Strange traffic on WAN
-
Hi All, I run a small business with my own web server behind pfsense. This has worked fine for a number of years. You can assume from this that I am no IT expert!
I noticed on Wednesday that there had been a lot of traffic on WAN1 and upon checking the RRD Graph for WAN1 (see attached) found that this traffic had been constant inbound and outbound for about 24 hrs. I have checked my web server logs and can't see anything out of the ordinary. I also checked the traffic graphs for LAN, DMZ and WLAN and there is a matching spike in activity.
I am hoping that someone might be able to give me an idea of what might be going on here - have I been hacked or compromised in some way? Also any pointers on how I might investigate this further and what I should do if it happens again.
Regards,
Wayne
-
I cannot say without more details such as ports used and possibly the external IP that is connecting, not your external IP. But it looks like maybe a file share service. I would have snort running to better help with the issues. If you would like, feel free to PM me and I can try and assist you.
-
Without more details of what ports were being used, or better yet a capture of the traffic, it's impossible to say what could have caused the spike. File sharing would be a good guess.
So it's not happening now? If it does, grab a capture of the traffic and then we can see what IPs and exactly what it is.
-
Thanks Josh, Basic info of my system is as follows:
Dual WAN (WAN1 and WAN2 are on a VLAN). Behind pfsense is LAN, WLAN, DMZ and OpenVPN.
Incoming rules WAN1:
Port 25 -> Nat Redirect -> 127.0.0.1 (Postfix Mail Relay)
Port 80 -> Nat Redirect -> DMZ -> Web server
Port 443 -> Nat Redirect -> DMZ -> Web server
Port 11000:20000 -> Nat Redirect -> LAN -> Voip server
Port 1194 -> Nat Redirect -> 127.0.0.1 (OpenVPN)
Incoming rules WAN2:
Port 25 -> Nat Redirect -> 127.0.0.1 (Postfix Mail Relay)
Port 5060 -> Nat Redirect -> LAN -> Voip server
Port 11000:20000 -> Nat Redirect -> LAN -> Voip server
Port 1194 -> Nat Redirect -> 127.0.0.1 (OpenVPN)
I don't do or allow Torrents. Also noticed that the Postfix logs for Tuesday & Wednesday are missing??? I will look at this more closely in a few hours when I finish work.
Once again, thanks in advance.
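Josh's suggestion above was to capture the traffic and look at the ports; the script below is an added example (not posted by anyone in this thread) of summing such a capture against the WAN1 port forwards Wayne listed, so each flow is tied to a rule, flagged as unexpected, or shown as opened by the firewall itself. It assumes `tcpdump -nn -q` output and uses constructed sample lines, with 203.0.113.5 standing in for the WAN1 address.

```python
import re
from collections import defaultdict

# WAN1 port forwards exactly as listed in the thread (inclusive ranges).
WAN1_RULES = {
    "Postfix relay": [(25, 25)],
    "Web server": [(80, 80), (443, 443)],
    "VoIP RTP": [(11000, 20000)],
    "OpenVPN": [(1194, 1194)],
}

# Constructed sample in `tcpdump -nn -q` shape; 203.0.113.5 stands in for WAN1.
SAMPLE_CAPTURE = """\
12:00:01.000 IP 198.51.100.7.51234 > 203.0.113.5.443: tcp 1200
12:00:01.100 IP 198.51.100.7.51234 > 203.0.113.5.443: tcp 800
12:00:02.000 IP 192.0.2.44.40000 > 203.0.113.5.12000: UDP, length 172
12:00:02.500 IP 192.0.2.99.6881 > 203.0.113.5.6881: UDP, length 1400
12:00:03.000 IP 203.0.113.5.48000 > 192.0.2.10.25: tcp 52000
"""

LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?:tcp (?P<tcp>\d+)|UDP, length (?P<udp>\d+))"
)

def rule_for_port(port, rules=WAN1_RULES):
    """Name of the port forward covering `port`, or None if nothing does."""
    for name, ranges in rules.items():
        if any(lo <= port <= hi for lo, hi in ranges):
            return name
    return None

def summarize(capture, wan_ip, rules=WAN1_RULES):
    """Sum bytes per (direction, remote host, port) and label each flow.
    Inbound flows are checked against the port forwards; connections the
    firewall itself opens (src == wan_ip) are labelled separately, which is
    how a mail relay sending outbound would appear."""
    totals = defaultdict(int)
    for m in filter(None, map(LINE_RE.search, capture.splitlines())):
        size, port = int(m.group("tcp") or m.group("udp")), int(m.group("dport"))
        if m.group("dst") == wan_ip:
            totals[("in", m.group("src"), port)] += size
        elif m.group("src") == wan_ip:
            totals[("out", m.group("dst"), port)] += size
    return {
        key: (size, "firewall-originated" if key[0] == "out"
              else rule_for_port(key[2], rules) or "NO MATCHING RULE")
        for key, size in totals.items()
    }
```

Feed it a real capture with `summarize(open("wan1.txt").read(), "<your WAN1 IP>")`; a large "firewall-originated" total to port 25 would point at the Postfix relay, and a large "NO MATCHING RULE" inbound total is traffic no forward rule accounts for.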
-
The only thing from what I can gather out of those details would be VOIP. Is VOIP used often? If so that could be the cause of the spike, but it should not be that huge of a spike. There might be a need for some more information.
-
Thanks for the feedback guys. I spent a good part of the weekend checking all server and PC logs (all Linux) and could find nothing that corresponded with the 20 hr spike in in/out bandwidth. From this I can only assume that someone may have been relaying directly off the pfsense box.
The only thing that I can see that could cause this problem is Postfix Forwarder. Does anyone have any comments on this?
Regards,
Wayne