Hacked ?



  • Hello everyone.

    We have a small test infrastructure, which was not really focused on safety… ;)

    we have a pfsense for this infra.
    yesterday, I saw a rule added by a foreign (thailand) ip. It opened the 23 telnet port on the wan interface.

    we had a nat rule for 443 on our wan to one of our server (a RDS), so the gui was (theorically) not directly available.

    We have nothing with telnet so it's ok, but we're concerned about how did this happened.

    we see no login from foreign ip, all logs are from our lans (in logs)
    there is nothing strange except this only rule (no nat behind the rule)

    what did he get acces to (in pfsense ? ) ?
    Was the gui got hacked ?
    Where would you look first ?

    we were on the latest public version

    Thanks

    Edit : Just to mention, our password is quite strong... special car, 12+ car, caps, numbers...



  • Was the gui got hacked ?

    Very unlikely.

    Edit that rule and scroll to the bottom of the rule.  What does it say for Rule Information?



  • Hello Kom !

    Sorry but the first thing i did was to delete that rule immediately…
    i just did a screenshot of the rule before deleting (cf attachement)

    is there any way to find this information in some log?

    Edit : Just to mention, our password is quite strong... special car, 12+ car, caps, numbers...




  • Me, i own a call center in Dominican Republic, so, i travel quite much, what i do, is i have a VPS, and i whitelist that VPS ip address on all my servers and from there, i jump everywhere else..

    Yesterday, i order a Windows Remote Desktop machine, so, i whitelist that as well, use a firewall on my windows and hopefully, it will have low chances for me to get hacked or my main boxes to get hacked

    That's a suggestion… and like someone else noted, it is unlikely that pfSense got hacked, but nowadays telnet has been kinda deprecated, next time it happens, first, disable the rule, then check everything else



  • Go to  Diagnostics: Backup/restore  and view the  Config History  tab.



  • Sorry but the first thing i did was to delete that rule immediately…

    In future, disable it instead of deleting it.

    If you are a pfSense Gold subscriber and are using their AutoConfigBackup service, you could download a previous version of your config that includes this rule and then check it there.



  • hello everyone !

    @ge-quiros : we do not use telnet… we got hacked by someone trying to get access to telnet by opening telnet ports.
    @KOM : you're absolutely right, i'll do this in the future... unfortunately I do not have a gold subscription...
    @Jahonix : Thanks i did not know this feature existed. But i do not find a cache old enough ... i diffed newer/oldest, the rule is not there... ;(


  • Rebel Alliance Global Moderator

    " I saw a rule added by a foreign (thailand) ip."

    How exactly do you know it was added by this IP?  So you saw that in the rule info at the bottom?  But thought you said you deleted it right away?

    So how did they get access?  Your webgui is open to the public??




  • Hello Johnpoz

    I did a capture of the rule before deleting it, please see the attachement of my second post in this thread.
    it's a spam thailand IP

    I have a pfsense on a fourth infra, in the same config than the first hacked, and this one too got a rule added too, by a chinese ip…

    I have more detail in here :
    please see the attachement.

    It seems that the rule is added by "Easy rule", the comment is the same as the classic easy pass.

    Both firewall are on ssl with no certificate (for now), and both have a nat on 443 on wan to another server (a RDS)... the gui should'nt have been exposed through wan

    i just CANNOT believe our password has been hacked... it is (believe me) really complicated... !



  • Banned

    Looks like you clicked the easyrule icon in firewall logs view by mistake.



  • @aniodon:

    yesterday, I saw a rule …

    @aniodon:

    … i do not find a cache old enough ... i diffed newer/oldest, the rule is not there...

    Yesterday it was there and today you can't find it in the cache anymore?
    Tinfoil hat time?

    Edit: give doktornotor a round of applause and calm down. You hacked yourself and your super-duper-pdw is still safe.



  • @jahonix:

    @aniodon:

    yesterday, I saw a rule …

    @aniodon:

    … i do not find a cache old enough ... i diffed newer/oldest, the rule is not there...

    Yesterday it was there and today you can't find it in the cache anymore?
    Tinfoil hat time?

    Edit: give doktornotor a round of applause and calm down. You hacked yourself and your super-duper-pdw is still safe.

    Thanks but…
    Yes Jahonix, my last cache is 11/23/16 18h41:46... 
    and i deleted the rule before this time.

    I got the exact same rule (telnet) on two different pfsense added by a 'easy rule'
    I can consider making a mistake once, but twice on a totally different environment  ... ?


  • Rebel Alliance Global Moderator

    "I can consider making a mistake once, but twice on a totally different environment  … ? "

    You wouldn't believe the stupidity of the typical user.. Personally no offense - but this clearly looks to be complete and utter PEBKAC all the way..

    The rule will clearly stated from what IP is was created from..  Your just showing a rule you allowed from a source.  Not where the rule was created from.. So you clicked firewall hit to add it as a easy rule.. So yeah PEBKAC..



  • In your Firewall log, do not click the button shown with the red arrow or it will allow this IP and port on the interface it appeared.