Suspicious traffic after starting VPN server

fantacinni
Posts: 2
Joined: Fri Aug 29, 2014 1:25 pm

Suspicious traffic after starting VPN server

Post by fantacinni » Fri Aug 29, 2014 1:52 pm

Hi guys,

After I started the vpnserver, it will:
1. Get an IP from DHCP with an unknown MAC address (I can't find it with ifconfig, and it does not exist in my network)
2. Connect to a DNS server to query
3. Send HTTP traffic to 180.76.3.151 (from an IP check, it's owned by Baidu)
4. Repeat 1-4 after 5 minutes.

Attached is a screenshot from the Juniper SSG5 firewall log.
[attachment: Untitled1.jpg]
What is this traffic for? Is it expected or not?

Info of my system
1. Operating system name and the type of CPU-bits
Linuxmint 17 x64

2. The result of "ifconfig -a" (UNIX) or "ipconfig /all" (Windows)
eth0 Link encap:Ethernet HWaddr 00:1f:d0:db:5e:53
inet addr:172.16.98.101 Bcast:172.16.98.255 Mask:255.255.255.0
inet6 addr: fe80::21f:d0ff:fedb:5e53/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:61394 errors:0 dropped:0 overruns:0 frame:0
TX packets:57352 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:32415371 (32.4 MB) TX bytes:9173080 (9.1 MB)

eth1 Link encap:Ethernet HWaddr 00:1f:d0:db:5e:55
UP BROADCAST PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:133596 errors:0 dropped:0 overruns:0 frame:0
TX packets:133596 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:19190012 (19.1 MB) TX bytes:19190012 (19.1 MB)

3. The result of "uname -a" (UNIX) or "systeminfo" (Windows)
Linux linuxmint 3.13.0-35-generic #62-Ubuntu SMP Fri Aug 15 01:58:42 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

4. The build number of SoftEther VPN
Version 4.10 Build 9473

5. Which SoftEther VPN component are you using?
Softether Server for Linux x64

6. Whether or not there is a NAT or Firewall between your VPN server and the Internet.
Yes, Netscreen SSG5, Port mapped.

7. Are you using SecureNAT?
Yes. This problem always happens when the server is started.

8. Your current vpn_server.config or vpn_bridge.config file should be attached on the post.
[attachment: vpn_server.config.txt]
vpn_bridge.config does not exist.
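As an added example (not from the original post or from SoftEther), this Python script does the triage the poster did by hand: it takes the host's own MAC addresses from the `ifconfig -a` output above, then scans firewall log rows for a source MAC the host does not own that repeats the DHCP, DNS, HTTP cycle on a regular period. The log layout, the unknown MAC and the 172.16.98.120 address are constructed assumptions; only 180.76.3.151 and the 5-minute interval come from the post.

```python
import re
from datetime import datetime
# `ifconfig -a` lines from the original post: the host's own interfaces and MACs.
IFCONFIG_OUTPUT = """\
eth0 Link encap:Ethernet HWaddr 00:1f:d0:db:5e:53
eth1 Link encap:Ethernet HWaddr 00:1f:d0:db:5e:55
"""
# Constructed sample log in a simplified "date time src_mac src_ip dst_ip proto dport" layout
# (not the real SSG5 format); the MAC 00:ac:ab:ef:01:02 and 172.16.98.120 are made up.
FIREWALL_LOG = """\
2014-08-29 13:00:01 00:ac:ab:ef:01:02 0.0.0.0 255.255.255.255 udp 67
2014-08-29 13:00:02 00:ac:ab:ef:01:02 172.16.98.120 172.16.98.1 udp 53
2014-08-29 13:00:03 00:ac:ab:ef:01:02 172.16.98.120 180.76.3.151 tcp 80
2014-08-29 13:02:10 00:1f:d0:db:5e:53 172.16.98.101 172.16.98.1 udp 53
2014-08-29 13:05:01 00:ac:ab:ef:01:02 0.0.0.0 255.255.255.255 udp 67
2014-08-29 13:05:02 00:ac:ab:ef:01:02 172.16.98.120 172.16.98.1 udp 53
2014-08-29 13:05:03 00:ac:ab:ef:01:02 172.16.98.120 180.76.3.151 tcp 80
2014-08-29 13:10:01 00:ac:ab:ef:01:02 0.0.0.0 255.255.255.255 udp 67
2014-08-29 13:10:02 00:ac:ab:ef:01:02 172.16.98.120 172.16.98.1 udp 53
2014-08-29 13:10:03 00:ac:ab:ef:01:02 172.16.98.120 180.76.3.151 tcp 80
"""
MAC_RE = re.compile(r"HWaddr\s+([0-9a-f:]{17})", re.IGNORECASE)

def known_macs(ifconfig_text):
    """MACs of the host's real interfaces; any other source MAC on the LAN is worth a look."""
    return {m.lower() for m in MAC_RE.findall(ifconfig_text)}

def find_unknown_mac_beacons(log_text, ifconfig_text, min_cycles=3):
    """Per source MAC the host does not own: count DHCP requests, DNS queries and HTTP
    destinations; report MACs with >= min_cycles DHCP requests and their mean period."""
    own = known_macs(ifconfig_text)
    seen = {}
    for line in log_text.splitlines():
        date, time, mac, _src, dst, proto, dport = line.split()
        if mac in own:
            continue  # traffic from the host's own NICs is expected
        ev = seen.setdefault(mac, {"dhcp": [], "dns": 0, "http": set()})
        if (proto, dport) == ("udp", "67"):
            ev["dhcp"].append(datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"))
        elif (proto, dport) == ("udp", "53"):
            ev["dns"] += 1
        elif proto == "tcp" and dport in ("80", "443"):
            ev["http"].add(dst)
    findings = {}
    for mac, ev in seen.items():
        if len(ev["dhcp"]) < min_cycles:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(ev["dhcp"], ev["dhcp"][1:])]
        findings[mac] = {"cycles": len(ev["dhcp"]), "dns": ev["dns"],
                         "http_dst": sorted(ev["http"]), "period_s": round(sum(gaps) / len(gaps))}
    return findings
```

A MAC that is absent from `ifconfig -a` yet beacons every 300 s is exactly the pattern the poster saw; whether it belongs to a virtual host on the same box or to another device still has to be settled by looking at which process or machine owns it.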

cfunk
Posts: 9
Joined: Mon Sep 01, 2014 5:09 pm

Re: Suspicious traffic after starting VPN server

Post by cfunk » Fri Sep 05, 2014 2:10 pm

Interesting. Where is that traffic generated? I don't think it could be coming from the Linux server. Is the Linux server a local machine, or is it hosted on a PVS? If you have some Windows machine on your network, it might be a trojan sending packets to that IP. IP leaking happens very commonly in China.

Please give more info so we can check together.

Cheers

fantacinni
Posts: 2
Joined: Fri Aug 29, 2014 1:25 pm

Re: Suspicious traffic after starting VPN server

Post by fantacinni » Mon Sep 08, 2014 3:18 pm

cfunk wrote:
> Interesting. Where is that traffic generated? I don't think it could be
> coming from the Linux server. Is the Linux server a local machine, or is it
> hosted on a PVS? If you have some Windows machine on your network, it might be
> a trojan sending packets to that IP. IP leaking happens very commonly in
> China.
>
> Please give more info so we can check together.
>
> Cheers

Thanks for replying.
The Linux server is a local machine.
This traffic is generated by the VPN service itself; after I stop the VPN service, this traffic is no longer generated.
There are no Windows machines in my network, and there are no clients connected while this traffic is logged.

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: Suspicious traffic after starting VPN server

Post by thisjun » Wed Sep 17, 2014 8:04 am

That traffic is generated by the SecureNAT virtual host.
If you don't like it, please turn on "DisableKernelModeSecureNat" in Virtual HUB extended options in Virtual Hub properties.
