Seeing some strange inbound traffic when using OpenVPN

joel2020
OpenVpn Newbie
Posts: 1
Joined: Sat Mar 09, 2024 12:53 am

Seeing some strange inbound traffic when using OpenVPN

Post by joel2020 » Sat Mar 09, 2024 1:04 am

Hello. First post. Hope I'm in the right place.

I was recently looking at my ISP account and noticed they were alleging I was uploading 20GB on some days. I never upload much. So I installed Net limiter to monitor my traffic. Whilst watching I noticed something else strange, which has become more worrying than the 20GB upload.

I see an inbound connection from naj.sk to port 25360, which I see in OpenVPN's config is used for a management port interface offset?
If I block naj.sk then I get what appears to be the same traffic from another domain. If I block that too, the same thing. Rinse and repeat.

naj.sk appears to be a Swiss women's fashion site. Definitely not a site I'd be using :)

This inbound traffic is a constant 6bps.

Using netstat -ab or -ano, I see port 25360 used by Thunderbird, or by Firefox, or by Potplayer, and also by openvpn.exe. There may be other programs, but that's all I've checked so far.

If I disconnect from the VPN this traffic stops. It's only when connected to the VPN that I see this traffic.

Should I be approaching my VPN provider, or might this be somehow related to OpenVPN, given that 25360 is OpenVPN's management interface port offset?

naj.sk is in my hosts file, which I guess is why I'm seeing 127.0.0.1 as the local address?

I've tried 2.6.6 and 2.6.9.


 Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            pipe:0                 LISTENING
  RpcEptMapper
 [svchost.exe]
  TCP    0.0.0.0:445            pipe:0                 LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:1024           pipe:0                 LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:5357           pipe:0                 LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:49664          pipe:0                 LISTENING
 [lsass.exe]
  TCP    0.0.0.0:49665          pipe:0                 LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:49666          pipe:0                 LISTENING
  EventLog
 [svchost.exe]
  TCP    0.0.0.0:49667          pipe:0                 LISTENING
  Schedule
 [svchost.exe]
  TCP    0.0.0.0:49668          pipe:0                 LISTENING
 [spoolsv.exe]
  TCP    10.8.2.6:139           pipe:0                 LISTENING
 Can not obtain ownership information
  TCP    10.8.2.6:1201          unn-84-17-38-228:https  TIME_WAIT
  TCP    10.8.2.6:1208          unn-84-17-38-228:https  TIME_WAIT
  TCP    10.8.2.6:1259          93:https               ESTABLISHED
 [firefox.exe]
  TCP    127.0.0.1:1025         www:1026               ESTABLISHED
 [thunderbird.exe]
  TCP    127.0.0.1:1026         www:1025               ESTABLISHED
 [thunderbird.exe]
  TCP    127.0.0.1:1058         www:25360              ESTABLISHED
 [openvpn-gui.exe]
  TCP    127.0.0.1:1070         www:1071               ESTABLISHED
 [firefox.exe]
  TCP    127.0.0.1:1071         www:1070               ESTABLISHED
 [firefox.exe]
  TCP    127.0.0.1:1072         www:1073               ESTABLISHED
 [firefox.exe]
  TCP    127.0.0.1:1073         www:1072               ESTABLISHED
 [firefox.exe]
  TCP    127.0.0.1:1074         www:1075               ESTABLISHED
 [firefox.exe]
  TCP    127.0.0.1:1075         www:1074               ESTABLISHED
 [firefox.exe]
  TCP    127.0.0.1:1076         www:1077               ESTABLISHED
 [firefox.exe]
  TCP    127.0.0.1:1077         www:1076               ESTABLISHED
 [firefox.exe]
  TCP    127.0.0.1:1084         www:1085               ESTABLISHED
 [firefox.exe]
  TCP    127.0.0.1:1085         www:1084               ESTABLISHED
 [firefox.exe]
  TCP    127.0.0.1:1267         www:https              SYN_SENT
 [PotPlayerMini64.exe]
  TCP    127.0.0.1:25360        pipe:0                 LISTENING
 [openvpn.exe]
  TCP    127.0.0.1:25360        www:1058               ESTABLISHED
 [openvpn.exe]
  TCP    127.0.0.1:52307        www:1258               TIME_WAIT
  TCP    192.168.1.2:139        pipe:0                 LISTENING
 Can not obtain ownership information
  TCP    192.168.1.2:1057       SERVER:microsoft-ds    ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.2:1199       SERVER:http            TIME_WAIT
  TCP    192.168.1.2:1202       SERVER:http            TIME_WAIT
  TCP    192.168.1.2:1203       SERVER:http            TIME_WAIT
  TCP    192.168.1.2:1204       SERVER:microsoft-ds    ESTABLISHED
 Can not obtain ownership information
  TCP    [::]:135               Tanya-PC:0             LISTENING
  RpcEptMapper
 [svchost.exe]
  TCP    [::]:445               Tanya-PC:0             LISTENING
 Can not obtain ownership information
  TCP    [::]:1024              Tanya-PC:0             LISTENING
 Can not obtain ownership information
  TCP    [::]:5357              Tanya-PC:0             LISTENING
 Can not obtain ownership information
  TCP    [::]:49664             Tanya-PC:0             LISTENING
 [lsass.exe]
  TCP    [::]:49665             Tanya-PC:0             LISTENING
 Can not obtain ownership information
  TCP    [::]:49666             Tanya-PC:0             LISTENING
  EventLog
 [svchost.exe]
  TCP    [::]:49667             Tanya-PC:0             LISTENING
  Schedule
 [svchost.exe]
  TCP    [::]:49668             Tanya-PC:0             LISTENING
 [spoolsv.exe]
  UDP    0.0.0.0:3702           *:*
  FDResPub
 [svchost.exe]
  UDP    0.0.0.0:3702           *:*
  FDResPub
 [svchost.exe]
  UDP    0.0.0.0:5353           *:*
  Dnscache
 [svchost.exe]
  UDP    0.0.0.0:49664          *:*
  FDResPub
 [svchost.exe]
  UDP    0.0.0.0:53020          *:*
 [openvpn.exe]
  UDP    10.8.2.6:137           *:*
 Can not obtain ownership information
  UDP    10.8.2.6:138           *:*
 Can not obtain ownership information
  UDP    192.168.1.2:137        *:*
 Can not obtain ownership information
  UDP    192.168.1.2:138        *:*
 Can not obtain ownership information
  UDP    [::]:3702              *:*
  FDResPub
 [svchost.exe]
  UDP    [::]:3702              *:*
  FDResPub
 [svchost.exe]
  UDP    [::]:49665             *:*
  FDResPub
 [svchost.exe]
 
Would appreciate your thoughts on the matter.
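As an added example (my own code, not from this post or from OpenVPN), a small Python parser for output in the netstat -ab layout shown above: it classifies each listener by the scope of its bind address and pairs every ESTABLISHED loopback socket with the socket at its other end, so both processes behind a connection on 127.0.0.1 can be named. The sample lines are constructed in that layout; the hostname column is ignored because it is whatever the local resolver (hosts file included) returned.

```python
import ipaddress
import re
from collections import namedtuple
# Constructed sample in the Windows "netstat -ab" layout: socket line, optional "[owner.exe]" line.
SAMPLE = """\
  TCP    0.0.0.0:445            pipe:0                 LISTENING
  TCP    127.0.0.1:1058         www:25360              ESTABLISHED
 [openvpn-gui.exe]
  TCP    127.0.0.1:25360        pipe:0                 LISTENING
 [openvpn.exe]
  TCP    127.0.0.1:25360        www:1058               ESTABLISHED
 [openvpn.exe]
  TCP    10.8.2.6:139           pipe:0                 LISTENING
"""
Sock = namedtuple("Sock", "proto local_ip local_port foreign_port state owner")
SOCK_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S*)\s*$")

def parse_netstat(text):
    """One Sock per socket line; a following [name] line names its owning process."""
    socks = []
    for line in text.splitlines():
        if m := SOCK_RE.match(line):
            proto, lip, lport, _host, fport, state = m.groups()
            socks.append(Sock(proto, lip.strip("[]"), int(lport), fport, state, "unknown"))
        elif socks and line.strip().startswith("["):
            socks[-1] = socks[-1]._replace(owner=line.strip().strip("[]"))
    return socks

def bind_scope(ip_text):
    """Who can reach a socket bound to this local address."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_unspecified:
        return "all interfaces"
    if ip.is_loopback:
        return "loopback only (same host)"
    return "one interface (%s)" % ("private range" if ip.is_private else "public")

def listener_scopes(socks):
    """Map (proto, port, owner) of each listening or UDP socket to its bind scope."""
    return {(s.proto, s.local_port, s.owner): bind_scope(s.local_ip)
            for s in socks if s.state == "LISTENING" or s.proto == "UDP"}

def loopback_peers(socks):
    """Pair each ESTABLISHED loopback TCP socket with its other end (ports swapped)."""
    est = {(s.local_port, s.foreign_port): s for s in socks if s.proto == "TCP"
           and s.state == "ESTABLISHED" and ipaddress.ip_address(s.local_ip).is_loopback}
    pairs = []
    for (lp, fp), s in est.items():
        other = est.get((int(fp), str(lp))) if fp.isdigit() else None
        if other and lp < other.local_port:
            pairs.append((s.owner, lp, other.owner, other.local_port))
    return pairs
```

Feed it the saved output of netstat -ab (run as administrator so the owner lines are present) and a listener bound to 127.0.0.1 is reported as reachable from this host only, with its peer process named when the connection is loopback on both ends.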

rose21wiley
OpenVpn Newbie
Posts: 1
Joined: Wed Nov 27, 2024 9:31 am

Re: Seeing some strange inbound traffic when using OpenVPN

Post by rose21wiley » Wed Nov 27, 2024 9:34 am

Hi there! Welcome and thanks for sharing your concern. It sounds like you've done some thorough investigation already. Let's break this down a bit:

Inbound Connection from naj.sk: It's interesting that you're seeing traffic from a Swiss women's fashion site, especially since you don't use it. This could be a case of domain spoofing or an unrelated connection that's coincidental.

Port 25360: This is indeed the management interface port for OpenVPN. It's used for administrative control and monitoring of the OpenVPN process. The fact that blocking naj.sk redirects the traffic to other domains suggests there might be some sort of automated scanning or probing happening.

Constant 6bps Traffic: This is a very low data rate, but it's still unusual if you're not expecting any traffic. It could be a keep-alive signal or some form of background communication.

Given these points, here are a few steps you might consider:

Check for Malware: Run a thorough antivirus and malware scan on your system. Sometimes, unwanted connections can be a sign of malware or a compromised system.

Update OpenVPN: Ensure you're using the latest version of OpenVPN, as updates often include security patches and bug fixes.
