SECURITY ISSUE
-
Hello, I have a firewall on the 2.6 release and I detected that something strange was going on, as CPU usage was at 100% all the time.
This is the fragment I can get from the nginx logs:
nginx.log.4.bz2:Nov 13 02:30:01 fwbody nginx: 178.62.44.152 - - [13/Nov/2022:02:30:01 -0600] "GET /pfblockerng/www/index.php HTTP/1.1" 200 54 "-" "python-requests/2.27.1"
nginx.log.4.bz2:Nov 13 02:30:03 fwbody nginx: 178.62.44.152 - - [13/Nov/2022:02:30:03 -0600] "POST /system_advanced_control.php HTTP/1.1" 200 63 "-" "python-requests/2.27.1"
nginx.log.4.bz2:Nov 13 02:30:05 fwbody nginx: 178.62.44.152 - - [13/Nov/2022:02:30:05 -0600] "POST /system_advanced_control.php HTTP/1.1" 200 174 "-" "python-requests/2.27.1"
nginx.log.4.bz2:Nov 13 02:30:07 fwbody nginx: 178.62.44.152 - - [13/Nov/2022:02:30:07 -0600] "POST /system_advanced_control.php HTTP/1.1" 200 31 "-" "python-requests/2.27.1"
nginx.log.4.bz2:Nov 13 02:30:10 fwbody nginx: 178.62.44.152 - - [13/Nov/2022:02:30:10 -0600] "POST /system_advanced_control.php HTTP/1.1" 200 31 "-" "python-requests/2.27.1"
nginx.log.5.bz2:Nov 12 08:44:26 fwbody nginx: 178.62.44.152 - - [12/Nov/2022:08:44:26 -0600] "\x16\x03\x01\x00\xEE\x01\x00\x00\xEA\x03\x03" 400 150 "-" "-"
nginx.log.5.bz2:Nov 12 08:44:26 fwbody nginx: 178.62.44.152 - - [12/Nov/2022:08:44:26 -0600] "GET / HTTP/1.1" 200 3708 "-" "Mozilla/5.0 (Linux; Android 8.0.0; LG-H870DS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36"
nginx.log.5.bz2:Nov 12 08:48:34 fwbody nginx: 178.62.44.152 - - [12/Nov/2022:08:48:34 -0600] "GET /pfblockerng/www/index.php HTTP/1.1" 200 54 "-" "-"
nginx.log.5.bz2:Nov 12 08:48:37 fwbody nginx: 178.62.44.152 - - [12/Nov/2022:08:48:37 -0600] "GET /pfblockerng/www/index.php HTTP/1.1" 200 54 "-" "-"
The attacker is able to download a script to the /tmp directory and run mining software from there. The script is named "bsd.sh".
Some of these PHP scripts have security issues in them. I'm closing all public HTTP access to my firewalls and hope this can help track this issue.
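The log fragment above is the whole evidence for the "something strange" in the post. The following added example (not code from the post, the thread or pfSense) parses lines in that syslog-wrapped nginx format and groups them per client address, so the pattern a defender looks for stands out: scripted user agents, state-changing POSTs that return 200, and non-HTTP bytes hitting the plaintext listener. The list of state-changing pages and the flagging rule are assumptions chosen for illustration; the sample lines are copied from the post.

```python
"""Triage syslog-wrapped nginx access-log lines from a firewall webGUI.

Added example, not code from the forum post or from pfSense. The log
format and the sample lines are taken from the post; STATE_CHANGING_PATHS,
the scripted-UA list and the flagging rule are assumptions for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Syslog-wrapped nginx "combined" format, optionally prefixed with a file name
# (what `grep` prints across rotated logs, e.g. "nginx.log.4.bz2:").
LINE_RE = re.compile(
    r'^(?:[^\s:]+:)?'                                   # optional "file:" prefix
    r'(?P<syslog_ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) '  # syslog timestamp
    r'(?P<host>\S+) nginx: '                            # hostname + program
    r'(?P<ip>\S+) \S+ \S+ '                             # client, ident, user
    r'\[(?P<ts>[^\]]+)\] '                              # nginx local time
    r'"(?P<request>[^"]*)" '                            # request line (may be escaped bytes)
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A well-formed HTTP request line; anything else is raw bytes that nginx
# escaped. A TLS ClientHello sent to a plaintext port looks exactly like the
# "\x16\x03\x01..." line in the post (0x16 = handshake record, 0x0301 = TLS).
REQUEST_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d$')
# Client libraries and an empty UA ("-"); assumed list for this example.
SCRIPTED_UA_RE = re.compile(r'^(?:-$|python-requests|curl|wget|go-http-client|libwww)', re.I)
# Pages whose POST handlers change firewall state (assumed for this example).
STATE_CHANGING_PATHS = {'/system_advanced_control.php'}


@dataclass
class Hit:
    ip: str
    ts: datetime
    method: Optional[str]   # None when the request line is not HTTP
    path: Optional[str]
    raw_request: str
    status: int
    ua: str


@dataclass
class Finding:
    total: int = 0
    malformed: int = 0             # non-HTTP request lines (probes, TLS on plaintext port)
    scripted_gets: int = 0         # GETs from scripted or empty user agents
    scripted_state_posts: int = 0  # successful POSTs to state-changing pages from scripts
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    paths: set = field(default_factory=set)


def parse_line(line: str) -> Optional[Hit]:
    """Parse one log line; return None for lines not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    req = REQUEST_RE.match(m['request'])
    return Hit(ip=m['ip'], ts=ts,
               method=req['method'] if req else None,
               path=req['path'] if req else None,
               raw_request=m['request'], status=int(m['status']), ua=m['ua'])


def triage(lines: List[str]) -> Dict[str, Finding]:
    """Aggregate per-client indicators over a batch of log lines."""
    findings: Dict[str, Finding] = defaultdict(Finding)
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        f = findings[hit.ip]
        f.total += 1
        f.first_seen = min(f.first_seen or hit.ts, hit.ts)
        f.last_seen = max(f.last_seen or hit.ts, hit.ts)
        if hit.method is None:
            f.malformed += 1
            continue
        f.paths.add(hit.path)
        scripted = bool(SCRIPTED_UA_RE.match(hit.ua))
        if scripted and hit.method == 'GET':
            f.scripted_gets += 1
        if (scripted and hit.method == 'POST' and hit.path in STATE_CHANGING_PATHS
                and 200 <= hit.status < 300):
            f.scripted_state_posts += 1
    return dict(findings)


def flagged_ips(lines: List[str]) -> List[str]:
    """Clients worth a closer look: any scripted state-changing POST that
    succeeded, or probing (malformed bytes) followed by scripted admin GETs."""
    return sorted(ip for ip, f in triage(lines).items()
                  if f.scripted_state_posts or (f.malformed and f.scripted_gets))


# Sample input: the lines quoted in the post above (raw string keeps the
# literal "\x16" escapes exactly as nginx wrote them).
SAMPLE_LINES = r"""
nginx.log.4.bz2:Nov 13 02:30:01 fwbody nginx: 178.62.44.152 - - [13/Nov/2022:02:30:01 -0600] "GET /pfblockerng/www/index.php HTTP/1.1" 200 54 "-" "python-requests/2.27.1"
nginx.log.4.bz2:Nov 13 02:30:03 fwbody nginx: 178.62.44.152 - - [13/Nov/2022:02:30:03 -0600] "POST /system_advanced_control.php HTTP/1.1" 200 63 "-" "python-requests/2.27.1"
nginx.log.4.bz2:Nov 13 02:30:05 fwbody nginx: 178.62.44.152 - - [13/Nov/2022:02:30:05 -0600] "POST /system_advanced_control.php HTTP/1.1" 200 174 "-" "python-requests/2.27.1"
nginx.log.4.bz2:Nov 13 02:30:07 fwbody nginx: 178.62.44.152 - - [13/Nov/2022:02:30:07 -0600] "POST /system_advanced_control.php HTTP/1.1" 200 31 "-" "python-requests/2.27.1"
nginx.log.4.bz2:Nov 13 02:30:10 fwbody nginx: 178.62.44.152 - - [13/Nov/2022:02:30:10 -0600] "POST /system_advanced_control.php HTTP/1.1" 200 31 "-" "python-requests/2.27.1"
nginx.log.5.bz2:Nov 12 08:44:26 fwbody nginx: 178.62.44.152 - - [12/Nov/2022:08:44:26 -0600] "\x16\x03\x01\x00\xEE\x01\x00\x00\xEA\x03\x03" 400 150 "-" "-"
nginx.log.5.bz2:Nov 12 08:44:26 fwbody nginx: 178.62.44.152 - - [12/Nov/2022:08:44:26 -0600] "GET / HTTP/1.1" 200 3708 "-" "Mozilla/5.0 (Linux; Android 8.0.0; LG-H870DS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36"
nginx.log.5.bz2:Nov 12 08:48:34 fwbody nginx: 178.62.44.152 - - [12/Nov/2022:08:48:34 -0600] "GET /pfblockerng/www/index.php HTTP/1.1" 200 54 "-" "-"
nginx.log.5.bz2:Nov 12 08:48:37 fwbody nginx: 178.62.44.152 - - [12/Nov/2022:08:48:37 -0600] "GET /pfblockerng/www/index.php HTTP/1.1" 200 54 "-" "-"
""".strip().splitlines()

if __name__ == '__main__':
    for ip, f in triage(SAMPLE_LINES).items():
        print(ip, f.total, 'hits,', f.malformed, 'malformed,',
              f.scripted_gets, 'scripted GETs,', f.scripted_state_posts,
              'scripted state-changing POSTs, seen', f.first_seen, '->', f.last_seen)
    print('flagged:', flagged_ips(SAMPLE_LINES))
```

The useful signal here is not any single line but the sequence per client: a browser fetch of the login page, then unauthenticated-looking GETs to a package page with an empty user agent, then a run of python-requests POSTs to a state-changing page that all return 200 a couple of seconds apart. Running this over the full set of rotated logs (rather than the grep fragment) would also show whether other addresses followed the same sequence.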
-
@jompigrande Why open your firewall to http on its WAN interface?
Use a VPN if you need to access the firewall from the internet.
-
@jompigrande said in SECURITY ISSUE:
im closing all my firewalls HTTP public access and hope this can help track this issue.
Yeah, don't make it public if you are worried about remote access. Run on a different port, perhaps, or behind a VPN (preferred).
-
Yeah, never open the webgui up for public access via http.
If you have to access it remotely you should only ever use https and you should restrict the source IPs that can connect in the firewall rules.
Using a VPN to access it is a much better solution.
If, for whatever reason, you have unknown scripts running on the firewall then you need to reinstall clean and examine your config before restoring it.
You might also pull the full system logs from it first and review those.
Steve