is pfsense forums hacked?
-
Background: I use a custom email address @domain.ca for everything.
Problem: Today i recieved an email that was to pfsense@domain.ca . What this likely means, since i have never used that anywhere else, is that some pfsense forums or other pfsense corporate asset is compromised. There are no google hits on the email address, so it hasnt been published anywhere. You can all draw your own conclusions, but this is just a be wary message, a slight caution has been raised.
Posting here incase anyone sees the same thing. Perhaps i am super paranoid, but i often find database compromises for companies in this fashion. Partial headers follow:
Return-Path: <pfsense5041@zechstreets.com> X-Original-To: pfsense@DOMAIN.CA Delivered-To: pfsense@DOMAIN.CA Received: by mailsever.DOMAIN.CA (Postfix, from userid 5001) id 71B469AC75; Tue, 29 Jun 2021 13:10:40 -0700 (PDT) Authentication-Results: mailsever.DOMAIN.CA; dkim=pass (1024-bit key; unprotected) header.d=zechstreets.com header.i=pfsense5041@zechstreets.com header.b="VgtYQVpk"; dkim-atps=neutral X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mailsever.DOMAIN.CA X-Spam-Level: **** X-Spam-Status: No, score=4.7 required=5.0 tests=BAYES_50,DATE_IN_FUTURE_06_12, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RDNS_NONE, SPF_HELO_NONE,SPF_PASS,T_KAM_HTML_FONT_INVALID,URIBL_ABUSE_SURBL autolearn=no autolearn_force=no version=3.4.2 Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=198.144.145.183; helo=mta0.zechstreets.com; envelope-from=pfsense5041@zechstreets.com; receiver=<UNKNOWN> Received: from mta0.zechstreets.com (unknown [198.144.145.183]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by mailsever.DOMAIN.CA (Postfix) with ESMTPS id 6877799F81 for <pfsense@DOMAIN.CA>; Tue, 29 Jun 2021 13:10:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; d=zechstreets.com; h=Message-ID:From:To:Subject:Date:MIME-Version:Content-Type; i=pfsense5041@zechstreets.com; bh=AaQrtjXVeCq0ayCHS51WeqhwKVk=; b=VgtYQVpklOVrI4x7o0uhIMGqn4QqPlMz10xq755+IDCO28gEPUYuVWt3EU7M7DhQMxnAoATa9zOH Y3tLQzXGWJWuMT2gF4BblN40favon4mJQqMmvFUf9po2Z/P6M3ggcfOXSKekq7kHXCBAXTyfOs3h wzlrbu1aSk7s427MH5U= Message-ID: <A6F1EF9ED0CFFA51C43D4A697B92B7C1@lpr> From: Ray Ban <pfsense5041@zechstreets.com> To: pfsense <pfsense@DOMAIN.CA> Subject: Ray Ban Sunglasses 2021 New Styles - Save up to 80% Off Date: Tue, 29 Jun 2021 20:10:04 -0800 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_001_143f1e62313290e9_=----" This is a multi-part message in MIME format. ------=_001_143f1e62313290e9_=---- Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 ICAgIC REMOVED ENCODE BECAUSE I DONT KNOW WHAT IT DOES ogDQo= ------=_001_143f1e62313290e9_=---- Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: base64 PCFET0NUWVB REMOVED ENCODE BECAUSE I DONT KNOW WHAT IT DOES w+DQo= ------=_001_143f1e62313290e9_=------
-
@ipfftw
nothing to do with pfsense or netgate,
the culprit is https://whois.domaintools.com/198.144.145.183
zechstreets.com -
@kiokoman said in is pfsense forums hacked?:
nothing to do with pfsense or netgate,
I guess @ipfftw was asking : how did "zechstreets.com" obtained my mail address "pfsense@DOMAIN.CA".
-
@gertjan
ahh now I understand...
without the real domain it's impossible to say -
Hi @ipfftw !
I do the same for most sites (with some exceptions)...
I do have a pfsense@MYDOMAIN for this site and it has not been spammed yet, let's hope it stays that way...
What was that email about, was it from a possible Netgate partner?
As for the comment you made about removing part of the email it was HTML encoded in base 64, you can use one of the online base 64 decoders to look at it but it should essentially be the body of the email you received.
As for how they got your email it does not necessarily mean this site or another Netgate related site was compromised, it could also be the mail server(s) involved in sending and receiving those emails (are you self hosting?) or the computer(s) you are writing/receiving those messages on...
Good luck and have a nice day!
Nick
-
no it was about sunglasses, you can see the subject of the mail. Nothing to do with netgate.
well post back if you get spammed too.
answer to your question its self hosted ubuntu with autoupdate on. And its just a catchall domain, so its not like i actually wrote "pfsense@domain.ca" anywhere on the mailserver. I mean sure its possible someone hacked my email, but unlikely, as this would be the least of my worries...
And they would spam with one of the real users on the host, not a fake alias that only is used for pfsense forums.
im not super worried about it, just wanted to see if anyone else had the same experience. i obviously use a random password on every site so no problem with that. And i haven't received any login attempts with it as shown by my daily logwatch...just strange.
-
@ipfftw Same here.. I use an email address for every forum I am on that is specific to them. Nothing here spam related on the pfSense email address as of this date.
-
So i just started receiving spam to my pfsense address as well.
I'm in the same boat as ipfftw, where i know that this address is used nowhere except pfsense related things.
Somewhere something has been leaked. -
@gruensfroeschli
two people could be random chance or something. Still i would be interested to see sanitized headers if you want to post them. see if there are any comonalities. Could be some kind of targeted spearphishing campaign. (because we are just that important... :P ) -
@ipfftw sure
Return-Path: <info123@geoattendance.com> Delivered-To: **********@may.nu Received: from mail.may.nu by mail.may.nu (Dovecot) with LMTP id r3d1F8ibCmEAdQAA7RFmPA for <**********@may.nu>; Wed, 04 Aug 2021 15:53:12 +0200 Received: from alpha.xprohosting.com (f012.fuchsia.servdiscount-customer.com [217.79.181.12]) by mail.may.nu (Postfix) with ESMTPS id 2909D17C036E for <**********@may.nu>; Wed, 4 Aug 2021 15:53:08 +0200 (CEST) Authentication-Results: mail.may.nu; dkim=pass (2048-bit key; unprotected) header.d=geoattendance.com header.i=@geoattendance.com header.b="SLa04DyS"; dkim-atps=neutral Received: from r22710 (unknown [40.77.63.56]) by alpha.xprohosting.com (Postfix) with ESMTPSA id 35CDB34CA593 for <**********@may.nu>; Wed, 4 Aug 2021 15:53:08 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=geoattendance.com; s=202009; t=1628085188; bh=FoCUUax9aL+R62ReUNyY9gsQPsuhHPLNyC8eXoKsv6A=; h=From:To:Date:Subject:From; b=SLa04DyS8KOLi8bqYBPLfvk7lqQzewCkc2vR8PsBV1z8F/8kyuZU+0Yo4xoBv7DIo z6hupnWk3i615wrSCDxqN2ShuokuVoxkcrTykOBgbk2/63jFfigsOZlgJ/Wv4hLX8D t9KWHfYjlLu9rUWRferINJWM4z36GwkbJP7P+ArWQWNQgoQVGj4V4bODK24G5/8+u5 CI9tgbFmhJhZJ6Due1P29b5Q+Bdoqt2tVU6quD3TqW4vHJkA0/l1slsvWoqUhFunvA MYcxOX+pEZMFrlEmVkqHlbfqD300Wmbt8vYCQRCJwk6dqN1Gy6FU1QPQ/1XV7ru20k BzlhVy1LoabwA== MIME-Version: 1.0 From: "app invoice" <info123@geoattendance.com> To: **********@may.nu Date: 4 Aug 2021 13:53:08 +0000 Subject: Premium package activated for **********@may.nu cloud account. Enjoy feaures and services. Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: base64 X-Spam-Status: No, score=1.7 required=4.5 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG, MIME_HTML_ONLY,MISSING_MID,SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.2 X-Spam-Level: * X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mail.may.nu
and
Return-Path: <office@d2turboparts.com> Delivered-To: **********@may.nu Received: from mail.may.nu by mail.may.nu (Dovecot) with LMTP id pt2cBSj7CmHZNAAA7RFmPA for <**********@may.nu>; Wed, 04 Aug 2021 22:40:08 +0200 Received: from vmi314772.contaboserver.net (autoq.ro [213.136.74.59]) by mail.may.nu (Postfix) with ESMTPS id 22FC217C036E for <**********@may.nu>; Wed, 4 Aug 2021 22:40:06 +0200 (CEST) Authentication-Results: mail.may.nu; dkim=pass (2048-bit key; unprotected) header.d=d2turboparts.com header.i=@d2turboparts.com header.b="daoofF1+"; dkim-atps=neutral DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=d2turboparts.com; s=default; h=Content-Transfer-Encoding:Content-Type: Subject:Date:To:From:MIME-Version:Sender:Reply-To:Message-ID:Cc:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=FoCUUax9aL+R62ReUNyY9gsQPsuhHPLNyC8eXoKsv6A=; b=daoofF1+w3pvvKfo+ERt1hAdqn rJ1oLc7KfAggISxUkG/zSwdy9V+PIJB4qCoy2W6BNYBBvfjStjQhsyQWnnhncAH8Ly8BOS3PIV5px 43gJ8funa4hhs35Y7Vs9PbDkrTqzHTbKi+n+SqI2/w7lfekHwDS1em4ixVJIFvyZs75YAw+BpZ7YF UcEz7kcE9o9jiCMm6b875UBpSTdZvr7mBs4rEOTzlbRR6YujxCDt+RS+FoehthUjAbG8wz4IG1kVn z+c9dF62yeqXE8s6gcLI7KtBDK7mnwtp0DQEm5Rv4hSvxqbZvmdMT9C3L/c3oqFdlYjNDBLcIn9F7 DQjShqpg==; Received: from [20.74.174.147] (port=51985 helo=r2074) by vmi314772.contaboserver.net with esmtpsa (TLS1) tls TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (Exim 4.94.2) (envelope-from <office@d2turboparts.com>) id 1mBL04-0008Eh-QJ for **********@may.nu; Wed, 04 Aug 2021 20:48:14 +0300 MIME-Version: 1.0 From: "app info" <office@d2turboparts.com> To: **********@may.nu Date: 4 Aug 2021 17:48:14 +0000 Subject: Order for **********@may.nu cloud account placed. Please confirm delivery and purchase. Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: base64 X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - vmi314772.contaboserver.net X-AntiAbuse: Original Domain - may.nu X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - d2turboparts.com X-Get-Message-Sender-Via: vmi314772.contaboserver.net: authenticated_id: office@d2turboparts.com X-Authenticated-Sender: vmi314772.contaboserver.net: office@d2turboparts.com X-Source: X-Source-Args: X-Source-Dir: X-Spam-Status: No, score=1.7 required=4.5 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG, MIME_HTML_ONLY,MISSING_MID,SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.2 X-Spam-Level: * X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mail.may.nu
-
This post is deleted! -
This post is deleted!