Suspect network activity

  • Hi,


    I eventually found the root cause of all my network issues at home and sadly it points to my OMV box. Perhaps someone with a clear understanding of the system could provide some insight to this.
    I have a DSL modem router (100 Mbps) connected to a central 100 Mbps switch. From there it goes to my study, which has a gigabit switch connecting my laptop, desktop, OMV box and 3G WiFi modem router. I started experiencing very bad pings and dropped connections to my DSL router, so that browsing the web was bad.
    So I found that once I unplug my OMV box from the LAN, my pings to the DSL modem go to 1 ms. Plug it back in again and it all goes erratic.
    See pics from ping and ETH interface graphs.
    Surely this is not normal?

  • I would take a look at some logfiles. Maybe someone tries to get into your machine... Additionally, use higher ports from the dynamic range (random ones, not well-known or registered ports) and reroute them via your router.

    OMV 4.x| HP Microserver | 256GB Samsung 830 SSD for system | 4x 2TB in a RAID5
    OMV 4.x| Odroid XU4 | 5TB Data drive | 500GB Backup drive
    OMV 5.x| Raspberry Pi 4 | 6TB Data drive | 500GB SSD drive

  • Do you mean the OMV box has malware?


    We've seen that before; we couldn't determine the cause. In two cases they had Plex Media Server exposed to the WAN, but that doesn't mean it is Plex's fault; other times the SSH port (22) was exposed to the WAN with a weak password.


    The form of malware I've seen usually shows a process with a random alpha character name like "fnsdtvjka".


    First try and see how the network behaves with the new card; of course, disconnect the other one.

  • OK, I started by disconnecting my OMV box from the net (clearing the gateway & DNS address settings). Once I applied the setting, my ping from another PC to the router returned to 1 ms. There are a few processes with funny characters. I'll post the process list from another PC. Can it still be the NIC that is faulty? I'll replace it if I must test further.

  • BTW, I don't have plex installed.


  • Root PW was not strong. I updated all yesterday and for some reason the CPU is now running at 100%, even after a reboot. I can't recall if port 22 was exposed to the WAN. I'll check my router.


    Don't bother; reinstall the system. The guide section covers how to secure SSH. Also, although it is not stated there, moving the exposed WAN port to a random high one reduces the bots knocking on port 22 and flooding it with brute-force attacks from a lot to almost zero.

  • Root PW was not strong. I updated all yesterday and for some reason the CPU is now running at 100%, even after a reboot. I can't recall if port 22 was exposed to the WAN. I'll check my router.


    Yes, port 22 was forwarded. Didn't think a bot would be interested in a nobody like me. I'll do a reinstall. :mad:
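The two checks suggested in this thread, looking at the logs for SSH brute-force activity and looking for processes with random-looking names, as an added example that is not from the thread or from the OMV project. The process names and auth.log lines are constructed samples, and the "long consonant run" test for a random-looking name is an assumed heuristic, not proof of compromise.

```python
import re

# Constructed sample process names: a few normal daemons plus one
# random-looking name of the kind described in the thread.
SAMPLE_PROCS = ["systemd", "sshd", "smbd", "nginx", "fnsdtvjka", "kworker/0:1", "rsyslogd"]

# Constructed auth.log lines modelled on the standard sshd failure message
# (documentation addresses only; "omv" is the assumed hostname).
SAMPLE_AUTH_LOG = """\
Jan 10 02:11:01 omv sshd[2310]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 10 02:11:03 omv sshd[2310]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 10 02:11:05 omv sshd[2312]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Jan 10 02:12:40 omv sshd[2320]: Failed password for root from 198.51.100.23 port 40011 ssh2
Jan 10 08:30:12 omv sshd[2500]: Accepted publickey for user from 192.0.2.10 port 50123 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
VOWELS = set("aeiou")


def longest_consonant_run(name):
    """Length of the longest run of letters that are not a, e, i, o or u."""
    run = best = 0
    for ch in name:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(name, max_run=6):
    """Heuristic (assumption): purely lowercase alphabetic names with an
    unpronounceably long consonant run look machine-generated. Real daemons
    such as sshd or rsyslogd stay under the threshold; review flagged names
    against installed packages before acting on them."""
    return name.isalpha() and name.islower() and longest_consonant_run(name) >= max_run


def suspicious_processes(names):
    return [n for n in names if looks_random(n)]


def ssh_failures_by_source(log_text):
    """Count 'Failed password' lines per source address and collect the
    usernames tried, so repeated guessing from one address stands out."""
    stats = {}
    for m in FAILED_RE.finditer(log_text):
        user, src = m.group(1), m.group(2)
        entry = stats.setdefault(src, {"failures": 0, "users": set()})
        entry["failures"] += 1
        entry["users"].add(user)
    return stats


if __name__ == "__main__":
    print("random-looking process names:", suspicious_processes(SAMPLE_PROCS))
    for src, entry in ssh_failures_by_source(SAMPLE_AUTH_LOG).items():
        print(f"{src}: {entry['failures']} failures, users tried {sorted(entry['users'])}")
```

On a live box the same functions can be fed the names from `ps -eo comm` and the contents of /var/log/auth.log; a high failure count from one address is the brute-force flooding the thread describes.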
