Hacked ?

KOM

Was the gui got hacked ?

Very unlikely.

Edit that rule and scroll to the bottom of the rule.  What does it say for Rule Information?

aniodon

Hello Kom !

Sorry but the first thing i did was to delete that rule immediately…
i just did a screenshot of the rule before deleting (cf attachement)

is there any way to find this information in some log?

Edit : Just to mention, our password is quite strong... special car, 12+ car, caps, numbers...

ge-quiros

Me, i own a call center in Dominican Republic, so, i travel quite much, what i do, is i have a VPS, and i whitelist that VPS ip address on all my servers and from there, i jump everywhere else..

Yesterday, i order a Windows Remote Desktop machine, so, i whitelist that as well, use a firewall on my windows and hopefully, it will have low chances for me to get hacked or my main boxes to get hacked

That's a suggestion… and like someone else noted, it is unlikely that pfSense got hacked, but nowadays telnet has been kinda deprecated, next time it happens, first, disable the rule, then check everything else

jahonix

Go to  Diagnostics: Backup/restore  and view the  Config History  tab.

KOM

Sorry but the first thing i did was to delete that rule immediately…

In future, disable it instead of deleting it.

If you are a pfSense Gold subscriber and are using their AutoConfigBackup service, you could download a previous version of your config that includes this rule and then check it there.

aniodon

hello everyone !

@ge-quiros : we do not use telnet… we got hacked by someone trying to get access to telnet by opening telnet ports.
@KOM : you're absolutely right, i'll do this in the future... unfortunately I do not have a gold subscription...
@Jahonix : Thanks i did not know this feature existed. But i do not find a cache old enough ... i diffed newer/oldest, the rule is not there... ;(

johnpoz

" I saw a rule added by a foreign (thailand) ip."

How exactly do you know it was added by this IP?  So you saw that in the rule info at the bottom?  But thought you said you deleted it right away?

So how did they get access?  Your webgui is open to the public??

aniodon

Hello Johnpoz

I did a capture of the rule before deleting it, please see the attachement of my second post in this thread.
it's a spam thailand IP

I have a pfsense on a fourth infra, in the same config than the first hacked, and this one too got a rule added too, by a chinese ip…

I have more detail in here :
please see the attachement.

It seems that the rule is added by "Easy rule", the comment is the same as the classic easy pass.

Both firewall are on ssl with no certificate (for now), and both have a nat on 443 on wan to another server (a RDS)... the gui should'nt have been exposed through wan

i just CANNOT believe our password has been hacked... it is (believe me) really complicated... !

doktornotor

Looks like you clicked the easyrule icon in firewall logs view by mistake.

jahonix

@aniodon:

yesterday, I saw a rule …

@aniodon:

… i do not find a cache old enough ... i diffed newer/oldest, the rule is not there...

Yesterday it was there and today you can't find it in the cache anymore?
Tinfoil hat time?

Edit: give doktornotor a round of applause and calm down. You hacked yourself and your super-duper-pdw is still safe.

aniodon

@jahonix:

@aniodon:

yesterday, I saw a rule …

@aniodon:

… i do not find a cache old enough ... i diffed newer/oldest, the rule is not there...

Yesterday it was there and today you can't find it in the cache anymore?
Tinfoil hat time?

Edit: give doktornotor a round of applause and calm down. You hacked yourself and your super-duper-pdw is still safe.

Thanks but…
Yes Jahonix, my last cache is 11/23/16 18h41:46... 
and i deleted the rule before this time.

I got the exact same rule (telnet) on two different pfsense added by a 'easy rule'
I can consider making a mistake once, but twice on a totally different environment  ... ?

johnpoz

"I can consider making a mistake once, but twice on a totally different environment  … ? "

You wouldn't believe the stupidity of the typical user.. Personally no offense - but this clearly looks to be complete and utter PEBKAC all the way..

The rule will clearly stated from what IP is was created from..  Your just showing a rule you allowed from a source.  Not where the rule was created from.. So you clicked firewall hit to add it as a easy rule.. So yeah PEBKAC..

KOM

In your Firewall log, do not click the button shown with the red arrow or it will allow this IP and port on the interface it appeared.