Unknown proxy running on pfsense
-
Hello everyone
I have this issue with the pfsense 2.0.1 where sometimes a squiq proxy starts running, but I don't even have that package installed. I know its not on any of my computers because i had shut everything down and checked from my phone and still showing some sort of squid proxy running (i checked by going to whatismyip.com) it tells you if it detects any proxy. I reboot the pfsense and the proxy goes away.
The reason its a problem because my ISP thinks my network is infected with "Conficker" virus and they block my internet access.Any ideas as to what could be wrong??
Thank you
-
You can try this from the shell to make sure it's not installed/running on pfSense:
pkg_delete -f \*squid\* rm /usr/local/pkg/*squid*
If you had it installed and setup but it wasn't running/active, that will make sure it's completely removed.
If that doesn't help or doesn't find anything, then it's not likely that it's actually running on your firewall.
-
ok it showed up again,
going to whatismyip.com i get thisYour IP Address Is: xxx.xxx.x.xxx Other IPs Detected: yyy.yyy.yy.yyyy Possible Proxy Detected: 1.1 wnpgmb021fw-cfn2.mts.net:3128 (squid/2.5.STABLE12) Read more: http://www.whatismyip.com/
This is strange…
any ideas?
-
Is 205.200.78.142 your pfSense WAN IP?
It could be your ISP routing your HTTP traffic through a transparent proxy for caching.
-
no that is the second IP that is showing up. My static IP, though of the similar convention is another one.. but when i reboot the router it works for a while like few days and then it starts showing this again. Sometimes different IPs.
EDIT: ok looks like the second IP that is showing up is the proxy that my ISP routes me through if they detect a virus in my system. But i've scanned all my network no virus. If i reboot the pfsense router everything works for few days and then same thing.
-
Ask them what virus, or what specifically they're seeing from your network, that indicates there is a virus. Having an AV scan come back clean doesn't mean squat these days, AV is nearly worthless.
-
@cmb:
Ask them what virus, or what specifically they're seeing from your network, that indicates there is a virus. Having an AV scan come back clean doesn't mean squat these days, AV is nearly worthless.
They said its "conficker". In pfsesne i have blocked the port 445 as well as I have tried turning off all of my switches to disconnect the network from internet, and only thing i left connected was my wireless router and then through my phone browser and i was still getting the same message from my ISP, Until i rebooted pfsense.
-
Scans can be worthless. Try this test on every device you have after getting out from behind that proxy (reboot or whatever):
http://www.confickerworkinggroup.org/infection_test/cfeyechart.html
If you have the virus, certain images on that page won't load because the virus prevents them from being accessed. That test won't be valid if you're being routed through a proxy server.
pfSense wouldn't be doing anything to the traffic to help/hurt you here - if they say they detected the virus, it's highly likely that one of your systems does in fact still have a virus.
-
Thank you Jimp,
I will try this on all computers and will post. -
OMG this eye chart tool is awesome… i was able to find conficker on 3 of the computers on the network and remove them.
in AV defense i did not scan these 3 computers because i didn't even suspect them, as they are not even used by users.
Thanx alot everyone ;D -
Good result. Interesting thread too. :)
Steve
-