Netgate Discussion Forum

Automatic Update?

Problems Installing or Upgrading pfSense Software
32 Posts 7 Posters 4.3k Views

blueart

      Hello Community,
This morning my pfSense 2.1 was upgraded automatically to the latest version, 2.2. Is this normal behaviour? I did not start any update process.

      Best regards
      BlueArt

kejianshi

        Sounds to me like you are not the only one with admin access to the box (-;

        Or a windows box used for gaming / sketchy sites / P-2-P that is used to also access the pfsense?

blueart

OK, and here comes the problem. I am the only one with admin rights to this box, and of that I'm 100% sure. So I can rule out any other person. That's why I was asking whether there is a process that upgrades the box at a certain time, because if there is not, I need to assume that the box has been compromised and someone upgraded it to close the security leak and make sure he is the only one using the box right now.

blueart

Yes, SSH, and as I just found out, the web page is reachable over one of my public IPs. VPN is running over OpenVPN.

So I guess this means reinstalling the box and disabling SSH and the web page on the public interface...
At the moment I'm checking all the logs, users and so on, but I cannot find anything strange so far. Still, I don't trust this box anymore.

kejianshi

I'm guessing someone got into something you are running exposed to the internet, or maybe the machine you use for admin is compromised?

kejianshi

SSH is pretty durable if you use a long/complex password. You can also move it to a high-numbered port for a little obscurity. VPN also: use difficult passwords and also certificates for user authentication.

                Don't expose your gui though.

                Yeah - wipe the box and reinstall by hand.  Don't use your config backup.

At least that's what I would do.

If it's a Windows admin machine that's compromised, they have your keystrokes. This is the easiest way for someone to "hack" your box, BTW.

blueart

The SSH password is 20+ characters with numbers and all that stuff, so that should be good to go.
OpenVPN is accessible via certificate.

The only unsafe thing was that the GUI was exposed on a public IP, reachable by everyone.

The admin PC should be secure. I will check that before I reinstall the box.

kejianshi

If I were doing anything for a business, I'd use a non-Windows computer to admin the pfSense and would make it a no-personal-bs box.

blueart

Yeah, normally I use my Linux laptop to administer the box, but sometimes it has to be Windows.

I was going through the logs of the box, and it really was an attack over the webGUI.

                      Mar 16 08:15:06 hostname php: /index.php: Successful login for user 'admin' from: 18.239.0.140
                      Mar 16 08:15:06 hostname php: /index.php: Successful login for user 'admin' from: 18.239.0.140
                      Mar 16 08:17:18 hostname shutdown: reboot by root:
                      Mar 16 08:17:18 hostname shutdown: reboot by root:

edit:
I can tell from which IPs I will access this box, since they are all static and only 3 different ones. And I don't have access to any server in the MIT network.

stephenw10 (Netgate Administrator)

                        Yikes.  :o
                        You never want to see that.

                        Steve

kejianshi

                          Hackers out of MIT?  haha…

                          Go figure...

                          Yeah - wipe and reinstall by hand.

blueart

I will try to export only the firewall rules and the OpenVPN server config and check them, because there are too many rules to redo by hand, and the same goes for the VPN server configs. But I need to change the keys, since they are no longer safe.

                            Thanks for your help!!!

kejianshi

                              Good deal.

                              BTW - Nice of your hacker friends to maintain your network for you.  I've only ever known one set of hackers to do such a thing.  Interesting.

Derelict (LAYER 8 Netgate)

                                Yuk.  I have to know.  Was it still admin/pfsense?

                                Chattanooga, Tennessee, USA
                                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                Do Not Chat For Help! NO_WAN_EGRESS(TM)

kejianshi

haha - I'd assumed no, but that's actually a great question.

blueart

No :) it was admin with a 26-character password containing letters, numbers and special characters.

Derelict (LAYER 8 Netgate)

Umm. OK. Were you sniffed somewhere? Was http/80 available? Was that what you used when outside?

BBcan177 (Moderator)

Pretty bad rep on that IP.

                                        https://www.projecthoneypot.org/ip_18.239.0.140

                                        https://www.senderbase.org/lookup/ip/?search_string=18.239.0.140

                                        That IP is listed in the Snort BL that I use for pfBlockerNG:

                                        https://labs.snort.org/feeds/ip-filter.blf

grep "^18.239.0." /var/db/pfblockerng/deny/*

/var/db/pfblockerng/deny/BadIPs.txt:18.239.0.126
/var/db/pfblockerng/deny/Snort_BL.txt:18.239.0.140
/var/db/pfblockerng/deny/Snort_BL.txt:18.239.0.155

                                        "Experience is something you don't get until just after you need it."

                                        Website: http://pfBlockerNG.com
                                        Twitter: @BBcan177  #pfBlockerNG
                                        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

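As an added example that is not part of this thread, the following Python script does in one pass what the posts above did by hand: it parses pfSense system log lines of the form blueart posted, flags successful webGUI logins whose source is not one of the operator's known static admin addresses, checks whether a root reboot followed within a short window (the sequence seen in blueart's log), and then looks each flagged address up in pfBlockerNG-style deny files the way BBcan177's grep does. The log lines, the allowlist (RFC 5737 documentation addresses standing in for the operator's three static IPs) and the deny-list directory are all constructed here; on a real box the lists live under /var/db/pfblockerng/deny/ as shown above, and the year is an assumption because syslog timestamps carry none.

```python
import ipaddress
import re
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Constructed sample log lines, modelled on the entries quoted in the thread.
SAMPLE_LOG = """\
Mar 16 07:58:41 hostname php: /index.php: Successful login for user 'admin' from: 203.0.113.10
Mar 16 08:15:06 hostname php: /index.php: Successful login for user 'admin' from: 18.239.0.140
Mar 16 08:15:06 hostname php: /index.php: Successful login for user 'admin' from: 18.239.0.140
Mar 16 08:17:18 hostname shutdown: reboot by root:
"""

# Constructed allowlist: the static addresses the operator administers from.
# Entries may be single hosts or CIDR ranges.
KNOWN_ADMIN_SOURCES = ["203.0.113.10", "198.51.100.7", "192.0.2.0/29"]

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ php: /index\.php: "
    r"Successful login for user '(?P<user>[^']+)' from: (?P<ip>\S+)$"
)
REBOOT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ shutdown: reboot by (?P<user>\w+):"
)


def parse_ts(ts, year):
    # syslog timestamps carry no year; the caller supplies the assumed one.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def parse_events(text, year=2015):
    """Extract webGUI logins and reboots from pfSense system log text."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            events.append({"time": parse_ts(m["ts"], year), "kind": "login",
                           "user": m["user"], "ip": m["ip"]})
            continue
        m = REBOOT_RE.match(line)
        if m:
            events.append({"time": parse_ts(m["ts"], year), "kind": "reboot",
                           "user": m["user"], "ip": None})
    return events


def is_allowed(ip, allowlist):
    """True when ip falls inside any host or CIDR entry of the allowlist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in allowlist)


def blocklist_hits(ip, deny_dir):
    """Names of deny-list files containing ip, literally or inside a CIDR entry."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for path in sorted(Path(deny_dir).glob("*.txt")):
        for raw in path.read_text().splitlines():
            entry = raw.strip()
            if not entry or entry.startswith("#"):
                continue
            try:
                if addr in ipaddress.ip_network(entry, strict=False):
                    hits.append(path.name)
                    break
            except ValueError:  # skip malformed lines instead of aborting
                continue
    return hits


def review(text, allowlist, deny_dir, year=2015, window=timedelta(minutes=15)):
    """Flag successful webGUI logins from unknown sources, note whether a
    reboot followed within `window`, and attach blocklist matches."""
    events = parse_events(text, year)
    reboots = [e["time"] for e in events if e["kind"] == "reboot"]
    findings = []
    for e in events:
        if e["kind"] != "login" or is_allowed(e["ip"], allowlist):
            continue
        followed = any(e["time"] <= t <= e["time"] + window for t in reboots)
        findings.append({"time": e["time"], "user": e["user"], "ip": e["ip"],
                         "reboot_followed": followed,
                         "blocklists": blocklist_hits(e["ip"], deny_dir)})
    return findings


def build_demo_deny_dir():
    """Constructed stand-in for /var/db/pfblockerng/deny/ holding the three
    entries the grep in the thread returned."""
    d = Path(tempfile.mkdtemp(prefix="pfb_deny_"))
    (d / "BadIPs.txt").write_text("18.239.0.126\n")
    (d / "Snort_BL.txt").write_text("18.239.0.140\n18.239.0.155\n")
    return d


if __name__ == "__main__":
    for f in review(SAMPLE_LOG, KNOWN_ADMIN_SOURCES, build_demo_deny_dir()):
        print(f"{f['time']:%b %d %H:%M:%S} login as {f['user']} from {f['ip']}; "
              f"reboot within 15 min: {f['reboot_followed']}; "
              f"blocklists: {', '.join(f['blocklists']) or 'none'}")
```

The allowlist check is the part that turns a routine "Successful login" line into an alert: the login from 203.0.113.10 passes silently, both logins from 18.239.0.140 are reported with the reboot that followed two minutes later and the Snort_BL.txt hit. The same logic applies unchanged to the SSH and OpenVPN log lines if their patterns are added.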
kejianshi

I'm pretty sure it's a proxy address used by lots of people. That's not the biggest deal. What's on the other side of that pfSense? Anything important?

BBcan177 (Moderator)

Also listed in the Spamhaus XBL list:
http://www.spamhaus.org/query/bl?ip=18.239.0.140

It is also listed in the MaxMind Inc. Anonymous Proxy list:
https://www.maxmind.com/en/proxy/18.239.0.140

                                            Stop Forum Spam - appears in our database 402 times. Current country of … 14-Mar-15 13:54
                                            www.stopforumspam.com/ipcheck/18.239.0.140

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.