Firewall blocking outbound traffic, have I been compromised?
by PsychoHermit from LinuxQuestions.org on (#5QVJH)
Greetings folks,
I'm running Ubuntu 21.10 in a default desktop setup. No services running. I'm getting outbound traffic blocked by the firewall and I'm wondering if I've been compromised.
Thanks for looking,
--glenn
Code:
Oct 17 18:19:02 PsychoBox kernel: [ 449.171171] [UFW BLOCK] IN= OUT=wlo1 SRC=2600:6c4e:2e7f:f1e0:5e3f:a49b:d4d6:5af9 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=249 TC=0 HOPLIMIT=255 FLOWLBL=344215 PROTO=UDP SPT=5353 DPT=5353 LEN=209
Oct 17 18:19:02 PsychoBox kernel: [ 449.171266] [UFW BLOCK] IN= OUT=wlo1 SRC=192.168.1.111 DST=224.0.0.251 LEN=229 TOS=0x00 PREC=0x00 TTL=255 ID=61402 DF PROTO=UDP SPT=5353 DPT=5353 LEN=209
Oct 17 18:19:02 PsychoBox kernel: [ 449.181749] [UFW BLOCK] IN= OUT=wlo1 SRC=2600:6c4e:2e7f:f1e0:5e3f:a49b:d4d6:5af9 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=82 TC=0 HOPLIMIT=255 FLOWLBL=344215 PROTO=UDP SPT=5353 DPT=5353 LEN=42
Oct 17 18:19:02 PsychoBox kernel: [ 449.181836] [UFW BLOCK] IN= OUT=wlo1 SRC=192.168.1.111 DST=224.0.0.251 LEN=62 TOS=0x00 PREC=0x00 TTL=255 ID=61404 DF PROTO=UDP SPT=5353 DPT=5353 LEN=42
Oct 17 18:19:02 PsychoBox kernel: [ 449.421251] [UFW BLOCK] IN= OUT=wlo1 SRC=2600:6c4e:2e7f:f1e0:5e3f:a49b:d4d6:5af9 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=249 TC=0 HOPLIMIT=255 FLOWLBL=344215 PROTO=UDP SPT=5353 DPT=5353 LEN=209
Oct 17 18:19:02 PsychoBox kernel: [ 449.421339] [UFW BLOCK] IN= OUT=wlo1 SRC=192.168.1.111 DST=224.0.0.251 LEN=229 TOS=0x00 PREC=0x00 TTL=255 ID=61413 DF PROTO=UDP SPT=5353 DPT=5353 LEN=209
Oct 17 18:19:02 PsychoBox kernel: [ 449.671592] [UFW BLOCK] IN= OUT=wlo1 SRC=2600:6c4e:2e7f:f1e0:5e3f:a49b:d4d6:5af9 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=249 TC=0 HOPLIMIT=255 FLOWLBL=344215 PROTO=UDP SPT=5353 DPT=5353 LEN=209
Oct 17 18:19:02 PsychoBox kernel: [ 449.671658] [UFW BLOCK] IN= OUT=wlo1 SRC=192.168.1.111 DST=224.0.0.251 LEN=229 TOS=0x00 PREC=0x00 TTL=255 ID=61461 DF PROTO=UDP SPT=5353 DPT=5353 LEN=209
Oct 17 18:19:02 PsychoBox kernel: [ 449.873158] [UFW BLOCK] IN= OUT=wlo1 SRC=192.168.1.111 DST=224.0.0.251 LEN=346 TOS=0x00 PREC=0x00 TTL=255 ID=61477 DF PROTO=UDP SPT=5353 DPT=5353 LEN=326
Oct 17 18:19:02 PsychoBox kernel: [ 449.873277] [UFW BLOCK] IN= OUT=wlo1 SRC=2600:6c4e:2e7f:f1e0:5e3f:a49b:d4d6:5af9 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=350 TC=0 HOPLIMIT=255 FLOWLBL=344215 PROTO=UDP SPT=5353 DPT=5353 LEN=310
Oct 17 18:19:03 PsychoBox kernel: [ 450.182314] [UFW BLOCK] IN= OUT=wlo1 SRC=2600:6c4e:2e7f:f1e0:5e3f:a49b:d4d6:5af9 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=82 TC=0 HOPLIMIT=255 FLOWLBL=344215 PROTO=UDP SPT=5353 DPT=5353 LEN=42
Oct 17 18:19:03 PsychoBox kernel: [ 450.182412] [UFW BLOCK] IN= OUT=wlo1 SRC=192.168.1.111 DST=224.0.0.251 LEN=62 TOS=0x00 PREC=0x00 TTL=255 ID=61524 DF PROTO=UDP SPT=5353 DPT=5353 LEN=42
Oct 17 18:19:17 PsychoBox kernel: [ 464.187697] [UFW BLOCK] IN= OUT=wlo1 SRC=2600:6c4e:2e7f:f1e0:5e3f:a49b:d4d6:5af9 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=82 TC=0 HOPLIMIT=255 FLOWLBL=344215 PROTO=UDP SPT=5353 DPT=5353 LEN=42
Oct 17 18:19:17 PsychoBox kernel: [ 464.187768] [UFW BLOCK] IN= OUT=wlo1 SRC=192.168.1.111 DST=224.0.0.251 LEN=62 TOS=0x00 PREC=0x00 TTL=255 ID=63448 DF PROTO=UDP SPT=5353 DPT=5353 LEN=42
Oct 17 18:19:17 PsychoBox kernel: [ 464.191166] audit: type=1400 audit(1634519957.080:74): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=2660 comm="snap-confine" capability=39 capname="bpf"
Oct 17 18:19:17 PsychoBox kernel: [ 464.203315] audit: type=1400 audit(1634519957.088:75): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=2660 comm="snap-confine" capability=4 capname="fsetid"
Oct 17 18:19:22 PsychoBox kernel: [ 469.946668] audit: type=1326 audit(1634519962.837:76): auid=1000 uid=1000 gid=1000 ses=4 subj=snap.firefox.firefox pid=2660 comm="GeckoMain" exe="/snap/firefox/631/usr/lib/firefox/firefox" sig=0 arch=c000003e syscall=314 compat=0 ip=0x7f2444ce389d code=0x50000
Oct 17 18:19:36 PsychoBox kernel: [ 483.415069] [UFW BLOCK] IN= OUT=wlo1 SRC=2600:6c4e:2e7f:f1e0:5e3f:a49b:d4d6:5af9 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=166 TC=0 HOPLIMIT=255 FLOWLBL=344215 PROTO=UDP SPT=5353 DPT=5353 LEN=126
Oct 17 18:19:36 PsychoBox kernel: [ 483.415180] [UFW BLOCK] IN= OUT=wlo1 SRC=192.168.1.111 DST=224.0.0.251 LEN=146 TOS=0x00 PREC=0x00 TTL=255 ID=65391 DF PROTO=UDP SPT=5353 DPT=5353 LEN=126
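An added triage helper, not part of the post, that parses kernel log lines in the format shown above and sorts each outbound [UFW BLOCK] by the kind of destination it was heading for; 224.0.0.251 and ff02::fb on UDP 5353 are the mDNS multicast group used for LAN service discovery, so those entries can be separated from anything bound for an external unicast address. The sample log is constructed from two of the post's lines plus an invented audit line and an invented 203.0.113.5 entry (documentation range) so the external branch is exercised.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format of the post's kernel log; the 203.0.113.5 entry is
# invented (documentation range) so that the external branch is exercised.
SAMPLE_LOG = """\
Oct 17 18:19:02 PsychoBox kernel: [  449.171171] [UFW BLOCK] IN= OUT=wlo1 SRC=2600:6c4e:2e7f:f1e0:5e3f:a49b:d4d6:5af9 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=249 TC=0 HOPLIMIT=255 FLOWLBL=344215 PROTO=UDP SPT=5353 DPT=5353 LEN=209
Oct 17 18:19:02 PsychoBox kernel: [  449.171266] [UFW BLOCK] IN= OUT=wlo1 SRC=192.168.1.111 DST=224.0.0.251 LEN=229 TOS=0x00 PREC=0x00 TTL=255 ID=61402 DF PROTO=UDP SPT=5353 DPT=5353 LEN=209
Oct 17 18:19:17 PsychoBox kernel: [  464.191166] audit: type=1400 audit(1634519957.080:74): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=2660 comm="snap-confine" capability=39 capname="bpf"
Oct 17 18:19:40 PsychoBox kernel: [  487.000000] [UFW BLOCK] IN= OUT=wlo1 SRC=192.168.1.111 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
"""

UFW_RE = re.compile(r"\[UFW (?P<action>[A-Z]+)\]\s+(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")
# Own RFC 1918 / link-local / ULA list: Python's is_private also counts documentation blocks.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "fc00::/7", "fe80::/10")]

def parse_ufw_line(line):
    # Key=value fields of a [UFW ...] line; None for audit/AppArmor and other kernel lines.
    m = UFW_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("fields")))  # second LEN= (UDP payload) wins
    fields["ACTION"] = m.group("action")
    return fields

def classify(event):
    dst = ipaddress.ip_address(event["DST"])
    if dst.is_multicast:
        # 224.0.0.251 / ff02::fb on UDP 5353 is the mDNS group (avahi, systemd-resolved); link-local only
        mdns = event.get("PROTO") == "UDP" and event.get("DPT") == "5353"
        return "mdns-multicast" if mdns else "multicast"
    if any(dst in net for net in LOCAL_NETS):
        return "local-unicast"
    return "external-unicast"

def triage(log_text):
    # Count outbound blocks per class; return the external ones for manual review.
    counts, review = Counter(), []
    for line in log_text.splitlines():
        ev = parse_ufw_line(line)
        if ev is None or ev["ACTION"] != "BLOCK" or not ev.get("OUT"):
            continue  # inbound blocks have IN= set and OUT= empty
        kind = classify(ev)
        counts[kind] += 1
        if kind == "external-unicast":
            review.append((ev["DST"], ev.get("PROTO"), ev.get("DPT")))
    return counts, review
```

Run it over the real log with `triage(open("/var/log/kern.log").read())`; a log consisting only of mdns-multicast entries contains no outbound flow to an address off the local link.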