Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Numerous ET SCAN Potential SSH Scan OUTBOUND alerts. Is Pfsense infected?

    Scheduled Pinned Locked Moved IDS/IPS
    28 Posts 8 Posters 15.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      boobletins
      last edited by

      Have you been making any external connections via ssh or using sftp?

      This alert can fire if you make repeated outbound connections within a period of time:

      alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"ET SCAN Potential SSH Scan OUTBOUND"; flow:to_server; flags:S,12; threshold: type threshold, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2003068; classtype:attempted-recon; sid:2003068; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
      

      So 5 attempts in 120 seconds will generate this alert.

      Do you have EVE JSON enabled in Suricata?

      1 Reply Last reply Reply Quote 1
      • B
        boobletins @lambro690
        last edited by boobletins

        @lambro690 said in Numerous ET SCAN Potential SSH Scan OUTBOUND alerts. Is Pfsense infected?:

        Here is a screenshot if one of the alerts (there are hundreds of them. All with different IPs.

        I missed that on my first read.

        If you have hundreds of alerts on SID 2003068, you control your network (have a kid running a port scanner in the basement?), and you aren't running your own port scan on that class C, then your firewall is compromised, one of your LAN machines is, or you have a rogue wifi client.

        Are you also running Suricata on the VLAN for wifi?

        I would suspect the LAN/wifi machines before the firewall, but if you're running Suricata (I presume with the same rules?) on the LAN and VLAN, then yes, I would assume your firewall is compromised.

        If you use who from the console (or under diagnostics->command prompt), do you see any ttys?

        What output do you get from ps -aux | grep ssh ?

        1 Reply Last reply Reply Quote 1
        • L
          lambro690
          last edited by

          @boobletins Thank you for your response.

          I ended up reinstalling after I tried the packet capture as @bmeeks suggested.

          It seems like the firewall was compromised. This is weird because it started happening after the recent update. Not sure if it is related or not.

          After the reinstall, I powered on my servers one by one and no alerts were triggered so I think we are good. I will continue to monitor it and report back if I see anything.

          Thanks again guys!

          Gigabyte J1900N-D3V with on board Celeron - 4gb Ram - 250gb HDD - 1U Rack mount Case

          bmeeksB 1 Reply Last reply Reply Quote 0
          • bmeeksB
            bmeeks @lambro690
            last edited by

            @lambro690 said in Numerous ET SCAN Potential SSH Scan OUTBOUND alerts. Is Pfsense infected?:

            @boobletins Thank you for your response.

            I ended up reinstalling after I tried the packet capture as @bmeeks suggested.

            It seems like the firewall was compromised. This is weird because it started happening after the recent update. Not sure if it is related or not.

            After the reinstall, I powered on my servers one by one and no alerts were triggered so I think we are good. I will continue to monitor it and report back if I see anything.

            Thanks again guys!

            A compromised firewall would be of great concern to me! If it were me, I would want to figure out how and what compromised my firewall.

            1 Reply Last reply Reply Quote 0
            • B
              boobletins
              last edited by

              Indeed. Logs, pcaps, or a disk image would have been interesting.

              It would also be interesting to know how you reinstalled (not worried about rootkits? efi/bios resident malware?).

              After re-install, did you put the same config back in and just modify the password?

              All kinds of interesting questions... thread had 10/10 potential :)

              L 1 Reply Last reply Reply Quote 0
              • L
                lambro690 @boobletins
                last edited by

                @boobletins @bmeeks

                It would have been nice to see but I just wanted my internet back under control :)

                All good questions! Yes same config, new LastPass random password this time.

                I am a Linux admin at work so I know a few things, although not everything :p

                I reinstalled after booting up an Ubuntu instance and running chkrootkit. Not sure how effective it'll be but I made an attempt. I then formatted the drive (it was ZFS) and I have moved back to UFS.

                I installed fresh, restored backup, changed password and then sat there for about 30 mins watching the Suricata alerts just to make sure.

                Then I powered all severs/desktops back up one by one just to be sure it did not spread to them.

                Not 100% trusting just yet.

                Gigabyte J1900N-D3V with on board Celeron - 4gb Ram - 250gb HDD - 1U Rack mount Case

                1 Reply Last reply Reply Quote 0
                • chromefinchC
                  chromefinch
                  last edited by

                  I'm getting the same thing, Seems to be crawling through the IP's. Really worrisome as I host a site for my wife's Co.
                  Has the rebuild fixed it? Are you sure you still have the alert enabled?

                  Member of the 'emerging scan rules':
                  SID 2003068
                  https://docs.emergingthreats.net/bin/view/Main/2003068

                  1 Reply Last reply Reply Quote 0
                  • B
                    boobletins
                    last edited by

                    How many times per minute are you seeing this? You're sure it isn't a result of you attempting to make an ssh connection 5 times in a 2 minute window?

                    1 Reply Last reply Reply Quote 0
                    • B
                      boobletins
                      last edited by

                      Also, could you paste the output from the command line sockstat | grep ":22"

                      1 Reply Last reply Reply Quote 0
                      • chromefinchC
                        chromefinch
                        last edited by

                        0_1546637981852_Screen Shot 2019-01-04 at 4.39.08 PM.png

                        1 Reply Last reply Reply Quote 0
                        • chromefinchC
                          chromefinch
                          last edited by

                          @boobletins said in Numerous ET SCAN Potential SSH Scan OUTBOUND alerts. Is Pfsense infected?:

                          sockstat | grep ":22"

                          Thanks for the quick response, here is what the command yielded, what am I looking at?
                          ? ? ? ? tcp4 192.168.2.1:20356 192.168.2.23:22
                          ? ? ? ? tcp4 192.168.1.8:54310 192.168.1.24:22
                          ? ? ? ? tcp4 192.168.1.8:54312 192.168.1.24:22

                          1 Reply Last reply Reply Quote 0
                          • B
                            boobletins
                            last edited by boobletins

                            Those question marks are in the original output? And you're running that from the pfSense command line?

                            The command should be showing you which process has open sockets on port 22. We're hoping whatever process is scanning will show up there to try to get an indication of what is going on.

                            chromefinchC 1 Reply Last reply Reply Quote 0
                            • chromefinchC
                              chromefinch @boobletins
                              last edited by

                              @boobletins 0_1546638255655_Screen Shot 2019-01-04 at 4.44.05 PM.png

                              1 Reply Last reply Reply Quote 0
                              • B
                                boobletins
                                last edited by

                                Can you check chat for me? It will be faster.

                                chromefinchC 1 Reply Last reply Reply Quote 1
                                • B
                                  boobletins
                                  last edited by

                                  chromefinch had previously had ntop-ng installed but only recently re-enabled suricata.

                                  sockstat | grep ":22" output from the ui did not generate helpful output.

                                  He re-enabled ssh access for himself and sockstat | grep ":22" generated output similar to below:

                                  root ntopng 15017 45 tcp4 x.x.x.x:33912 57.151.10.72:22
                                  

                                  ntop was likely scanning what it thought was an internal network for sshd servers (though I have no experience with ntop on pfsense) -- he's following up in the ntop forums.

                                  lambro690 -- I wonder if you had something similar going on?

                                  L 1 Reply Last reply Reply Quote 2
                                  • chromefinchC
                                    chromefinch @boobletins
                                    last edited by

                                    @boobletins Thanks for your help!!!! I disabled the ntop wan interface and No more alerts!

                                    bmeeksB 1 Reply Last reply Reply Quote 1
                                    • bmeeksB
                                      bmeeks @chromefinch
                                      last edited by

                                      @chromefinch said in Numerous ET SCAN Potential SSH Scan OUTBOUND alerts. Is Pfsense infected?:

                                      @boobletins Thanks for your help!!!! I disabled the ntop wan interface and No more alerts!

                                      So your firewall was infected -- but with ntop instead of a trojan ... ☺ . (Just kidding).

                                      1 Reply Last reply Reply Quote 1
                                      • L
                                        lambro690 @boobletins
                                        last edited by

                                        @boobletins Yup lol I sure did have ntop installed. Must have been a bug with the package because I haven't gotten anything since the reinstall. Now I will know what to look out for!

                                        Great work guys. That makes me feel a little bit better about my security :p

                                        Gigabyte J1900N-D3V with on board Celeron - 4gb Ram - 250gb HDD - 1U Rack mount Case

                                        1 Reply Last reply Reply Quote 0
                                        • S
                                          smokers
                                          last edited by

                                          I'm having same issue with ntop .. .. seems to try ip's like 0.106.219.157...
                                          installed, reinstalled several times. ... anyone might know what is the issue?

                                          1 Reply Last reply Reply Quote 0
                                          • NyarlathotepN
                                            Nyarlathotep
                                            last edited by

                                            This post is deleted!
                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.