• Hello guys.

    One of the pfSenses that I've installed on a client was hacked and somekind of Ransomware was installed.

    The /etc/motd was changed but nothing else appears to be done on the system. This is the content of the /etc/motd file:

    cat /etc/motd 
    Hi, please view here: http://pastebin.com/raw/vadfLyDS for information on how to obtain your files!

    The site was running 2.2.2-RELEASE and I don't know from where the Ransomware has come, but it's confirmed.

    Some googling indicated something about compromised Redis Servers: http://www.bleepingcomputer.com/news/security/hacked-redis-servers-being-used-to-install-the-fairware-ransomware-attack/

    Anyway, just warning the community about the issue. I'm not sure if here is the proper place to report it, but I'm doing here anyway. If someone has some infos and recommendations I would be thankful.


    PS: I'm reinstalling the Firewall with 2.3.2-RELEASE :-\

  • Running an old and unsupported version despite of the numerous warnings is always a very bad idea.

  • Moderator

    By any chance did you run Samba on this box?

  • I would very much like to know the entire list of packages installed on the box. Also, what if any access from the WAN was allowed.

  • Hmmm,  You're able to access 'cat' and '/etc/motd'.  What is being held for ransom?

  • LAYER 8 Global Moderator

    Well according to that its a scam ransomware and nothing is encrypted, just deleted..  Yeah if you leave your ssh open to the public and or webgui and just have basic passwords as security sure I could bruteforce in and then do whatever..

    Let me guess a remote site when you say customer, so ssh open - not even locked down to public key auth only?  Or worse yet web gui open to the public, etc.

    Your warning is good advice on why you don't leave access to your stuff open to the public internet ;)  No matter how easy you think it makes it for you to admin..

  • Rebel Alliance Developer Netgate

    When you rebuild it, be sure to close whatever hole was left open that allowed them in. Whether it was wide-open ssh/GUI access, accounts with weak passwords, or other common security fumbles.

    Without more info it's impossible to say what might have happened, but either an add-on package with weak security or accounts with default or weak passwords exposed to attackers would be safe bets. The attacker could be on the local network if someone local was infected, but a default or weak password would still have exposed the firewall to it.

    So make sure to not only close off access to ports on the firewall from WAN (which are closed by default) but also from local interfaces except for approved management hosts/networks. Make sure not to leave any account passwords at their default – especially root/admin. And if you had anything like samba or other packages that were not from pfSense originally installed on the firewall, don't put those back.

  • Hello on the theme of ransomware variants can be locky or zepto, this eliminates the information but before makes an encrypted copy the user data; I have seen this in many of my clients but esteos attacks were made by email when a spammer sends in the mail a URL or attachment javascript theme, executed see ua connection that directs you to a tor server and which opens download ransomware, encryption keys can be RSA or AES; that is where the hacker leaves a part of the key to decipher and ask for a payment to give the other party, which is a trick for theft, the technique only is prevention because so far antiviral engines are not ransomeware detecting these variants, there are some herraientas recovery but only for older versions.

  • Gotta love this guy.  Shows up, claims his pfSense box got own by ransomware, and then disappears into thin air.

  • @KOM:

    Gotta love this guy.  Shows up, claims his pfSense box got own by ransomware, and then disappears into thin air.

    Possibly embarrassed that the ssh password was "password"

  • LAYER 8 Global Moderator

    Maybe he just on vac?

  • Another ransomware - http://soft2secure.com/knowledgebase/odin-file-virus
    Most ransomware come with email attachments and rogue links - do not click anything suspecious

  • BritneySpears_Naked.exe!!! OMG! I must click the email attachment!

  • Rebel Alliance Developer Netgate


    BritneySpears_Naked.exe!!! OMG! I must click the email attachment!

    While also opening the Anna Kournikova equivalent, for good measure.

  • I think that the main cause of ransomware infection is between LCD and chair  ;D
    As I know the only way to decrypt locked files including this new Odin (http://myspybot.com/odin-virus/) is to use shadow copies extract tools like ShadowExplorer (http://www.shadowexplorer.com/downloads.html) or similar.
    But the best option is to have backups of all your important data in separate hard drive/usb drive/cloud.

  • But the best option is to have backups of all your important data in separate hard drive/usb drive/cloud.

    This has been the best advice for a plethora of computer issues going back 35+ years, but it still seems like everyone has to learn it the hard way.

  • Rebel Alliance Developer Netgate

    And another offline copy in a locked safe off-site.

  • All of this being said, and obviously I do share  ;), there is something to be noticed: with default set-up, meaning not access allowed from outside, pfSense doesn't offer, as far as I understand, anything against brute force attack from the LAN.

    Sure one can set-up FW rules to limit this, build VLAN, use strong admin password but if one device on the LAN side get infected by piece of code executing brute force attack against your default gateway, how do you notice and prevent it?

    From WAN, this is quite simple… and furthermore covered by default set-up
    From LAN, this is another story and perhaps some mechanism "a la fail2ban" may help on the internal side.

  • Rebel Alliance Developer Netgate

    We already have it. 15 denied logins via GUI or SSH gets your IP banned for an hour, even local.

  • Cool, this is what I didn't know. Excellent, thank you.
    and most likely enough to fight brute force if your admin paswword is not "password" or "admin"  ;D ;D ;D