Urgent File Server behind Firewall got hacked
-
Hello,
On the eve of new year my entire network seems to be hacked.
To patch up things temporarily I placed new firewall ( just acting as load balancer and vpn server) before my previous firewall.
So my current network is
isp2 –----
|
isp1----- load balancer ---- my old firewall ---- switches ----- Win Server, Desktops, APs.rdp and teamviewer are off WIn Server.....
The LAN network of load balancer is 192.168.5.0/24 . The WAN ip of old firewall is 192.168.5.2.
Suddenly, the arp of load balancer shows 192.168.5.2 allotted to a new mac id de:ad:f9:xx:xx:xx. And the old firewall doesn't get the WAN IP and my entire LAN doesn't get internet access. This is happening every 20-25 min. There are no vendor for mac id de:ad:f9.
I think some one internally intentionally or unintensionally spoofing a mac id and taking up firewall wan ip.
What should I do ? Meanwhile I have taken down my entire LAN network and connecting each device one by one to find the culprit. A tedious job but No other option.
Please Help me and save my NEW Year.....
Regards,
Ashima -
It's definitely intentional. The MAC address starts with the word "dead". You can't "accidentally" change you MAC address.
Since you have no idea where this MAC address is coming from, your local network is physically unsecure. You should either use your switch to figure out which port the address is coming from or start disconnecting devices while attempting to ARP ping or something.
-
Its a locally admin mac, you can tell since de the 2nd significant bit is 1, so that is locally admin mac address.
What is between your LB and your firewall? I would take it just a wire and or a switch where you would of setup this 192.168.5 as a transit network - there should be no other devices on this network other than possible other routers.. You show –- so take it just a wire between your LB and your firewall?
-
@johnpoz there is just a wired connection between LB and the Firewall…..There is no other device between them.
-
We literally removed almost all devices one by one almost 60 off them and reconnected them one by one. There are 3 more win 7 systems, win server, tally server and an AP which are yet be connected and tested. We shall continue the test tomorrow.
Meanwhile I have disabled DHCP in LB and given firewall a fixed ip.
What I don't understand how can a device connected to firewall LAN get a dhcp response from LB (dhcp was initially enabled in LB).
Any help please.
-
"There is no other device between them."
Then why are you bother to check all the other devices on your network??? mac address are layer 2.. They do not go beyond your layer 2 connection. If all you have is a wire between your LB and Pfsense - then your issue is between those 2 devices - PERIOD!!!
-
Hello,
A very Happy New Year to everyone.
Yes, There is just a wire between LB and firewall. That is what was surprising me. The rogue mac id de:ad:b9:80:87:90 was in between getting the wan IP of the firewall, as a result there was no internet for the firewall clients.
I have disabled dhcp in LB and given firewall a static IP. This seems to have solved the issue.
I am also running Xarp ( a program to detect arp spoofing) in my lan. In between I get alerts
169.254.50.80 de:ad:b9:80:87:90
The same mac id but now it's not getting the ip address…. so the net is working fine. I guess someone has done mac spoofing and now running arp snoofing.....
Any clue ?
BTW I had enabled virtual Ip (IP alias) in my firewall if that has some thing to do with the case.
-
169.254 is link local address for ipv4.. Interface set for dhcp that does not get response from dhcp will assign itself a random address with 169.254 as well APIPA..
https://en.wikipedia.org/wiki/Link-local_address
-
@johnpoz, That is exactly what I want to tell 169.254 is link local address.
The rogue mac de:ad:b9 is unable to get a valid ip. But when I enable dhcp at the LAN port of LB, this rogue mac id takes the WAN ip of firewall. At times more than one IP is assigned to same mac id. When I disable LAN and enable LAN back in LB, it disapears and firewall gets back its ip.
Any clue…..
Ashima
-
How is it a rouge mac, its a wire between your LB and pfsense - so clearly you set that mac up on pfsense. Do an ifconfig and remove the mac..
