Had my pfSense been compromised?

akuma1x

Nothing is coming in on WAN2, you have no pass rules there.

What have you defined for that "Desktop" alias you've got in your Source column on the Floating Rules tab?

Jeff

bchan

@akuma1x
Desktop contains list of desktop computers:
Screenshot_2019-10-11 asus kleaders - Firewall Aliases Edit.png

For sure it does not have the offending 103.240.140.10 in my first post.

johnpoz

And what is that rule - just look it up via
https://docs.netgate.com/pfsense/en/latest/firewall/viewing-the-full-pf-ruleset.html

pfctl -vvsr

Will show you rule ID numbers so you can match up rules with what your seeing.. Unless the rule has been deleted.. You can look in your config change history.

bchan

I have gathered additional info on the port numbers:

These ports seem to be related to hostname, nameserver, smtp.

JeGr

@bchan said in Had my pfSense been compromised?:

For sure it does not have the offending 103.240.140.10 in my first post.

Yes but it has your local FQDN. You sure that resolves correctly and not to some strange web IP? I'd never use local hostnames in Aliases.

bchan

@johnpoz
Nothing logged around that time (05:29):
Screenshot_2019-10-11 asus kleaders - Diagnostics Backup Restore Config History.png

johnpoz

look in your full rule set for what that ID number matches up with.

bchan

@JeGr

whois 103.240.140.10
inetnum: 103.240.140.1 - 103.240.142.255
netname: CTCL-HK
descr: ClearDDoS Technologies
country: HK

It sounds like a web security company.

JeGr

I'm talking about your alias. Not the IP.

bchan

@JeGr

I have checked the table values for this alias and they all resolve correctly to 192.168.x.x

JeGr

@bchan said in Had my pfSense been compromised?:

all resolve correctly to 192.168.x.x

LAPTOP-1CGD66U4 resolves to 192.168.x.x? Even on pfsense itself? Its resolvers?

bchan

@JeGr
Screenshot_2019-10-11 asus kleaders - Diagnostics Tables.png

bchan

@johnpoz said in Had my pfSense been compromised?:

pfctl -vvsr

pfctl -vvsr | grep 4294967295
return nothing.

johnpoz

Then the rule was deleted, make sure your grep is working by using a ID in your command that you see when just looking at the output.

Are you currently seeing logs for this?

bchan

@johnpoz said in Had my pfSense been compromised?:

Then the rule was deleted, make sure your grep is working by using a ID in your command that you see when just looking at the output.

Are you currently seeing logs for this?

grep works for other id e.g. the teamviewer logger.
I have 2 WANs for months. This incident was the first time I saw incoming traffic to WAN2 and were logged.
As you can see from my rules, I don't have anything that will log incoming traffic for WAN2.

jimp

Do you have UPnP enabled? Do you have it set to use WAN2, and to log connections?

That's the most likely explanation.

johnpoz

That would be my guess as well... You might be able to glean a bit more info by looking at the raw log in output.

jimp

When I manually trigger something like that (for example, open Deluge, go into settings, and trigger a port test), I get a similar log message with a random-ish ID.

Since the UPnP rules don't have a description, and have random IDs, and are probably short-lived, they wouldn't have a visible description in the logs even if you caught them when they were active.

bchan

@jimp said in Had my pfSense been compromised?:

Do you have UPnP enabled?

No I have not enabled UPnP.

johnpoz

That doesn't actually mean its not running - that is a wiget that can be edited to not show specific services.