Malware on EA-3 Controller?

[Brian Hamachek]

My Unifi controller is reporting that my EA-3 controller is looking up .su (Soviet Union) DNS names. What could possibly cause this? Has my controller been infected with malware?

[-defunct-]

What OS version is it on?

[-defunct-]

It should not be reaching out to Russian servers, but I would review the DNS requests as it might be the ntp server reverse lookup.

My own system was pulling an NSA time server from that reverse lookup.

[Brian Hamachek]

It's running 3.3.0.613856.

[-defunct-]

Well, that's a nonexistent version, so...

[Andrew luecke]

Are you using port forwarding. Also, just to confirm, are you an end user or installer? 

[Brian Hamachek]

I'm an installer, but I'm seeing this on my home system. I think Dunamivora might be right about NTP being the cause though. I did a tcpdump on my Unifi firewall and within a few minutes saw entries from the EA-3 resolving domains for NTP servers in France.

[-defunct-]

To verify, you can use system manager and connect to the controller, then go to the time tab and select Legacy. That should do one ntp request per day instead of the frequent checks.

That would at least let you know if all of them are the reverse dns lookups for the ntp servers.