=0x00 PREC=0x00 TTL=127 ID=24469 PROTO=UDP SPT=50736 DPT=53 LEN=42 
    Feb  3 00:10:55 ubuntuspawn kernel: [276451.883896] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=83.166.138.38 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24472 DF PROTO=TCP SPT=23473 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:55 ubuntuspawn kernel: [276452.525826] [UFW AUDIT] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=68.180.134.8 LEN=247 TOS=0x00 PREC=0x00 TTL=127 ID=24495 DF PROTO=TCP SPT=18751 DPT=443 WINDOW=36500 RES=0x00 ACK PSH URGP=0 
    Feb  3 00:10:55 ubuntuspawn kernel: [276452.682176] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=209.7.62.140 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24511 DF PROTO=TCP SPT=23471 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:56 ubuntuspawn kernel: [276452.883460] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=192.168.1.254 LEN=59 TOS=0x00 PREC=0x00 TTL=127 ID=24514 PROTO=UDP SPT=60609 DPT=53 LEN=39 
    Feb  3 00:10:56 ubuntuspawn kernel: [276453.022960] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=83.166.138.38 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24516 DF PROTO=TCP SPT=23474 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:56 ubuntuspawn kernel: [276453.292315] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=118.35.204.133 LEN=132 TOS=0x00 PREC=0x00 TTL=127 ID=24535 PROTO=UDP SPT=6881 DPT=41057 LEN=112 
    Feb  3 00:10:56 ubuntuspawn kernel: [276453.487225] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=192.168.1.254 LEN=58 TOS=0x00 PREC=0x00 TTL=127 ID=24538 PROTO=UDP SPT=55571 DPT=53 LEN=38 
    Feb  3 00:10:56 ubuntuspawn kernel: [276453.666432] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=83.166.138.38 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24539 DF PROTO=TCP SPT=23475 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:57 ubuntuspawn kernel: [276454.087784] [UFW AUDIT] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:e0:22:04:8b:57:61:08:00 SRC=95.42.100.101 DST=75.43.55.62 LEN=134 TOS=0x00 PREC=0x00 TTL=114 ID=29595 PROTO=UDP SPT=43942 DPT=45415 LEN=114 
    Feb  3 00:10:57 ubuntuspawn kernel: [276454.087824] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:e0:22:04:8b:57:61:08:00 SRC=95.42.100.101 DST=75.43.55.62 LEN=134 TOS=0x00 PREC=0x00 TTL=114 ID=29595 PROTO=UDP SPT=43942 DPT=45415 LEN=114 
    Feb  3 00:10:57 ubuntuspawn kernel: [276454.324422] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=192.168.1.254 LEN=57 TOS=0x00 PREC=0x00 TTL=127 ID=24582 PROTO=UDP SPT=61978 DPT=53 LEN=37 
    Feb  3 00:10:57 ubuntuspawn kernel: [276454.695213] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=91.121.39.166 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24598 DF PROTO=TCP SPT=23476 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:57 ubuntuspawn kernel: [276454.764401] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=192.168.1.254 LEN=71 TOS=0x00 PREC=0x00 TTL=127 ID=24599 PROTO=UDP SPT=64118 DPT=53 LEN=51 
    Feb  3 00:10:58 ubuntuspawn kernel: [276454.892811] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=128.65.195.35 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24603 DF PROTO=TCP SPT=23477 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:58 ubuntuspawn kernel: [276455.288008] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:44:d9:e7:f9:ea:6e:08:00 SRC=192.168.0.10 DST=192.168.1.25 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=18091 DF PROTO=TCP SPT=52415 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 
    Feb  3 00:10:58 ubuntuspawn kernel: [276455.406149] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=83.166.137.121 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24611 DF PROTO=TCP SPT=23478 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:59 ubuntuspawn kernel: [276456.280504] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=104.239.207.44 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=24619 DF PROTO=TCP SPT=23466 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:10:59 ubuntuspawn kernel: [276456.283840] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:44:d9:e7:f9:ea:6e:08:00 SRC=192.168.0.10 DST=192.168.1.25 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=18092 DF PROTO=TCP SPT=52415 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 
    Feb  3 00:10:59 ubuntuspawn kernel: [276456.477472] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=192.168.1.254 LEN=53 TOS=0x00 PREC=0x00 TTL=127 ID=24620 PROTO=UDP SPT=56948 DPT=53 LEN=33 
    Feb  3 00:10:59 ubuntuspawn kernel: [276456.813658] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=91.121.39.166 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24630 DF PROTO=TCP SPT=23479 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:11:01 ubuntuspawn kernel: [276458.283892] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:44:d9:e7:f9:ea:6e:08:00 SRC=192.168.0.10 DST=192.168.1.25 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=18093 DF PROTO=TCP SPT=52415 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 
    Feb  3 00:11:01 ubuntuspawn kernel: [276458.292784] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=94.63.57.1 LEN=132 TOS=0x00 PREC=0x00 TTL=127 ID=24655 PROTO=UDP SPT=6881 DPT=28624 LEN=112 
    Feb  3 00:11:01 ubuntuspawn kernel: [276458.459761] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=91.121.39.166 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24658 DF PROTO=TCP SPT=23480 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:11:01 ubuntuspawn kernel: [276458.680633] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=209.7.62.140 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=24662 DF PROTO=TCP SPT=23471 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:11:02 ubuntuspawn kernel: [276459.183758] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:e0:22:04:8b:57:61:08:00 SRC=95.135.51.7 DST=75.43.55.62 LEN=145 TOS=0x00 PREC=0x00 TTL=106 ID=14240 PROTO=UDP SPT=1031 DPT=45415 LEN=125 
    Feb  3 00:11:02 ubuntuspawn kernel: [276459.792825] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=192.168.1.254 LEN=66 TOS=0x00 PREC=0x00 TTL=127 ID=24707 PROTO=UDP SPT=58332 DPT=53 LEN=46 
    Feb  3 00:11:03 ubuntuspawn kernel: [276459.860196] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=213.186.33.40 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24708 DF PROTO=TCP SPT=23481 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:11:03 ubuntuspawn kernel: [276459.984801] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=192.168.1.254 LEN=59 TOS=0x00 PREC=0x00 TTL=127 ID=24714 PROTO=UDP SPT=64664 DPT=53 LEN=39 
    Feb  3 00:11:03 ubuntuspawn kernel: [276460.132380] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=213.111.3.248 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24716 DF PROTO=TCP SPT=23482 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:11:03 ubuntuspawn kernel: [276460.328237] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=192.168.1.254 LEN=61 TOS=0x00 PREC=0x00 TTL=127 ID=24721 PROTO=UDP SPT=52330 DPT=53 LEN=41 
    Feb  3 00:11:03 ubuntuspawn kernel: [276460.373312] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=213.111.3.248 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24722 DF PROTO=TCP SPT=23483 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:11:03 ubuntuspawn kernel: [276460.471600] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=213.186.33.40 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24723 DF PROTO=TCP SPT=23484 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 
    Feb  3 00:11:03 ubuntuspawn kernel: [276460.830674] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:e0:22:04:8b:57:61:08:00 SRC=185.211.245.168 DST=75.43.55.62 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=9981 PROTO=TCP SPT=43687 DPT=44444 WINDOW=1024 RES=0x00 SYN URGP=0 
    Feb  3 00:11:04 ubuntuspawn kernel: [276461.280674] [UFW AUDIT] IN= OUT=enp2s0 SRC=75.43.55.62 DST=192.168.1.254 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=26871 DF PROTO=UDP SPT=50803 DPT=53 LEN=50

    Can anyone help me with this?

    Best I can tell, this 8192 is a camera app that keeps sending out data. I do not have a camera on this computer. I did a netstat, but nothing has it open.
    Last edited by howefield; February 12th, 2019 at 04:54 PM. Reason: posts merged.
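    An added example for reading the excerpt above, not code from the original poster. Each `[UFW ...]` line is a fixed set of KEY=VALUE fields, so a short script can aggregate what the eye cannot. Two things worth knowing before reading its output. First, lines with both IN= and OUT= set are forwarded packets: they arrived on enp3s5 from another machine on the LAN (in this excerpt mostly 192.168.0.25, whose TTL=127 is one hop below the Windows default of 128) and left on enp2s0, so no process on the Ubuntu box owns that socket and netstat or ss on the router will not show it; only lines with IN= empty and OUT=enp2s0 were generated locally. Second, WINDOW=8192 is the TCP receive-window field of the SYN, not a port or an application identifier. The script parses the lines, counts packets per action and direction, lists which LAN hosts generate forwarded traffic and to which ports, and flags inbound BLOCKs whose destination port matches a source port a LAN host used outbound (here UDP 6881, conventionally the BitTorrent/DHT port, which remote peers keep calling back on). The sample lines are copied from the log excerpt above; the report layout, the file argument and the function names are this example's own choices.

```python
"""Summarise ufw kernel log lines: who sends what, and which blocks are replies.
Added example for the thread above; not the original poster's code."""
import re
import sys
from collections import Counter, defaultdict

# Sample input: ten lines copied from the ufw.log excerpt in the post above.
SAMPLE_LOG = """\
Feb  3 00:10:37 ubuntuspawn kernel: [276434.037456] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:a4:38:cc:ef:9c:8e:08:00 SRC=192.168.0.111 DST=8.8.8.8 LEN=77 TOS=0x00 PREC=0x00 TTL=63 ID=24474 PROTO=UDP SPT=60323 DPT=53 LEN=57
Feb  3 00:10:37 ubuntuspawn kernel: [276434.061283] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:a4:38:cc:ef:9c:8e:08:00 SRC=192.168.0.111 DST=96.16.138.215 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=24477 DF PROTO=TCP SPT=19426 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  3 00:10:37 ubuntuspawn kernel: [276434.354012] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=192.168.1.254 LEN=59 TOS=0x00 PREC=0x00 TTL=127 ID=24022 PROTO=UDP SPT=50960 DPT=53 LEN=39
Feb  3 00:10:37 ubuntuspawn kernel: [276434.394889] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=94.130.187.179 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24023 DF PROTO=TCP SPT=23443 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Feb  3 00:10:38 ubuntuspawn kernel: [276435.122529] [UFW AUDIT] IN= OUT=enp2s0 SRC=75.43.55.62 DST=54.186.158.160 LEN=89 TOS=0x00 PREC=0x00 TTL=64 ID=6769 DF PROTO=TCP SPT=58618 DPT=443 WINDOW=342 RES=0x00 ACK PSH URGP=0
Feb  3 00:10:41 ubuntuspawn kernel: [276438.291228] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=188.6.112.187 LEN=132 TOS=0x00 PREC=0x00 TTL=127 ID=24102 PROTO=UDP SPT=6881 DPT=29492 LEN=112
Feb  3 00:10:46 ubuntuspawn kernel: [276443.291634] [UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:00:07:e9:0f:e5:de:08:00 SRC=192.168.0.25 DST=74.70.73.203 LEN=132 TOS=0x00 PREC=0x00 TTL=127 ID=24204 PROTO=UDP SPT=6881 DPT=6881 LEN=112
Feb  3 00:10:51 ubuntuspawn kernel: [276447.986488] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:e0:22:04:8b:57:61:08:00 SRC=82.213.242.166 DST=75.43.55.62 LEN=131 TOS=0x00 PREC=0x00 TTL=113 ID=23376 PROTO=UDP SPT=38004 DPT=6881 LEN=111
Feb  3 00:10:54 ubuntuspawn kernel: [276451.113785] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:e0:22:04:8b:57:61:08:00 SRC=188.65.90.179 DST=75.43.55.62 LEN=122 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=6881 DPT=45415 LEN=102
Feb  3 00:11:03 ubuntuspawn kernel: [276460.830674] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:e0:22:04:8b:57:61:08:00 SRC=185.211.245.168 DST=75.43.55.62 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=9981 PROTO=TCP SPT=43687 DPT=44444 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Syslog-style prefix as in the post; the timestamp is optional so other prefixes still parse.
UFW_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)?.*?\[UFW (?P<action>[A-Z]+)\]\s*(?P<rest>.*)$")
KV_RE = re.compile(r"([A-Z]+)=(\S*)")


def direction(rec):
    """Classify a record by which interfaces the kernel filled in."""
    inside, outside = rec.get("IN", ""), rec.get("OUT", "")
    if inside and outside:
        return "forwarded"   # routed between interfaces: originated on another host
    if outside:
        return "local-out"   # generated by a process on this box (OUTPUT chain)
    if inside:
        return "inbound"     # addressed to this box (INPUT chain)
    return "unknown"


def parse_ufw_line(line):
    """Return a dict of fields for one [UFW ...] kernel log line, or None."""
    m = UFW_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts") or "", "action": m.group("action"), "flags": set()}
    for tok in m.group("rest").split():
        kv = KV_RE.fullmatch(tok)
        if kv:
            # LEN appears twice (IP total length, then UDP payload length); keep the first.
            rec.setdefault(kv.group(1), kv.group(2))
        else:
            rec["flags"].add(tok)  # bare tokens such as DF, SYN, ACK, PSH
    rec["direction"] = direction(rec)
    return rec


def parse_log(text):
    """Parse every [UFW ...] line in text; other lines are skipped."""
    return [r for r in (parse_ufw_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Counts per (action, direction), per forwarding source, and per (source, proto/dport)."""
    by_action_dir = Counter((r["action"], r["direction"]) for r in records)
    talkers = Counter(r["SRC"] for r in records if r["direction"] == "forwarded")
    dports = defaultdict(Counter)
    for r in records:
        if r["direction"] in ("forwarded", "local-out"):
            dports[r["SRC"]][(r.get("PROTO"), r.get("DPT"))] += 1
    return {"by_action_dir": by_action_dir, "talkers": talkers, "dports": dports}


def blocked_replies_to_lan_ports(records):
    """Inbound BLOCKs whose (proto, DPT) equals a (proto, SPT) some LAN host used outbound.
    Heuristic: this pattern is typical of peer-to-peer clients, whose peers keep calling back
    after the NAT mapping has expired, rather than of an attacker picking the port at random."""
    lan_sports = defaultdict(set)
    for r in records:
        if r["direction"] == "forwarded" and "SPT" in r:
            lan_sports[(r.get("PROTO"), r["SPT"])].add(r["SRC"])
    hits = defaultdict(set)
    for r in records:
        if r["action"] == "BLOCK" and r["direction"] == "inbound":
            key = (r.get("PROTO"), r.get("DPT"))
            if key in lan_sports:
                hits[key] |= lan_sports[key]
    return dict(hits)


def print_report(records, top=5):
    s = summarize(records)
    print("packets by action/direction:")
    for (action, d), n in s["by_action_dir"].most_common():
        print(f"  {action:5} {d:10} {n}")
    print("top forwarded sources (other LAN hosts, not this box):")
    for src, n in s["talkers"].most_common(top):
        ports = ", ".join(f"{p}/{dpt}:{c}" for (p, dpt), c in s["dports"][src].most_common(top))
        print(f"  {src:15} {n:6}  -> {ports}")
    for (proto, port), hosts in blocked_replies_to_lan_ports(records).items():
        print(f"inbound BLOCK on {proto}/{port} matches an outbound source port of {sorted(hosts)}")


if __name__ == "__main__":
    # Usage: python3 ufw_summary.py /var/log/ufw.log   (reading it needs root or the adm group)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print_report(parse_log(text))
```

    Run it over the rotated file as well (`/var/log/ufw.log.1`), since that is where the quoted excerpt came from. When the top forwarded source is a LAN host rather than the router, the next step is `ss -tunp` on that host, not on the Ubuntu box; the Linux machine is only routing the packets.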

  2. #2
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    6,715
    Distro
    Xubuntu 19.04 Disco Dingo

    Re: ufw, how to trouble shoot virus related issue

    Have a look with tcpdump for a while to see what domain names are being queried, for starters:
    Code:
    sudo tcpdump
    and have a look at which process is making the outgoing connection attempts:
    Code:
    sudo ss -tp
    This may give you an idea what's happening.

  3. #3
    Join Date
    Aug 2010
    Beans
    28

    Re: ufw, how to trouble shoot virus related issue

    Thanks so much for helping; I hate being alone with these things. I guess that log was old, but, using your advice:

    tcpdump must be a continuous dump, so I grabbed part of it.
    Code:
    30865:12331585, ack 16150, win 497, options [nop,nop,TS val 942051000 ecr 1014679833], length 720
    20:38:34.548040 IP 173.194.142.76.https > x.x.x.x.63056: Flags [.], seq 12331585:12334281, ack 16150, win 497, options [nop,nop,TS val 942051000 ecr 1014679833], length 2696
    20:38:34.548988 IP 173.194.142.76.https > x.x.x.x.63056: Flags [.], seq 12334281:12336977, ack 16150, win 497, options [nop,nop,TS val 942051001 ecr 1014679833], length 2696
    20:38:34.549931 IP 173.194.142.76.https > x.x.x.x.63056: Flags [.], seq 12336977:12339673, ack 16150, win 497, options [nop,nop,TS val 942051002 ecr 1014679833], length 2696
    20:38:34.550914 IP 173.194.142.76.https > x.x.x.x.63056: Flags [.], seq 12339673:12342369, ack 16150, win 497, options [nop,nop,TS val 942051003 ecr 1014679833], length 2696
    20:38:34.551816 IP 173.194.142.76.https > x.x.x.x.63056: Flags [.], seq 12342369:12345065, ack 16150, win 497, options [nop,nop,TS val 942051004 ecr 1014679833], length 2696
    20:38:34.552757 IP 173.194.142.76.https > x.x.x.x.63056: Flags [.], seq 12345065:12347761, ack 16150, win 497, options [nop,nop,TS val 942051005 ecr 1014679833], length 2696
    20:38:34.553697 IP 173.194.142.76.https > x.x.x.x.63056: Flags [.], seq 12347761:12350457, ack 16150, win 497, options [nop,nop,TS val 942051006 ecr 1014679842], length 2696
    20:38:34.554640 IP 173.194.142.76.https > x.x.x.x.63056: Flags [.], seq 12350457:12353153, ack 16150, win 497, options [nop,nop,TS val 942051007 ecr 1014679842], length 2696
    20:38:34.555581 IP 173.194.142.76.https > x.x.x.x.63056: Flags [.], seq 12353153:12355849, ack 16150, win 497, options [nop,nop,TS val 942051008 ecr 1014679842], length 2696
    20:38:34.556267 STP 802.1d, Config, Flags [none], bridge-id 0fa0.4c:12:65:64:39:52.8001, length 43
    20:38:34.556519 IP 173.194.142.76.https > x.x.x.x.63056: Flags [.], seq 12355849:12358545, ack 16150, win 497, options [nop,nop,TS val 942051009 ecr 1014679853], length 2696
    20:38:34.556560 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12221049, win 4053, options [nop,nop,TS val 1014679861 ecr 942050948], length 0
    20:38:34.556572 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12223745, win 4011, options [nop,nop,TS val 1014679861 ecr 942050949], length 0
    20:38:34.556579 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12226441, win 3969, options [nop,nop,TS val 1014679861 ecr 942050950], length 0
    20:38:34.556585 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12229137, win 3927, options [nop,nop,TS val 1014679861 ecr 942050950], length 0
    20:38:34.556592 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12231833, win 3885, options [nop,nop,TS val 1014679861 ecr 942050951], length 0
    20:38:34.556602 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12234529, win 3843, options [nop,nop,TS val 1014679861 ecr 942050952], length 0
    20:38:34.557220 IP 173.194.142.76.https > x.x.x.x.63056: Flags [.], seq 12358545:12361241, ack 16150, win 497, options [nop,nop,TS val 942051010 ecr 1014679853], length 2696
    20:38:34.557916 IP 173.194.142.76.https > x.x.x.x.63056: Flags [.], seq 12361241:12363937, ack 16150, win 497, options [nop,nop,TS val 942051010 ecr 1014679853], length 2696
    20:38:34.557984 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12253401, win 4053, options [nop,nop,TS val 1014679866 ecr 942050957], length 0
    20:38:34.557998 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12256097, win 4011, options [nop,nop,TS val 1014679866 ecr 942050957], length 0
    20:38:34.558005 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12258793, win 3969, options [nop,nop,TS val 1014679867 ecr 942050958], length 0
    20:38:34.558012 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12261489, win 3927, options [nop,nop,TS val 1014679867 ecr 942050965], length 0
    20:38:34.558019 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12264185, win 3885, options [nop,nop,TS val 1014679867 ecr 942050965], length 0
    20:38:34.558613 IP 173.194.142.76.https > x.x.x.x.63056: Flags [.], seq 12363937:12366633, ack 16150, win 497, options [nop,nop,TS val 942051011 ecr 1014679853], length 2696
    20:38:34.559310 IP 173.194.142.76.https > x.x.x.x.63056: Flags [.], seq 12366633:12369329, ack 16150, win 497, options [nop,nop,TS val 942051012 ecr 1014679853], length 2696
    20:38:34.560008 IP 173.194.142.76.https > x.x.x.x.63056: Flags [.], seq 12369329:12372025, ack 16150, win 497, options [nop,nop,TS val 942051012 ecr 1014679853], length 2696
    20:38:34.560744 IP 173.194.142.76.https > x.x.x.x.63056: Flags [.], seq 12372025:12374721, ack 16150, win 497, options [nop,nop,TS val 942051013 ecr 1014679853], length 2696
    20:38:34.561438 IP 173.194.142.76.https > x.x.x.x.63056: Flags [.], seq 12374721:12377417, ack 16150, win 497, options [nop,nop,TS val 942051014 ecr 1014679853], length 2696
    20:38:34.562135 IP 173.194.142.76.https > x.x.x.x.63056: Flags [.], seq 12377417:12380113, ack 16150, win 497, options [nop,nop,TS val 942051015 ecr 1014679853], length 2696
    20:38:34.562832 IP 173.194.142.76.https > x.x.x.x.63056: Flags [.], seq 12380113:12382809, ack 16150, win 497, options [nop,nop,TS val 942051015 ecr 1014679853], length 2696
    20:38:34.563528 IP 173.194.142.76.https > x.x.x.x.63056: Flags [.], seq 12382809:12385505, ack 16150, win 497, options [nop,nop,TS val 942051016 ecr 1014679853], length 2696
    20:38:34.563803 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12266881, win 4053, options [nop,nop,TS val 1014679878 ecr 942050965], length 0
    20:38:34.564119 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12269577, win 4011, options [nop,nop,TS val 1014679878 ecr 942050966], length 0
    20:38:34.564140 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12272273, win 3969, options [nop,nop,TS val 1014679878 ecr 942050966], length 0
    20:38:34.564218 IP 173.194.142.76.https > x.x.x.x.63056: Flags [.], seq 12385505:12388201, ack 16150, win 497, options [nop,nop,TS val 942051017 ecr 1014679853], length 2696
    20:38:34.564921 IP 173.194.142.76.https > x.x.x.x.63056: Flags [.], seq 12388201:12390897, ack 16150, win 497, options [nop,nop,TS val 942051017 ecr 1014679854], length 2696
    20:38:34.565654 IP 173.194.142.76.https > x.x.x.x.63056: Flags [.], seq 12390897:12393593, ack 16150, win 497, options [nop,nop,TS val 942051018 ecr 1014679854], length 2696
    20:38:34.566355 IP 173.194.142.76.https > x.x.x.x.63056: Flags [.], seq 12393593:12396289, ack 16150, win 497, options [nop,nop,TS val 942051019 ecr 1014679854], length 2696
    20:38:34.567051 IP 173.194.142.76.https > x.x.x.x.63056: Flags [.], seq 12396289:12398985, ack 16150, win 497, options [nop,nop,TS val 942051019 ecr 1014679854], length 2696
    20:38:34.567137 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12274969, win 3927, options [nop,nop,TS val 1014679878 ecr 942050976], length 0
    20:38:34.567153 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12277665, win 3885, options [nop,nop,TS val 1014679878 ecr 942050976], length 0
    20:38:34.567160 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12280361, win 3843, options [nop,nop,TS val 1014679878 ecr 942050977], length 0
    20:38:34.567747 IP 173.194.142.76.https > x.x.x.x.63056: Flags [.], seq 12398985:12401681, ack 16150, win 497, options [nop,nop,TS val 942051020 ecr 1014679854], length 2696
    20:38:34.568444 IP 173.194.142.76.https > x.x.x.x.63056: Flags [.], seq 12401681:12404377, ack 16150, win 497, options [nop,nop,TS val 942051021 ecr 1014679854], length 2696
    20:38:34.569139 IP 173.194.142.76.https > x.x.x.x.63056: Flags [.], seq 12404377:12407073, ack 16150, win 497, options [nop,nop,TS val 942051022 ecr 1014679854], length 2696
    20:38:34.569876 IP 173.194.142.76.https > x.x.x.x.63056: Flags [.], seq 12407073:12409769, ack 16150, win 497, options [nop,nop,TS val 942051022 ecr 1014679854], length 2696
    20:38:34.570573 IP 173.194.142.76.https > x.x.x.x.63056: Flags [.], seq 12409769:12412465, ack 16150, win 497, options [nop,nop,TS val 942051023 ecr 1014679854], length 2696
    20:38:34.571269 IP 173.194.142.76.https > x.x.x.x.63056: Flags [.], seq 12412465:12415161, ack 16150, win 497, options [nop,nop,TS val 942051024 ecr 1014679854], length 2696
    20:38:34.572009 IP 173.194.142.76.https > x.x.x.x.63056: Flags [.], seq 12415161:12417857, ack 16150, win 497, options [nop,nop,TS val 942051024 ecr 1014679854], length 2696
    20:38:34.572704 IP 173.194.142.76.https > x.x.x.x.63056: Flags [.], seq 12417857:12420553, ack 16150, win 497, options [nop,nop,TS val 942051025 ecr 1014679854], length 2696
    20:38:34.573353 IP 173.194.142.76.https > x.x.x.x.63056: Flags [P.], seq 12420553:12421865, ack 16150, win 497, options [nop,nop,TS val 942051026 ecr 1014679854], length 1312
    20:38:34.573476 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12283057, win 4053, options [nop,nop,TS val 1014679889 ecr 942050978], length 0
    20:38:34.573487 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12285753, win 4011, options [nop,nop,TS val 1014679891 ecr 942050978], length 0
    20:38:34.573494 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12288449, win 3969, options [nop,nop,TS val 1014679891 ecr 942050979], length 0
    20:38:34.583742 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12291145, win 3927, options [nop,nop,TS val 1014679891 ecr 942050979], length 0
    20:38:34.583773 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12293841, win 3885, options [nop,nop,TS val 1014679891 ecr 942050979], length 0
    20:38:34.583780 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12296537, win 3843, options [nop,nop,TS val 1014679891 ecr 942050980], length 0
    20:38:34.583787 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12299233, win 3801, options [nop,nop,TS val 1014679891 ecr 942050981], length 0
    20:38:34.583794 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12301929, win 3759, options [nop,nop,TS val 1014679891 ecr 942050981], length 0
    20:38:34.583965 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12304625, win 3716, options [nop,nop,TS val 1014679891 ecr 942050982], length 0
    20:38:34.583977 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12307321, win 3674, options [nop,nop,TS val 1014679891 ecr 942050983], length 0
    20:38:34.583989 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12310017, win 3632, options [nop,nop,TS val 1014679891 ecr 942050983], length 0
    20:38:34.607577 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12312713, win 4053, options [nop,nop,TS val 1014679900 ecr 942050984], length 0
    20:38:34.607616 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12315409, win 4011, options [nop,nop,TS val 1014679901 ecr 942050984], length 0
    20:38:34.607630 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12318105, win 3969, options [nop,nop,TS val 1014679901 ecr 942050984], length 0
    20:38:34.607642 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12320801, win 3927, options [nop,nop,TS val 1014679901 ecr 942050985], length 0
    20:38:34.607654 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12322777, win 3896, options [nop,nop,TS val 1014679901 ecr 942050986], length 0
    20:38:34.614417 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12325473, win 4074, options [nop,nop,TS val 1014679906 ecr 942050998], length 0
    20:38:34.614454 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12328169, win 4032, options [nop,nop,TS val 1014679906 ecr 942050998], length 0
    20:38:34.614467 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12330865, win 3990, options [nop,nop,TS val 1014679906 ecr 942050999], length 0
    20:38:34.614479 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12332933, win 3958, options [nop,nop,TS val 1014679907 ecr 942051000], length 0
    20:38:34.614491 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12335629, win 3916, options [nop,nop,TS val 1014679908 ecr 942051000], length 0
    20:38:34.614503 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12338325, win 3874, options [nop,nop,TS val 1014679908 ecr 942051001], length 0
    20:38:34.614515 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12341021, win 3832, options [nop,nop,TS val 1014679909 ecr 942051002], length 0
    20:38:34.615657 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12367981, win 4053, options [nop,nop,TS val 1014679930 ecr 942051011], length 0
    20:38:34.615690 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12370677, win 4011, options [nop,nop,TS val 1014679930 ecr 942051012], length 0
    20:38:34.615703 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12373373, win 3969, options [nop,nop,TS val 1014679930 ecr 942051012], length 0
    20:38:34.615715 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12376069, win 3927, options [nop,nop,TS val 1014679930 ecr 942051013], length 0
    20:38:34.615727 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12378765, win 3885, options [nop,nop,TS val 1014679930 ecr 942051014], length 0
    20:38:34.615740 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12381461, win 3843, options [nop,nop,TS val 1014679930 ecr 942051015], length 0
    20:38:34.615752 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12384157, win 3801, options [nop,nop,TS val 1014679930 ecr 942051015], length 0
    20:38:34.616304 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12408421, win 4074, options [nop,nop,TS val 1014679934 ecr 942051022], length 0
    20:38:34.616314 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12411117, win 4032, options [nop,nop,TS val 1014679934 ecr 942051022], length 0
    20:38:34.616320 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12413813, win 3990, options [nop,nop,TS val 1014679934 ecr 942051023], length 0
    20:38:34.616327 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12416509, win 3948, options [nop,nop,TS val 1014679934 ecr 942051024], length 0
    20:38:34.616333 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12419205, win 3906, options [nop,nop,TS val 1014679934 ecr 942051024], length 0
    20:38:34.617392 IP x.x.x.x.63056 > 173.194.142.76.https: Flags [.], ack 12421865, win 3864, options [nop,nop,TS val 1014679934 ecr 942051025], length 0
    20:38:34.651218 4c:12:65:64:39:52 (oui Unknown) > Broadcast, ethertype Unknown (0x7373), length 121:
            0x0000:  1211 0000 0043 891d 833f fb6f 19e4 7782  .....C...?.o..w.
            0x0010:  704e e3eb 85a3 56c9 2ca6 61c7 dcc7 cd89  pN....V.,.a.....
            0x0020:  2202 3a8d af3d 0000 0201 8003 064c 1265  ".:..=.......L.e
            0x0030:  6439 5204 0104 0701 011b 0100 0806 4c12  d9R...........L.
            0x0040:  6564 3952 0901 020e 1800 0000 0000 0000  ed9R............
            0x0050:  0000 0000 0000 0000 0000 0000 0000 0000  ................
            0x0060:  0019 0854 929f c373 195e ab              ...T...s.^.
    20:38:34.651276 4c:12:65:64:39:52 (oui Unknown) > Broadcast, ethertype Unknown (0x7373), length 121:
            0x0000:  1211 0000 0043 891d 833f fb6f 19e4 7782  .....C...?.o..w.
            0x0010:  704e e3eb 85a3 56c9 2ca6 61c7 dcc7 cd89  pN....V.,.a.....
            0x0020:  2202 3a8d af3d 0000 0201 8003 064c 1265  ".:..=.......L.e
            0x0030:  6439 5204 0104 0701 011b 0100 0806 4c12  d9R...........L.
            0x0040:  6564 3952 0901 020e 1800 0000 0000 0000  ed9R............
            0x0050:  0000 0000 0000 0000 0000 0000 0000 0000  ................
            0x0060:  0019 0854 929f c373 195e ab              ...T...s.^.
    20:38:34.684600 IP x.x.x.x.49954 > yv-in-f155.1e100.net.https: Flags [F.], seq 1, ack 1, win 1032, options [nop,nop,TS val 1014680000 ecr 3645099245], length 0
    20:38:34.694681 IP x.x.x.x.49576 > 108.177.122.157.https: Flags [F.], seq 1, ack 1, win 1032, options [nop,nop,TS val 1014680013 ecr 1671740901], length 0
    20:38:34.699680 IP yv-in-f155.1e100.net.https > x.x.x.x.49954: Flags [.], ack 2, win 304, options [nop,nop,TS val 3645106508 ecr 1014680000], length 0
    20:38:34.704666 IP x.x.x.x.31644 > 108.177.122.157.https: Flags [F.], seq 1, ack 1, win 1032, options [nop,nop,TS val 1014680021 ecr 3556429725], length 0
    20:38:34.711050 IP x.x.x.x.51535 > ec2-52-200-150-61.compute-1.amazonaws.com.https: Flags [.], ack 433, win 16317, length 0
    20:38:34.711811 IP 108.177.122.157.https > x.x.x.x.49576: Flags [.], ack 2, win 245, options [nop,nop,TS val 1671747427 ecr 1014680013], length 0
    20:38:34.719061 IP 108.177.122.157.https > x.x.x.x.31644: Flags [.], ack 2, win 245, options [nop,nop,TS val 3556436180 ecr 1014680021], length 0
    20:38:34.736164 IP x.x.x.x.57528 > yb-in-f105.1e100.net.https: Flags [F.], seq 1, ack 1, win 1032, options [nop,nop,TS val 1014680028 ecr 2647698668], length 0
    20:38:34.736203 IP x.x.x.x.15893 > 108.177.122.136.https: Flags [F.], seq 1, ack 1, win 1032, options [nop,nop,TS val 1014680044 ecr 1535360260], length 0
    20:38:34.736409 IP x.x.x.x.58019 > 108.177.122.136.https: Flags [F.], seq 1, ack 1, win 1032, options [nop,nop,TS val 1014680054 ecr 378182236], length 0
    20:38:34.744797 IP x.x.x.x.34397 > 108.177.122.190.https: Flags [F.], seq 1, ack 1, win 1032, options [nop,nop,TS val 1014680060 ecr 3827925279], length 0
    20:38:34.750503 IP yb-in-f105.1e100.net.https > x.x.x.x.57528: Flags [.], ack 2, win 253, options [nop,nop,TS val 2647705050 ecr 1014680028], length 0
    20:38:34.750561 IP 108.177.122.136.https > x.x.x.x.15893: Flags [.], ack 2, win 581, options [nop,nop,TS val 1535367397 ecr 1014680044], length 0
    20:38:34.753509 IP 108.177.122.136.https > x.x.x.x.58019: Flags [.], ack 2, win 272, options [nop,nop,TS val 378188983 ecr 1014680054], length 0
    20:38:34.762413 IP 108.177.122.190.https > x.x.x.x.34397: Flags [.], ack 2, win 1006, options [nop,nop,TS val 3827932013 ecr 1014680060], length 0
    ^C^Z
    ss gave me a list here of
    Code:
    sudo: unable to resolve host ubuntuspawn: Connection timed out
    State Recv-Q  Send-Q    Local Address:Port           Peer Address:Port          
    ESTAB 0       0          192.168.0.19:microsoft-ds   192.168.0.25:51253          users:(("smbd",pid=1986,fd=9))
    ESTAB 0       0          192.168.0.19:ssh            192.168.0.25:51629          users:(("sshd",pid=2551,fd=3))
    ESTAB 0       0          192.168.0.19:55512          192.168.0.27:microsoft-ds  
    ESTAB 0       0          192.168.0.19:55510          192.168.0.27:microsoft-ds
    555xx is a bit strange, nothing on it from Google.

    Last edited by ulao3; February 10th, 2019 at 10:40 PM.

  4. #4
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    6,715
    Distro
    Xubuntu 19.04 Disco Dingo

    Re: ufw, how to trouble shoot virus related issue

    8192 is just the protocol window - how much buffer space the connection has - ignore it.

    That tcpdump is getting too much noise. Let's just print DNS packets for now, just to see what names it's looking up:
    Code:
    sudo tcpdump port 53
    You can use Ctrl-C to stop it when you have seen enough.

    I don't understand the unable to resolve ubuntuspawn error.
    And I just noticed you have two interfaces on the go. Please can you post the output of
    Code:
    ip addr
    ip route
    ip nei
    so we can figure out what is what. Also, are you deliberately forwarding traffic between the two interfaces?
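An added example, not from the thread, that does the bookkeeping the `tcpdump port 53` suggestion above asks for by hand: it pairs each query with its response by (client endpoint, transaction id) and lists the names that never resolved, or were asked for with a record type a browser does not normally use. The sample capture is constructed from the port-53 lines that appear later in post #5, with one unanswered query added. Two caveats a practitioner wants here: run tcpdump with `-n`, otherwise its own reverse lookups (the `in-addr.arpa` PTR queries) land in the capture; and capture on the LAN-side interface rather than the outside one, because after NAT every query on the outside carries the gateway's address and you cannot tell which inside host asked.

```python
import re
from collections import defaultdict

# Query line as tcpdump prints it without -v, e.g.
#   21:30:32.662732 IP x.x.x.x.50493 > google-public-dns-a.google.com.domain: 44036+ TXT? bigroseelephant.club. (38)
QUERY_RE = re.compile(
    r'^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<id>\d+)\+?'
    r'(?: \[[^\]]+\])? (?P<qtype>[A-Z0-9]+)\? (?P<name>\S+) \(\d+\)$')

# Response line, e.g.
#   21:30:32.681795 IP google-public-dns-a.google.com.domain > x.x.x.x.50493: 44036 NXDomain 0/1/0 (108)
#   21:30:34.602147 IP ... > x.x.x.x.52132: 35624 3/0/0 CNAME foo.example., A 34.193.194.146, A 34.192.127.15 (120)
RESP_RE = re.compile(
    r'^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<id>\d+)[*$-]*'
    r'(?: (?P<rcode>[A-Za-z]+))? (?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)(?P<rrs>.*)\(\d+\)$')

# Constructed sample: port-53 lines modelled on post #5, plus one query that never gets an answer.
SAMPLE = """\
21:30:32.662732 IP x.x.x.x.50493 > google-public-dns-a.google.com.domain: 44036+ TXT? bigroseelephant.club. (38)
21:30:32.664326 IP x.x.x.x.46708 > google-public-dns-a.google.com.domain: 28594+ PTR? 8.8.8.8.in-addr.arpa. (38)
21:30:32.681795 IP google-public-dns-a.google.com.domain > x.x.x.x.50493: 44036 NXDomain 0/1/0 (108)
21:30:32.685753 IP google-public-dns-a.google.com.domain > x.x.x.x.46708: 28594 1/0/0 PTR google-public-dns-a.google.com. (82)
21:30:32.686161 IP x.x.x.x.35326 > google-public-dns-a.google.com.domain: 62957+ PTR? 101.76.77.99.in-addr.arpa. (43)
21:30:32.803373 IP google-public-dns-a.google.com.domain > x.x.x.x.35326: 62957 ServFail 0/0/0 (43)
21:30:34.587603 IP x.x.x.x.52132 > google-public-dns-a.google.com.domain: 35624+ A? nexus-long-poller-b.intercom.io. (49)
21:30:34.602147 IP google-public-dns-a.google.com.domain > x.x.x.x.52132: 35624 3/0/0 CNAME nexus-long-poller-b-344586390.us-east-1.elb.amazonaws.com., A 34.193.194.146, A 34.192.127.15 (120)
21:30:35.782576 IP x.x.x.x.61178 > google-public-dns-a.google.com.domain: 9575+ AAAA? star-mini.c10r.facebook.com. (45)
21:30:35.801468 IP google-public-dns-a.google.com.domain > x.x.x.x.61178: 9575 1/0/0 AAAA 2a03:2880:f134:183:face:b00c:0:25de (73)
21:30:36.104422 IP x.x.x.x.40011 > google-public-dns-a.google.com.domain: 1201+ A? updates.example.invalid. (41)
"""


def parse_rrs(text):
    """Split 'CNAME a.example., A 1.2.3.4' into [('CNAME', 'a.example'), ('A', '1.2.3.4')]."""
    out = []
    for item in text.strip().split(', '):
        rr = item.split(' ', 1)
        if len(rr) == 2:
            out.append((rr[0], rr[1].rstrip('.')))
    return out


def summarize(lines):
    """Pair each query with its response by (client endpoint, transaction id).

    Returns {name: {'qtype', 'queries', 'rcode', 'answers'}}; rcode stays None when the
    capture holds no response for that name.
    """
    pending = {}
    names = defaultdict(lambda: {'qtype': None, 'queries': 0, 'rcode': None, 'answers': []})
    for line in lines:
        m = QUERY_RE.match(line)
        if m:
            name = m['name'].rstrip('.')
            names[name]['qtype'] = m['qtype']
            names[name]['queries'] += 1
            pending[(m['src'], m['id'])] = name
            continue
        m = RESP_RE.match(line)
        if m:
            name = pending.pop((m['dst'], m['id']), None)
            if name is None:
                continue  # answer to a query that was not in the capture
            names[name]['rcode'] = m['rcode'] or 'NoError'
            names[name]['answers'].extend(
                v for t, v in parse_rrs(m['rrs']) if t in ('A', 'AAAA'))
    return dict(names)


def flag(summary, ignore_ptr=True):
    """Names worth a second look: never resolved, or asked for as TXT (not what a browser does).

    PTR lookups are skipped by default: tcpdump itself generates them when run without -n,
    so they say nothing about the LAN hosts.
    """
    flagged = []
    for name, rec in sorted(summary.items()):
        if ignore_ptr and rec['qtype'] == 'PTR':
            continue
        if rec['rcode'] != 'NoError' or rec['qtype'] == 'TXT':
            flagged.append((name, rec['qtype'], rec['rcode'] or 'no-response'))
    return flagged


if __name__ == '__main__':
    import sys
    # Feed it a saved capture: sudo tcpdump -n -l port 53 > dns.txt; python3 this.py dns.txt
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE.splitlines()
    for name, qtype, rcode in flag(summarize(lines)):
        print(f'{rcode:<12} {qtype:<5} {name}')
```

A TXT lookup for a name that does not exist is not proof of anything on its own, but it is the kind of entry that does not come from someone browsing, so it is where to start looking on the LAN side.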

  5. #5
    Join Date
    Aug 2010
    Beans
    28

    Re: ufw, how to trouble shoot virus related issue

    Ran it for a few seconds, still noisy.
    Code:
    sudo: unable to resolve host ubuntuspawn: Connection timed out
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on enp2s0, link-type EN10MB (Ethernet), capture size 262144 bytes
    21:30:32.662732 IP x.x.x.x.50493 > google-public-dns-a.google.com.domain: 44036+ TXT? bigroseelephant.club. (38)
    21:30:32.664326 IP x.x.x.x.46708 > google-public-dns-a.google.com.domain: 28594+ PTR? 8.8.8.8.in-addr.arpa. (38)
    21:30:32.681795 IP google-public-dns-a.google.com.domain > x.x.x.x.50493: 44036 NXDomain 0/1/0 (108)
    21:30:32.685753 IP google-public-dns-a.google.com.domain > x.x.x.x.46708: 28594 1/0/0 PTR google-public-dns-a.google.com. (82)
    21:30:32.686161 IP x.x.x.x.35326 > google-public-dns-a.google.com.domain: 62957+ PTR? 101.76.77.99.in-addr.arpa. (43)
    21:30:32.803373 IP google-public-dns-a.google.com.domain > x.x.x.x.35326: 62957 ServFail 0/0/0 (43)
    21:30:32.803597 IP x.x.x.x.44144 > google-public-dns-b.google.com.domain: 62957+ PTR? 101.76.77.99.in-addr.arpa. (43)
    21:30:33.149520 IP x.x.x.x.37206 > google-public-dns-a.google.com.domain: 34538+ PTR? 4.4.8.8.in-addr.arpa. (38)
    21:30:33.168952 IP google-public-dns-a.google.com.domain > x.x.x.x.37206: 34538 1/0/0 PTR google-public-dns-b.google.com. (82)
    21:30:34.587603 IP x.x.x.x.52132 > google-public-dns-a.google.com.domain: 35624+ A? nexus-long-poller-b.intercom.io. (49)
    21:30:34.602147 IP google-public-dns-a.google.com.domain > x.x.x.x.52132: 35624 9/0/0 CNAME nexus-long-poller-b-344586390.us-east-1.elb.amazonaws.com., A 34.193.194.146, A 34.192.127.15, A 34.196.191.86, A 34.193.71.28, A 18.235.108.156, A 3.94.41.121, A 34.192.212.175, A 52.22.204.216 (248)
    21:30:34.619298 IP x.x.x.x.35039 > google-public-dns-a.google.com.domain: 53773+ A? aqua.hac.lp1.d4c.nintendo.net. (47)
    21:30:34.642739 IP google-public-dns-a.google.com.domain > x.x.x.x.35039: 53773 3/0/0 CNAME aqua.hac.lp1.d4c.nintendo.net.edgekey.net., CNAME e4835.g.akamaiedge.net., A 96.16.138.215 (148)
    21:30:35.463119 IP x.x.x.x.46750 > google-public-dns-a.google.com.domain: 55332+ A? identity.mparticle.com. (40)
    21:30:35.480685 IP x.x.x.x.51106 > google-public-dns-a.google.com.domain: 57599+ A? www.facebook.com. (34)
    21:30:35.482003 IP google-public-dns-a.google.com.domain > x.x.x.x.46750: 55332 5/0/0 CNAME mparticle.map.fastly.net., A 151.101.2.133, A 151.101.66.133, A 151.101.130.133, A 151.101.194.133 (142)
    21:30:35.496529 IP google-public-dns-a.google.com.domain > x.x.x.x.51106: 57599 2/0/0 CNAME star-mini.c10r.facebook.com., A 31.13.65.36 (79)
    21:30:35.758254 IP x.x.x.x.57272 > google-public-dns-a.google.com.domain: 64903+ A? star-mini.c10r.facebook.com. (45)
    21:30:35.779072 IP google-public-dns-a.google.com.domain > x.x.x.x.57272: 64903 1/0/0 A 31.13.93.35 (61)
    21:30:35.782576 IP x.x.x.x.61178 > google-public-dns-a.google.com.domain: 9575+ AAAA? star-mini.c10r.facebook.com. (45)
    21:30:35.801468 IP google-public-dns-a.google.com.domain > x.x.x.x.61178: 9575 1/0/0 AAAA 2a03:2880:f134:183:face:b00c:0:25de (73)
    That host issue is my intranet, I'm pretty sure. Something I messed up. I probably tried to assign it to the wrong NIC.

    So my Linux box is my home server, everyone is behind 192.168.0.19 (NIC enp3s5) and my outward-facing NIC is enp2s0. I use ufw to intercept and to do NAT masquerading.

    ip addr
    Code:
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 00:26:18:92:60:c7 brd ff:ff:ff:ff:ff:ff
        inet x.x.x.x/22 brd x.x.x.x  scope global enp2s0
           valid_lft forever preferred_lft forever
        inet6 2600:1700:1950:6140:226:18ff:fe92:60c7/64 scope global dynamic mngtmpaddr
           valid_lft 3588sec preferred_lft 3588sec
        inet6 fe80::226:18ff:fe92:60c7/64 scope link
           valid_lft forever preferred_lft forever
    3: enp3s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 00:07:e9:0f:e6:30 brd ff:ff:ff:ff:ff:ff
        inet 192.168.0.19/24 brd 192.168.0.255 scope global enp3s5
           valid_lft forever preferred_lft forever
        inet6 fe80::207:e9ff:fe0f:e630/64 scope link
           valid_lft forever preferred_lft forever
    ip route
    Code:
    default via 99.77.76.1 dev enp2s0
    99.77.76.0/22 dev enp2s0 proto kernel scope link src x.x.x.x
    192.168.0.0/24 dev enp3s5 proto kernel scope link src 192.168.0.19
    ip nei
    Code:
    192.168.0.103 dev enp3s5 lladdr 00:04:4b:5d:e6:79 REACHABLE
    192.168.0.104 dev enp3s5 lladdr 54:c9:df:27:6f:ad REACHABLE
    192.168.0.105 dev enp3s5  FAILED
    192.168.0.107 dev enp3s5 lladdr cc:95:d7:d9:2a:ed REACHABLE
    192.168.0.110 dev enp3s5 lladdr f4:81:39:ad:50:86 STALE
    192.168.0.10 dev enp3s5 lladdr 44:d9:e7:f9:ea:6e REACHABLE
    192.168.0.111 dev enp3s5 lladdr a4:38:cc:ef:9c:8e DELAY
    192.168.0.12 dev enp3s5 lladdr 80:19:34:cf:43:ce REACHABLE
    192.168.0.119 dev enp3s5 lladdr 00:1c:bf:65:a5:95 REACHABLE
    192.168.0.21 dev enp3s5 lladdr d0:50:99:34:fd:06 REACHABLE
    192.168.1.254 dev enp2s0 lladdr 4c:12:65:64:39:50 STALE
    192.168.0.124 dev enp3s5 lladdr 48:2c:a0:6b:41:6d REACHABLE
    99.77.76.1 dev enp2s0 lladdr 4c:12:65:64:39:50 REACHABLE
    192.168.0.25 dev enp3s5 lladdr 00:07:e9:0f:e5:de REACHABLE
    192.168.0.27 dev enp3s5 lladdr d0:50:99:60:b7:15 REACHABLE
    192.168.0.31 dev enp3s5 lladdr 54:be:f7:39:a0:91 REACHABLE
    192.168.0.101 dev enp3s5 lladdr 64:bc:0c:50:ff:9d STALE
    192.168.0.102 dev enp3s5 lladdr ac:22:0b:46:16:ca STALE
    fe80::4e12:65ff:fe64:3950 dev enp2s0 lladdr 4c:12:65:64:39:50 router STALE
    Last edited by ulao3; February 11th, 2019 at 01:28 AM.
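The NAT detail in the post above is why the outside-interface captures in this thread cannot name the culprit: after masquerading, every packet on enp2s0 carries the gateway's own address. The forwarded-traffic lines ufw writes (IN=enp3s5 OUT=enp2s0, logged for allowed traffic at `ufw logging medium` and above, or for rules given the `log` keyword) still carry the original SRC=, so an oversized /var/log/ufw.log can be boiled down to "which inside host opens the most outbound connections, and to where". An added example, not from the thread, that does that. The log lines are constructed in the format ufw writes, reusing interface and neighbour MACs from the ip nei output above; the BLOCK line is made up to show that inbound noise on the WAN side is skipped. Counting bare SYNs for TCP and every datagram for UDP is a rough proxy, and a chatty DNS client ranks high on UDP alone, so read the per-port breakdown and not just the total.

```python
import re
from collections import Counter

ACTION_RE = re.compile(r'\[UFW (?P<action>[A-Z ]+?)\] (?P<rest>.*)$')
TCP_FLAGS = {'SYN', 'ACK', 'FIN', 'RST', 'PSH', 'URG'}

# Constructed sample in the format ufw writes to /var/log/ufw.log (the BLOCK line uses
# documentation addresses and is made up).
_P = 'Feb  3 00:10:37 ubuntuspawn kernel: [276434.037456] '
SAMPLE_LINES = [
    _P + '[UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:a4:38:cc:ef:9c:8e:08:00 SRC=192.168.0.111 DST=8.8.8.8 LEN=77 TOS=0x00 PREC=0x00 TTL=63 ID=24474 PROTO=UDP SPT=60323 DPT=53 LEN=57',
    _P + '[UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:a4:38:cc:ef:9c:8e:08:00 SRC=192.168.0.111 DST=8.8.8.8 LEN=78 TOS=0x00 PREC=0x00 TTL=63 ID=24475 PROTO=UDP SPT=5746 DPT=53 LEN=58',
    _P + '[UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:a4:38:cc:ef:9c:8e:08:00 SRC=192.168.0.111 DST=96.16.138.215 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=24477 DF PROTO=TCP SPT=19426 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0',
    _P + '[UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:a4:38:cc:ef:9c:8e:08:00 SRC=192.168.0.111 DST=96.16.138.215 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=24479 DF PROTO=TCP SPT=19426 DPT=443 WINDOW=4096 RES=0x00 ACK URGP=0',
    _P + '[UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:a4:38:cc:ef:9c:8e:08:00 SRC=192.168.0.111 DST=52.204.133.249 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=24478 DF PROTO=TCP SPT=38617 DPT=443 WINDOW=32768 RES=0x00 SYN URGP=0',
    _P + '[UFW ALLOW] IN=enp3s5 OUT=enp2s0 MAC=00:07:e9:0f:e6:30:d0:50:99:60:b7:15:08:00 SRC=192.168.0.27 DST=151.101.2.133 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=31002 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0',
    _P + '[UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:4c:12:65:64:39:50:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=54321 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0',
]


def parse_ufw_line(line):
    """Turn one kernel/UFW log line into a dict of its KEY=value fields plus ACTION and FLAGS."""
    m = ACTION_RE.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m['rest'].split():
        if '=' in tok:
            k, v = tok.split('=', 1)
            fields.setdefault(k, v)  # UDP lines carry LEN twice; keep the outer IP length
        elif tok in TCP_FLAGS:
            flags.add(tok)
    fields['ACTION'] = m['action']
    fields['FLAGS'] = flags
    return fields


def is_new_connection(f):
    """TCP: a bare SYN opens a connection. UDP: every datagram counts (over-counts DNS clients)."""
    if f.get('PROTO') == 'TCP':
        return 'SYN' in f['FLAGS'] and 'ACK' not in f['FLAGS']
    return f.get('PROTO') == 'UDP'


def rank_sources(lines, lan_if='enp3s5'):
    """Rank LAN hosts by outbound connections forwarded through the box.

    Only lines with IN=<lan_if> and a non-empty OUT= are forwarded traffic; inbound hits
    on the WAN interface (IN=enp2s0 OUT=) are a different question and are skipped.
    """
    stats = {}
    for line in lines:
        f = parse_ufw_line(line)
        if not f or f.get('IN') != lan_if or not f.get('OUT'):
            continue
        if not is_new_connection(f):
            continue
        s = stats.setdefault(f['SRC'], {'new_conns': 0, 'dsts': set(), 'ports': Counter()})
        s['new_conns'] += 1
        s['dsts'].add(f['DST'])
        s['ports'][(f['PROTO'], f.get('DPT', '-'))] += 1
    ranked = sorted(stats.items(), key=lambda kv: kv[1]['new_conns'], reverse=True)
    return [(src, {'new_conns': s['new_conns'], 'distinct_dst': len(s['dsts']),
                   'top_ports': s['ports'].most_common(3)}) for src, s in ranked]


if __name__ == '__main__':
    import sys
    # python3 this.py /var/log/ufw.log   (or no argument for the built-in sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors='replace') as fh:
            ranked = rank_sources(fh)
    else:
        ranked = rank_sources(SAMPLE_LINES)
    for host, s in ranked:
        print(f"{host:<16} new={s['new_conns']:<6} dsts={s['distinct_dst']:<5} {s['top_ports']}")
```

Once one host stands out, the follow-up is the same capture as before but on the inside interface, filtered to that host (`sudo tcpdump -n -i enp3s5 host 192.168.0.111 and port 53`), so the names it asks for can be read without NAT in the way.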

  6. #6
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    6,715
    Distro
    Xubuntu 19.04 Disco Dingo

    Re: ufw, how to trouble shoot virus related issue

    Well, I can't see anything obviously bad there. I see lots of browsing going on, but that's what you're using it for.
    What is it that worries you? Is it just the occasional dropped incoming packet?

  7. #7
    Join Date
    Aug 2010
    Beans
    28

    Re: ufw, how to trouble shoot virus related issue

    Well, to make a long story short.

    If I go to usps.com I get this:
    Access Denied

    You don't have permission to access "http://www.usps.com/" on this server. Reference #18.9d76d317.1549836871.37a04296

    If I change my IP it works for a few days and back to that message again. It also happens to:
    https://www.homedepot.com/
    https://www.carnival.com/
    and many more sites.

    I think mostly cert sites. The real kick in the pants is that sometimes some computers can see these sites where others cannot. Yet getting a new IP invariably fixes it.

    Is there some way to trace the path to a url? I can ping the mentioned domains and get an ip.

    Pinging carnival.com [184.84.243.99] with 32 bytes of data:
    Reply from 184.84.243.99: bytes=32 time=61ms TTL=47
    Reply from 184.84.243.99: bytes=32 time=61ms TTL=47
    Reply from 184.84.243.99: bytes=32 time=60ms TTL=47
    Reply from 184.84.243.99: bytes=32 time=59ms TTL=47

    but using that ip I get the same message.


    This has been going on for over 2 years now and I'm now with AT&T, but their dynamic IP is not dynamic, you get the same IP per account. Yeah, don't ask, they call it fixed dynamic. Again, don't ask. I was able to get them to give me a static IP and that changed the IP, and this issue came back in two days' time. I closed the account and reopened a new one to get my dynamic back (the only way to change a fixed dynamic, btw) and again, after two days' time, back to this. So it is clearly the IP that they are blocking, but why?

    FWIW, I google about this daily, and today when I did it again I got this for the first time:
    "The issue occurs when Firefox uses different proxy settings or VPN instead of what is set on your Windows computer. Whenever a website figures that there is something wrong with your network or browser cookies, etc, it blocks you."
    Though it is not just one browser nor one computer nor one OS, so I don't think that is correct.

    Also to mention, I have tried tracerouting it.

    1 <1 ms <1 ms <1 ms UBUNTUSPAWN [192.168.0.19]
    2 <1 ms <1 ms <1 ms 192.168.1.254
    3 10 ms 9 ms 9 ms 104-190-188-1.lightspeed.dybhfl.sbcglobal.net [104.190.188.1]
    4 3 ms 2 ms 2 ms 99.168.25.204
    5 5 ms 5 ms 5 ms 99.134.205.118
    6 4 ms 7 ms 7 ms 12.83.114.9
    7 40 ms 40 ms 40 ms gar26.cgcil.ip.att.net [12.122.99.93]
    8 53 ms 53 ms 53 ms 12.119.137.186
    9 50 ms 50 ms 50 ms 56.105.137.77
    10 * * * Request timed out.
    11 * * * Request timed out.
    12 * * * Request timed out.
    13 *

    but I never did get much out of that.
    Last edited by ulao3; February 10th, 2019 at 11:46 PM.

  8. #8
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    6,715
    Distro
    Xubuntu 19.04 Disco Dingo

    Re: ufw, how to trouble shoot virus related issue

    I take it your hostname is ubuntuspawn?

    Note that carnival.com and www.carnival.com have different IP addresses. Same for homedepot and usps.

    It seems odd that you work for a few days. It makes me think that perhaps one of your users may be doing something that gets you blacklisted after a while. But I can't imagine that a lot of sites would give you the same permission denied message. Perhaps you could try something like this on a blocked site to see what more information you can glean:
    Code:
    curl -v http://www.homedepot.com

  9. #9
    Join Date
    Aug 2010
    Beans
    28

    Re: ufw, how to trouble shoot virus related issue

    Yeah, it does seem like a computer doing it. Today I noticed the page came up but within less than a second goes to this access denied thing.

    It's almost like:

    page loads,
    detects an issue,
    refreshes with error.

    But does it on all computers and all OSes? Spam-like but not possible.

    This was the result of the suggested command:

    Code:
    forum won't let me post the data
    whatever, posting image.
    Attached Images
    Last edited by ulao3; February 11th, 2019 at 09:57 PM.

  10. #10
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    6,715
    Distro
    Xubuntu 19.04 Disco Dingo

    Re: ufw, how to trouble shoot virus related issue

    That's a redirect passing you on to a different URL.
    You need to add a -L to curl to get it to follow redirects.
    That seems to drop into a redirect loop (it does for me).
    It gives up after 50 tries.
    And then I got
    Forbidden

    You don't have permission to access /newreply.php on this server.
    Apache/2.4.7 (Ubuntu) Server at ubuntuforums.org Port 443
    for a few minutes.
    So I guess that usps.com has a misconfigured server, and then you get automatically banned for doing too many requests in too short a time, perhaps.
    Last edited by The Cog; February 11th, 2019 at 10:47 PM.
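The curl suggestion in posts #8 and #10, with the bookkeeping made explicit. Added example, not from the thread: it walks the redirect chain one hop at a time (urllib with redirects disabled, so every hop's status is visible where `curl -L` shows only the last), stops at the first repeated URL instead of grinding through curl's 50-redirect default, and on a 403 pulls the `Reference #` token out of the body. That token is the thing to quote when asking the site why the address was refused: the Access Denied text in post #7 is the denial page format Akamai's edge servers return, and when several unrelated sites go dark for one source address at the same time, a shared CDN that has flagged that address fits the symptoms better than independent per-site bans. The scripted fetchers are constructed for the offline demo and modelled on the post #7 text; `urllib_fetch` does a live request when a URL is passed on the command line.

```python
import re
import urllib.error
import urllib.parse
import urllib.request

REFERENCE_RE = re.compile(r'Reference #([0-9a-f.]+)', re.I)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses as HTTPError instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def urllib_fetch(url, timeout=10):
    """Fetch one URL without following redirects. Returns (status, {lowercase header: value}, body)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={'User-Agent': 'curl/7.64.0'})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, \
                resp.read(4096).decode('utf-8', 'replace')
    except urllib.error.HTTPError as e:
        # 3xx (because of NoRedirect), 403, 5xx all arrive here with headers and body intact
        return e.code, {k.lower(): v for k, v in e.headers.items()}, \
            e.read(4096).decode('utf-8', 'replace')


def follow_redirects(url, fetch, max_hops=10):
    """Walk the redirect chain by hand.

    fetch(url) -> (status, headers with lowercase keys, body). Returns the hop list, a
    verdict ('ok', 'denied', 'loop', 'too_many', 'error'), the last URL fetched and,
    for a denial, the Reference # token if the body carries one.
    """
    hops, visited = [], set()
    result = {'hops': hops, 'verdict': None, 'reference': None, 'final_url': url}
    while True:
        if url in visited:
            result['verdict'] = 'loop'       # what curl -L sees as "maximum redirects followed"
            return result
        if len(hops) >= max_hops:
            result['verdict'] = 'too_many'
            return result
        visited.add(url)
        status, headers, body = fetch(url)
        hops.append((url, status))
        result['final_url'] = url
        if 300 <= status < 400 and headers.get('location'):
            url = urllib.parse.urljoin(url, headers['location'])  # Location may be relative
            continue
        if status == 403:
            result['verdict'] = 'denied'
            m = REFERENCE_RE.search(body)
            if m:
                result['reference'] = m.group(1)
        elif 200 <= status < 300:
            result['verdict'] = 'ok'
        else:
            result['verdict'] = 'error'
        return result


def scripted_fetch(responses):
    """Build a fetch() that answers from a fixed table; used only for the offline demo."""
    return lambda url: responses[url]


# Constructed responses, modelled on the denial text quoted in post #7.
DENIAL_BODY = ('Access Denied\nYou don\'t have permission to access "http://www.usps.com/" '
               'on this server. Reference #18.9d76d317.1549836871.37a04296')
DEMO_DENIED = scripted_fetch({
    'http://www.usps.com/': (301, {'location': 'https://www.usps.com/'}, ''),
    'https://www.usps.com/': (403, {}, DENIAL_BODY),
})
DEMO_LOOP = scripted_fetch({
    'https://example.test/a': (302, {'location': '/b'}, ''),
    'https://example.test/b': (302, {'location': 'https://example.test/a'}, ''),
})


if __name__ == '__main__':
    import sys
    if len(sys.argv) > 1:
        print(follow_redirects(sys.argv[1], urllib_fetch))  # live, the equivalent of curl -v -L
    else:
        print(follow_redirects('http://www.usps.com/', DEMO_DENIED))
        print(follow_redirects('https://example.test/a', DEMO_LOOP))
```

Run it from a host on the LAN and again from the gateway itself: if both get the same verdict and the same kind of token, the block is on the shared public address, which is what the "new IP fixes it for two days" pattern already suggests.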
