Netgate Discussion Forum
    Help! I'm under attack!

    General pfSense Questions
    9 Posts 4 Posters 3.9k Views
    RChadwick:

      I'm running 1.2.3. For the past day or so, the Internet seemed slow; pictures sometimes take too long to appear. Speed tests show a very nice speed, but sometimes it slows to nothing. I see that the CPU is averaging 25% to 50% (usually under 5%), and the state table seems to fill up instantly after resetting states. MBUF is 5401/6405. I'm no security expert, and I've never been under attack while using pfSense, so I feel helpless. Looking in the state list, I see a whole bunch of one IP address, beginning with 45 or 46 (45.x.x.x), but they keep changing. They keep trying to connect to one port after another. It seems targeted at my web server. When I shut down the web server, everything settles down. What should I do? Will Snort stop this kind of thing?

      Here's an example of the state log:

      tcp 46.108.41.72:80 <- 192.168.8.24:4294 CLOSED:SYN_SENT
      tcp 192.168.8.24:4294 -> 69.253.164.39:14213 -> 46.108.41.72:80 SYN_SENT:CLOSED
      tcp 46.109.189.4:80 <- 192.168.8.24:4295 CLOSED:SYN_SENT
      tcp 192.168.8.24:4295 -> 69.253.164.29:27915 -> 46.109.189.4:80 SYN_SENT:CLOSED
      tcp 46.109.189.5:80 <- 192.168.8.24:4296 CLOSED:SYN_SENT
      tcp 192.168.8.24:4296 -> 69.253.164.29:64456 -> 46.109.189.5:80 SYN_SENT:CLOSED
      tcp 46.108.41.73:80 <- 192.168.8.24:4297 CLOSED:SYN_SENT
      tcp 192.168.8.24:4297 -> 69.253.164.29:15487 -> 46.108.41.73:80 SYN_SENT:CLOSED
      tcp 46.109.189.6:80 <- 192.168.8.24:4298 CLOSED:SYN_SENT
      tcp 192.168.8.24:4298 -> 69.253.164.29:34283 -> 46.109.189.6:80 SYN_SENT:CLOSED
      tcp 46.108.41.74:80 <- 192.168.8.24:4299 CLOSED:SYN_SENT
      tcp 192.168.8.24:4299 -> 69.253.164.29:46688 -> 46.108.41.74:80 SYN_SENT:CLOSED
      tcp 46.109.189.7:80 <- 192.168.8.24:4300 CLOSED:SYN_SENT
      tcp 192.168.8.24:4300 -> 69.253.164.29:32979 -> 46.109.189.7:80 SYN_SENT:CLOSED
      tcp 46.108.41.75:80 <- 192.168.8.24:4301 CLOSED:SYN_SENT
      tcp 192.168.8.24:4301 -> 69.253.164.29:52865 -> 46.108.41.75:80 SYN_SENT:CLOSED
      tcp 46.108.41.76:80 <- 192.168.8.24:4302 CLOSED:SYN_SENT
      tcp 192.168.8.24:4302 -> 69.253.164.29:48614 -> 46.108.41.76:80 SYN_SENT:CLOSED
      tcp 46.108.41.77:80 <- 192.168.8.24:4303 CLOSED:SYN_SENT

      69.253.164.29 is my WAN IP Address
      192.168.8.24 is my webserver IP Address
      46.108.41.77 is an attacker IP

      AhnHEL:

        Do not post your WAN IP address in any forum; it will only give you further problems. Represent it with x's in text (xxx.xxx.xxx.xxx), or obfuscate it in screenshots.

        AhnHEL (Angel)

        wallabybob:

          On my Linux netbook I see:

          $ whois 46.108.41.74
          % This is the RIPE Database query service.
          % The objects are in RPSL format.
          %
          % The RIPE Database is subject to Terms and Conditions.
          % See http://www.ripe.net/db/support/db-terms-conditions.pdf

          % Note: this output has been filtered.
          %       To receive output for a database update, use the "-B" flag.

          % Information related to '46.108.32.0 - 46.108.63.255'

          inetnum:        46.108.32.0 - 46.108.63.255
          netname:        ADNET
          descr:          ADNET TELECOM
          country:        RO
          admin-c:        ADN-RIPE
          tech-c:         ADN-RIPE
          status:         ASSIGNED PA
          mnt-by:         MNT-ADNET
          mnt-routes:     MNT-ADNET
          mnt-domains:    MNT-ADNET
          source:         RIPE # Filtered

          role:           ADNET TELECOM
          address:        96B Basarabiei Boulevard, district 2
          address:        Bucharest, Romania
          e-mail:         noc@adnettelecom.ro
          remarks:        -------------------------------------
          admin-c:        CV208-RIPE      # Calin Velea
          tech-c:         CV208-RIPE      # Calin Velea
          tech-c:         RALU            # Raluca Andreea Gogioiu
          tech-c:         KARO            # Daniel Pana
          tech-c:         AP13038-RIPE    # Alexandru Prodan
          tech-c:         MM26510-RIPE    # Marius-Alexandru Matei
          remarks:        -------------------------------------
          nic-hdl:        ADN-RIPE
          mnt-by:         MNT-ADNET
          remarks:        -------------------------------------
          remarks:        Abuse reports: abuse@adnettelecom.ro
          remarks:        NOC E-mail: noc@adnettelecom.ro
          remarks:        Support: support@adnettelecom.ro
          remarks:        Phone: +40215681111 (24/7 NOC)
          remarks:        -------------------------------------
          source:         RIPE # Filtered

          % Information related to '46.108.0.0/17AS5541'

          route:          46.108.0.0/17
          descr:          AdNet Telecom
          remarks:        -------------------------------------
          remarks:        Abuse reports: abuse@adnettelecom.ro
          remarks:        NOC E-mail: noc@adnettelecom.ro
          remarks:        Support: support@adnettelecom.ro
          remarks:        -------------------------------------
          origin:         AS5541
          mnt-by:         MNT-ADNET
          source:         RIPE # Filtered

          $

          It rather looks to me that something on your web server system is making multiple attempts to access a web server in Romania. (Notice all the accesses to port 80, http, on 46.108.x.x, with varying port numbers on your web server system.)

          If there is no need for someone on your LAN to be making web accesses to systems in Romania you might want to add firewall rules to block (or even pass with log to get a better idea of usage patterns) such access.

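The direction question wallabybob raises can be settled mechanically. The script below is an added example, not code from the thread or from pfSense: it reads pf state-table lines in the form the post shows, works out which side opened each connection, de-duplicates the LAN-side and WAN-side entry of the same connection, and flags an internal host fanning out to many external hosts without ever getting a reply. The sample input is constructed: the 192.168.8.24 / 46.x.x.x pairs mirror the thread's entries, 203.0.113.29 stands in for the WAN address, and the 198.51.100.7 lines are an added inbound connection to a port-forwarded web server so that both directions appear. The "internal" address ranges are assumed to be the RFC 1918 networks.

```python
"""Added example: who is initiating the connections in a pf state-table dump?

pf prints an outbound state as   proto SRC -> [NAT ->] DST  s1:s2
and an inbound state as          proto DST <- [NAT <-] SRC  s1:s2
In both forms the host that opened the connection (the one with the ephemeral
port) is the left-most host for "->" and the right-most host for "<-", and the
two TCP states are listed in the same left-to-right order as the hosts.  The
same connection shows up once per interface it crosses, so entries are
de-duplicated on (initiator, responder).
"""
import ipaddress
from collections import defaultdict

# Constructed sample; 203.0.113.29 stands in for the WAN address.
SAMPLE_STATES = """\
tcp 46.108.41.72:80 <- 192.168.8.24:4294 CLOSED:SYN_SENT
tcp 192.168.8.24:4294 -> 203.0.113.29:14213 -> 46.108.41.72:80 SYN_SENT:CLOSED
tcp 46.109.189.4:80 <- 192.168.8.24:4295 CLOSED:SYN_SENT
tcp 192.168.8.24:4295 -> 203.0.113.29:27915 -> 46.109.189.4:80 SYN_SENT:CLOSED
tcp 46.109.189.5:80 <- 192.168.8.24:4296 CLOSED:SYN_SENT
tcp 192.168.8.24:4296 -> 203.0.113.29:64456 -> 46.109.189.5:80 SYN_SENT:CLOSED
tcp 46.108.41.73:80 <- 192.168.8.24:4297 CLOSED:SYN_SENT
tcp 192.168.8.24:4297 -> 203.0.113.29:15487 -> 46.108.41.73:80 SYN_SENT:CLOSED
tcp 46.109.189.6:80 <- 192.168.8.24:4298 CLOSED:SYN_SENT
tcp 192.168.8.24:4298 -> 203.0.113.29:34283 -> 46.109.189.6:80 SYN_SENT:CLOSED
tcp 192.168.8.24:80 <- 203.0.113.29:80 <- 198.51.100.7:51022 ESTABLISHED:ESTABLISHED
tcp 198.51.100.7:51022 -> 192.168.8.24:80 ESTABLISHED:ESTABLISHED
"""

# Assumption: "internal" means RFC 1918 space (what sits behind a pfSense LAN).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def split_host(host):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); a bare address gets port None."""
    addr, sep, port = host.rpartition(":")
    if not sep:
        return host, None
    return addr, int(port) if port.isdigit() else port


def parse_state(line):
    """Return {'proto', 'src', 'dst', 'src_state', 'dst_state'} or None."""
    parts = line.split()
    if len(parts) < 4 or parts[0] not in ("tcp", "udp", "icmp"):
        return None
    proto, states, tokens = parts[0], parts[-1], parts[1:-1]
    hosts, arrows = tokens[0::2], tokens[1::2]
    if not arrows or len(set(arrows)) != 1 or arrows[0] not in ("->", "<-") or ":" not in states:
        return None
    left_state, right_state = states.split(":", 1)
    if arrows[0] == "->":            # SRC -> ... -> DST
        src, dst = hosts[0], hosts[-1]
        src_state, dst_state = left_state, right_state
    else:                            # DST <- ... <- SRC
        dst, src = hosts[0], hosts[-1]
        dst_state, src_state = left_state, right_state
    return {"proto": proto, "src": src, "dst": dst, "src_state": src_state, "dst_state": dst_state}


def direction(src_ip, dst_ip):
    if is_internal(src_ip) and not is_internal(dst_ip):
        return "outbound"
    if not is_internal(src_ip) and is_internal(dst_ip):
        return "inbound"
    return "other"


def summarize(text):
    """Per initiating address: direction, distinct responders, ports, half-open count."""
    seen = set()
    per = defaultdict(lambda: {"direction": None, "responders": set(), "ports": set(), "total": 0, "half_open": 0})
    for line in text.splitlines():
        st = parse_state(line)
        if st is None:
            continue
        key = (st["src"], st["dst"])
        if key in seen:              # LAN-side and WAN-side entry of one connection
            continue
        seen.add(key)
        src_ip, _ = split_host(st["src"])
        dst_ip, dst_port = split_host(st["dst"])
        rec = per[src_ip]
        rec["direction"] = direction(src_ip, dst_ip)
        rec["responders"].add(dst_ip)
        rec["ports"].add(dst_port)
        rec["total"] += 1
        if st["src_state"] == "SYN_SENT" and st["dst_state"] == "CLOSED":
            rec["half_open"] += 1    # SYN sent, nothing came back
    return dict(per)


def verdict(per, min_responders=5):
    """Flag internal hosts spraying SYNs at many external hosts with no replies."""
    flagged = []
    for ip, r in sorted(per.items()):
        if r["direction"] == "outbound" and len(r["responders"]) >= min_responders and r["half_open"] == r["total"]:
            flagged.append((ip, "outbound scan/beacon: %d hosts, port(s) %s, %d/%d half-open"
                            % (len(r["responders"]), sorted(r["ports"]), r["half_open"], r["total"])))
    return flagged


if __name__ == "__main__":
    summary = summarize(SAMPLE_STATES)
    for ip, r in sorted(summary.items()):
        print(ip, r["direction"], "connections=%d half_open=%d responders=%d" % (r["total"], r["half_open"], len(r["responders"])))
    for ip, why in verdict(summary):
        print("FLAG", ip, why)
```

Run against a real dump (`pfctl -ss` on the firewall, or the Diagnostics > States page saved as text) the same classification applies: an inbound attack on the web server shows public initiators and 192.168.8.24:80 as the responder, whereas the thread's entries all have the web server as initiator and port 80 on the far end.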
          AhnHEL:

            Using the Country Block package might be very useful in this instance, blocking out all of Romania.

            AhnHEL (Angel)

            wallabybob:

              @AhnHEL:

              Using the Country Block Package might be very useful in this instance blocking out all of Romania

              Does that package block access FROM a country or block access TO a country or (optionally) both?

              The posted segment of the log appears to show access from pfSense box TO Romania. Or am I interpreting that data incorrectly?

              AhnHEL:

                You are absolutely right, wallabybob. He said he was under attack, so I quickly misread; it looks more like he was infected.

                AhnHEL (Angel)

                RChadwick:

                  As an update, it looks like he was attacking webdav on my server. Looking at my apache logs, I see something different:

                  46.29.255.122 - - [06/Apr/2011:03:05:30 -0400] "GET /webdav/sip2.php?&IP=47.111.203 HTTP/1.1" 404 1188 "-" "Opera/9.21 (Windows NT 5.1; U; en)"
                  46.29.255.122 - - [06/Apr/2011:03:05:35 -0400] "GET /webdav/sip2.php?&IP=47.112.50 HTTP/1.1" 404 1188 "-" "Opera/9.21 (Windows NT 5.1; U; en)"
                  46.29.255.122 - - [06/Apr/2011:03:05:35 -0400] "GET /webdav/sip2.php?&IP=47.112.150 HTTP/1.1" 404 1188 "-" "Opera/9.21 (Windows NT 5.1; U; en)"
                  46.29.255.122 - - [06/Apr/2011:03:05:36 -0400] "GET /webdav/sip2.php?&IP=47.112.250 HTTP/1.1" 404 1188 "-" "Opera/9.21 (Windows NT 5.1; U; en)"
                  46.29.255.122 - - [06/Apr/2011:03:05:40 -0400] "GET /webdav/sip2.php?&IP=47.113.98 HTTP/1.1" 404 1188 "-" "Opera/9.21 (Windows NT 5.1; U; en)"
                  46.29.255.122 - - [06/Apr/2011:03:05:40 -0400] "GET /webdav/sip2.php?&IP=47.113.198 HTTP/1.1" 404 1188 "-" "Opera/9.21 (Windows NT 5.1; U; en)"
                  46.29.255.122 - - [06/Apr/2011:03:05:45 -0400] "GET /webdav/sip2.php?&IP=47.114.45 HTTP/1.1" 404 1188 "-" "Opera/9.21 (Windows NT 5.1; U; en)"
                  46.29.255.122 - - [06/Apr/2011:03:05:45 -0400] "GET /webdav/sip2.php?&IP=47.114.145 HTTP/1.1" 404 1188 "-" "Opera/9.21 (Windows NT 5.1; U; en)"
                  46.29.255.122 - - [06/Apr/2011:03:05:45 -0400] "GET /webdav/sip2.php?&IP=47.114.245 HTTP/1.1" 404 1188 "-" "Opera/9.21 (Windows NT 5.1; U; en)"

                  I find a single IP address, which I blocked. Now, everything seems back to normal. Any security advice welcome.

                  BTW, That wasn't my real WAN IP. I changed a few digits.

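The Apache lines above are the kind of pattern that is easy to pick out automatically: one client, one script path, a query parameter that changes on every request, and nothing but 404s. The script below is an added example, not code from the thread or from Apache or pfSense: it parses combined-format access log lines, profiles each client by request count, error ratio and the number of distinct query strings sent to its favourite path, and flags the clients that look like a scanner looping over a parameter. The sample log is constructed to match the posted lines (same client, path, user agent and 404/1188 responses) with an added benign visitor from 198.51.100.20; the `em0` WAN interface name in the generated pf rule is an assumption.

```python
"""Added example: spot a client looping one script path with a changing
parameter in an Apache combined-format access log."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample modelled on the thread's lines; 198.51.100.20 is an added benign visitor.
SAMPLE_LOG = """\
46.29.255.122 - - [06/Apr/2011:03:05:30 -0400] "GET /webdav/sip2.php?&IP=47.111.203 HTTP/1.1" 404 1188 "-" "Opera/9.21 (Windows NT 5.1; U; en)"
198.51.100.20 - - [06/Apr/2011:03:05:31 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
46.29.255.122 - - [06/Apr/2011:03:05:35 -0400] "GET /webdav/sip2.php?&IP=47.112.50 HTTP/1.1" 404 1188 "-" "Opera/9.21 (Windows NT 5.1; U; en)"
46.29.255.122 - - [06/Apr/2011:03:05:35 -0400] "GET /webdav/sip2.php?&IP=47.112.150 HTTP/1.1" 404 1188 "-" "Opera/9.21 (Windows NT 5.1; U; en)"
46.29.255.122 - - [06/Apr/2011:03:05:36 -0400] "GET /webdav/sip2.php?&IP=47.112.250 HTTP/1.1" 404 1188 "-" "Opera/9.21 (Windows NT 5.1; U; en)"
198.51.100.20 - - [06/Apr/2011:03:05:36 -0400] "GET /style.css HTTP/1.1" 200 812 "http://example.invalid/index.html" "Mozilla/5.0"
46.29.255.122 - - [06/Apr/2011:03:05:40 -0400] "GET /webdav/sip2.php?&IP=47.113.98 HTTP/1.1" 404 1188 "-" "Opera/9.21 (Windows NT 5.1; U; en)"
46.29.255.122 - - [06/Apr/2011:03:05:40 -0400] "GET /webdav/sip2.php?&IP=47.113.198 HTTP/1.1" 404 1188 "-" "Opera/9.21 (Windows NT 5.1; U; en)"
198.51.100.20 - - [06/Apr/2011:03:05:41 -0400] "GET /missing.png HTTP/1.1" 404 1188 "-" "Mozilla/5.0"
46.29.255.122 - - [06/Apr/2011:03:05:45 -0400] "GET /webdav/sip2.php?&IP=47.114.45 HTTP/1.1" 404 1188 "-" "Opera/9.21 (Windows NT 5.1; U; en)"
46.29.255.122 - - [06/Apr/2011:03:05:45 -0400] "GET /webdav/sip2.php?&IP=47.114.145 HTTP/1.1" 404 1188 "-" "Opera/9.21 (Windows NT 5.1; U; en)"
46.29.255.122 - - [06/Apr/2011:03:05:45 -0400] "GET /webdav/sip2.php?&IP=47.114.245 HTTP/1.1" 404 1188 "-" "Opera/9.21 (Windows NT 5.1; U; en)"
"""


def parse_access_line(line):
    """One combined-format line -> dict with parsed time, int status, path and query; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"], rec["query"] = parts.path, parts.query
    return rec


def profile_clients(text):
    """Per client IP: request/error counts, hits per path, distinct queries per path, first/last time."""
    clients = defaultdict(lambda: {"requests": 0, "errors": 0, "paths": Counter(),
                                   "queries": defaultdict(set), "first": None, "last": None})
    for line in text.splitlines():
        rec = parse_access_line(line)
        if rec is None:
            continue
        c = clients[rec["ip"]]
        c["requests"] += 1
        if rec["status"] >= 400:
            c["errors"] += 1
        c["paths"][rec["path"]] += 1
        if rec["query"]:
            c["queries"][rec["path"]].add(rec["query"])
        c["first"] = rec["time"] if c["first"] is None else min(c["first"], rec["time"])
        c["last"] = rec["time"] if c["last"] is None else max(c["last"], rec["time"])
    return dict(clients)


def flag_scanners(clients, min_requests=5, min_error_ratio=0.8, min_variants=5):
    """Clients hammering one path with many distinct queries and getting mostly errors back."""
    flagged = {}
    for ip, c in clients.items():
        path, hits = c["paths"].most_common(1)[0]
        variants = len(c["queries"].get(path, ()))
        error_ratio = c["errors"] / c["requests"]
        span = (c["last"] - c["first"]).total_seconds()
        if c["requests"] >= min_requests and error_ratio >= min_error_ratio and variants >= min_variants:
            flagged[ip] = {"path": path, "hits": hits, "variants": variants,
                           "error_ratio": round(error_ratio, 2),
                           "rate_per_s": round(hits / span, 2) if span else float("inf")}
    return flagged


def pf_block_rules(flagged, wan_if="em0"):
    """pf.conf-style block rules for the flagged clients (illustrative; the interface name is assumed)."""
    return ["block in quick on %s proto tcp from %s to any" % (wan_if, ip) for ip in sorted(flagged)]


if __name__ == "__main__":
    profiles = profile_clients(SAMPLE_LOG)
    for ip, info in flag_scanners(profiles).items():
        print("FLAG", ip, info)
    for rule in pf_block_rules(flag_scanners(profiles)):
        print(rule)
```

On pfSense the equivalent of the generated rule is a firewall alias holding the flagged addresses and a WAN block rule referencing it; the thresholds are deliberately conservative so that a legitimate visitor who trips a few 404s, like the second client in the sample, is not caught.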
                  chpalmer:

                    Get used to those attacks! That's why it's important to keep your house in order...

                    :)

                    Triggering snowflakes one by one..
                    Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                    RChadwick:

                      I'm working on it! I've found the problem was my server got hacked, and it's fixed now. What can I do on the pfsense side to help in the future?

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.