Continuous block port 7000

Murus
ggarcia
Posts: 2
Joined: Thu Oct 01, 2015 9:41 am

Continuous block port 7000

Post by ggarcia » Fri Apr 22, 2016 5:08 pm

Hi, I am getting continuous logs of a block for port 7000 out to a Chinese address. (116.129.1.125).

Apr 22 09:24:36 My-iMac pf[457]: 00:00:01.066599 rule 10/0(match): block out on en0: 192.168.0.5.55720 > 116.129.1.125.7000: Flags [S], seq 3833951851, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 423721078 ecr 0,sackOK,eol], length 0
Apr 22 09:24:38 My-iMac pf[457]: 00:00:02.146904 rule 10/0(match): block out on en0: 192.168.0.5.55720 > 116.129.1.125.7000: Flags [S], seq 3833951851, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 423723078 ecr 0,sackOK,eol], length 0
Apr 22 09:25:01 My-iMac pf[457]: 00:00:22.597261 rule 10/0(match): block out on en0: 192.168.0.5.55800 > 116.129.1.107.7000: Flags [S], seq 2441280979, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 423744520 ecr 0,sackOK,eol], length 0
Apr 22 09:25:02 My-iMac pf[457]: 00:00:01.020430 rule 10/0(match): block out on en0: 192.168.0.5.55800 > 116.129.1.107.7000: Flags [S], seq 2441280979, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 423745521 ecr 0,sackOK,eol], length 0

The problem is how I identify the "rule 10/0(match)". As far as I know I do not have a block for outgoing services, and I think I do not have the logging report for all the blocks enabled.

hany
Posts: 481
Joined: Wed Dec 10, 2014 5:20 pm

Re: Continuous block port 7000

Post by hany » Sat Apr 23, 2016 2:46 pm

> The problem is how I identify the "rule 10/0(match)"

You do this using the Murus PF rules browser or the shell command /sbin/pfctl. There are examples in the Murus manual.

> 00:00:01.066599 rule 10/0(match):

It means "rule number ten in the pf root anchor".

If you see something like this:

00:01:34.870878 rule 35.murus.inbound.87/0(match):

then it means "rule number eighty-seven in anchor murus.inbound. This anchor is defined by rule thirty-five in the root pf anchor."

> As far as I know I do not have a block for outgoing services

Rule number 10 is (on almost all Murus settings) the rule that blocks traffic to Emerging Threats blocked addresses. I bet you activated this option in the Murus wizard or preferences.
Well, an app running on your Mac is trying to connect to this "dangerous" (and banned) IP address, but Murus is blocking it. Luckily :D
I suggest you try to understand which app is doing this nasty thing :)
It can simply be a web site you are visiting with the browser. If this is the case, then don't worry.
I suggest you investigate this issue :)
Let me know if you need help doing this.

ggarcia
Posts: 2
Joined: Thu Oct 01, 2015 9:41 am

Re: Continuous block port 7000

Post by ggarcia » Sat Apr 23, 2016 5:36 pm

Yes, the cause is the Emerging Threats blocked address. I didn't find the match before because the threat file did not have a string match for 10.129.x.x. But the Emerging Threats file is blocking 116.128.0.0/10, which includes the 116.129.x.x subnet. The "dangerous" :evil: application is "/usr/libexec/AirPlayXPCHelper". It tries to connect to the IP address 116.129.1.10 using port 7000. It also tries to connect to the 192.168.0.101 and 10.0.1.7 IP addresses.
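An added example, not code from this thread or from Murus: a small Python script that does the two things the thread did by hand. It decodes the "rule N/0(match)" reference the way hany explains (a bare number is a root-ruleset rule; "35.murus.inbound.87" is rule 87 inside anchor murus.inbound, loaded by root rule 35), and it checks the remote peer of each logged packet against a CIDR blocklist, which is how ggarcia's 116.129.x.x address turned out to match the 116.128.0.0/10 entry. The log lines embedded in it are constructed to mirror the ones posted above (the anchor-match line is invented to show the nested form), the blocklist is only the single CIDR reported above rather than the real Emerging Threats file, and the pfctl commands it prints rely on the standard `pfctl -vvsr` output (each rule prefixed with its @number) and the `-a anchor` option.

```python
"""Triage pf log lines: decode the 'rule N/0(match)' reference, pick out the
remote peer, and check it against a CIDR blocklist.
Example code added to this thread; not Murus code. All sample data is constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in the shape of the pf log entries posted above.
# The second line is a made-up anchor match to exercise the nested form.
SAMPLE_LOG = """\
Apr 22 09:24:36 My-iMac pf[457]: 00:00:01.066599 rule 10/0(match): block out on en0: 192.168.0.5.55720 > 116.129.1.125.7000: Flags [S], seq 3833951851, win 65535, length 0
Apr 22 09:25:01 My-iMac pf[457]: 00:00:22.597261 rule 35.murus.inbound.87/0(match): block in on en0: 203.0.113.9.4444 > 192.168.0.5.22: Flags [S], seq 1, win 65535, length 0
Apr 22 09:26:00 My-iMac pf[457]: 00:00:00.500000 rule 10/0(match): block out on en0: 192.168.0.5.55801 > 192.168.0.101.7000: Flags [S], seq 2, win 65535, length 0
"""

# Hypothetical blocklist: only the CIDR ggarcia reported finding in the
# Emerging Threats file. A real run would load the whole table file.
BLOCKLIST = [ipaddress.ip_network("116.128.0.0/10")]

PF_LINE = re.compile(
    r"rule (?P<ruleref>[\w.]+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


@dataclass
class RuleRef:
    root_rule: int                     # rule number in the root ruleset
    anchor: Optional[str] = None       # anchor name when the match is inside one
    anchor_rule: Optional[int] = None  # rule number inside that anchor


def parse_rule_ref(ref: str) -> RuleRef:
    """'10' -> root rule 10.  '35.murus.inbound.87' -> root rule 35 loads anchor
    'murus.inbound', whose rule 87 matched.  Anchor names may contain dots, so
    only the first and last components are numbers.  Deeper nesting (an anchor
    inside an anchor) is not decoded here."""
    parts = ref.split(".")
    if len(parts) == 1:
        return RuleRef(int(parts[0]))
    return RuleRef(int(parts[0]), ".".join(parts[1:-1]), int(parts[-1]))


@dataclass
class PfEvent:
    rule: RuleRef
    action: str
    direction: str
    ifname: str
    src: str
    sport: int
    dst: str
    dport: int

    @property
    def peer(self) -> str:
        """The remote side: destination for 'out', source for 'in'."""
        return self.dst if self.direction == "out" else self.src

    @property
    def peer_port(self) -> int:
        return self.dport if self.direction == "out" else self.sport


def parse_pf_line(line: str) -> Optional[PfEvent]:
    """Return the parsed event, or None for lines that are not pf block/pass logs."""
    m = PF_LINE.search(line)
    if m is None:
        return None
    return PfEvent(parse_rule_ref(m["ruleref"]), m["action"], m["dir"], m["ifname"],
                   m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def matching_network(addr: str, nets=BLOCKLIST):
    """Return the blocklist CIDR containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    return next((n for n in nets if ip in n), None)


def pfctl_lookup(rule: RuleRef) -> str:
    """Shell command that prints the matched rule text.  'pfctl -vvsr' prefixes
    each rule with '@N'; '-a' selects the anchor's ruleset."""
    if rule.anchor is None:
        return f"sudo pfctl -vvsr | grep '^@{rule.root_rule} '"
    return f"sudo pfctl -a {rule.anchor} -vvsr | grep '^@{rule.anchor_rule} '"


def triage(log_text: str, nets=BLOCKLIST):
    """One finding per parsed line: decoded rule, remote peer, matching CIDR, lookup command."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_pf_line(line)
        if ev is None:
            continue
        net = matching_network(ev.peer, nets)
        findings.append({
            "rule": ev.rule,
            "peer": ev.peer,
            "peer_port": ev.peer_port,
            "blocked_net": str(net) if net is not None else None,
            "lookup": pfctl_lookup(ev.rule),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it as-is and the first finding reports peer 116.129.1.125 inside 116.128.0.0/10 with the lookup command `sudo pfctl -vvsr | grep '^@10 '`; the 192.168.0.101 line parses but matches no CIDR, which is the "local address, not on any list" case. To tie a blocked outbound connection to a process, run `sudo lsof -nP -iTCP:7000` while the retries are happening: the repeated SYNs with the same sequence number a second or two apart in the posted log are TCP retransmissions, so the socket sits in SYN_SENT long enough for lsof to show its owning command.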
