Deluge Dridex C2 Server Activity

My IPS/IDS has thrown a few alerts in the past 12 hours that it has blocked CnC server traffic. I’ve got it narrowed down to my linuxserver/deluge container, which is listening on those ports: TCP/UDP 62318, and it tried to access the known C2 server for the Dridex malware @ 37.187.115.122:51413.
I’ve done netstat -nultp within the container to get the PID, but netstat doesn’t return any PIDs in the container. I was trying to see if it was the random ports selected to listen by the deluge server, but that wouldn’t really explain the outgoing traffic to the C2 server. I doubt they’re using the C2 server to download torrents, but stranger things have happened lol.
Has anyone else noticed this, or have these ports listening in their container?
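On the netstat point: netstat -p (and ss -p) only prints a PID when it can read /proc/<pid>/fd for the process that owns the socket, so inside a container where the shell is not root, or where the socket belongs to a different uid than the one running netstat, the PID column stays blank even though the socket is there. The following is an added example, not code from this thread or from linuxserver.io, that does the same mapping by hand: it parses /proc/net/tcp and /proc/net/udp, picks out every socket bound to a given port, and then walks /proc/*/fd looking for the socket inode to name the owning process. The port 62318 and the remote address come from the alert above; the inodes, uid and local address in the embedded sample are constructed so the parser can be exercised offline. Run it as root inside the container to see whether the socket belongs to deluged or to something else.

```python
import glob
import os
import socket
import struct

# Constructed sample in /proc/net/tcp format (not captured from the poster's
# container): one LISTEN socket on 62318 and one established flow to the
# address named in the IDS alert. Inode numbers, uid and the local address
# 10.0.2.15 are made up for the example.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:F36E 00000000:0000 0A 00000000:00000000 00:00000000 00000000   911        0 48211 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:F36E 7A73BB25:C8D5 01 00000000:00000000 00:00000000 00000000   911        0 48213 1 0000000000000000 20 4 30 10 -1
"""

# Subset of the kernel's TCP state codes; UDP sockets report 07 (CLOSE).
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "0A": "LISTEN"}


def decode_addr(hexaddr):
    """'7A73BB25:C8D5' -> ('37.187.115.122', 51413).
    /proc/net/tcp stores the IPv4 address as little-endian hex, so unpack with
    '<I' before handing it to inet_ntoa; the port is plain big-endian hex."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net(text):
    """Parse /proc/net/tcp or /proc/net/udp text into socket records.
    Field layout: sl local rem st tx:rx tr:tm retrnsmt uid timeout inode ..."""
    records = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        lip, lport = decode_addr(fields[1])
        rip, rport = decode_addr(fields[2])
        records.append({
            "local": (lip, lport),
            "remote": (rip, rport),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return records


def sockets_on_port(records, port):
    """Every socket (listening or connected) whose local port matches."""
    return [r for r in records if r["local"][1] == port]


def inode_owners(inodes):
    """Map socket inodes to {(pid, comm)} by reading the symlinks under
    /proc/*/fd. This is the step netstat -p silently skips when the fd
    directories are not readable, so run it as root in the container."""
    wanted = {f"socket:[{i}]": i for i in inodes}
    owners = {}
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            target = os.readlink(fd)
        except OSError:
            continue                            # process gone or fd unreadable
        if target in wanted:
            pid = int(fd.split("/")[2])
            try:
                with open(f"/proc/{pid}/comm") as fh:
                    comm = fh.read().strip()
            except OSError:
                comm = "?"
            owners.setdefault(wanted[target], set()).add((pid, comm))
    return owners


if __name__ == "__main__":
    # Live run inside the container: who owns port 62318 right now?
    records = []
    for path in ("/proc/net/tcp", "/proc/net/udp"):
        try:
            with open(path) as fh:
                records += parse_proc_net(fh.read())
        except OSError:
            pass
    hits = sockets_on_port(records, 62318)
    owners = inode_owners({r["inode"] for r in hits})
    for r in hits:
        print(r["local"], "->", r["remote"], r["state"], "uid", r["uid"],
              owners.get(r["inode"], "no readable owner (run as root?)"))
```

If the owner resolves to deluged, the outbound flow to port 51413 is a peer connection made by the torrent client and the question becomes whether that peer IP belongs on the IDS blocklist; if it resolves to some other binary, or to a PID whose /proc/<pid>/exe has been unlinked, that is the process to preserve and examine before the container is recreated.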

I would start by blowing away that container and starting fresh. It’s likely your transmission instance could’ve been hijacked by something. There have been no other reports of this from our transmission container.

I had already recreated it and it happened again. I just have it shut down for now. I’m going to restore the persistent files from the previous day’s backup and recreate it and see if it happens again. Then I’ll dig into the persistent files and see what I can find. I’m very interested in figuring out how it could’ve become compromised.