    Hacked ?

General pfSense Questions
14 Posts 6 Posters 2.3k Views
aniodon

Hello everyone.

We have a small test infrastructure, which was not really focused on security… ;)

We have a pfSense for this infra.
Yesterday, I saw a rule added by a foreign (Thailand) IP. It opened port 23 (telnet) on the WAN interface.

We had a NAT rule for 443 on our WAN to one of our servers (an RDS), so the GUI was (theoretically) not directly available.

We have nothing using telnet, so that's OK, but we're concerned about how this happened.

We see no login from a foreign IP; all logins (in the logs) are from our LANs.
There is nothing strange except this one rule (no NAT behind the rule).

What did he get access to (in pfSense)?
Was the GUI hacked?
Where would you look first?

We were on the latest public version.

Thanks

Edit: Just to mention, our password is quite strong... special characters, 12+ characters, caps, numbers...

KOM

@aniodon: Was the GUI hacked?

Very unlikely.

Edit that rule and scroll to the bottom of the rule page. What does it say under Rule Information?

aniodon

Hello KOM!

Sorry, but the first thing I did was delete that rule immediately…
I just took a screenshot of the rule before deleting it (see attachment).

Is there any way to find this information in some log?


(attachment: Capture.JPG)

ge-quiros

Me, I own a call center in the Dominican Republic, so I travel quite a lot. What I do is I have a VPS, and I whitelist that VPS IP address on all my servers, and from there I jump everywhere else.

Yesterday I ordered a Windows Remote Desktop machine, so I whitelisted that as well, and I use a firewall on the Windows machine, so hopefully there will be a low chance of me getting hacked or my main boxes getting hacked.

That's a suggestion… and as someone else noted, it is unlikely that pfSense got hacked, but nowadays telnet has been kind of deprecated. Next time it happens, first disable the rule, then check everything else.

jahonix

Go to Diagnostics: Backup/restore and view the Config History tab.

KOM

@aniodon: Sorry, but the first thing I did was delete that rule immediately…

In future, disable it instead of deleting it.

If you are a pfSense Gold subscriber and are using their AutoConfigBackup service, you could download a previous version of your config that includes this rule and then check it there.

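The three suggestions so far (look at the rule's Rule Information, compare revisions under Config History, or pull an older backup) all come down to the same check: pfSense records, for every filter rule, when it was saved and by which GUI session. The script below is an added example and not code from the thread or from pfSense itself. It takes two config.xml revisions of the kind Config History lets you download, diffs the filter rules by tracker ID, and prints the created-by user and GUI client IP for each added rule. Both config excerpts are constructed sample data; the element names mirror pfSense's config.xml, but the exact "user@client-ip (auth source)" text in created/username is assumed from what the GUI displays, and 203.0.113.45 and 192.168.1.10 are placeholder addresses.

```python
"""Added example: audit filter rules across two pfSense config.xml revisions."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample revisions (not real configs). Element layout follows
# pfSense's <filter><rule> structure; the created/username format is assumed.
OLD_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <filter>
    <rule>
      <tracker>1478000001</tracker>
      <type>pass</type>
      <interface>lan</interface>
      <source><network>lan</network></source>
      <destination><any></any></destination>
      <descr>Default allow LAN to any rule</descr>
      <created><time>1478000001</time><username>admin@192.168.1.10 (Local Database)</username></created>
    </rule>
  </filter>
</pfsense>
"""

NEW_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <filter>
    <rule>
      <tracker>1478000001</tracker>
      <type>pass</type>
      <interface>lan</interface>
      <source><network>lan</network></source>
      <destination><any></any></destination>
      <descr>Default allow LAN to any rule</descr>
      <created><time>1478000001</time><username>admin@192.168.1.10 (Local Database)</username></created>
    </rule>
    <rule>
      <tracker>1479900002</tracker>
      <type>pass</type>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source><address>203.0.113.45</address></source>
      <destination><any></any><port>23</port></destination>
      <descr>Easy Rule: Passed from Firewall Log View</descr>
      <created><time>1479903600</time><username>admin@192.168.1.10 (Local Database)</username></created>
    </rule>
  </filter>
</pfsense>
"""


def load_rules(xml_text):
    """Index filter rules by <tracker>, pfSense's stable per-rule identifier."""
    rules = {}
    for r in ET.fromstring(xml_text).findall("./filter/rule"):
        rules[r.findtext("tracker")] = {
            "type": r.findtext("type"),
            "interface": r.findtext("interface"),
            "protocol": r.findtext("protocol", "any"),
            # The rule's SOURCE is the remote host being allowed in; it says
            # nothing about who created the rule.
            "source": r.findtext("source/address") or r.findtext("source/network") or "any",
            "dst_port": r.findtext("destination/port", "any"),
            "descr": r.findtext("descr", ""),
            "created_by": r.findtext("created/username", "unknown"),
            "created_at": int(r.findtext("created/time", "0")),
        }
    return rules


def diff_rules(old_xml, new_xml):
    """Return (added, removed) rules between two revisions, keyed by tracker."""
    old, new = load_rules(old_xml), load_rules(new_xml)
    added = {t: new[t] for t in new.keys() - old.keys()}
    removed = {t: old[t] for t in old.keys() - new.keys()}
    return added, removed


def gui_session(rule):
    """Split 'user@client-ip (auth source)' into (user, client-ip): the GUI
    session that saved the rule, which is where to look for the culprit."""
    user, _, client_ip = rule["created_by"].split(" ", 1)[0].partition("@")
    return user, client_ip


def is_easy_rule(rule):
    """Rules made with the firewall-log easy rule button carry this description prefix."""
    return rule["descr"].startswith("Easy Rule")


def wan_pass_rules(rules):
    """Trackers of pass rules on WAN: the ones to review first after a scare like this."""
    return sorted(t for t, r in rules.items() if r["type"] == "pass" and r["interface"] == "wan")


def describe(tracker, rule):
    user, client_ip = gui_session(rule)
    when = datetime.fromtimestamp(rule["created_at"], timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    kind = "easy rule" if is_easy_rule(rule) else "manual rule"
    return (f"[{tracker}] {rule['type']} on {rule['interface']} {rule['protocol']} "
            f"from {rule['source']} to port {rule['dst_port']} ({kind}); "
            f"created {when} by user '{user}' from GUI client {client_ip}")


if __name__ == "__main__":
    added, removed = diff_rules(OLD_CONFIG, NEW_CONFIG)
    for t, r in added.items():
        print("ADDED  ", describe(t, r))
    for t, r in removed.items():
        print("REMOVED", describe(t, r))
```

On the sample data the added rule's source is the foreign address that was allowed in, while the created-by field points at a LAN client, which is the distinction johnpoz draws later in the thread: the rule's source tells you whom it permits, not who made it. Run against real revisions, the same two fields separate "an attacker in the GUI" (created by a session from an unexpected client IP) from "someone clicked the easy rule icon from the LAN".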
aniodon

Hello everyone!

@ge-quiros: we do not use telnet… we got hacked by someone trying to get access to telnet by opening telnet ports.
@KOM: you're absolutely right, I'll do this in the future... unfortunately I do not have a Gold subscription...
@jahonix: Thanks, I did not know this feature existed. But I do not find a cached copy old enough... I diffed newest/oldest; the rule is not there... ;(

johnpoz LAYER 8 Global Moderator

@aniodon: I saw a rule added by a foreign (Thailand) IP.

How exactly do you know it was added by this IP? So you saw that in the rule info at the bottom? But I thought you said you deleted it right away?

So how did they get access? Is your webGUI open to the public??

(attachment: sowhatdidthissay.png)

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

aniodon

Hello johnpoz,

I took a capture of the rule before deleting it; please see the attachment to my second post in this thread.
It's a spam Thailand IP.

I have a pfSense on a fourth infra, in the same config as the first hacked one, and this one too got a rule added, by a Chinese IP…

I have more detail here:
please see the attachment.

It seems that the rule is added by "Easy Rule"; the comment is the same as the classic Easy Rule pass.

Both firewalls are on SSL with no certificate (for now), and both have a NAT on 443 on WAN to another server (an RDS)... the GUI shouldn't have been exposed through WAN.

I just CANNOT believe our password has been hacked... it is (believe me) really complicated...!

(attachment: Capture.JPG)

doktornotor

Looks like you clicked the easyrule icon in the firewall logs view by mistake.

jahonix

@aniodon: Yesterday, I saw a rule …

@aniodon: … I do not find a cached copy old enough... I diffed newest/oldest; the rule is not there...

Yesterday it was there and today you can't find it in the cache anymore?
Tinfoil hat time?

Edit: give doktornotor a round of applause and calm down. You hacked yourself and your super-duper password is still safe.

aniodon

@jahonix: Yesterday it was there and today you can't find it in the cache anymore? Tinfoil hat time?

Thanks, but…
Yes jahonix, my last cached copy is 11/23/16 18:41:46...
and I deleted the rule before this time.

I got the exact same rule (telnet) on two different pfSenses, added by an "Easy Rule".
I can consider making a mistake once, but twice on a totally different environment...?

johnpoz LAYER 8 Global Moderator

@aniodon: I can consider making a mistake once, but twice on a totally different environment...?

You wouldn't believe the stupidity of the typical user.. Personally, no offense, but this clearly looks to be complete and utter PEBKAC all the way..

The rule will clearly state from what IP it was created.. You're just showing a rule you allowed from a source, not where the rule was created from.. So you clicked a firewall hit to add it as an easy rule.. So yeah, PEBKAC..


KOM

In your firewall log, do not click the button shown with the red arrow, or it will allow this IP and port on the interface it appeared on.

(attachment: EasyRule.png)

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.