Antsle Forum


Antsle device reaching out to Blocked IPs

All -

I'm trying to understand why my Antsle would be reaching out to these IP addresses every minute:

Source: <Antsle IP>:1024

Destination (blocked):

- 61.98.143.199:41906
- 178.150.178.111:41025
- 220.127.12.188:34683
- 83.226.29.193:40793
- 193.57.40.5:37404
- 5.58.173.89:43533
- 203.218.17.99:46133
- 78.84.251.191:42046
- 193.57.40.82:443

Little help?

Thanks

ThatOneGuy

Hi ThatOneGuy:

Thanks for sharing this potential bug.

I'll report this bug for our developers.


I haven't checked all those IPs, but 2 of them:

203.218.17.99 goes to netvigator.com (Looks like a Hong Kong ISP?)

and

178.150.178.111 goes to triolan.net (a Ukrainian site?)


Maybe you should check the processes running on your antsle...

One of my VMs is running IPFS, so perhaps the connections from that VM get confused as coming from the antsle? I'll term that process on the server and see what happens. Further, what steps would I take to check the processes on the antsle? What would/should I look for?

Thanks
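One way to answer the "how do I check the processes on the antsle, and what do I look for" question above, as an added example that is not from this thread and not Antsle's own tooling: map the host's live outbound sockets to the process that owns them and flag any whose destination is on the blocked list. It assumes a Linux host with iproute2's `ss` installed; the `ss -Htnp` output embedded below is constructed for illustration, and the blocklist is the set of destination IPs posted at the top of the thread.

```python
"""Attribute outbound connections on a Linux host to their owning process
and flag those whose destination is on a blocklist.

Added example for this thread, not Antsle's own code. Assumes a Linux host
with iproute2 `ss`; SAMPLE_SS below is constructed output, not captured
from a real antsle.
"""
import re
import subprocess
from collections import defaultdict

# Destination IPs posted in the thread (ports stripped: the remote port varied per connection).
BLOCKED_IPS = {
    "61.98.143.199", "178.150.178.111", "220.127.12.188", "83.226.29.193",
    "193.57.40.5", "5.58.173.89", "203.218.17.99", "78.84.251.191", "193.57.40.82",
}

# Matches the process column that `ss -p` prints, e.g. users:(("ipfs",pid=2231,fd=19))
_PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')


def parse_ss(output):
    """Parse `ss -Htnp` lines into (remote_ip, remote_port, process_name, pid) tuples.

    Columns are: State Recv-Q Send-Q Local:Port Peer:Port [Process].
    A header line (if `-H` was omitted) is skipped; a socket with no process
    column (e.g. TIME-WAIT) yields process_name=None, pid=None.
    """
    conns = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue
        peer = fields[4]
        ip, _, port = peer.rpartition(":")  # rpartition also copes with [v6]:port
        m = _PROC_RE.search(line)
        name, pid = (m.group("name"), int(m.group("pid"))) if m else (None, None)
        conns.append((ip, int(port), name, pid))
    return conns


def flag_blocked(conns, blocklist=BLOCKED_IPS):
    """Group flagged destinations by owning (process_name, pid).

    The key (None, None) means the host has no local socket owner for that
    connection; traffic that only shows up on the firewall but never here is
    a sign it originated somewhere else, such as a NATed guest.
    """
    hits = defaultdict(list)
    for ip, port, name, pid in conns:
        if ip in blocklist:
            hits[(name, pid)].append(f"{ip}:{port}")
    return dict(hits)


def live_connections():
    """Read the real socket table (run as root so PIDs of all users are visible)."""
    out = subprocess.run(["ss", "-Htnp"], capture_output=True, text=True, check=True).stdout
    return parse_ss(out)


# Constructed sample: an IPFS daemon holding two flagged sockets, a normal NTP
# client, and a lingering TIME-WAIT entry with no owning process.
SAMPLE_SS = """\
ESTAB 0 0 10.1.1.1:1024 61.98.143.199:41906 users:(("ipfs",pid=2231,fd=19))
ESTAB 0 0 10.1.1.1:1024 193.57.40.82:443 users:(("ipfs",pid=2231,fd=22))
ESTAB 0 0 192.168.1.20:51244 203.0.113.7:123 users:(("chronyd",pid=812,fd=5))
TIME-WAIT 0 0 10.1.1.1:1024 5.58.173.89:43533
"""

if __name__ == "__main__":
    # Swap SAMPLE_SS for live_connections() to inspect a real host.
    for (name, pid), dests in flag_blocked(parse_ss(SAMPLE_SS)).items():
        print(f"{name or '<no local owner>'} (pid {pid}): {', '.join(dests)}")
```

Run it as root on the host so `ss -p` can attribute every socket. If the firewall keeps logging the host's address as the source but the script finds no local owner, the connections are not being opened by a process on the host itself; when guest networks are NATed through the host, a guest's outbound traffic leaves with the host's address and never appears in the host's socket table. In that case the kernel's connection-tracking table (`conntrack -L` from conntrack-tools) still records the pre-NAT source address, which is the guest to look at.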


Hi ThatOneGuy:

When we checked the IPs listed above, they appear to be in various countries and they were flagged as malicious or suspicious using IPVoid.

https://www.ipvoid.com/ip-blacklist-check/

When we checked our own antsles, we didn't see this communication. The traffic we did see was going to anthill.antsle.com and some NTP servers used for updating the time.

So it appears that perhaps the VM or edgeLinux has been hacked. Is the traffic going toward the internal network (such as 10.1.1.x) or the private network (such as 192.168.1.x)?

I saw the same. Traffic is from the inside to the outside. Also, since I termed IPFS the logs have been quiet. I'm thinking more along the lines of the IPFS process reaching out to those less than desirable IPs and the antsle getting mixed in the log files at the edge. However, I'm still confused about how a VM with an IP would get mismatched with the antsle IP.

Really appreciate the insight.

ThatOneGuy