Netgate Discussion Forum
    2.7.2 hacked? Chinese characters/code in TONS of files. Persists even after fresh installs.

    General pfSense Questions
    4 Posts, 3 Posters, 432 Views
    • A Former User

      Looking for confirmation whether or not I should be concerned about these files (a few screenshots attached) and if so -- what to do!

      Running pfSense 2.7.2 on a Protectli Vault (6 port) with coreboot. SSH is not enabled (and has not been enabled through two fresh install attempts). Terrapin patch was installed just to be safe and pfSense/Protectli was rebooted.

      Yesterday I noticed that dozens of source code files from the 'Edit File' section of the pfSense GUI are loaded with Chinese characters / illegible code. The more I click around, the more files I find. This was a totally random discovery by even going to the 'Edit File' section on the GUI, but now I'm very concerned about a possible MITM attack.

      After this discovery I downloaded a fresh version of pfSense CE 2.7.2 directly from pfSense's website, used Balena Etcher to flash a new USB stick, and reinstalled pfSense on my Protectli Vault. After that install, the Chinese character code files were still there.

      Then I completely reinstalled coreboot on my Protectli Vault by using Protectli's flashli tool and performing yet another fresh install of pfSense CE 2.7.2. The files are still there.

      These files are not normal, right? What are some immediate steps I can take to secure my network?

      [Three screenshots attached, taken 2024-04-14, of Diagnostics > Edit File on router.home.arpa]

      • SteveITS @A Former User

        @cheezycat
        .gz files are compressed with gzip so need to be uncompressed to read. If they are even text.

        .rnd is a seed for a random number generator and is not text.

        similar with /entropy: https://lists.freebsd.org/pipermail/freebsd-questions/2008-December/188827.html

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        • A Former User @SteveITS
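The point SteveITS makes can be checked instead of eyeballed in the editor. The script below is an added example, not code from this thread or from pfSense: it recognises the gzip magic bytes and decompresses the member, tests whether the bytes decode as UTF-8, and measures per-byte Shannon entropy, so that a plain config file, a gzip-compressed file like the .gz files mentioned above, and a random-seed file like .rnd or /entropy are told apart. The three sample inputs are constructed inside the script (the seed file is simulated by SHA-256 hash chaining so the run is deterministic); no real pfSense files are read.

```python
import gzip
import hashlib
import math
from collections import Counter

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip member (RFC 1952)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_text(data: bytes) -> bool:
    """True when the bytes contain no NUL and decode cleanly as UTF-8."""
    if not data or b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def classify(data: bytes) -> dict:
    """Label a file body as empty / text / gzip / gzip-truncated / binary."""
    result = {"entropy": round(shannon_entropy(data), 2)}
    if not data:
        result["kind"] = "empty"
    elif data.startswith(GZIP_MAGIC):
        try:
            inner = gzip.decompress(data)  # BadGzipFile (an OSError) or EOFError on damage
            result["kind"] = "gzip"
            result["inner_kind"] = "text" if looks_like_text(inner) else "binary"
        except (OSError, EOFError):
            result["kind"] = "gzip-truncated"
    elif looks_like_text(data):
        result["kind"] = "text"
    else:
        result["kind"] = "binary"
    return result


def preview(data: bytes, width: int = 16) -> str:
    """What an editor should show: text as-is, gzip decompressed, anything else as hex."""
    info = classify(data)
    if info["kind"] == "text":
        return data.decode("utf-8")
    if info["kind"] == "gzip" and info["inner_kind"] == "text":
        return gzip.decompress(data).decode("utf-8")
    head = data[:width].hex(" ")
    return f"[{info['kind']}, {len(data)} bytes, entropy {info['entropy']} bits/byte] {head}"


# --- constructed sample inputs; none of these is a real file from a pfSense box ---
SAMPLE_CONFIG = b"# constructed sample config\nhostname=router\ndns=192.0.2.53\n"
SAMPLE_GZIP = gzip.compress(SAMPLE_CONFIG)  # stands in for any .gz file


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic stand-in for a random-seed file (.rnd, /entropy) via hash chaining."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


SAMPLE_SEED = pseudo_random_bytes(1024)

if __name__ == "__main__":
    for name, body in (("config", SAMPLE_CONFIG), ("config.gz", SAMPLE_GZIP), ("seed", SAMPLE_SEED)):
        print(name, classify(body))
        print("   ", preview(body).splitlines()[0])
```

Run as-is it prints the classification of each constructed sample. The seed sample comes out as non-text with entropy close to 8 bits per byte, which is exactly the property a random-seed file is supposed to have and the reason it renders as nonsense glyphs in a text editor; high entropy in such a file is evidence of it doing its job, not of tampering.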

          @SteveITS Hey, thanks for the reply! That's a big relief. With all of the cybersecurity threats and CVEs we hear about these days, I guess my paranoia is in overdrive.

          • Gertjan @A Former User

            @cheezycat said in 2.7.2 hacked? Chinese characters/code in TONS of files. Persists even after fresh installs.:

            These files are not normal, right?

            If further doubt : Throw "what is entropy ?" into Google and take the first page proposed : It was https://en.wikipedia.org/wiki/Entropy for me.

            [ joke ahead ]

            Knowing this, it's time for drastic measures :

            @cheezycat said in 2.7.2 hacked? Chinese characters/code in TONS of files. Persists even after fresh installs.:

            What are some immediate steps I can take to secure my network?

            because you have probably several zip files on your PC or phone : take it down, and reformat it straight away, as you will find the same hieroglyphs in there everywhere. Even worse, all these files like DLL, EXE etc etc are all very suspect !

            [ end joke ]

            Keep this one on a post-it nearby : the only imminent danger is close : it's the admin himself ^^

            Still, I'm curious. For all the files you can 'see', why did you choose entropy ? Or .rnd ? What / who told you to do so ? With what goal ?

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.