    is someone hacking my OpenVPN? is my pfSense compromised?

    • S
      sceptre357
      last edited by sceptre357

      This post is deleted!
      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by johnpoz

        Oh you didn't know there are secret hidden accounts that the North Koreans use to vpn into your setup and steal all your secrets.. <rolleyes>

        And they pay netgate a $1 for every box that installs pfsense..

        Dude really??? But if you want to look at what accounts there are, just do a cat on the passwd file

        cat /etc/passwd

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 0
        • S
          sceptre357
          last edited by sceptre357

          You lost me, I don't understand the reason for your sarcasm. I have seen pfSense have configurations that don't appear in the GUI on more than one occasion. Is there a way to check for an account someone might have created?

          1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by johnpoz

            I just showed you how to look for all accounts

            cat /etc/passwd

            Yeah there are some firewall rules that are hidden, because if they weren't idiot users would delete them and then wonder why shit didn't work ;) Secret accounts dude - really??? Who would have created these secret accounts, and they named it loot? That is a horrible secret account name.

            1 Reply Last reply Reply Quote 0
            • S
              sceptre357
              last edited by sceptre357

              No, this user isn't listed in that file. Any reason why a user could connect? Maybe some kind of exploit? All I can tell you is what I see and also what's in the logs, and I know all the users on our system and can easily check what exists. What else can I say?

              1 Reply Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by johnpoz

                Yeah there is an exploit that allows any account called loot to log in without a cert to openvpn.

                Are you running openvpn that just allows username password?? So now a user can just log in where there is no account on your system with that username?

                1 Reply Last reply Reply Quote 0
                • S
                  sceptre357
                  last edited by sceptre357

                  This post is deleted!
                  1 Reply Last reply Reply Quote 0
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator
                    last edited by

                    Where are the rest of your logs?

                    That is not a full login.. What IP was given to the account... If you're using certs for your auth, then that would be the cert name you created... I.e. for example my phone cert is called iphone.. So when it logs in - that is what is logged.

                    Bump your logging up...

                    1 Reply Last reply Reply Quote 0
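
The check described in the post above (which certificate name connected, from which address, and which tunnel IP it was given), sketched as an added example that is not part of the original thread. The log lines are constructed in the usual OpenVPN server log format, and `summarize_sessions`, `unexpected_names` and the expected-name set are hypothetical helpers.

```python
import re

# Constructed sample of OpenVPN server log lines (not taken from the thread).
SAMPLE_LOG = """\
Jan 10 09:14:02 fw openvpn[4321]: 203.0.113.7:51820 [iphone] Peer Connection Initiated with [AF_INET]203.0.113.7:51820
Jan 10 09:14:02 fw openvpn[4321]: iphone/203.0.113.7:51820 MULTI_sva: pool returned IPv4=10.0.8.2, IPv6=(Not enabled)
Jan 10 11:40:15 fw openvpn[4321]: 198.51.100.23:40112 [loot] Peer Connection Initiated with [AF_INET]198.51.100.23:40112
Jan 10 11:41:15 fw openvpn[4321]: 192.0.2.50:33001 TLS Error: TLS handshake failed
"""

# "<ip>:<port> [<name>] Peer Connection Initiated ..." (IPv4 peers only here)
PEER_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+):(\d+) \[([^\]]+)\] Peer Connection Initiated")
# "<name>/<ip>:<port> MULTI_sva: pool returned IPv4=<tunnel ip>"
POOL_RE = re.compile(
    r"(\S+)/(\d+\.\d+\.\d+\.\d+):(\d+) MULTI_sva: pool returned IPv4=([\d.]+)")


def summarize_sessions(log_text, expected_names):
    """Return one record per connection: logged name, source, tunnel IP."""
    sessions = {}  # keyed by (name, source ip, source port)
    for line in log_text.splitlines():
        m = PEER_RE.search(line)
        if m:
            ip, port, name = m.groups()
            sessions[(name, ip, port)] = {
                "name": name,                # certificate name as logged
                "source": f"{ip}:{port}",    # public address of the client
                "vpn_ip": None,              # filled in if a pool IP was handed out
                "expected": name in expected_names,
            }
            continue
        m = POOL_RE.search(line)
        if m:
            name, ip, port, vpn_ip = m.groups()
            if (name, ip, port) in sessions:
                sessions[(name, ip, port)]["vpn_ip"] = vpn_ip
    return list(sessions.values())


def unexpected_names(sessions):
    """Names seen in the log that are not certificates you issued."""
    return sorted({s["name"] for s in sessions if not s["expected"]})


if __name__ == "__main__":
    for s in summarize_sessions(SAMPLE_LOG, {"iphone"}):
        print(s)
```

A record with `vpn_ip` still `None` means the log shows a TLS peer but no tunnel address assignment, which is the gap the "rest of your logs" question is about.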
                    • GertjanG
                      Gertjan
                      last edited by

                      Nearly all traffic is https these days. This implies that the 'router' - all routers - on the data path can not 'see' the traffic payload.
                      pfSense can not snip out parts and bits.
                      pfSense sees source and destination IP, ports, some packet flags, a packet size and number, and scrambled data. That's it.

                      You could have added your own initial advice ; re install Windows ^^

                      Btw : routers can get hacked, of course. Not because the hacker wants to see what the users on the router's LAN(s) are doing. They have other interests.

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

                      1 Reply Last reply Reply Quote 0
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.