UPNP disabled, but something was using it - Unpossible, right?
-
I have a pfSense box acting as a router for my home network. It has 2x Intel gigabit cards, one for LAN, the other for WAN, going to a cable modem. pfSense sends all traffic out through an OpenVPN link to a commercial VPN provider. This has been working for 4 - 6 months with no problem. In fact, I didn't even reboot the machine in that whole time.
Yesterday I started seeing a weird phenomenon. The VPN would go down, and no Internet traffic would go out, save for a torrent client, Deluge. The client was enabled for UPNP and NAT-PMP. After restarting the VPN service a few times, I started looking into things. Eventually I figured out that it was able to keep going through UPNP or NAT-PMP, so I turned them both off. The next time there was a failure, the torrent client failed completely, like it should have.
Today I haven't been running any torrents, but the VPN daemon crashed so hard I had to reboot the box. I decided to turn UPNP and NAT-PMP off on the pfSense box, but lo and behold, it was already off.
I don't understand how something could use UPNP if it was turned off. Even if the modem could use it, wouldn't pfSense block the traffic, for at least 2 reasons (UPNP is LAN only, and when things failed, there was no reason/way for pfSense to relay packets to the modem), right?
-
Sounds like pwnage - someone probably got logins to your box.
Do you use a remote log server to see if there's any suspicious activity? If they have your logins, then local logs will be useless unless they were sloppy.
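Before assuming a compromise, it is worth finding out which host on the LAN is actually answering UPnP and NAT-PMP requests, since the torrent client will happily talk to any responder, not just pfSense. The script below is an added example written for this thread, not code from the original poster or from pfSense: it sends an SSDP M-SEARCH for an InternetGatewayDevice to the multicast group and a NAT-PMP "external address" request (RFC 6886 opcode 0) to the gateway and to every SSDP responder, then flags any answer that does not come from the pfSense LAN address. The default gateway address 192.168.1.1 is an assumption; pass your real pfSense LAN IP as the first argument.

```python
import socket
import struct
import sys

SSDP_ADDR = ("239.255.255.250", 1900)
NATPMP_PORT = 5351
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"


def build_msearch(st=IGD_ST, mx=2):
    """SSDP discovery request; any IGD implementation on the LAN should answer it."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n\r\n"
    ).encode()


def parse_ssdp_response(data):
    """Return lowercase header dict from an SSDP 200 response, or None for anything else."""
    lines = data.decode("utf-8", errors="replace").split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers


def build_natpmp_external_addr_request():
    """NAT-PMP request: version 0, opcode 0 (get external address)."""
    return struct.pack("!BB", 0, 0)


def parse_natpmp_external_addr_response(data):
    """NAT-PMP reply: version, opcode 128, result code, uptime, external IPv4."""
    if len(data) < 12:
        return None
    version, opcode, result, uptime = struct.unpack("!BBHI", data[:8])
    if version != 0 or opcode != 128:
        return None
    return {"result": result, "uptime": uptime,
            "external_ip": socket.inet_ntoa(data[8:12])}


def discover_ssdp(timeout=3.0):
    """Multicast an M-SEARCH and collect (source IP, LOCATION, SERVER) for every answer."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    responders = []
    try:
        sock.sendto(build_msearch(), SSDP_ADDR)
        while True:
            data, (src, _) = sock.recvfrom(4096)
            headers = parse_ssdp_response(data)
            if headers is not None:
                responders.append((src, headers.get("location", "?"),
                                   headers.get("server", "?")))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return responders


def probe_natpmp(host, timeout=2.0):
    """Ask host for its NAT-PMP external address; None means nothing is listening."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_natpmp_external_addr_request(), (host, NATPMP_PORT))
        data, (src, _) = sock.recvfrom(64)
        return src, parse_natpmp_external_addr_response(data)
    except socket.timeout:
        return None
    finally:
        sock.close()


if __name__ == "__main__":
    # Assumed pfSense LAN address; override on the command line.
    gateway = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    print("SSDP InternetGatewayDevice responders:")
    ssdp_hosts = discover_ssdp()
    for src, location, server in ssdp_hosts:
        note = "" if src == gateway else "   <-- NOT the pfSense LAN address"
        print(f"  {src}  {location}  ({server}){note}")
    if not ssdp_hosts:
        print("  none")
    print("NAT-PMP probes:")
    for host in sorted({gateway, *(src for src, _, _ in ssdp_hosts)}):
        print(f"  {host}: {probe_natpmp(host) or 'no answer (service off)'}")
```

With UPnP and NAT-PMP disabled on pfSense, the expected result is no SSDP responders and "no answer" from the gateway. Any other LAN host that answers (another router, a NAS, a media box, a cable modem in bridge mode that still exposes a management address) is the daemon the torrent client was talking to, which is a very different finding from a compromised pfSense. On a multi-homed machine, bind the SSDP socket to the LAN interface address first, or the M-SEARCH may leave through the wrong NIC.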