• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Strange logs on pfSense - most probably somebody has found a way to hack partially the box

General pfSense Questions
8
22
1.6k
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • A
    albgen
    last edited by albgen Apr 5, 2023, 3:47 PM Apr 5, 2023, 3:45 PM

    Hello,

    i'm running CE 2.6.0 on a VM and found the following on the logs.

    login-to-view

    Some other info:
    Web interface is not exposed on wan side. Nobody is on the lan side except my VM.
    The IP that you see on the picture, is the public ip on the WAN side of pfsense.
    8989 is the port of the web interface of pfSense.

    any idea?

    F M 2 Replies Last reply Apr 5, 2023, 4:38 PM Reply Quote 0
    • F
      fireix @albgen
      last edited by Apr 5, 2023, 4:38 PM

      This post is deleted!
      1 Reply Last reply Reply Quote 0
      • M
        michmoor LAYER 8 Rebel Alliance @albgen
        last edited by Apr 5, 2023, 4:40 PM

        @albgen Please provide a screenshot of the WAN firewall rules.

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

        1 Reply Last reply Reply Quote 0
        • S
          stephenw10 Netgate Administrator
          last edited by Apr 5, 2023, 5:03 PM

          What is the client IP shown: 62.204.41.186?

          That clearly has access to the webgui. And probably shouldn't.

          M 1 Reply Last reply Apr 5, 2023, 6:24 PM Reply Quote 1
          • M
            michmoor LAYER 8 Rebel Alliance @stephenw10
            last edited by Apr 5, 2023, 6:24 PM

            @stephenw10 Dont know how/where this pfsense is placed in the path but clearly there is a port open for management.
            Its not hacking if the port is open for the Internet.

            Firewall: NetGate,Palo Alto-VM,Juniper SRX
            Routing: Juniper, Arista, Cisco
            Switching: Juniper, Arista, Cisco
            Wireless: Unifi, Aruba IAP
            JNCIP,CCNP Enterprise

            1 Reply Last reply Reply Quote 0
            • S
              stephenw10 Netgate Administrator
              last edited by Apr 5, 2023, 6:27 PM

              That looks like a remote IP so the webgui is open via some unintentional rule.

              It's probably just a config error though rather than some attack. Those logs show generic access attempts.

              Steve

              1 Reply Last reply Reply Quote 0
              • A
                albgen
                last edited by Apr 5, 2023, 6:46 PM

                That is for sure a security problem.
                The client IP is not known. There is no rule that allows traffic from wan to the pfsense.

                Let me ask a different question. From the lan side, how can i trigger a log that?

                1 Reply Last reply Reply Quote 0
                • M
                  mvikman
                  last edited by Apr 5, 2023, 6:52 PM

                  https://www.showmyip.com/ip-whois-lookup/?fields=66846719&ip=62.204.41.186

                  Looks like it's an Russian IP address, so if you're not in Russia...

                  pfSense Plus 24.11-RELEASE (amd64)
                  Dell Optiplex 7040 SFF
                  Core i5-6500, 8GB RAM, 2x 240GB SSD (ZFS Mirror)
                  HPE 561T (X540-AT2), 2-port 10Gb RJ45
                  HPE 562SFP+ (X710-DA2), 2-port 10Gb SFP+

                  A 1 Reply Last reply Apr 5, 2023, 7:02 PM Reply Quote 0
                  • A
                    albgen @mvikman
                    last edited by Apr 5, 2023, 7:02 PM

                    @mvikman said in Strange logs on pfSense - most probably somebody has found a way to hack partially the box:

                    https://www.showmyip.com/ip-whois-lookup/?fields=66846719&ip=62.204.41.186

                    Looks like it's an Russian IP address, so if you're not in Russia...

                    of course i'm not in Russia and i have nothing to do with a Russian IP.
                    My Server is in Finland, Helsinki
                    https://www.showmyip.com/ip-whois-lookup/?fields=66846719&ip=65.109.35.164

                    P 1 Reply Last reply Apr 5, 2023, 7:19 PM Reply Quote 0
                    • P
                      provels @albgen
                      last edited by provels Apr 5, 2023, 7:21 PM Apr 5, 2023, 7:19 PM

                      @albgen I can web to 65.109.35.164 8989 from lovely Illinois, USA. If you need to manage your FW remotely, setup VPN or just manage it locally from the LAN side.

                      Peder

                      MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
                      BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

                      A 1 Reply Last reply Apr 5, 2023, 7:29 PM Reply Quote 0
                      • A
                        albgen @provels
                        last edited by Apr 5, 2023, 7:29 PM

                        @provels said in Strange logs on pfSense - most probably somebody has found a way to hack partially the box:

                        65.109.35.164 8989

                        No idea why is accessible. there is no such rule that allows it...
                        could it be because i have the config like this:
                        internet---A>Server-B>VMpfSense->LAN

                        The public IP address is at point A and B is a private IP Address

                        but in any case, those logs are strange. I cannot trigger them

                        P 1 Reply Last reply Apr 5, 2023, 7:36 PM Reply Quote 0
                        • P
                          Pippin
                          last edited by Apr 5, 2023, 7:32 PM

                          Still no rules posted.....
                          ....

                          I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                          Halton Arp

                          A 1 Reply Last reply Apr 5, 2023, 7:36 PM Reply Quote 1
                          • A
                            albgen @Pippin
                            last edited by Apr 5, 2023, 7:36 PM

                            @pippin said in Strange logs on pfSense - most probably somebody has found a way to hack partially the box:

                            Still no rules posted.....

                            login-to-view
                            login-to-view
                            login-to-view

                            1 Reply Last reply Reply Quote 0
                            • P
                              provels @albgen
                              last edited by Apr 5, 2023, 7:36 PM

                              @albgen Not exactly sure what Server B is, but Internet should go to WAN side of pfSense, then pfSense to LAN. LAN would include the host the PFSense VM is runnng on.

                              Peder

                              MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
                              BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

                              A 1 Reply Last reply Apr 5, 2023, 7:38 PM Reply Quote 0
                              • A
                                albgen @provels
                                last edited by Apr 5, 2023, 7:38 PM

                                @provels said in Strange logs on pfSense - most probably somebody has found a way to hack partially the box:

                                Not exactly sure what Server B is, but Internet should go to WAN side of pfSense, then pfSense to LAN. LAN would include the host the PFSense VM is runnng on.

                                A and B are just point i have inserted to make you understand what kind of IP Addresses are setup...

                                1 Reply Last reply Reply Quote 0
                                • S
                                  stephenw10 Netgate Administrator
                                  last edited by Apr 5, 2023, 7:40 PM

                                  You have a rule allowing all TCP traffic on WAN. That's passing it.

                                  1 Reply Last reply Reply Quote 0
                                  • C
                                    Cylosoft
                                    last edited by Cylosoft Apr 5, 2023, 7:45 PM Apr 5, 2023, 7:41 PM

                                    Looks like you have an allow all rule. Lots of traffic on it also. 5 GB.

                                    1 Reply Last reply Reply Quote 1
                                    • A
                                      albgen
                                      last edited by Apr 5, 2023, 8:29 PM

                                      yes, correct. the allow all rule was actually allowing everything :)

                                      but the question remains: how have they triggered those kind of logs?

                                      C 1 Reply Last reply Apr 5, 2023, 8:31 PM Reply Quote 0
                                      • C
                                        Cylosoft @albgen
                                        last edited by Apr 5, 2023, 8:31 PM

                                        @albgen said in Strange logs on pfSense - most probably somebody has found a way to hack partially the box:

                                        yes, correct. the allow all rule was actually allowing everything :)

                                        but the question remains: how have they triggered those kind of logs?

                                        Bots or hackers just checking what you have going on. Given time they'd try a lot more things.

                                        1 Reply Last reply Reply Quote 0
                                        • S
                                          stephenw10 Netgate Administrator
                                          last edited by Apr 5, 2023, 8:33 PM

                                          Because the webgui on the WAN interface was open to the internet.

                                          You can see the requests they were making were all failing because the pages don't exist in pfSense. And even if they guessed an existing page they would not have been able to access it without logging in. But you should never open the webgui to public access.

                                          A 1 Reply Last reply Apr 5, 2023, 8:42 PM Reply Quote 0
                                          6 out of 22
                                          • First post
                                            6/22
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.