Had my pfSense been compromised?

JeGr

@bchan said in Had my pfSense been compromised?:

For sure it does not have the offending 103.240.140.10 in my first post.

Yes but it has your local FQDN. You sure that resolves correctly and not to some strange web IP? I'd never use local hostnames in Aliases.

bchan

@johnpoz
Nothing logged around that time (05:29):

johnpoz

look in your full rule set for what that ID number matches up with.

bchan

@JeGr

whois 103.240.140.10
inetnum: 103.240.140.1 - 103.240.142.255
netname: CTCL-HK
descr: ClearDDoS Technologies
country: HK

It sounds like a web security company.

JeGr

I'm talking about your alias. Not the IP.

bchan

@JeGr

I have checked the table values for this alias and they all resolve correctly to 192.168.x.x

JeGr

@bchan said in Had my pfSense been compromised?:

all resolve correctly to 192.168.x.x

LAPTOP-1CGD66U4 resolves to 192.168.x.x? Even on pfsense itself? Its resolvers?

bchan

@JeGr

bchan

@johnpoz said in Had my pfSense been compromised?:

pfctl -vvsr

pfctl -vvsr | grep 4294967295
return nothing.

johnpoz

Then the rule was deleted, make sure your grep is working by using a ID in your command that you see when just looking at the output.

Are you currently seeing logs for this?

bchan

@johnpoz said in Had my pfSense been compromised?:

Then the rule was deleted, make sure your grep is working by using a ID in your command that you see when just looking at the output.

Are you currently seeing logs for this?

grep works for other id e.g. the teamviewer logger.
I have 2 WANs for months. This incident was the first time I saw incoming traffic to WAN2 and were logged.
As you can see from my rules, I don't have anything that will log incoming traffic for WAN2.

jimp

Do you have UPnP enabled? Do you have it set to use WAN2, and to log connections?

That's the most likely explanation.

johnpoz

That would be my guess as well... You might be able to glean a bit more info by looking at the raw log in output.

jimp

When I manually trigger something like that (for example, open Deluge, go into settings, and trigger a port test), I get a similar log message with a random-ish ID.

Since the UPnP rules don't have a description, and have random IDs, and are probably short-lived, they wouldn't have a visible description in the logs even if you caught them when they were active.

bchan

@jimp said in Had my pfSense been compromised?:

Do you have UPnP enabled?

No I have not enabled UPnP.

johnpoz

That doesn't actually mean its not running - that is a wiget that can be edited to not show specific services.

bchan

@johnpoz
UPnP is not running:

hulleyrob

@bchan hey dude, im interested in this as i saw exactly the same thing this morning, about 5 low ports opened by upnp and incoming UDP traffic however i now have no idea what opened them up. Do you have a PS4 on the network as its the only thing i can think that would do this?

bchan

@hulleyrob said in Had my pfSense been compromised?:

Do you have a PS4 on the network as its the only thing i can think that would do this?

I am running a small office and have no PS4 and have not enabled any uPnP.

hulleyrob

@bchan ah ok i do have upnp enabled but have the same problem you are and cannot see after the even which computer opened up the ports just that there was a rule and its been deleted.