Ransomeware infected machine



  • Hey all,
    Had part of our network go down, went to go hunt the issue down and found a ransomeware message running on what I "beleive" was a 2.4.3 box thats been running fine for a good few years. Other than some password changes admin settings were vanilla, from when it was orignally setup in ~2014. It did have some external ports open for a PBX but thankfully those are on fully segragated hardware.

    The drive would not boot after a restart, so swapped hardware and am reinstalling now.

    Anyone see this before?



  • No, and I've been here for about 5 years.

    What exactly leads you to believe there is ransomware on your pfSense? I don't remember ever hearing about any FreeBSD ransomware.



  • First thing I did when I couldn't get on the Web GUI was go to the physical machine in the racks. This is what was coming out of the VGA.

    20190604_0932010.jpg



  • Why does it say SLAX LOGIN at the bottom? Slax is a flavour of Linux.



  • I'm assuming that has something to do with whatever got installed on this box.
    This was a vanilla PFSense install from 2014 which has had nothing done to it other than upgrades and package installs from the default package manager.
    Alas I do not have a list of what has been installed on this box (which I know would probably be useful.



  • https://www.slax.org/

    If that box was truly running a version of pfsense Id have to believe that someone (probably a disgruntled employee) gained physical access to that box and plugged a USB stick into it and installed that little jewel.

    Otherwise- do you have your GUI and ssh ports open on your WAN?



  • What version of pfsense do you believe it had on it?



  • He said he thought it was 2.4.3.


  • Netgate Administrator

    If you have a backup of the config or had ACB configured recovering from that is not an issue.

    The problem is discovcering how that happened. I would physically examine the hardware. What is it actually booting from?

    Is that really the box you think it is? Was is running virtually maybe?

    Steve



  • @KOM said in Ransomeware infected machine:

    He said he thought it was 2.4.3.

    Missed that. I saw-

    running fine for a good few years. orignally setup in ~2014.



  • @stephenw10

    Thanks guys,
    Ya I'm pretty sure it was 2.4.3 and it was on physical metal with a physical SSD.

    Disgruntled employee is a "possibility" have some peeps running CCTV stuff now but our access control to this room is shitty so 50/50. Also if this one individual was trying to be an ass there's much more serious stuff they could have done.
    As for admin ports being open from other interfaces, there are/were 2 WANs and 2 LANs on this setup. One pair for regular traffic and one for PBX traffic. There was some concerns back in the day about having open ports for the PBX to work so a fully segmented network was setup but still had a single PFSense box (with 4x Ethernet ports).
    I'm not 100% sure if admin was possible through the 2nd LAN/WAN (trying to sort out how to restrict access on the new install now actually).


  • LAYER 8 Rebel Alliance

    Can you post your config.xml Backup here so we can check for Config (Security) mistakes?

    -Rico



  • Is this going to be another one of those posts where we talk among ourselves for hours without ever seeing any evidence that pfSense has anything to do with this?



  • @Rico
    Would love too but don't have any from this install.
    For reference to the uninitiated access to the admin section is all done via firewall rules right?


  • LAYER 8 Rebel Alliance

    Yes, to access the WebGUI or SSH from WAN side would require manual adding of Firewall Rules.

    -Rico


  • LAYER 8 Rebel Alliance

    What happens if your try to login with User root and Password toor at the slax login prompt?
    I'd also try to boot some rescue disk and check what is really going on the filesystem. Some ransomware is not even encrypting anything, just telling so.

    -Rico


  • LAYER 8 Netgate

    Even with full remote root ssh/webgui access I struggle to come up with a procedure where such a result would be possible without physical/console access.

    Is there IPMI? Is that accessible? Is that secured?



  • 19 hours later, still nothing...


  • LAYER 8 Global Moderator

    Slax login? So this pfsense was running on VM?



  • I suspect this entire post is bogus:

    • this is his first forum post ever
    • he accuses pfSense of being vulnerable to ransomware attack despite no history whatsoever of this happening on FreeBSD
    • the provided evidence is non-existent, confusing or irrelevant
    • requests for follow-up information go unanswered

    If this is as he claims, you would think he would be a little more proactive about reading replies and providing information. Instead, we all seem to care a lot more about his problem than he does.

    However, he can feel free to prove me wrong by actually answering questions or providing more detail.


  • Netgate Administrator

    I think you're reading that into it. He didn't accuse pfSense of anything, he just asked if anyone had seen that before. That seems like a reasonable question given what he was seeing.

    Steve


  • LAYER 8 Global Moderator

    Yeah I think it very well could be a legit question... But I understand KOMs frustration with such a question with no follow up at all..



  • I think you're reading that into it. He didn't accuse pfSense of anything

    'suspects' would have been a better choice of word.

    That seems like a reasonable question given what he was seeing.

    Slax Linux? Is this guy just trolling? None of this makes any sense.



  • Hey all,
    Sorry for the delayed followup.

    For some additional background and rumor control. This is 100% legit (said every troll ever). I have been using PFSense very happily for years and have no doubts or concerns to it being insecure. Whatever this was (and I have a bit of a theory) it was most certainly 100% user error.

    This was NOT a VM install, this machine is running on bare metal on a 1U supermicro box with a SATA SSD.
    The drive had undergone some sort of formatting as it was not immediately mountable however I did not dig deep on what it was running (it was a work day and I had staff sitting on their thumbs). I debated rolling out a new drive and keeping the old to send to (someone?) once I ran into the problem yesterday but we didn't have any suitable drives in inventory + have deadlines to meet so I elected to just reformat the drive (knowing full well I was going to take flak for it.)

    Now to some updates:
    As previously mentioned we have 2 LANs and 2 WANs here. One LAN/WAN pair is for general internet and the second is for PBX/Telco.
    The PBX was running Asterisk with some exposed ports. The Pf sense admin panel was accessible from the PBX LAN.
    The PBX was running an old install, and appears to have been compromised (and is now also being rebuilt)
    Not 100% sure if the PBX was the point of entry or not but everything is now being hardened substantially as a result of this.


  • LAYER 8 Global Moderator

    So your saying someone compromised your pfsense box and put slax linux on it? From your internal pbx lan.. Via the web gui?


  • LAYER 8 Netgate

    @Derelict said in Ransomeware infected machine:

    Even with full remote root ssh/webgui access I struggle to come up with a procedure where such a result would be possible without physical/console access.
    Is there IPMI? Is that accessible? Is that secured?

    ???


  • LAYER 8 Global Moderator

    @YYJWalking said in Ransomeware infected machine:

    1U supermicro box

    Which specific hardware - IPMI would be by my guess to something like this happening.



  • @johnpoz

    Well I'm not certain that the PBX controller was the entry point, just that it was also impacted. Would it even be possible to infect a machine from the WebGui? Maybe get the box to install a bogus manual package which runs a payload?

    The box DOES hsve IPMI (https://www.supermicro.com/products/system/1U/5015/SYS-5015A-EHF-D525.cfm) but I hadn't checked to see if it had been left open or not (will do so tomrrow and report back.)

    So just out of curriosity not a lot of other people have encountered this before is that correct?


  • LAYER 8 Netgate

    Literally nobody.



  • Well that's joyus!!


  • LAYER 8 Netgate

    Well, that's to be expected when you are on a pfSense forum asking about something that is, in all likelihood, not a pfSense problem.


  • LAYER 8 Global Moderator

    JungleSec is well known ransomware that installed via ipmi.. Sure there are others..

    There is tons of info and warnings about supermicro bmc firmware (IPMI) that should of been updated long time ago, etc. etc. If your saying this box is from 2014.. That stuff was prob never updated, etc.



  • @YYJWalking Thank you for coming back and proving me wrong! 😃

    It is unfortunate that this happened to you, and while you will likely never really know for sure how this infection happened, you did get some good advice about possible entry points and remedies.


  • LAYER 8 Global Moderator

    Yeah anyone coming here should take the time to validate that their IPMI is not exposed to the public, and make sure the BMC firmware is current, etc..

    Also good time to make sure that vlans that do not need access to web gui or ssh, do not have access!!


  • LAYER 8 Rebel Alliance

    Very lucky if the PBX and pfSense box is the only compromised stuff.
    Could be a lot worse...

    -Rico



  • @YYJWalking If these 2 machines (pfsense and PBX) were the only ones compromised, I agree with @Rico. Could be worse...

    Having said that, depending on how long they were like this, it might be time to do a security audit on your network/machines there.

    Jeff



  • Perhaps this is how he became exposed?

    https://www.reddit.com/r/homelab/comments/6vord0/rookie_mistake_exposed_supermicro_ipmi_to_the/

    I don't use a supermicro board for my pfsense setup but I do use one for another box on my network and had this issue. I'm not using IPMI and didn't have any spare ports on my switch so I had to pull out and old switch and connect it to the IPMI port on the board connecting nothing else to the switch just so the IPMI software would detect the connection and not failover to one of the other ports on the board.


  • Netgate Administrator

    You can disable that in the BIOS rather than having to connect the port.

    Steve


  • LAYER 8 Global Moderator

    @mhertzfeld said in Ransomeware infected machine:

    not failover to one of the other ports on the board.

    It can failover to another port for IPMI? That doesn't seem like all that smart of an idea from a security point of view ;)


Log in to reply