Intrusion detection alert for Volumio boxes

When I checked my intrusion detection records today I noticed that the 2 Volumio boxes I have at home trigger IDS alerts.

They attempt to make a user-agent connection to 142.93.107.218:80 and trigger the IDS rule “ET USER_AGENTS Node XMLHTTP User-Agent”.
Can anyone tell me if this IP is a legitimate IP address for Volumio?
If not, I’m afraid somehow my babies have been intruded in some way.

I’m a great fan of Volumio, however it’s kind of frustrating that there is no answer to this question. This was raised nearly a year ago for the first time ( why-does-volumio-need-access-digitalocean-t11418.html )…

Every 5 min. Volumio scans for a port on which it can reach out to a server:

Threat Management Alert 3: Unknown Traffic. Signature ET USER_AGENTS Node XMLHTTP User-Agent. From: 10.10.10.228:51692, to: 142.93.107.218:80, protocol: TCP 20:21 2019/11/04
Threat Management Alert 3: Unknown Traffic. Signature ET USER_AGENTS Node XMLHTTP User-Agent. From: 10.10.10.228:51590, to: 142.93.107.218:80, protocol: TCP 20:21 2019/11/04
Threat Management Alert 3: Unknown Traffic. Signature ET USER_AGENTS Node XMLHTTP User-Agent. From: 10.10.10.228:51634, to: 142.93.107.218:80, protocol: TCP 20:16 2019/11/04
Threat Management Alert 3: Unknown Traffic. Signature ET USER_AGENTS Node XMLHTTP User-Agent. From: 10.10.10.228:51588, to: 142.93.107.218:80, protocol: TCP 20:11 2019/11/04
Threat Management Alert 3: Unknown Traffic. Signature ET USER_AGENTS Node XMLHTTP User-Agent. From: 10.10.10.228:51584, to: 142.93.107.218:80, protocol: TCP 20:11 2019/11/04
Threat Management Alert 3: Unknown Traffic. Signature ET USER_AGENTS Node XMLHTTP User-Agent. From: 10.10.10.228:51528, to: 142.93.107.218:80, protocol: TCP 20:05 2019/11/04
Threat Management Alert 3: Unknown Traffic. Signature ET USER_AGENTS Node XMLHTTP User-Agent. From: 10.10.10.228:51524, to: 142.93.107.218:80, protocol: TCP 20:05 2019/11/04
Threat Management Alert 3: Unknown Traffic. Signature ET USER_AGENTS Node XMLHTTP User-Agent. From: 10.10.10.228:51456, to: 142.93.107.218:80, protocol: TCP 20:00 2019/11/04
Threat Management Alert 3: Unknown Traffic. Signature ET USER_AGENTS Node XMLHTTP User-Agent. From: 10.10.10.228:51452, to: 142.93.107.218:80, protocol: TCP 20:00 2019/11/04
Threat Management Alert 3: Unknown Traffic. Signature ET USER_AGENTS Node XMLHTTP User-Agent. From: 10.10.10.228:51396, to: 142.93.107.218:80, protocol: TCP 19:55 2019/11/04
Threat Management Alert 3: Unknown Traffic. Signature ET USER_AGENTS Node XMLHTTP User-Agent. From: 10.10.10.228:51392, to: 142.93.107.218:80, protocol: TCP 19:55 2019/11/04
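As an added example that is not part of this thread, a small Python script that parses alert lines in the format quoted above and reports whether a source is contacting a destination at a fixed cadence, which is the first thing to confirm before deciding whether traffic like this is a benign update check or something that needs a closer look. The sample input is six of the lines above; the regular expression and the one-minute jitter tolerance are my own assumptions about the log format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: six of the alert lines quoted above, copied in the IDS's own format.
SAMPLE_ALERTS = """\
Threat Management Alert 3: Unknown Traffic. Signature ET USER_AGENTS Node XMLHTTP User-Agent. From: 10.10.10.228:51692, to: 142.93.107.218:80, protocol: TCP 20:21 2019/11/04
Threat Management Alert 3: Unknown Traffic. Signature ET USER_AGENTS Node XMLHTTP User-Agent. From: 10.10.10.228:51590, to: 142.93.107.218:80, protocol: TCP 20:21 2019/11/04
Threat Management Alert 3: Unknown Traffic. Signature ET USER_AGENTS Node XMLHTTP User-Agent. From: 10.10.10.228:51634, to: 142.93.107.218:80, protocol: TCP 20:16 2019/11/04
Threat Management Alert 3: Unknown Traffic. Signature ET USER_AGENTS Node XMLHTTP User-Agent. From: 10.10.10.228:51588, to: 142.93.107.218:80, protocol: TCP 20:11 2019/11/04
Threat Management Alert 3: Unknown Traffic. Signature ET USER_AGENTS Node XMLHTTP User-Agent. From: 10.10.10.228:51528, to: 142.93.107.218:80, protocol: TCP 20:05 2019/11/04
Threat Management Alert 3: Unknown Traffic. Signature ET USER_AGENTS Node XMLHTTP User-Agent. From: 10.10.10.228:51456, to: 142.93.107.218:80, protocol: TCP 20:00 2019/11/04
"""

# Assumed line layout: signature, source ip:port, destination ip:port, protocol, HH:MM, date.
ALERT_RE = re.compile(
    r"Signature (?P<sig>.+?)\. From: (?P<src>[\d.]+):\d+, "
    r"to: (?P<dst>[\d.]+):(?P<dport>\d+), protocol: \w+ "
    r"(?P<time>\d\d:\d\d) (?P<date>\d{4}/\d\d/\d\d)\s*$"
)

def parse_alerts(text):
    """Return (src, dst, dport, signature, timestamp) for every line that matches."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # skip anything that is not an alert line
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y/%m/%d %H:%M")
        events.append((m["src"], m["dst"], int(m["dport"]), m["sig"], ts))
    return events

def beacon_summary(events, jitter_min=1):
    """Group by (src, dst, dport, sig) and flag a fixed check-in period."""
    groups = defaultdict(list)
    for src, dst, dport, sig, ts in events:
        groups[(src, dst, dport, sig)].append(ts)
    summary = {}
    for key, stamps in groups.items():
        # The IDS logs minute resolution, so connections in the same minute are one burst.
        bursts = sorted(set(stamps))
        gaps = [int((b - a).total_seconds() // 60) for a, b in zip(bursts, bursts[1:])]
        summary[key] = {
            "connections": len(stamps),
            "bursts": len(bursts),
            "gaps_min": gaps,
            "period_min": round(sum(gaps) / len(gaps)) if gaps else None,
            # Gaps differing by at most jitter_min minutes count as a fixed period.
            "periodic": bool(gaps) and max(gaps) - min(gaps) <= jitter_min,
        }
    return summary
```

Run it over a full day of alerts and a fixed five-minute period with two sockets per burst, as here, points to a scheduled client check-in rather than interactive activity; that still does not say whether the destination is legitimate, which is the separate question the thread asks.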

It’s probably pushupdates.volumio.org -
pushupdates-volumio-org-requested-every-sec-t11178.html

Thank you, in the meantime I checked on my Pi-hole DNS server. The query goes out every 30 sec. or so, but why? I never saw a popup in Volumio that there is an update…
Anyway I blocked it.


From the other thread:

The server is probably down, so the client is feeling lonely and trying desperately to get in touch.
Should probably implement some sort of exponential backoff in the client so it doesn’t spam the network in such situations…

I’ve been seeing this for the past few days. Interestingly, I have 2 Pis with Volumio, and only 1 seems to be phoning home at the moment.