Netgate Discussion Forum
    Home Network Accessed

    General pfSense Questions
    11 Posts 5 Posters 1.1k Views
    • AndyRH @TAC57

      @TAC57 If someone managed to drop malware on your computer, it will now appear to pfSense as an outbound connection. You could have pfSense log all connections from this computer, but you will find that Windows is chatty and you are not likely to find anything useful.

      If you suspect the computer is compromised, the best option is a wipe and reload.

      Windows logs and a scan are the best route now. It would also be a really good idea to isolate the system.

      o||||o
      7100-1u

      • stephenw10 Netgate Administrator

        What have you seen that makes you think there's a problem?

        Security breaches like that are almost always because something in the client connected out rather than unsolicited connections coming in.

        • TAC57 @stephenw10

          @stephenw10 I was in my vehicle and got a note from Coinbase of a transaction. I was home within minutes. In getting to my computer there was some Windows update screen displayed. On moving the mouse, the pointer would move elsewhere like someone else was controlling it. Within seconds my desktop popped up and everything since has looked normal... except for the withdrawal from my Coinbase account. :-(

          • stephenw10 Netgate Administrator

            Yup I would wipe and reload if faced with that.

            Is the Plex server isolated from the other LAN clients? Given that that's the only thing open to the internet at all it's worth considering that.

            • TAC57 @stephenw10

              @stephenw10 No my TrueNAS server is on 192.168.30.1 with all my other computers.

              Can I look at some of the pfSense logs when this happened and maybe find some hints?

              What exactly do you mean when you say wipe and reload?

              • stephenw10 Netgate Administrator

                I mean format that Windows machine and reinstall it.

                It depends what logging you have enabled or what packages you have installed as to whether or not any logs exist. By default outbound connections from clients are not logged.

                • TAC57 @stephenw10

                  @stephenw10 Do you mean format only the C drive and reinstall windows? Most all of my data is on a D: drive.

                  • TAC57 @stephenw10

                    @stephenw10 If it's any consolation I did run msert.exe and the Trellix Stinger anti virus programs and didn't get any hits.

                    I don't know what you think of ChatGPT but it suggested I run this in a PowerShell

                    # Lists every TCP connection with the owning process and its binary path.
                    # The reverse DNS lookup is the slow part, and the least useful: an
                    # attacker's host on cloud/CDN address space resolves to an ordinary name.
                    Get-NetTCPConnection |
                      ForEach-Object {
                        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
                        # Capture the address before the try/catch: inside a catch block $_ is
                        # the error record, not the connection, so the original fallback
                        # printed the DNS error text instead of the IP address.
                        $remoteAddr = $_.RemoteAddress
                        $remoteHost = try { ([System.Net.Dns]::GetHostEntry($remoteAddr)).HostName } catch { $remoteAddr }
                        [pscustomobject]@{
                          PID     = $_.OwningProcess
                          Process = $p.ProcessName
                          Local   = "$($_.LocalAddress):$($_.LocalPort)"
                          Remote  = "$($remoteHost):$($_.RemotePort)"
                          State   = $_.State
                          Path    = $p.Path
                        }
                      } | Sort-Object Process, Remote | Format-Table -AutoSize
                    
                    

                    When I pasted the output back into ChatGPT it reported back...

                    ✅ Overall assessment
                    All executables are running from legitimate system or Program Files directories.
                    All remote hosts are normal cloud/CDN providers (Amazon AWS, Google, Akamai, Microsoft).
                    No suspicious binaries in odd folders (like %TEMP%, Downloads, etc.).
                    No unexpected listeners — everything you showed is outbound traffic only.
                    ⚡Bottom Line
                    I don’t see any red flags here.
                    What you’re looking at is:
                    Your browser (Firefox) keeping multiple connections alive to websites and CDNs.
                    ChatGPT app using AWS.
                    Windows background services (Defender, svchost, OneDrive).
                    A couple of normal closing sockets (CloseWait).
                    Nothing malicious, nothing “phone home” from unknown executables.

                      • scottjh1
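The script in the post above only looks at sockets that are open at the moment it runs, and its verdict leans on reverse DNS, which says nothing about whether the process on this end should exist. What follows is an added example, not code from the thread and not the ChatGPT script, of a broader read-only triage pass for the suspect machine that pulls together the advice given here (live sockets, Windows logs, isolate first): owning binary and its Authenticode status, the common autorun locations, and the two event IDs that are cheapest to check. Assumptions: it is run from an elevated PowerShell on the already-isolated workstation, and `$since` is a placeholder to be set to a little before the Coinbase alert.

```powershell
# Added example, not from the thread: read-only triage of the suspect
# Windows host. Run elevated, after isolating the machine.
# Assumption: $since is set to shortly before the Coinbase alert.
$since = (Get-Date).AddDays(-2)

# --- 1. Live sockets with owner process, path, start time, signature ----
# No reverse DNS: it is slow, and a C2 host behind a CDN or cloud IP
# resolves to a perfectly ordinary PTR record anyway. Keep the raw IP.
$procs = @{}
Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

$sockets = Get-NetTCPConnection |
  Where-Object { $_.State -in 'Established', 'Listen' } |
  ForEach-Object {
    $p     = $procs[[int]$_.OwningProcess]
    $sig   = if ($p -and $p.Path) { (Get-AuthenticodeSignature -FilePath $p.Path).Status } else { 'n/a' }
    $start = try { $p.StartTime } catch { $null }   # protected processes deny access
    [pscustomobject]@{
      PID       = $_.OwningProcess
      Process   = $p.ProcessName
      State     = $_.State
      Local     = "$($_.LocalAddress):$($_.LocalPort)"
      Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
      Started   = $start
      Signature = $sig
      Path      = $p.Path
    }
  }

# --- 2. What a human should read first ---------------------------------
$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
function Test-TrustedPath([string]$Path) {
  if (-not $Path) { return $false }
  foreach ($root in $trustedRoots) {
    if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
  }
  return $false
}
$suspect = $sockets | Where-Object {
  -not (Test-TrustedPath $_.Path) -or
  $_.Signature -ne 'Valid' -or
  ($_.State -eq 'Listen' -and $_.Local -match '^(0\.0\.0\.0|::):')
}
"== Sockets worth a look (odd path, unsigned, or listening on all interfaces) =="
$suspect | Sort-Object Process | Format-Table -AutoSize

# --- 3. Persistence: Run keys and non-Microsoft scheduled tasks --------
# An implant that has already closed its session is invisible to step 1
# but may still be registered to start again.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
"== Autorun entries =="
foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  $item = Get-ItemProperty -Path $key
  foreach ($name in $item.PSObject.Properties.Name) {
    if ($name -like 'PS*') { continue }        # skip PSPath, PSParentPath, etc.
    [pscustomobject]@{ Key = $key; Name = $name; Command = $item.$name }
  }
}
"== Enabled scheduled tasks outside \Microsoft\ =="
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' -and $_.TaskPath -notlike '\Microsoft\*' } |
  ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
      [pscustomobject]@{ Task = "$($task.TaskPath)$($task.TaskName)"; Execute = $a.Execute; Arguments = $a.Arguments }
    }
  } | Format-Table -AutoSize

# --- 4. Event log around the incident ----------------------------------
# System 7045 = a new service was installed. Security 4624 with logon
# type 10 (RemoteInteractive) or 3 (network) from an address you do not
# recognise is the first thing to look for after "someone else was
# moving the mouse".
"== Services installed since $since (System 7045) =="
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
  Select-Object TimeCreated,
    @{ n = 'Service';   e = { $_.Properties[0].Value } },
    @{ n = 'ImagePath'; e = { $_.Properties[1].Value } } | Format-Table -AutoSize

"== Network / remote-interactive logons since $since (Security 4624) =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
  ForEach-Object {
    [pscustomobject]@{
      Time      = $_.TimeCreated
      User      = $_.Properties[5].Value    # TargetUserName
      LogonType = $_.Properties[8].Value    # 2 interactive, 3 network, 10 RDP
      Source    = $_.Properties[18].Value   # IpAddress
    }
  } | Where-Object { $_.LogonType -in 3, 10 } | Format-Table -AutoSize
```

None of this changes the advice already given: the output is for deciding what to save (hashes, paths, timestamps) before the wipe and reload, not for deciding against one. An empty result from every section still says nothing about a process that exited before the script ran.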

                      As a side note, Windows has a number of default shares. You can run "fsmgmt.msc" to see them. They can be deleted using "net share * /delete". Enclosed is a link with further information.

                      https://www.action1.com/blog/how-to-stop-file-sharing-windows-10/

                        • VioletDragon @TAC57
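One caveat on the post above: the administrative shares (C$, ADMIN$, IPC$) are recreated by the Server service on every start, so deleting them only lasts until the next reboot. The following is an added example, not from the thread or the linked article, that lists the shares, removes the user-created ones, and disables the automatic admin shares. Assumptions: it runs elevated on a workstation SKU (the registry value is AutoShareWks; on a server SKU it is AutoShareServer), and nothing on the LAN needs to reach this machine over SMB, which is what the last step turns off.

```powershell
# Added example, not from the thread: audit and lock down SMB shares.
# Run elevated. Assumption: workstation SKU (AutoShareWks).

# 'Special' is $true for the administrative shares (C$, ADMIN$, IPC$).
"== Current shares =="
Get-SmbShare | Select-Object Name, Path, Special, ScopeName | Format-Table -AutoSize

# The share ACL is separate from NTFS permissions; 'Everyone' here is the
# common mistake on a flat home network.
"== Who can reach the user-created shares =="
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
  Get-SmbShareAccess -Name $_.Name
} | Format-Table -AutoSize

# Remove every non-administrative share. IPC$ cannot be removed, and the
# other admin shares come back at the next reboot regardless of how they
# were deleted unless AutoShareWks is set below.
Get-SmbShare | Where-Object { -not $_.Special } |
  Remove-SmbShare -Force -Confirm:$false

# Stop Windows recreating C$ and ADMIN$; takes effect after the Server
# service restarts.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $lanman -Name AutoShareWks -Value 0 -Type DWord
Restart-Service -Name LanmanServer -Force

# If nothing on the LAN should talk SMB to this box at all, close the
# port on the host too. pfSense rules never see traffic between two
# machines on the same VLAN, so the host firewall is the only control
# that applies to that path.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' | Disable-NetFirewallRule

"== Shares after cleanup =="
Get-SmbShare | Select-Object Name, Path, Special | Format-Table -AutoSize
```

Removing the admin shares has a cost: remote management tools that rely on ADMIN$ (PsExec-style deployment, some backup agents) stop working against this machine, which on a home workstation is usually what you want.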

                        @TAC57 Plex themselves had a data breach a while ago; their Plex code had some bad malware in it, an infostealer. Workstations and public-facing services should be in VLANs regardless.

                        Look at netstat but bear in mind that it will most likely be noisy. Monitor Wireshark and pfSense together to look at logs. I would recommend wiping the system completely and starting from scratch. Change all passwords, move public-facing services into their own VLAN with strict firewall rules, TrueNAS should be in a storage VLAN, workstations in their own VLAN. Having a flat network with public-facing services is the worst thing you can do.

                        Implement an IDS/IPS, something like Snort or Suricata, and pfBlockerNG with geolocation blocking; those are the things I would suggest implementing as well.

                        Check Have I Been Pwned also.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.