Skynet OUTBOUND SOURCE?

  • ATTENTION! You'll notice a Prefix dropdown when you create a thread. If your post applies to one of the topics listed, please use that Prefix for your post. When browsing the thread list you can use the Prefix to filter the view.
  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.

JT Strickland

Very Senior Member
I am getting a lot of outbound blocks lately. This is the first time that I've had that many, and I can't tell which client it's coming from. The log shows my real WAN IP instead of the local network IP like it has in the past, no MAC or anything else that I can see.

Can anyone tell me how to find out? This bothers me some since I don't know who is phoning the bad guys.
 

dave14305

Part of the Furniture
That usually means it’s coming from the router itself, not a LAN client. What destination ports?
 
Last edited:

JT Strickland

Very Senior Member
That usually means it’s coming from the router itself, not a LAN client. What destination ports?
I think it is 8080 (DPT=8080). Wow, do you think I've picked up a bug? That seems unusual.
Thanks for the help.
 

JT Strickland

Very Senior Member
Might be from the speedtests to a particular server IP.
Hmmm.... Alienvault says it is US based, courtland dot sardistel dot com, owned by ASW30277 DFW-DATACENTER
I don't have any servers selected for SpdMerlin, just random. I wonder if it might be coming from chronyd possibly? I don't have a clue where it is coming from.
The Bogey don't have a real scarey face, though. Or at least one of them. Some of the other outbounds that are blocked are coming from my wife's iphone.
 

dave14305

Part of the Furniture
Hmmm.... Alienvault says it is US based, courtland dot sardistel dot com, owned by ASW30277 DFW-DATACENTER
I don't have any servers selected for SpdMerlin, just random. I wonder if it might be coming from chronyd possibly? I don't have a clue where it is coming from.
The Bogey don't have a real scarey face, though. Or at least one of them. Some of the other outbounds that are blocked are coming from my wife's iphone.
Chrony wouldn’t be using port 8080. I’m still inclined to think it’s the speedtest. Are you in ‘Bama?

 

bluepoint

Very Senior Member
Hmmm.... Alienvault says it is US based, courtland dot sardistel dot com, owned by ASW30277 DFW-DATACENTER
I don't have any servers selected for SpdMerlin, just random. I wonder if it might be coming from chronyd possibly? I don't have a clue where it is coming from.
The Bogey don't have a real scarey face, though. Or at least one of them. Some of the other outbounds that are blocked are coming from my wife's iphone.
Port 8080 sometimes is used for a web server when the owner doesn't want it to be obvious. Any script set to access a web server?
 

JT Strickland

Very Senior Member
Chrony wouldn’t be using port 8080. I’m still inclined to think it’s the speedtest. Are you in ‘Bama?

No, but next door in MS, so that could be it. I wonder why skynet is blocking it? Alienvault don't like it, and there were about 700 hits I think. I wouldn't imagine that SpdMerlin would try that many times. I have had several instances where SpdMerlin didn't run, or didn't show any results before, and it puzzled me, but no one could answer why. But I wasn't getting any outbound blocks then.
 

JT Strickland

Very Senior Member
Port 8080 sometimes is used for a web server when the owner doesn't want it to be obvious. Any script set to access a web server?
I don't know that any of the ones that I use access a web server, but I could be mistaken. I use Syncthing which maybe could, and I use Surfshark VPN apps at the client level, but don't have anything going strictly through the router currently. It just started in the last few days. I rarely had any outbound blocks except for wife's fireTV and Iphone. I don't have any scripts running other than those in my signature.
 

JT Strickland

Very Senior Member
Chrony wouldn’t be using port 8080. I’m still inclined to think it’s the speedtest. Are you in ‘Bama?

I think you've got it. Skynet blocked it three times at 16:42 at the time of my regularly scheduled speedtest, but recorded it properly according to the log.
I don't think I've dug deep enough to find the real bogey yet. I quit on the first one apparently, and he seems like a good guy.

The other top contender is Roanoke wikipedia facebook colony according to alien vault, and it don't look real scarey either.
Skynet stats shows 261 blocked outbounds now, and showed over 2k yesterday, so maybe the whitelist has been edited or something.
Whjile I'm accustomed to seeing 0 outbound, they don't look too rough so far.
Thanks again, folks.
 

JT Strickland

Very Senior Member
I am still puzzled by this, @dave14305 . Apparently Skynet is still blocking this site and has been for about 1700 recent attempts, one of which I was trying to set up an account at a online + B&M retailer but kept getting an error message and was unable to. I cleared my browser cache and cookies and it didn't help. Then I figured out it was being blocked. The blocked times correspond to the skynet logs for the same IP. Maybe it is my isp routing through there or something, I don't know enough about it but to guess, and that might be dangerous.

Alienvault and whois say there's been no abuse registered with this IP, and I'm going to do something I haven't done yet and whitelist this sucker, if I can figure out how, unless someone can tell me why I shouldn't. I don't have a good grasp on Alienvault yet, either, but it don't have anything unkind to say about it best as I can tell.
thanks again for the help.
jts

EDIT: My bad, it was ublock origin that was blocking me, not skynet. Now I feel like about two inches tall. I still don't understand what the deal is with this IP, but I ain't whitelisting it.
Sorry for the bother.
 
Last edited:

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top