[BlueOnyx:21958] Re: BO5209 - increased outbound UDP traffic
Ken Hohhof
khohhof at kwom.com
Sat Apr 21 10:00:45 -05 2018
What is the from port? If you're not being used for a DNS or NTP amplification attack, sounds like a site or the server is compromised. Any Drupal sites?
---- Original Message ----
From: "John"
Sent: 4/21/2018 9:50:14 AM
To: blueonyx at blueonyx.it
Subject: [BlueOnyx:21957] BO5209 - increased outbound UDP traffic
Hello all,
On Tuesday night I began to see an increase in UDP traffic on 3 5209 boxes. I shut down 2 of the 3 as they were development boxes, but one has a live site. All 3 were producing about 600k outbound traffic continuously. Normal outbound traffic averages about 30k.
I checked my log files and didn't find anything too far out of norms. I did a TCPDump and saw hundreds of records of UDP to different ports.
I have been searching for the last few days for a solution, but wanted to check here before I did something foolish as I have done so many times in the past.
So any recommendations would be greatly appreciated.
Thanks,
John
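
The source-port question raised in the reply, as an added example that is not part of the original thread: it tallies outbound UDP bytes per source port from a capture and separates the DNS/NTP service case from traffic sent by some other local process. It assumes the line shape printed by `tcpdump -nn -q udp`; the sample capture, the address 192.0.2.10 and the 80% threshold are constructed for illustration.

```python
import re
from collections import Counter

# Assumed line shape: `tcpdump -nn -q udp` (quiet mode prints "UDP, length N").
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length (\d+)")
REFLECTOR_PORTS = {53: "DNS", 123: "NTP"}

# Constructed sample, not data from the thread. 192.0.2.10 stands in for the server.
SAMPLE = """\
09:41:00.000101 IP 192.0.2.10.48211 > 198.51.100.23.7001: UDP, length 1024
09:41:00.000214 IP 192.0.2.10.48211 > 198.51.100.23.19433: UDP, length 1024
09:41:00.000330 IP 192.0.2.10.48211 > 198.51.100.23.52810: UDP, length 1024
09:41:00.000451 IP 192.0.2.10.53 > 203.0.113.5.33012: UDP, length 96
09:41:00.000502 IP 203.0.113.5.33012 > 192.0.2.10.53: UDP, length 40
"""

def outbound_by_source_port(capture, local_ip):
    """Return ({src_port: bytes}, {src_port: {(dst, dport)}}) for packets sent by local_ip."""
    sent, targets = Counter(), {}
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m or m.group(1) != local_ip:
            continue  # unparsable line or inbound packet
        sport, dst, dport, length = int(m.group(2)), m.group(3), int(m.group(4)), int(m.group(5))
        sent[sport] += length
        targets.setdefault(sport, set()).add((dst, dport))
    return sent, targets

def triage(capture, local_ip, share=0.8):
    """Classify outbound UDP by the source port that carries most of the bytes."""
    sent, targets = outbound_by_source_port(capture, local_ip)
    total = sum(sent.values())
    if total == 0:
        return "no outbound UDP seen"
    port, nbytes = sent.most_common(1)[0]
    if nbytes / total < share:
        return "mixed source ports: no single sender dominates"
    if port in REFLECTOR_PORTS:
        return f"source port {port}: {REFLECTOR_PORTS[port]} service is answering, check for amplification abuse"
    return (f"source port {port} (not DNS/NTP) to {len(targets[port])} destination endpoints: "
            "traffic comes from a local process, find its owner")

if __name__ == "__main__":
    print(triage(SAMPLE, "192.0.2.10"))
```
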