every 10 min in log, how to find it?
[Tue Apr 2 13:42:09 2024] IN= OUT=enp3s0 SRC=192.168.1.27 DST=111.230.189.174 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=26670 PROTO=UDP SPT=48415 DPT=123 LEN=56
[Tue Apr 2 13:42:09 2024] IN= OUT=enp3s0 SRC=192.168.1.27 DST=193.182.111.12 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=41013 PROTO=UDP SPT=58538 DPT=123 LEN=56
[Tue Apr 2 13:42:09 2024] IN= OUT=enp3s0 SRC=192.168.1.27 DST=52.231.114.183 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=11720 PROTO=UDP SPT=36595 DPT=123 LEN=56
[Tue Apr 2 13:42:09 2024] IN= OUT=enp3s0 SRC=192.168.1.27 DST=108.61.73.243 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=48497 PROTO=UDP SPT=52458 DPT=123 LEN=56
[Tue Apr 2 13:42:09 2024] IN= OUT=enp3s0 SRC=192.168.1.27 DST=108.61.73.244 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=48061 PROTO=UDP SPT=36891 DPT=123 LEN=56
[Tue Apr 2 13:42:09 2024] IN= OUT=enp3s0 SRC=192.168.1.27 DST=129.250.35.250 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=4202 PROTO=UDP SPT=35338 DPT=123 LEN=56
[Tue Apr 2 13:42:09 2024] IN= OUT=enp3s0 SRC=192.168.1.27 DST=65.100.46.166 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=42748 PROTO=UDP SPT=39821 DPT=123 LEN=56
[Tue Apr 2 13:42:09 2024] IN= OUT=enp3s0 SRC=192.168.1.27 DST=129.250.35.251 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=24619 PROTO=UDP SPT=35890 DPT=123 LEN=56
[Tue Apr 2 13:42:09 2024] IN= OUT=enp3s0 SRC=192.168.1.27 DST=139.143.5.31 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=25664 PROTO=UDP SPT=58972 DPT=123 LEN=56
[Tue Apr 2 13:42:09 2024] IN= OUT=enp3s0 SRC=192.168.1.27 DST=193.57.144.50 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=35588 PROTO=UDP SPT=39445 DPT=123 LEN=56
[Tue Apr 2 13:42:09 2024] IN= OUT=enp3s0 SRC=192.168.1.27 DST=213.5.132.231 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=22459 PROTO=UDP SPT=58323 DPT=123 LEN=56
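One way to answer the "how to find it" question for the log above, as an added example that is not from this thread: a Python script that parses netfilter LOG lines in the format shown, groups egress packets by destination and port, and reports the ones contacted at a steady interval (the sample lines, the names SAMPLE_LOG, parse_line and periodic_flows, and the 10 % tolerance are my own constructions).

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the netfilter LOG format from the thread: one destination
# is contacted every 600 s, the other only once. (Not the original log.)
SAMPLE_LOG = """\
[Tue Apr 2 13:42:09 2024] IN= OUT=enp3s0 SRC=192.168.1.27 DST=193.182.111.12 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=41013 PROTO=UDP SPT=58538 DPT=123 LEN=56
[Tue Apr 2 13:42:09 2024] IN= OUT=enp3s0 SRC=192.168.1.27 DST=108.61.73.243 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=48497 PROTO=UDP SPT=52458 DPT=123 LEN=56
[Tue Apr 2 13:52:09 2024] IN= OUT=enp3s0 SRC=192.168.1.27 DST=193.182.111.12 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=41100 PROTO=UDP SPT=41222 DPT=123 LEN=56
[Tue Apr 2 14:02:09 2024] IN= OUT=enp3s0 SRC=192.168.1.27 DST=193.182.111.12 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=41250 PROTO=UDP SPT=50101 DPT=123 LEN=56
"""

# Field layout of an iptables/nftables LOG entry as printed by dmesg -T.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+IN=(?P<in>\S*)\s+OUT=(?P<out>\S*)\s+SRC=(?P<src>\S+)"
    r"\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)(?:\s+SPT=(?P<spt>\d+))?"
    r"(?:\s+DPT=(?P<dpt>\d+))?"
)

def parse_line(line):
    """Return the packet fields as a dict, or None for a non-LOG line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # dmesg -T timestamps carry no zone; collapse the day-of-month padding.
    rec["ts"] = datetime.strptime(" ".join(rec["ts"].split()), "%a %b %d %H:%M:%S %Y")
    return rec

def periodic_flows(lines, min_hits=3, tolerance=0.1):
    """Map (dst, proto, dpt) of egress flows whose inter-packet gaps are constant
    within `tolerance` to their period in seconds; one burst (all gaps 0) is skipped."""
    stamps = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["out"]:  # OUT= set means the packet left this host
            stamps[(rec["dst"], rec["proto"], rec["dpt"])].append(rec["ts"])
    found = {}
    for key, times in stamps.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        if period > 0 and max(gaps) - min(gaps) <= tolerance * period:
            found[key] = round(period)
    return found
```

Feed it `dmesg -T` or the kernel log through `periodic_flows(open(path))`; a destination that shows up with a 600 s period is the one asked about, while the burst of eleven different hosts at the same second is a one-shot pool lookup and is not reported.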
Looks like a typical NTP client workflow. Try OpenSnitch to be sure.
kk@kkar4 ~ sudo systemctl status opensnitchd
opensnitchd.service - Application firewall OpenSnitch
Loaded: loaded (/usr/lib/systemd/system/opensnitchd.service; enabled; preset: disabled)
Active: activating (auto-restart) (Result: exit-code) since Sun 2024-04-07 09:41:25 CST; 18s ago
Docs: https://github.com/evilsocket/opensnitch/wiki
Process: 1728697 ExecStart=/usr/bin/opensnitchd -rules-path /etc/opensnitchd/rules (code=exited, status=1/FAILURE)
Main PID: 1728697 (code=exited, status=1/FAILURE)
CPU: 88ms
kk@kkar4 log tail -f opensnitchd.log
[2024-04-07 01:42:26] ERR Module not found (opensnitch.o) in any of the paths.
You may need to install the corresponding package
[2024-04-07 01:42:26] ERR [eBPF]: Module not found (opensnitch.o) in any of the paths.
You may need to install the corresponding package
[2024-04-07 01:42:26] WAR error starting ebpf monitor method: Module not found (opensnitch.o) in any of the paths.
You may need to install the corresponding package
[2024-04-07 01:42:26] WAR Unable to set new process monitor (ebpf) method from disk: Module not found (opensnitch.o) in any of the paths.
You may need to install the corresponding package
[2024-04-07 01:42:26] WAR Is opensnitchd already running?
[2024-04-07 01:42:26] !!! Error creating queue #0: Error -1 unbinding existing q handler from AF_INET protocol family: invalid argument
Did you install https://archlinux.org/packages/extra/x86_64/opensnitch/ or did you try to somehow manually install it?
That being said:
nmap -Pn 193.182.111.12
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-07 08:57 CEST
Nmap scan report for ntp1.flashdance.cx (193.182.111.12)
Host is up (0.048s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE
13/tcp open daytime
37/tcp open time
113/tcp closed ident
sudo pikaur -Syu opensnitch-ebpf-module opensnitch does not work, then I remove ebpf:
sudo pikaur -Rs opensnitch-ebpf-module does not work, then I reinstall opensnitch:
sudo pacman -S opensnitch
and get the error:
[2024-04-07 01:42:26] ERR Module not found (opensnitch.o) in any of the paths.
You may need to install the corresponding package
Last edited by sevk (2024-04-17 03:16:44)
https://aur.archlinux.org/packages/open … ent-923084
tail -n10000 /etc/opensnitchd/*.json
I found that the win7 system in the VirtualBox virtual machine sent these packets. I tried to connect to these servers with the ntpdate command and found that they are not NTP servers. Does the Windows NTP server not support the ntpdate command?
Are the two protocols different?
Or are these servers all hackers' zombie machines?
Last edited by sevk (2024-07-31 06:03:11)
Or are these servers all hackers' zombie machines?
Please don't paraphrase, https://bbs.archlinux.org/viewtopic.php?id=57855
What "server" (IP) and what port are the concerned packets directed to?
Did you nmap, whois and geoiplookup it?
193.182.111.12 has port 37 open,
ntpdate -qd 193.182.111.12 gets the time from there, and the server belongs to the Swedish Flashdance network, not Microsoft.