Netgate Discussion Forum

    Trojan virus in PFsense box

arnel

      Hello,

Has anyone experienced having their pfsense host get infected by a Torpig Trojan? I received a report that my pfsense box was identified as a bot participating in an IRC network channel of bots or attempting to contact a known command and control rendezvous point.

      And this was the report:

Timestamp            | Src Port | Infection
2009-11-03 01:44:19+ |    30343 | Torpig
2009-11-03 01:44:20+ |    23057 | Torpig
2009-11-03 01:58:51+ |    46955 | Torpig
2009-11-03 02:06:53+ |    38457 | Torpig
2009-11-03 02:26:56+ |    18197 | Torpig
2009-11-03 02:26:57+ |    48255 | Torpig
2009-11-03 02:47:00+ |    64060 | Torpig
2009-11-03 02:47:01+ |    10160 | Torpig
2009-11-03 02:53:31+ |    39467 | Torpig
2009-11-03 03:13:34+ |    60254 | Torpig
2009-11-03 03:13:35+ |    54636 | Torpig
2009-11-03 03:33:38+ |    55962 | Torpig
2009-11-03 03:33:39+ |    17076 | Torpig
2009-11-03 05:28:44+ |     3299 | Torpig
2009-11-03 05:37:44+ |    26166 | Torpig
2009-11-03 05:48:18+ |    48832 | Torpig
2009-11-03 06:08:26+ |    21104 | Torpig
2009-11-03 06:08:39+ |    56734 | Torpig
2009-11-03 06:28:46+ |    40012 | Torpig
2009-11-03 06:28:47+ |    35957 | Torpig

Please advise if anyone has encountered this before, or can anyone advise how I can find out if my pfsense is infected? I'm running version 1.2.3RC1 of PFSense. I'm using it mainly as a captive portal, but its firewall is enabled and it's pretty closed: only a few hosts are allowed to its WAN interface.

      Thanks,
      Arnel

jimp (Rebel Alliance Developer, Netgate)

        Torpig only infects Windows hosts, so the problem is not pfSense, but a system somewhere on your network.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

arnel

I'm curious why they see those ports being sourced from my pfsense's WAN IP address. I thought it might have originated from the client that connects into the portal. But I'm using public IPs for the clients and I'm not doing NAT, so they should see it coming from the client's IP address. Is pfsense doing some translation inside even though I'm using public IPs for the LAN? Any thoughts would be appreciated.

jimp (Rebel Alliance Developer, Netgate)

Did you disable NAT completely? (Switch to Manual outbound NAT and then delete the resulting rules.) It may still be using NAT even though you are using public IPs.

            Proxies of any kind can also make things appear to come from pfSense's WAN IP, though squid and such don't typically coexist well with Captive Portal on pfSense.

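The point of jimp's reply is that outbound NAT rewrites each client's source address to the pfSense WAN IP, so the abuse report can only show the WAN IP and a translated source port, and the infected Windows host has to be found by mapping that port back through the firewall's state table. The script below is an added example, not code from the thread or from pfSense: it parses report lines in the layout quoted in the first post together with constructed pf state-table lines in the shape of `pfctl -ss` output (translated WAN address first, original LAN address in parentheses; the exact column layout is assumed), and attributes each reported port to the LAN host that held it. All addresses are documentation ranges and the sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout of the abuse report quoted in the thread:
# timestamp | source port seen on the WAN IP | infection name. The last line
# has a port that is deliberately absent from the state table below.
REPORT = """\
Timestamp            | Src Port | Infection
2009-11-03 01:44:19+ |    30343 | Torpig
2009-11-03 01:44:20+ |    23057 | Torpig
2009-11-03 01:58:51+ |    46955 | Torpig
2009-11-03 02:06:53+ |    38457 | Torpig
"""

# Constructed state-table lines in the shape of `pfctl -ss` on a pfSense box
# with outbound NAT (format assumed): "<wan_ip:port> (<lan_ip:port>) -> <dst>".
WAN_IP = "203.0.113.5"
STATES = """\
all tcp 203.0.113.5:30343 (192.0.2.23:49152) -> 198.51.100.7:6667   ESTABLISHED:ESTABLISHED
all tcp 203.0.113.5:23057 (192.0.2.23:49153) -> 198.51.100.7:6667   ESTABLISHED:ESTABLISHED
all tcp 203.0.113.5:46955 (192.0.2.41:1045) -> 198.51.100.9:80      ESTABLISHED:ESTABLISHED
all tcp 203.0.113.5:51000 (192.0.2.77:3389) -> 198.51.100.20:443    ESTABLISHED:ESTABLISHED
"""

REPORT_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\+?\s*\|\s*(\d+)\s*\|\s*(\S+)\s*$"
)
STATE_RE = re.compile(
    r"^\S+\s+(tcp|udp)\s+([\d.]+):(\d+)\s+\(([\d.]+):(\d+)\)\s+->\s+([\d.]+):(\d+)"
)


def parse_report(text):
    """Return (timestamp, src_port, infection) tuples; header lines are skipped."""
    events = []
    for line in text.splitlines():
        m = REPORT_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, int(m.group(2)), m.group(3)))
    return events


def parse_states(text, wan_ip):
    """Map (proto, translated WAN port) -> (lan_ip, lan_port, dst_ip, dst_port)
    for outbound-NAT states whose translated address is wan_ip."""
    mapping = {}
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        proto, nat_ip, nat_port, lan_ip, lan_port, dst_ip, dst_port = m.groups()
        if nat_ip != wan_ip:
            continue  # state not translated to our WAN address
        mapping[(proto, int(nat_port))] = (lan_ip, int(lan_port), dst_ip, int(dst_port))
    return mapping


def attribute(events, mapping, proto="tcp"):
    """Look up the LAN host behind each reported port.
    Returns (matched, unmatched); a port is unmatched when no state for it was
    captured, which is the normal case once the connection has expired."""
    matched, unmatched = [], []
    for ts, port, infection in events:
        hit = mapping.get((proto, port))
        if hit:
            lan_ip, _lan_port, dst_ip, dst_port = hit
            matched.append((ts, port, infection, lan_ip, dst_ip, dst_port))
        else:
            unmatched.append((ts, port, infection))
    return matched, unmatched


def suspects(matched):
    """Internal hosts ranked by number of report hits attributed to them."""
    return Counter(m[3] for m in matched).most_common()


if __name__ == "__main__":
    ev = parse_report(REPORT)
    hits, misses = attribute(ev, parse_states(STATES, WAN_IP))
    for ts, port, inf, lan, dst, dport in hits:
        print(f"{ts} port {port} {inf}: {lan} -> {dst}:{dport}")
    for ts, port, inf in misses:
        print(f"{ts} port {port} {inf}: no state captured for this port")
    print("suspects:", suspects(hits))
```

The state table is ephemeral, so this only works on a capture taken while the reported connections were still open; the unmatched bucket shows the usual outcome for an after-the-fact report. Once outbound NAT is genuinely off (manual mode with no mappings, as jimp describes later in the thread), the reporter would see the client's own public address and no such back-translation is needed.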
arnel

Yes, my PFsense is set to 'Automatic outbound NAT rule generation', and when I switch to manual I notice this default rule:

              WAN    149.142.28.0/23  *  *  *  *  *  NO Auto created rule for LAN

I deleted it, then I put it back to automatic. And when I switched it back again to manual, the default rule came up again. So I deleted it again and now I set it as manual. I remember having issues before when I set it to manual, but I'll see if there will be a problem. Thanks.

arnel

Looks like clients are unable to establish connections when I enable Manual Outbound NAT rule generation without any mappings. Do I need to create mappings if I enable AON?

jimp (Rebel Alliance Developer, Netgate)

                  @arnel:

                  Yes my PFsense is set to 'Automatic outbound NAT rule generation' and when I switch to manual I notice this default rule:

                  WAN    149.142.28.0/23  *  *  *  *  *  NO Auto created rule for LAN

                  I deleted it then I put it back to automatic. And when I switched it back again to manual the default rule came up again. So I deleted it again and now I set it as manual. I remember having issue before when I set it to manual but I'll see if there will be a problem. Thanks.

                  By putting it on automatic it will still NAT.

                  You need to leave it on Manual and delete the rule. Do not set it back to automatic, as that will just cause it to use NAT again.

                  If your clients can't connect with manual NAT and no rules, then your IP routing for your public IPs may not be correct, but that is up to you and your ISP.


arnel

Thanks. Do I need to configure routing in the PFsense or in my router where the pfsense is connected? As far as the routing configuration in my router is concerned, it looks OK. But I don't have any routing configured on my pfsense. The LAN and WAN interfaces of my PFSense are connected to the same switch (Cisco 6500) but on separate VLANs.

jimp (Rebel Alliance Developer, Netgate)

                      On your Cisco, you should route the "lan side" subnet to the WAN IP address of pfSense. pfSense should handle the internal routing properly.

Something like:

ip route a.b.c.d 255.255.255.0 w.x.y.z

where w.x.y.z is the WAN IP.


danswartz

                        Or activate RIP on the pfsense if you are also running RIP on your cisco :)

jimp (Rebel Alliance Developer, Netgate)

                          @danswartz:

                          Or activate RIP on the pfsense if you are also running RIP on your cisco :)

                          That, too. Personally, I have an inherent distrust of dynamic routing protocols. It's a bit more to manage by hand but at least I know the routes won't disappear at random…


arnel

I'm running dynamic routing protocols (OSPF and BGP) on my Cisco switch. From the router's perspective, the routing is working between the two VLANs (LAN and WAN) I created for my PFSense. I thought there was some routing configuration I needed to create inside the PFSense box.

jimp (Rebel Alliance Developer, Netgate)

                              There isn't an OSPF daemon for pfSense at the moment, and the BGP package is currently geared toward WAN routing and not internal (but it might work, I'm not very familiar with BGP).

The easiest thing to do would be as I said: add a manual route for your LAN-side subnet pointed at the pfSense WAN IP.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.