    Is this a Hack Bot that Suricata Found?

    IDS/IPS
weirdpolice (Banned):

This post is deleted!
NogBadTheBad:

@ProfessorManhattan said in Is this a Hack Bot that Suricata Found?:

03/23/2020-19:39:30.151530 [**] [1:2001569:15] ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.101:50361 -> 96.45.83.246:445

What is 192.168.1.101?

It tried to connect via SMB to 96.45.83.246.

This is the rule that triggered the alert:

alert tcp $HOME_NET any -> any 445 (msg:"ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection"; flags:S,12; threshold: type both, track by_src, count 70, seconds 60; metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2001569; classtype:misc-activity; sid:2001569; rev:14; metadata:created_at 2010_07_30, updated_at 2017_05_11;)

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node27.html

Andy

1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22
weirdpolice (Banned):

@NogBadTheBad As far as I know, I did not create 192.168.1.101. I connected pfSense's WAN to my LAN and then connected 192.168.1.100 to the LAN of pfSense. I may have switched internet connections to the WiFi of the LAN and back to the pfSense LAN. Could this have caused my computer to increment in IP address?

I'm worried that some bot sniffed pfSense in its odd configuration, changed to 192.168.1.101 somehow and then did something that made all the ALERTS go away.

Any advice would be helpful, but now I'm wondering if my pfSense is compromised?

Also, without going into detail, how advanced of a hack is too advanced for me to even bother protecting myself from?
NogBadTheBad (replying to weirdpolice):

I'm worried that some bot sniffed pfSense in its odd configuration, changed to 192.168.1.101 somehow and then did something that made all the ALERTS go away.

It's something connected to your LAN, not sure why you are using the terms bot and hack, maybe take off the tin foil hat for a mo 😉

Look in the ARP table (Diagnostics -> ARP Table) and in Status -> DHCP Leases. Does a MAC address show against 192.168.1.101? If not, try Status -> System Logs -> DHCP.

Also from 192.168.1.101:-

03/23/2020-19:45:11.302820 [**] [1:2008581:3] ET P2P BitTorrent DHT ping request [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.1.101:48381 -> 91.121.72.196:50771

03/23/2020-19:53:21.140064 [**] [1:2010144:6] ET P2P Vuze BT UDP Connection (5) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.1.101:38820 -> 62.138.0.158:6969

Andy

1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22
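Added example, written for this thread and not code from the forum, from Netgate or from Suricata. It ties together the two checks Andy describes: it parses the three fast.log alert lines quoted above and groups them by source IP, replays the "threshold: type both, track by_src, count 70, seconds 60" logic of the sid 2001569 rule quoted earlier over a constructed stream of port-445 SYNs (so you can see why one host trips the rule and another does not), and then resolves the alerting IP to a MAC address and DHCP lease name, the same lookup as Diagnostics -> ARP Table and Status -> DHCP Leases. The SYN stream, the arp -an style lines, the MAC addresses and the hostnames are all made up for the example; only the three alert lines come from the thread.

```python
"""Added example, not part of the forum thread: parse Suricata fast.log
lines, replay the per-source SYN threshold of ET sid 2001569, and resolve
an alerting IP to a MAC / DHCP hostname. All sample data is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fast.log layout; the forum copy shows "[]" where Suricata writes "[**]",
# so both separators are accepted.
FAST_LINE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[(?:\*\*)?\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[(?:\*\*)?\]\s+"
    r"\[Classification:\s+(?P<cls>[^\]]+)\]\s+\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_fast_line(line):
    """Return a dict for one fast.log alert line, or None if it does not parse."""
    m = FAST_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y-%H:%M:%S.%f")
    for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
        rec[k] = int(rec[k])
    return rec

def alerts_by_source(lines):
    """Group (sid, msg) pairs by source IP so the noisy LAN host stands out."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_fast_line(line)
        if rec:
            by_src[rec["src"]].append((rec["sid"], rec["msg"]))
    return dict(by_src)

def replay_threshold(syn_events, count=70, seconds=60):
    """Model 'threshold: type both, track by_src, count 70, seconds 60':
    per source, a window opens at its first SYN to port 445; one alert
    fires when the count-th SYN lands inside that window, then nothing
    more until the window expires. syn_events: (timestamp, src_ip)."""
    state, fired = {}, []
    for ts, src in sorted(syn_events):
        w = state.get(src)
        if w is None or ts - w["start"] >= timedelta(seconds=seconds):
            w = state[src] = {"start": ts, "n": 0, "fired": False}
        w["n"] += 1
        if w["n"] >= count and not w["fired"]:
            w["fired"] = True
            fired.append((ts, src))
    return fired

# Lines in the style of 'arp -an' output (constructed; MAC octets may be
# zero-padded or not).
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5}) on (?P<iface>\S+)")

def identify_host(ip, arp_text, leases):
    """Resolve an alerting IP to its MAC (ARP) and DHCP lease hostname."""
    mac = None
    for m in ARP_LINE.finditer(arp_text):
        if m.group("ip") == ip:
            mac = m.group("mac")
    host = next((h for lip, lmac, h in leases if lip == ip or lmac == mac), None)
    return {"ip": ip, "mac": mac, "hostname": host}

# --- constructed sample data -------------------------------------------
# The three alert lines quoted in the thread, as the forum displayed them.
FAST_LOG = [
    "03/23/2020-19:39:30.151530 [] [1:2001569:15] ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection [] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.101:50361 -> 96.45.83.246:445",
    "03/23/2020-19:45:11.302820 [] [1:2008581:3] ET P2P BitTorrent DHT ping request [] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.1.101:48381 -> 91.121.72.196:50771",
    "03/23/2020-19:53:21.140064 [] [1:2010144:6] ET P2P Vuze BT UDP Connection (5) [] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.1.101:38820 -> 62.138.0.158:6969",
]
# Hypothetical SYN stream: .101 sends 72 SYNs to port 445 in ~29 s (trips
# the rule); .100 sends only 5 in 20 s (does not).
T0 = datetime(2020, 3, 23, 19, 39, 0)
SYN_EVENTS = [(T0 + timedelta(milliseconds=400 * i), "192.168.1.101") for i in range(72)]
SYN_EVENTS += [(T0 + timedelta(seconds=5 * i), "192.168.1.100") for i in range(5)]
# Constructed ARP table and DHCP leases (ip, mac, hostname); MACs are made up.
ARP_TEXT = """? (192.168.1.1) at 00:26:00:00:00:01 on em0 expires in 1180 seconds [ethernet]
? (192.168.1.101) at 00:26:00:00:00:65 on em0 expires in 1190 seconds [ethernet]
"""
LEASES = [("192.168.1.100", "00:26:00:00:00:64", "my-pc"),
          ("192.168.1.101", "00:26:00:00:00:65", "unknown-laptop")]

def triage(fast_log=FAST_LOG, syn_events=SYN_EVENTS, arp_text=ARP_TEXT, leases=LEASES):
    """Per alerting source: its alerts, whether it tripped sid 2001569 in the
    replayed SYN stream, and which LAN host (MAC / lease name) it maps to."""
    tripped = {src for _, src in replay_threshold(syn_events)}
    return {src: {"alerts": alerts, "tripped_2001569": src in tripped,
                  "host": identify_host(src, arp_text, leases)}
            for src, alerts in alerts_by_source(fast_log).items()}

if __name__ == "__main__":
    for src, info in triage().items():
        print(src, info["host"], "tripped" if info["tripped_2001569"] else "quiet",
              len(info["alerts"]), "alerts")
```

The threshold replay is the part worth keeping in mind when reading the alert: the rule does not fire on a single SMB connection, it fires once the same LAN address has sent its 70th SYN to port 445 within a minute, and type both then suppresses further alerts for that source until the window expires, which is why one alert line can represent a burst of many attempts and why the alerts can then "go quiet" without anything hiding.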
weirdpolice (Banned):

@NogBadTheBad It's just weird that the alerts were spamming, then it says something was scanning or infecting, and then all the results go silent.

This is tin foil hat status? Guess I should take off my tinfoil suit.
NogBadTheBad:

Any MAC address?

Andy

1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22
weirdpolice (Banned):

Just tried going to the ARP Table but it's not loading... after a couple of minutes it started loading:

WAN 192.168.1.101 00:26:*** Permanent ethernet

It basically has the same stats as 192.168.1.1, except it says Permanent.

SMH... there are a bunch of MAC addresses/192.168.1.x addresses, but I only connected 1 computer to pfSense's LAN.
NogBadTheBad:

Do you have another router connected between the Internet and your pfSense WAN interface?

Andy

1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22
weirdpolice (Banned, replying to NogBadTheBad):

@NogBadTheBad Yes, I do. Internet -> Router -> Router's LAN -> pfSense -> Single Computer
NogBadTheBad:

Well, it's a device connected to that other router then, either by ethernet or WiFi.

Andy

1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22
weirdpolice (Banned):

Yeah, I figured that... I'm just curious how it knew to start scanning and then dropped silent all of a sudden.
NogBadTheBad:

@ProfessorManhattan said in Is this a Hack Bot that Suricata Found?:

Here are the logs (Note: I had to remove a massive sum of the malicious logs because Stack does not allow that many characters... I left in the parts that show the Network Trojan and Scanning of the pfSense Router (IP address: 192.168.1.101):

Can you switch the upstream router to modem mode?

If you can, it would be better, as you'll have a non-RFC 1918 IP address on the pfSense WAN interface and you won't have double NAT occurring.

Andy

1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22
msf2000 (replying to weirdpolice):

@ProfessorManhattan
You have an active malware infection. It's certainly capable of knowing what network it's on, changing its own IP address, and then "hiding" itself to fall silent until called upon by its master.
weirdpolice (Banned, replying to NogBadTheBad):

@NogBadTheBad @msf2000 This post is the truth and partially for my own protection:

OK, do you think I should reinstall pfSense? Or if they can hack my router, am I supposed to let them have their way with my setup? I experienced some extremely high level hacks in the past, so I'm not sure what I should do (you would not believe --- I tracerouted at one point and saw my traffic going through countries on the other side of the world... also I logged into my cell phone's manufacturer menu and saw someone changed the Cellular SSID to the name of one of my research projects -- Radiation TDR.. then sh*t got gnostic)... on one hand, I (POSSIBLY still) have this unknown group that's capable of doing extremely high level hacks on my system (I believe they actually fixed up some settings last time they hacked me) and on the other hand I live with a bunch of computer n00bs who prolly click virus.exe like it's candy..

I'm not sure I want to even "protect" myself from the high level group -- I wouldn't want to cause some guy in the NSA to be like, "Shit, they know our IP block now." But on the other hand, I want to keep the script kiddies out.

Any recommendations on what to do? Is this malware capable of infecting the rest of the LAN? There is some sensitive information on the network PLUS BTW IN CASE I POSTED IPs... HIGHLY DO NOT RECOMMEND HACKING THIS NETWORK --- just read this post which doesn't even scratch the surface
msf2000 (replying to weirdpolice):

@ProfessorManhattan

It just looks like DNS queries on weird ports... Mostly reconnaissance-type connections. I would just the host/client device. I don't see any evidence that your pfSense box is hacked...

Also, connections all over the world are not necessarily a sign of compromise... something as simple as getting the current time (NTP) from a Russian timeserver can be benign and even routine.

In any event, we're off topic. Suricata helps you detect malware/reconnaissance, and it's doing its job as far as I can see.
NogBadTheBad:

No, it's not a pfSense issue.

It's an issue with the hosts.

By default pfSense blocks anything hitting the WAN interface.

Andy

1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22
weirdpolice (Banned, replying to NogBadTheBad):

@NogBadTheBad Thank you for the reassurance. I can take off my tin foil hat as you say and not waste a month compulsively reinstalling pfSense, which probably would be from a source with a mismatching checksum anyway.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.