09-26-2021 03:07 AM
I have a PA3020 running PAN-OS version 7.0.5-h2. I noticed that it has a lot of DNS traffic sent to a strange IP address.
When I run the show system resources command, I find a strange nginx process and two syslog-ng processes there. Is that normal, and how do I get rid of them?
2797 nobody 20 0 53388 5712 3344 S 0.0 0.1 8:19.70 nginx
6804 nobody 20 0 107m 12m 6472 S 0.0 0.3 2:11.43 appweb3
6811 nobody 20 0 104m 10m 6704 S 0.0 0.3 2:06.39 appweb3
3282 20 0 16156 1308 472 S 0.0 0.0 0:00.00 syslog-ng
3283 20 0 16556 2988 1716 S 0.0 0.1 0:02.53 syslog-ng
3861 20 0 12468 4920 3016 S 0.0 0.1 64:36.48 packet_path_pin
09-26-2021 06:56 PM
Hi Banny,
If you want to know whether your end host is accessing malicious domains, please upgrade your firewall.
As per your firewall info, you are running an old version of PAN-OS. If you upgrade your firewall, the latest version supports identifying malicious-domain DNS traffic using an EDL or a DNS Security license.
And for now, please use all security profiles and logs to verify whether your firewall is hacked or not.
09-27-2021 02:04 AM
@banny6 As previously said, you are not using a supported PanOS version, which is likely prone to bugs and vulnerabilities. Apart from that, nginx and syslog-ng are standard processes required for the running of the firewall.
09-27-2021 10:10 AM
Ok.
I think those are normal, based on the info I verified on my firewall; I can see similar outputs, but I am not facing any issue with the firewall. Can you provide more info or the complete logs of
> show system resources and
> show running resource-monitoring
09-27-2021 01:52 PM - edited 09-27-2021 02:39 PM
Thanks. Here are the process info.
I found that my PA-3020 box sent DNS traffic to two rogue DNS servers which I didn't configure at all. The rogue DNS traffic is just less than 1M in size. In the traffic session, even if I clear it, this DNS session will reconnect again.
> show system resources | match syslog
1584 20 0 1888 640 528 S 0.0 0.0 1:24.62 syslogd
3282 20 0 16156 1308 472 S 0.0 0.0 0:00.00 syslog-ng
3283 20 0 16556 2988 1716 S 0.0 0.1 0:02.59 syslog-ng
> show system resources | match nginx
2410 20 0 38040 5984 4604 S 0.0 0.2 0:00.03 nginx
2797 nobody 20 0 53388 5760 3348 S 0.0 0.1 8:42.71 nginx
> show system resources | match app
1774 0 -20 48836 13m 4052 S 0.0 0.4 82:14.46 masterd_apps
6800 nobody 20 0 155m 50m 9080 S 0.0 1.3 78:49.51 appweb3
6804 nobody 20 0 107m 12m 6440 S 0.0 0.3 2:31.24 appweb3
6811 nobody 20 0 104m 10m 6656 S 0.0 0.3 2:25.38 appweb3
> show system resources | match packet
3861 20 0 12468 4920 3016 S 0.0 0.1 66:10.54 packet_path_pin
09-27-2021 02:36 PM - edited 09-27-2021 02:37 PM
There are two DNS UDP sessions in netstat that always exist there.
udp 0 0 192.168.1.250:49978 terror.inconifre:domain ESTABLISHED
udp 0 0 192.168.1.250:38490 hosted-by.leasew:domain ESTABLISHED
192.168.1.250 is my PA-3020 interface IP address. From the web GUI, if I reset this DNS session, it will spawn a new DNS session automatically, but I never configured those two DNS servers.
Not sure which process launches this rogue DNS session.
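To make the kind of triage done in this thread repeatable, here is an added example (not from the thread or from Palo Alto Networks) that parses the two outputs shown above: the top-style rows from show system resources, where the user column is blank for some rows, and netstat-style UDP rows, flagging port-53 peers that are not in the administrator's configured resolver list. The sample lines and hostnames are constructed placeholders in the same format the thread shows.

```python
"""Triage helpers for PAN-OS 'show system resources' and netstat-style rows."""
from dataclasses import dataclass

# Constructed sample in the format the thread shows. Note the user column is
# blank for some rows (syslog-ng, packet_path_pin), so positional splitting
# would shift every later field for those rows.
PS_SAMPLE = """\
2797 nobody 20 0 53388 5712 3344 S 0.0 0.1 8:19.70 nginx
3282 20 0 16156 1308 472 S 0.0 0.0 0:00.00 syslog-ng
3861 20 0 12468 4920 3016 S 0.0 0.1 64:36.48 packet_path_pin
"""

# Constructed netstat-style rows; remote hostnames are placeholders only.
NETSTAT_SAMPLE = """\
udp 0 0 192.168.1.250:49978 dns1.example.net:domain ESTABLISHED
udp 0 0 192.168.1.250:38490 unknown-resolver.example:domain ESTABLISHED
udp 0 0 192.168.1.250:51000 8.8.8.8:domain ESTABLISHED
"""


@dataclass
class Proc:
    pid: int
    user: str   # "" when the row has no user column
    cmd: str


def parse_ps(text: str) -> list[Proc]:
    """Parse top-style rows: 12 fields when a user is present, 11 when blank."""
    procs = []
    for line in text.splitlines():
        f = line.split()
        if not f or not f[0].isdigit():
            continue
        user = f[1] if len(f) == 12 else ""
        procs.append(Proc(int(f[0]), user, f[-1]))
    return procs


def unknown_processes(procs: list[Proc], baseline: set[str]) -> list[str]:
    """Names not in the caller's known-good baseline (e.g. a healthy peer box)."""
    return sorted({p.cmd for p in procs if p.cmd not in baseline})


def unexpected_dns_peers(text: str, configured: set[str]) -> list[str]:
    """Remote hosts of UDP sessions to port 'domain'/53 not in the configured
    resolver set; each one is a candidate for the 'rogue DNS' question above."""
    peers = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] != "udp":
            continue
        host, _, port = f[4].rpartition(":")   # handles host:port or ip:port
        if port in ("domain", "53") and host not in configured:
            peers.append(host)
    return peers
```

Feed it the real output of show system resources and the netstat view, with the resolvers from your own device configuration as the configured set.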