Netgate Discussion Forum

    Unknown proxy running on pfsense

    • jimpJ
      jimp Rebel Alliance Developer Netgate
      last edited by

      You can try this from the shell to make sure it's not installed/running on pfSense:

      pkg_delete -f \*squid\*
      rm /usr/local/pkg/*squid*
      

      If you had it installed and set up but it wasn't running/active, that will make sure it's completely removed.

      If that doesn't help or doesn't find anything, then it's not likely that it's actually running on your firewall.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • Z
        zer0 0
        last edited by

        OK, it showed up again.
        Going to whatismyip.com I get this:

        Your IP Address Is: xxx.xxx.x.xxx
        Other IPs Detected: yyy.yyy.yy.yyyy
        Possible Proxy Detected: 1.1 wnpgmb021fw-cfn2.mts.net:3128 (squid/2.5.STABLE12)

        Read more: http://www.whatismyip.com/

        This is strange…

        Any ideas?

        • jimpJ
          jimp Rebel Alliance Developer Netgate
          last edited by

          Is 205.200.78.142 your pfSense WAN IP?

          It could be your ISP routing your HTTP traffic through a transparent proxy for caching.

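The "Possible Proxy Detected" line quoted earlier in the thread has the form of an HTTP `Via` header value, which names the host that handled the request. The following is an added example, not part of any post in this thread: it parses such a value and reports whether each hop is the firewall itself or something upstream. The firewall hostname `pfsense.example.lan` is a hypothetical placeholder.

```python
import re
from typing import NamedTuple, Optional

# One Via element per RFC 7230 section 5.7.1:
#   [protocol-name "/"] protocol-version SP received-by [SP "(" comment ")"]
VIA_ELEMENT = re.compile(
    r"^(?:(?P<proto>[A-Za-z0-9._-]+)/)?(?P<version>[A-Za-z0-9._-]+)\s+"
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[^\s:()]+)(?::(?P<port>\d+))?"
    r"(?:\s+\((?P<comment>.*)\))?$"
)

class ViaHop(NamedTuple):
    protocol: str
    version: str
    host: str
    port: Optional[int]
    software: Optional[str]   # the comment, usually the proxy product/version

def split_elements(value):
    """Split a Via value on commas that are not inside a (comment)."""
    parts, current, depth = [], [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [p.strip() for p in parts if p.strip()]

def parse_via(value):
    """Return one ViaHop per well-formed element, in the order proxies added them."""
    hops = []
    for element in split_elements(value):
        m = VIA_ELEMENT.match(element)
        if m:
            port = int(m["port"]) if m["port"] else None
            hops.append(ViaHop(m["proto"] or "HTTP", m["version"],
                               m["host"].lower(), port, m["comment"]))
    return hops

def locate(hops, firewall_names):
    """Label each hop 'firewall' if its host is one of our own names, else 'upstream'."""
    own = {n.lower() for n in firewall_names}
    return [(h.host, "firewall" if h.host in own else "upstream") for h in hops]

# Value as reported in the thread, and a hypothetical firewall hostname.
SEEN = "1.1 wnpgmb021fw-cfn2.mts.net:3128 (squid/2.5.STABLE12)"
print(locate(parse_via(SEEN), ["pfsense.example.lan"]))
```

A hop labelled `upstream` points at a proxy outside the firewall, such as an ISP's intercepting cache, rather than a Squid package on pfSense.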
          • Z
            zer0 0
            last edited by

            No, that is the second IP that is showing up. My static IP, though of a similar convention, is another one. But when I reboot the router it works for a while, like a few days, and then it starts showing this again. Sometimes different IPs.

            EDIT: OK, looks like the second IP that is showing up is the proxy that my ISP routes me through if they detect a virus in my system. But I've scanned all my network, no virus. If I reboot the pfSense router everything works for a few days and then same thing.

            • C
              cmb
              last edited by

              Ask them what virus, or what specifically they're seeing from your network, that indicates there is a virus. Having an AV scan come back clean doesn't mean squat these days, AV is nearly worthless.

              • Z
                zer0 0
                last edited by

                @cmb:

                Ask them what virus, or what specifically they're seeing from your network, that indicates there is a virus. Having an AV scan come back clean doesn't mean squat these days, AV is nearly worthless.

                They said it's "conficker". In pfSense I have blocked the port 445, and I have also tried turning off all of my switches to disconnect the network from the internet. The only thing I left connected was my wireless router, and then through my phone browser I was still getting the same message from my ISP, until I rebooted pfSense.

                • jimpJ
                  jimp Rebel Alliance Developer Netgate
                  last edited by

                  Scans can be worthless. Try this test on every device you have after getting out from behind that proxy (reboot or whatever):

                  http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

                  If you have the virus, certain images on that page won't load because the virus prevents them from being accessed. That test won't be valid if you're being routed through a proxy server.

                  pfSense wouldn't be doing anything to the traffic to help/hurt you here - if they say they detected the virus, it's highly likely that one of your systems does in fact still have a virus.

                  • Z
                    zer0 0
                    last edited by

                    Thank you Jimp,
                    I will try this on all computers and will post.

                    • Z
                      zer0 0
                      last edited by

                      OMG this eye chart tool is awesome… I was able to find conficker on 3 of the computers on the network and remove them.
                      In AV defense, I did not scan these 3 computers because I didn't even suspect them, as they are not even used by users.
                      Thanks a lot everyone  ;D

                      • stephenw10S
                        stephenw10 Netgate Administrator
                        last edited by

                        Good result. Interesting thread too.  :)

                        Steve

                        • Z
                          zer0 0
                          last edited by

                          @stephenw10:

                          Good result. Interesting thread too.  :)

                          Steve

                          Indeed

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.