Blocked UDP_OUT to different output ports using named

dedidata
Junior Member
Posts: 2
Joined: 31 Jul 2019, 05:48


Post by dedidata »

Hi,
Recently I have been getting emails like the one below. There are blocked UDP_OUT connections on different ports to some IP addresses, which are blocked.
How can I trace where the problem is and which accounts make such connections?
It seems there are some scripts which try to connect to the outside, but I couldn't find which accounts do this.
I'd appreciate any help.

Title: lfd on XXXXXX.com: UID 25 (named) Tracking Hit

Time:
UID: 25 (named)
Hits: 11

Sample of port hits:
Jul 31 09:14:39 [MY_HOST_NAME] kernel: Firewall: *UDP_OUT Blocked* IN= OUT=ens33 SRC=[MY_SERVER_IP_ADDRESS] DST=62.210.185.4 LEN=136 TOS=0x00 PREC=0x00 TTL=64 ID=28515 PROTO=UDP SPT=53 DPT=35242 LEN=116 UID=25 GID=25
Jul 31 09:14:39 [MY_HOST_NAME] kernel: Firewall: *UDP_OUT Blocked* IN= OUT=ens33 SRC=[MY_SERVER_IP_ADDRESS] DST=62.210.185.4 LEN=127 TOS=0x00 PREC=0x00 TTL=64 ID=28516 PROTO=UDP SPT=53 DPT=49241 LEN=107 UID=25 GID=25
Jul 31 09:14:39 [MY_HOST_NAME] kernel: Firewall: *UDP_OUT Blocked* IN= OUT=ens33 SRC=[MY_SERVER_IP_ADDRESS] DST=62.210.185.4 LEN=86 TOS=0x00 PREC=0x00 TTL=64 ID=28518 PROTO=UDP SPT=53 DPT=32958 LEN=66 UID=25 GID=25
Jul 31 09:14:40 [MY_HOST_NAME] kernel: Firewall: *UDP_OUT Blocked* IN= OUT=ens33 SRC=[MY_SERVER_IP_ADDRESS] DST=62.210.185.4 LEN=116 TOS=0x00 PREC=0x00 TTL=64 ID=29144 PROTO=UDP SPT=53 DPT=44928 LEN=96 UID=25 GID=25
Jul 31 09:14:40 [MY_HOST_NAME] kernel: Firewall: *UDP_OUT Blocked* IN= OUT=ens33 SRC=[MY_SERVER_IP_ADDRESS] DST=62.210.185.4 LEN=155 TOS=0x00 PREC=0x00 TTL=64 ID=29148 PROTO=UDP SPT=53 DPT=35336 LEN=135 UID=25 GID=25
Jul 31 09:14:40 [MY_HOST_NAME] kernel: Firewall: *UDP_OUT Blocked* IN= OUT=ens33 SRC=[MY_SERVER_IP_ADDRESS] DST=62.210.185.4 LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=29151 PROTO=UDP SPT=53 DPT=56728 LEN=92 UID=25 GID=25
Jul 31 09:14:40 [MY_HOST_NAME] kernel: Firewall: *UDP_OUT Blocked* IN= OUT=ens33 SRC=[MY_SERVER_IP_ADDRESS] DST=62.210.185.4 LEN=125 TOS=0x00 PREC=0x00 TTL=64 ID=29152 PROTO=UDP SPT=53 DPT=46322 LEN=105 UID=25 GID=25
Jul 31 09:14:40 [MY_HOST_NAME] kernel: Firewall: *UDP_OUT Blocked* IN= OUT=ens33 SRC=[MY_SERVER_IP_ADDRESS] DST=62.210.185.4 LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=29153 PROTO=UDP SPT=53 DPT=51263 LEN=92 UID=25 GID=25
Jul 31 09:14:43 [MY_HOST_NAME] kernel: Firewall: *UDP_OUT Blocked* IN= OUT=ens33 SRC=[MY_SERVER_IP_ADDRESS] DST=62.210.185.4 LEN=116 TOS=0x00 PREC=0x00 TTL=64 ID=29932 PROTO=UDP SPT=53 DPT=36550 LEN=96 UID=25 GID=25
Jul 31 09:14:46 [MY_HOST_NAME] kernel: Firewall: *UDP_OUT Blocked* IN= OUT=ens33 SRC=[MY_SERVER_IP_ADDRESS] DST=192.151.152.98 LEN=127 TOS=0x00 PREC=0x00 TTL=64 ID=24172 PROTO=UDP SPT=53 DPT=39776 LEN=107 UID=25 GID=25
Jul 31 09:14:47 [MY_HOST_NAME] kernel: Firewall: *UDP_OUT Blocked* IN= OUT=ens33 SRC=[MY_SERVER_IP_ADDRESS] DST=62.210.185.4 LEN=116 TOS=0x00 PREC=0x00 TTL=64 ID=30665 PROTO=UDP SPT=53 DPT=41455 LEN=96 UID=25 GID=25
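As an added example (not part of the original post or of lfd/CSF), here is a small Python parser that turns kernel lines in the format quoted above into a per-UID, per-destination summary, so the alert can be read at a glance. The sample lines are constructed in the same format; the host name and SRC address are placeholders, and the 203.0.113.9 line is a made-up contrasting entry from an unprivileged UID.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format quoted in the post (host and SRC are placeholders).
SAMPLE_LOG = """\
Jul 31 09:14:39 host kernel: Firewall: *UDP_OUT Blocked* IN= OUT=ens33 SRC=10.0.0.5 DST=62.210.185.4 LEN=136 TOS=0x00 PREC=0x00 TTL=64 ID=28515 PROTO=UDP SPT=53 DPT=35242 LEN=116 UID=25 GID=25
Jul 31 09:14:39 host kernel: Firewall: *UDP_OUT Blocked* IN= OUT=ens33 SRC=10.0.0.5 DST=62.210.185.4 LEN=127 TOS=0x00 PREC=0x00 TTL=64 ID=28516 PROTO=UDP SPT=53 DPT=49241 LEN=107 UID=25 GID=25
Jul 31 09:14:46 host kernel: Firewall: *UDP_OUT Blocked* IN= OUT=ens33 SRC=10.0.0.5 DST=192.151.152.98 LEN=127 TOS=0x00 PREC=0x00 TTL=64 ID=24172 PROTO=UDP SPT=53 DPT=39776 LEN=107 UID=25 GID=25
Jul 31 09:15:02 host kernel: Firewall: *UDP_OUT Blocked* IN= OUT=ens33 SRC=10.0.0.5 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31000 PROTO=UDP SPT=41234 DPT=53 LEN=40 UID=1001 GID=1001
"""

# Fields of interest from a CSF/lfd "UDP_OUT Blocked" kernel log line.
LINE_RE = re.compile(
    r"\*UDP_OUT Blocked\*.*?\bDST=(?P<dst>\S+).*?\bSPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+).*?\bUID=(?P<uid>\d+)"
)


def parse_hits(text):
    """Yield (uid, dst, spt, dpt) for every blocked UDP_OUT line in the text."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield int(m["uid"]), m["dst"], int(m["spt"]), int(m["dpt"])


def summarize(text):
    """Group hits by (uid, dst): hit count, source ports, destination ports,
    and whether the traffic looks like replies from a listening service."""
    summary = defaultdict(lambda: {"hits": 0, "spt": set(), "dpt": set()})
    for uid, dst, spt, dpt in parse_hits(text):
        entry = summary[(uid, dst)]
        entry["hits"] += 1
        entry["spt"].add(spt)
        entry["dpt"].add(dpt)
    for entry in summary.values():
        # A fixed privileged source port with varying high destination ports is the
        # pattern of a listening service (port 53 here) answering remote clients,
        # rather than of a process opening new outbound connections.
        entry["service_reply_pattern"] = (
            all(p < 1024 for p in entry["spt"]) and all(p >= 1024 for p in entry["dpt"])
        )
    return dict(summary)


if __name__ == "__main__":
    for (uid, dst), e in sorted(summarize(SAMPLE_LOG).items()):
        print(f"UID {uid:>5} -> {dst:<16} hits={e['hits']:<3} "
              f"spt={sorted(e['spt'])} dpt={sorted(e['dpt'])} reply_pattern={e['service_reply_pattern']}")
```

Feed it the lines from the alert (or `grep 'UDP_OUT Blocked' /var/log/messages`) to see per-UID which destinations and port patterns are being hit, which narrows down whether a service or an account's process is responsible.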