Pfsense found docker process
-
@johnpoz I have open the wan ip address port for l2tp/ipsec connection, ssh disable, and only lan access for web gui.
-
@dmateos86 if you hit that 104 on just http you get this back
This is a Tor Exit RouterAnd lots of other info.. talk to it on port 10005 like that command but doesn't connect..
None of that looks good or legit that is for sure... Your not doing anything routing traffic over tor are you?
Can tell you for sure that I don't have anything like running on mine, there is no sh process forked off my php-fpm processes that is for damn sure..
-
Yup I would nuke it and start over if you've not added any of that yourself.
It would be interesting to know what's in any of those referenced files but if it anything suspect it's likely to be obscured anyway.
Steve
-
I'm curious what the hardware is that it's on.... the output of
dmesghere would be really telling.
-
I agree that docker is not being used here - these look like scripts named in a purposely misleading way. Ultimately, this is not normal and hence I suggest wiping the drive(s) and re-installing pfSense. First however, try extracting more information.
Make sure SSH is enabled under System / Advanced, then verify you can SSH by running the following from your Windows host:
ssh root@192.168.1.1Then create a folder to transfer files to, e.g. C:\tmp_dir\ and grab all of the files in /tmp/ - for example by running this from Windows:
scp -r root@192.168.1.1:/tmp/ C:\tmp_dir\The scripts should be stored under the www folder which you can verify by going to Diagnostics / Edit File and browsing to /usr/local/www/. Try finding them otherwise (likely the process needs to be running for the scripts to exist). Grab the scripts as well - for example:
scp root@192.168.1.1:/usr/local/www/*.sh C:\tmp_dir\ scp root@192.168.1.1:/usr/local/www/*docker* C:\tmp_dir\ scp root@192.168.1.1:/usr/local/www/*clinche* C:\tmp_dir\If you get all of that, inspect it and feel free to share it here (zip it up, upload it somewhere, and share the link).
-
@rcoleman-netgate Hi, I share the result from dmesg, the pfsense is running on a dell r240 server.
thanks
-
@dmateos86 I thought for sure it wasn't going to be running a bare metal... I'm a bit more concerned about the rest of the software, then. What got on it and how did it get there?
-
@johnpoz said in Pfsense found docker process:
Your not doing anything routing traffic over tor are you?
Hi, no I dont route any tor traffic, and the php-fpm is:
-
Hmmm ....
That curl + chmod smells a lot too ...
Payload fetcher ??
/Bingo
-
Even scarier: The ptr record for 104.244.77.92 points to nasa.gov.
I don’t know which is more disturbing: The thought that the US Feds did this, or the thought that their server might be compromised!??!
I don’t know. Can a ptr record be spoofed?
-
Thinking about it some more, the ptr record is certainly spoofed. Probably attempting misdirection.
-
@aaronouthier
If your box wasn’t accessible from the outside, then something inside maybe compromised, or perhaps a visitor’s device was compromised and launched an attack on your router while on your network. -
Mmm, it would be very interesting to see what's in those script files.
Seeing this error log on a box with 16GB RAM:
[zone: pf states] PF states limit reached\Implies it's moving a lot of traffic.
Steve
-
I knew it, one day docker would come to pfSense...
-
@bob-dig hahah
-
@stephenw10 Yeah I bet ;)
Other then curiosity on what it is, and how it got there being the biggest question. I would wipe this box for sure.. This is clearly not something you setup. And everything points to nefarious use.. The IPs are hosted vps, and you got some weird ass PTR setting nasa.gov - yeah ok ;)
And the one IP is a tor exit node..
