
How do I trace a device trying to connect somewhere across the world

TLDR: How can I trace which of my devices, or maybe the router itself, is making constant requests to connect to Kaspersky servers? Thanks

Hello.  My network setup is like this. 

VMWARE 10.0.0.2

Sophos Firewall 10.0.0.1 - PC connected under this subnet for management.

 - Streaming VLAN 172.16.10.1

 - IOT VLAN  172.16.20.1 - where pihole is

 - LOCAL WLAN 172.16.30.1 - where my surface pro is

 - Guest WLAN 172.16.40.1

 - Switches / AP VLAN 10.0.10.1

I uninstalled Kaspersky AV for obvious reasons. However, I still get queries from my pihole going to a Kaspersky server every single minute. I only had Kaspersky on my PC and Surface Pro, which I uninstalled a month ago. I powered off (power supply switch) my PC, shut down my Surface Pro and put it outside wifi range, but I still keep seeing blocked queries in my pihole log. The offending IP address is 77.74.181.41, which is located in Switzerland according to ip2location or Russia according to IpInfo. I put it in my pihole blocklist.

How do I trace which device is making the request? I tried searching for logs, I even did any-any-any with logging enabled in my firewall, opened the live log and couldn't find it. My DNS forward is set to pihole. When I look at the clients section in my pihole, I only get the gateway, which is 172.16.20.1.

  • You're in the UTM subforum, not XG (or SFOS).

    Kaspersky still working well here, no plans to remove it at this time.

    Re tracking, your best bet would be to run tcpdump on the pihole instance. Don't know the exact parameters offhand, but there's a sequence that will monitor for a particular host. Give this a read https://danielmiessler.com/study/tcpdump/ . If you get no hits then run it on the firewall.

  • I have UTM firewall. I’m trying to look through my firewall. Even did any-any-any with my firewall and click log traffic, still a no go. I’ll run a tcpdump. Thanks

  • My apologies, your breakout of the various VLANs looked like an XG setup. Unrelated, what APs are you using that support VLANs?

    Is there a DNS host type definition under network definitions? If so, my guess is even if the object is unused, UTM will still try to resolve it.

    Putting 77.74.181.41 into a browser brings up the forum.kaspersky.com site

  • My goodness! You solved it. I have it in my network definitions. I deleted it and the queries stopped. Thank you very much. I was getting paranoid. Anyway, I use a UniFi AP. It supports VLANs but only a max of 4. The more VLANs you use, the "slower" the throughput is.

  • Glad I could point you to the fix. Probably a good idea to trim the list periodically of stale entries.

    My current wifi AP consists of a Netgear Orbi. It's a rather (using the term mildly) dumbed-down consumer device, but the wifi reaches far and works well - 160 MHz AX capable. At the moment it's only serving a few phones/tablets and IoT devices. All on the same subnet. PCs are all wired.

    My eventual goal is to put a switch capable of MAC-based VLANs between it and the rest of the network. This should allow me to segregate traffic once it leaves the AP. On the AP, the various devices will be in different subnets (i.e. 192.168.1.0/24, 192.168.2.0/24... etc). They'll still be in the same broadcast domain, but will have some level of isolation.

  • Btw, such entries are logged in the system log. Made a test DNS host entry called test.com. The following showed up in the system log.

    2022:04:23-16:55:14 utm dns-resolver[4700]: REF_NetDnsTest created
    2022:04:23-16:55:14 utm dns-resolver[4700]: Adding REF_NetDnsTest
    2022:04:23-16:55:14 utm dns-resolver[4700]: Updating REF_NetDnsTest :: test.com
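    Added example (not from the thread, and not a Sophos tool): a small Python parser for UTM system-log lines in the dns-resolver format quoted above. It maps each REF_* DNS host definition to the hostname it resolves, so a periodic lookup seen at the pihole can be tied back to a network definition on the firewall; the sample lines are constructed in the thread's format, and a definition whose hostname never appears (only "Adding ...") is reported with no hostname rather than dropped.

```python
import re

# Constructed sample in the UTM system-log format quoted in the thread;
# the ntpd line shows that lines from other daemons are skipped.
SAMPLE_LOG = """\
2022:04:23-16:55:14 utm dns-resolver[4700]: REF_NetDnsTest created
2022:04:23-16:55:14 utm dns-resolver[4700]: Adding REF_NetDnsTest
2022:04:23-16:55:14 utm dns-resolver[4700]: Updating REF_NetDnsTest :: test.com
2022:04:23-02:29:45  dns-resolver[5434]: Adding REF_NetDnsKaspersky
2022:04:23-02:29:45  ntpd[4614]: ntpd exiting on signal 15 (Terminated)
"""
# timestamp, optional host field (blank in some lines), dns-resolver[pid], message
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?:(?!dns-resolver)\S+\s+)?"
                     r"dns-resolver\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
# the three message shapes seen in the thread, in the order they appear
MSG_RES = [("created", re.compile(r"^(?P<ref>REF_\w+) created$")),
           ("adding", re.compile(r"^Adding (?P<ref>REF_\w+)$")),
           ("updating", re.compile(r"^Updating (?P<ref>REF_\w+) :: (?P<name>\S+)$"))]

def parse_dns_resolver_events(log_text):
    """One dict per dns-resolver line: ts, pid, action, ref, hostname (None if absent)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other daemons or unparsable lines
        for action, rx in MSG_RES:
            mm = rx.match(m.group("msg"))
            if mm:
                events.append({"ts": m.group("ts"), "pid": int(m.group("pid")),
                               "action": action, "ref": mm.group("ref"),
                               "hostname": mm.groupdict().get("name")})
                break
    return events

def definitions_resolving(log_text):
    """Map each DNS host definition (REF_*) to its hostname, or None if the log never shows it."""
    defs = {}
    for ev in parse_dns_resolver_events(log_text):
        defs.setdefault(ev["ref"], None)
        if ev["hostname"]:
            defs[ev["ref"]] = ev["hostname"]
    return defs

def find_definitions_for(log_text, needle):
    """Definitions whose REF name or resolved hostname contains needle (case-insensitive)."""
    needle = needle.lower()
    return [ref for ref, name in definitions_resolving(log_text).items()
            if needle in ref.lower() or (name and needle in name.lower())]
```

    Feed it the output of the UTM system log (or a saved copy) and search for the vendor name or the hostname the pihole reports; a hit with no hostname means the definition was added but its resolution line lies outside the captured window.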
  • That's why I couldn't find it in my firewall/web filter log. It's in the system log. I saw it.

    2022:04:23-02:29:45  dns-resolver[5434]: Adding REF_NetDnsKaspersky
    2022:04:23-02:29:45  ntpd[4614]: ntpd exiting on signal 15 (Terminated)
    2022:04:23-02:29:45  ntpd[4614]: 127.127.1.0 local addr 127.0.0.1 -> <null>
    2022:04:23-02:29:45  ntpd[4614]: 144.172.118.20 local addr 73.71.15.192 -> <null>
    2022:04:23-02:29:45  ntpd[4614]: 65.100.46.164 local addr 73.71.15.192 -> <null>
    2022:04:23-02:29:45  ntpd[4614]: 135.125.255.100 local addr 73.71.15.192 -> <null>
    2022:04:23-02:29:45  ntpd[4614]: 132.163.97.1 local addr 73.71.15.192 -> <null>

  • My UniFi is Wi-Fi 6E capable also. Ceiling mount, set and forget. It's on my 2nd floor ceiling. It reaches even a few feet outside my house. I only bought it for $169.

  • Nice! This was free, so can't complain.

  • Yours is even better. Free is free, man.