Netgate Discussion Forum

Blocked a Host but it still gets out??

Firewalling | 28 Posts, 5 Posters, 4.8k Views

pinoyboy, Jul 31, 2013, 3:02 PM (last edited Jul 31, 2013, 3:18 PM)

Ok, I removed ALIAS and just using straight IP and moved above the disabled ALLOW ALL OUT rule - above any and all rules.  Let's see what happens.

I should repeat that it is the only host with that IP of 192.168.1.151; and only host on that test subnet…also shown in above screenshot.

UPDATE:  pfSense was rebooted and the results are the same with the changes I just mentioned.  I am looking at NTOP to see what connections are established.

kejianshi, Jul 31, 2013, 3:20 PM

OK - Cool.

Try this.  Go to the machine that you say is making all those connections and ping all those IPs it's apparently connecting to.
Then also ping some other IPs that should normally be contactable, like 8.8.8.8 and others like that.

I'm interested to see if it actually connects to any of them.

kejianshi, Jul 31, 2013, 3:39 PM

I have this theory that what you are seeing isn't actual connections, but connection attempts and that they are not getting through your firewall.  Is this the machine that is infected from earlier?

pinoyboy, Jul 31, 2013, 3:45 PM (last edited Jul 31, 2013, 3:48 PM)

Yes, the infected machine.   Also thought that this would be the case, connection attempts; however, after leaving it on the other evening on the test network, the next day there was near 1 GB of traffic.  It is initiating outside contact; I use COUNTRY BLOCK filters.  There are a lot of files (not important) on this PC, but it could also be something masquerading through HTTPS but HTOP doesn't see it or count it.  I know the quick fix which we do apply every time, re-image; however, I was just interested how this particular malware issue is functioning.

doktornotor (Banned), Jul 31, 2013, 3:50 PM

@pinoyboy:

    Yes, the infected machine.   Also thought that this would be the case, connection attempts; however, after leaving it on the other evening on the test network, the next day there was near 1 GB of traffic.

Traffic where? On LAN? On WAN? Where are you detecting these connections? You are running something on the compromised machine's OS and trusting the output? Wow, that's a piece of useless exercise.

kejianshi, Jul 31, 2013, 3:52 PM (last edited Jul 31, 2013, 3:55 PM)

If you have blocked this machine's IP explicitly and it has somehow cut through anyway, it's beyond me how that could happen.  That would be "BAD".  Is it possible that this machine is generating these files, "empty files" or perhaps big files full of screen grabs and keyboard hook grabs, and not actually downloading them but generating them itself?  I wouldn't worry too much about traffic on the LAN between that computer and pfsense.  I'd be really worried if I saw this traffic on the WAN.

pinoyboy, Jul 31, 2013, 4:00 PM (last edited Jul 31, 2013, 4:29 PM)

dok / rez, I knew you couldn't keep off.  Not only are you color blind, but you are schitzo with no sense of useful responses.  Lay off the thread since you provide no useful information.  If you read the thread carefully, you would know the why for the test, and how error filled your comments were.  You are useless to this thread and overall community.

kejianshi, thanks for trying to assist.  Like I said, we always re-image anyhow, but it was just an academic exercise.

kejianshi, Jul 31, 2013, 4:04 PM

Well - If I remember correctly this machine and perhaps others were ruining the reputation of your IP and using up your bandwidth, so I'd be analysing the hell out of it also to make sure I didn't fall victim again.  Did you ever figure out what exactly trojan/virus or intentional sabotage you were inflicted with?

pinoyboy, Jul 31, 2013, 4:07 PM (last edited Jul 31, 2013, 4:29 PM)

Running Symantec AV Enterprise did not see anything; offline/livecd of Dr. Web, AVG, and Avast did not turn anything up.  Could be 0day that's not detectable yet by AV companies.  As far as ruining IP, that's why we try and have proactive review of the network making sure there's no jump in traffic, or abnormal outbound/inbound traffic.  Soon as we do, we isolate to review on test network.

kejianshi, Jul 31, 2013, 4:08 PM

Could be zero day - could be one of your employees trying to use your IP to make a little money on the side.  Either is possible.

pinoyboy, Jul 31, 2013, 4:11 PM

Ha, this old lady doesn't even know where the Control Panel is in Windows.

kejianshi, Jul 31, 2013, 4:19 PM

So you think…  But she is probably the notorious hacker "BlackWidow".  (I totally made that up)
Yeah - I'd wipe it - I'm pretty sure pfsense is doing its job, but why take risks.

podilarius, Jul 31, 2013, 10:07 PM

I don't know if it was asked or if I missed it, but did you check your state table to see if there are states being opened by this machine?

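podilarius's question, and kejianshi's earlier theory that the entries are connection attempts that never get through, can both be answered from the firewall's own state table rather than from tools running on the compromised host. The script below is an added example, not something posted in this thread: it filters `pfctl -ss` style output for states that a given LAN host initiated, and separately lists the ones stuck in SYN_SENT:CLOSED (a SYN went out, nothing came back). The sample state lines, the interface names em0/em1 and all addresses are constructed for the example and assume the IPv4 `pfctl -ss` layout shown in the comment; on a pfSense box you would pipe the real `pfctl -ss` output into `states_from_host` instead of the sample.

```shell
#!/bin/sh
# Constructed sample in the shape of pfSense `pfctl -ss` output
# ("<iface> <proto> <src> [(<pre-NAT src>)] -> <dst> <state>").
# Interfaces, addresses and states are made up for this example.
SAMPLE_STATES='em0 tcp 192.168.1.151:49152 -> 203.0.113.10:443       ESTABLISHED:ESTABLISHED
em0 tcp 192.168.1.151:49153 -> 198.51.100.7:80       SYN_SENT:CLOSED
em0 udp 192.168.1.151:51000 -> 8.8.8.8:53       MULTIPLE:SINGLE
em0 tcp 192.168.1.20:50000 -> 192.168.1.151:445       ESTABLISHED:ESTABLISHED
em1 tcp 203.0.113.1:61000 (192.168.1.151:49152) -> 203.0.113.10:443       ESTABLISHED:ESTABLISHED'

# states_from_host HOST
# Reads pfctl -ss style lines on stdin and prints those the host initiated,
# i.e. where HOST is the source address (the pre-NAT address when one is shown).
# IPv4 only: the address is split from the port at the first colon.
states_from_host() {
  awk -v h="$1" '
    {
      src = $3
      # NAT entries carry the original source in parentheses as field 4
      if ($4 ~ /^\(/) src = substr($4, 2, length($4) - 2)
      split(src, parts, ":")
      if (parts[1] == h) print
    }'
}

# Same filter, but keep only entries that never completed a handshake:
# a state of SYN_SENT:CLOSED means the SYN left but no SYN/ACK came back.
attempts_from_host() {
  states_from_host "$1" | awk '$NF ~ /^SYN_SENT:/'
}

# Count helpers over the constructed sample so the result can be checked.
count_states_from_host() {
  printf '%s\n' "$SAMPLE_STATES" | states_from_host "$1" | awk 'END { print NR + 0 }'
}
count_attempts_from_host() {
  printf '%s\n' "$SAMPLE_STATES" | attempts_from_host "$1" | awk 'END { print NR + 0 }'
}

# Stand-alone run against the sample; on a real firewall use: pfctl -ss | states_from_host 192.168.1.151
printf '%s\n' "$SAMPLE_STATES" | states_from_host 192.168.1.151
```

Two things worth keeping in mind when reading the result. A state listed on the WAN-side interface (em1 in the sample) with the LAN host in parentheses is traffic that actually left, which is the case kejianshi says would be worrying; an entry on the LAN side that never advances past SYN_SENT:CLOSED is an attempt the host made that got no answer. And pf evaluates rules only when a new state is created, so a block rule placed above the allow rules does not tear down states that already exist; states the host opened before the rule was added keep passing until they expire or are reset (the reboot mentioned earlier in the thread does that), so the table is worth checking both before and after a rule change.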
pinoyboy, Aug 1, 2013, 3:17 PM

Yes, it coincided with HTOP.  At this point, it is a closed issue since it has been reimaged.  Thank you.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.