Malware from firewall WAN interface, is my pfSense itself compromised?
-
Hi all,
Having "one of those days" and am hoping someone may be able to help out. I've become aware of some unwanted traffic on my network on port 25. Assumed someone had picked up some malware somehow and a device would need to be flattened. Oddly though, I haven't managed to track it down to anything other than the WAN interface of an internal pfSense Community install. With a floating block rule I have been able to see the following happening today:
I have HAProxy installed on this instance and it listens on ports 80 and 443 on 10.0.1.2, which is also the WAN address. Had assumed that there was nothing wrong with this, but am now unsure. I think it is unlikely that the pfSense host itself has been compromised, but I imagine not impossible.
Am tempted to flatten the FW itself, but obviously that would be a pain. Have tried a packet capture on the WAN interface with the port number set to 25 to try to glean some more info, and I can see that the packets logged seem to be every 5 mins, but the capture just remains empty despite it running at the time the firewall blocks the packet.
Any help and/or advice really appreciated, thanks.
-
@dbx Seems like something misconfigured.. UDP 25 is not used for SMTP.. only TCP.
I show that IP with this info.
{
  "ip": "51.81.245.139",
  "hostname": "ns1000055.ip-51-81-245.us",
  "city": "Portland",
  "region": "Oregon",
  "country": "US",
  "loc": "45.5234,-122.6762",
  "org": "AS16276 OVH SAS",
  "postal": "97204",
  "timezone": "America/Los_Angeles",
  "asn": {
    "asn": "AS16276",
    "name": "OVH SAS",
    "domain": "ovhcloud.com",
    "route": "51.81.128.0/17",
    "type": "hosting"
  },
  "company": {
    "name": "OVH US LLC",
    "domain": "ovhcloud.com",
    "type": "hosting"
  },
  "privacy": {
    "vpn": false,
    "proxy": false,
    "tor": false,
    "relay": false,
    "hosting": true,
    "service": ""
  },
  "abuse": {
    "address": "US, VA, Reston, 11950 Democracy Drive, 20190",
    "country": "US",
    "email": "abuse@ovh.us",
    "name": "ABUSE",
    "network": "51.81.245.0/24",
    "phone": "+1-855-684-5463"
  }
}
A quick scan shows it listening on a few ports, one of them is 8443, which is an alternative SSL port; the cert it hands back is for dcon.testtv.xyz
which resolves to these
;dcon.testtv.xyz. IN A
;; ANSWER SECTION:
dcon.testtv.xyz. 3600 IN A 104.21.42.126
dcon.testtv.xyz. 3600 IN A 172.67.162.8
If you hit it on port 8081 you can log in ;) as admin with any password.. Not sure what that is??
-
Thank you for the answer. I don't run any mail server on the network, and I have seen traffic with both UDP and TCP port 25 on this interface matched by this rule. The TCP traffic was during the weekend and unfortunately I have no log files to illustrate, but the IP you have traced, other than appearing in the log files, is alien to me. I need to identify the source of this traffic. The 10.0.1.2 with a port number in the logs is bizarre, as that is the WAN interface of the pfSense instance.
-
@dbx Yeah, I have no idea what that is.. Do you see any other traffic to that IP?
-
Other than the log entries for the block rule, no other traffic that I am aware of. I am half convinced that there is some malware at play, but other than seeing traffic to unknown hosts on port 25 originating from the WAN address of this pfSense box, which does have a port forward going to it from an external IP on 80 and 443, I don't have much to go off.
-
@dbx pfSense would create a state even for UDP traffic. If you look in your state table you should be able to see where it was created.. Might have to allow the traffic for the state to be created?? Not sure, never tried to do something like that...
But that IP is odd, not sure what dcon-server is, but there is Tor and other odd stuff on there. From the web GUI thing that is wide open there is a link to https://panjiachen.github.io/vue-element-admin-site/#/
Also shows that IP on a sh attacker list
https://maltiverse.com/ip/51.81.245.139
-
You absolute legend. You were right, I had to allow the packet through by disabling the block rule. We have now identified the problem device.
Thank you so much @johnpoz
-
@dbx Glad you got sorted... Be curious to what they were infected with or doing - that box is for sure odd.. You just going to wipe that client box, or you going to do some investigation into what it's infected with? If you get any more info - my curiosity cat would welcome any details for the end of this story ;)
Maybe move your blocks of stuff to the inside interface(s), so you get the source IP in the log going forward?
Possible it's just a Tor exit node - think you can look those up? Well, doesn't show as Tor, but gets a really bad score ;)
On a reputation site. Looked for other blacklists it is on - that is not a good IP ;)
-
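Added example, not part of the thread and not pfSense's own code, illustrating the two suggestions above: that the state table shows who really created an outbound state, and that a block logged on the WAN only shows the post-NAT address. On pfSense (FreeBSD pf) `pfctl -ss` prints an outbound-NAT state as `<if> <proto> <post-NAT src>:<port> (<pre-NAT src>:<port>) -> <dst>:<port> <state>`, so the address in parentheses is the internal host and the bare source (10.0.1.2 in this thread) is only what the WAN side sees. The internal hosts (192.168.1.x), interface names and ports in the sample dump are constructed; the snippet assumes the `pfctl -ss` output format and handles IPv4 only (IPv6 addresses contain colons and would need a different split).

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the FreeBSD/pfSense `pfctl -ss`
# state-table format for an outbound-NAT state:
#   <if> <proto> <post-NAT src>:<port> (<pre-NAT src>:<port>) -> <dst>:<port> <state>
# The parenthesised address is the internal host that originated the traffic;
# the WAN address is what a WAN-side block rule logs instead.

# Constructed sample state dump: interfaces, internal hosts and ports are invented.
SAMPLE_STATES='em1 tcp 192.168.1.20:52210 -> 10.0.1.2:443       ESTABLISHED:ESTABLISHED
em0 udp 10.0.1.2:61234 (192.168.1.50:61234) -> 51.81.245.139:25       SINGLE:NO_TRAFFIC
em0 tcp 10.0.1.2:58811 (192.168.1.50:58811) -> 51.81.245.139:25       SYN_SENT:CLOSED
em0 udp 10.0.1.2:54732 (192.168.1.7:54732) -> 1.1.1.1:53       MULTIPLE:MULTIPLE'

# Print the unique pre-NAT (internal, IPv4) source addresses of every state whose
# destination port is $1. Reads the dump from $2 when given (for offline use), or
# from a live `pfctl -ss` when $2 is omitted (run as root on the firewall itself).
nat_source_for() {
    port="$1"
    if [ -n "$2" ]; then printf '%s\n' "$2"; else pfctl -ss; fi |
    awk -v port="$port" '
        # Only NAT states carry the "(orig:port)" field, so $4 starts with "(".
        $4 ~ /^\(/ && $5 == "->" {
            split($6, dst, ":")        # dst[2] is the destination port
            if (dst[2] == port) {
                gsub(/[()]/, "", $4)   # drop the parentheses
                split($4, src, ":")    # src[1] is the pre-NAT address
                print src[1]
            }
        }' | sort -u
}

# Usage on the firewall while the traffic is allowed to create states:
#   nat_source_for 25
# Offline against the constructed sample above:
#   nat_source_for 25 "$SAMPLE_STATES"
```

Note that a block rule prevents the state from ever being created, which is why the thread's author had to disable the block before the state table showed the real source; a block on the inside interface instead logs the pre-NAT address directly.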
@johnpoz This felt like a honeypot to anyone else?