Urgent File Server behind Firewall got hacked

chpalmer

We don't use microsoft products for our email server.  (other than its a product running on Windows server machine.)

We don't use webmail and setup usernames and (strong) passwords up for each of the desktops and in a case or two for their smartphones. Users never know their password for email.  We also use pfblocker to control whats coming from areas which we have no business or desire to hear from.

The email server logs everything. We've never seen anyone actually try to hack into a username (other than "abuse") that we use here but you can't count on that. Its not if..  but when.

But I think the point of this thread is-  We have enough with services that have to live with an open port or two in order to do their job. Don't open yourself up to more heartburn by opening up services to the world which can be easily set up on VPN's or other methods such as not allowing outside access at all. Or firewall rules allowing a set source.

ashima

Hello,

On the eve of new  year  my entire network seems to be hacked.

To patch up things temporarily I placed new firewall ( just acting as load balancer and vpn server) before my previous firewall.

So my current network is

isp2 –----
                  |
      isp1----- load balancer ---- my old firewall ---- switches ----- Win Server, Desktops, APs.

rdp and teamviewer are off WIn Server.....

The LAN network of load balancer is 192.168.5.0/24 .  The WAN ip of old firewall is 192.168.5.2.

Suddenly, the arp of load balancer shows 192.168.5.2 allotted to a new mac id de:ad:f9:xx:xx:xx. And the old firewall doesn't get the WAN IP and my entire LAN doesn't get internet access. This is happening every 20-25 min.  There are no vendor for mac id  de:ad:f9.

I think some one internally intentionally  or unintensionally spoofing a mac id and taking up firewall wan ip.

What should I do ? Meanwhile I have taken down my entire LAN network and connecting each device one by one to find the culprit. A tedious job but No other option.

Please Help me and save my NEW Year.....

Regards,
Ashima

Harvy66

It's definitely intentional. The MAC address starts with the word "dead". You can't "accidentally" change you MAC address.

Since you have no idea where this MAC address is coming from, your local network is physically unsecure. You should either use your switch to figure out which port the address is coming from or start disconnecting devices while attempting to ARP ping or something.

johnpoz

Its a locally admin mac, you can tell since de the 2nd significant bit is 1, so that is locally admin mac address.

What is between your LB and your firewall?  I would take it just a wire and or a switch where you would of setup this 192.168.5 as a transit network - there should be no other devices on this network other than possible other routers..  You show –- so take it just a wire between your LB and your firewall?

ashima

@johnpoz there is just a wired connection between LB and the Firewall…..There is no other device between them.

ashima

We literally removed almost all devices one by one almost 60 off them and reconnected them one by one. There are 3 more win 7 systems, win server, tally server and an AP which are yet be connected and tested. We shall continue the test tomorrow.

Meanwhile I have disabled DHCP in LB and given firewall a fixed ip.

What I don't understand how can a device connected to firewall LAN get a dhcp response from LB (dhcp was initially enabled in LB).

Any help please.

johnpoz

"There is no other device between them."

Then why are you bother to check all the other devices on your network???  mac address are layer 2.. They do not go beyond your layer 2 connection.  If all you have is a wire between your LB and Pfsense - then your issue is between those 2 devices - PERIOD!!!

ashima

Hello,

A very Happy New Year to everyone.

Yes, There is just a wire between LB and firewall. That is what was surprising  me. The rogue mac id de:ad:b9:80:87:90 was in between getting the wan IP of the firewall, as a result there was no internet for the firewall clients.

I have disabled dhcp in LB and given firewall a static IP. This seems to have solved the issue.

I am also running Xarp ( a program to detect arp spoofing) in my lan. In between I get alerts

169.254.50.80      de:ad:b9:80:87:90

The same mac id but now it's not getting the ip address…. so the net is working fine. I guess someone has done mac spoofing and now running arp snoofing.....

Any clue ?

BTW I had enabled virtual Ip (IP alias) in my firewall if that has some thing to do with the case.

johnpoz

169.254 is link local address for ipv4..  Interface set for dhcp that does not get response from dhcp will assign itself a random address with 169.254 as well APIPA..

https://en.wikipedia.org/wiki/Link-local_address

ashima

@johnpoz,    That is exactly what I want to tell 169.254 is link local address.

The rogue mac de:ad:b9  is unable to get a valid ip. But when I enable dhcp at the LAN port of LB, this rogue mac id  takes the WAN ip of firewall. At times more than one IP is assigned to same mac id. When I disable LAN and enable LAN back in LB, it disapears and firewall gets back its ip.

Any clue…..

Ashima

johnpoz

How is it a rouge mac, its a wire between your LB and pfsense - so clearly you set that mac up on pfsense.  Do an ifconfig and remove the mac..