Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Possible Pfsense get Hacked by ISP

    Scheduled Pinned Locked Moved General pfSense Questions
    28 Posts 6 Posters 3.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      Peter_APIIT
      last edited by Peter_APIIT

      Dear All,
      I suspect my home network is hacked by ISP although I have pfsense firewall configured, Snort packages install with legacy mode blocking with community, subscribe oinkcode rules. I had arpwatch installed and no sshd enabled.
      The LAN computer is Fedora, ubuntu, GhostBSd and MS Window laptop. All deny incoming connection by default.

      Does Snort legacy mode blocking is not safe enough and need inline mode blocking is far more better?

      Proof of suspicious:
      My browser tab get refresh automatically even I did not instruct to do so. Hence, I suspect i get hacked.

      I have Kali linux installed onto my laptop. Please teach me how to penetrate testing my home network safetly level.

      Open port from Fedora machine:
      Screenshot from 2022-04-27 08-32-45.png

      Any steps to further harden the open port connection?

      Sorry if the topic is childish. Really appreciate your help. Thanks.

      johnpozJ M 2 Replies Last reply Reply Quote 1
      • johnpozJ
        johnpoz LAYER 8 Global Moderator @Peter_APIIT
        last edited by

        @peter_apiit said in Possible Pfsense get Hacked by ISP:

        My browser tab get refresh automatically even I did not instruct to do so. Hence, I suspect i get hacked.

        huh?? That makes no sense.. You understand there is a simple meta tag the site could set that refreshes the page right

        https://en.wikipedia.org/wiki/Meta_refresh

        Those are ports that are listening, etc.. I see no actual connections to anything there.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        P 1 Reply Last reply Reply Quote 2
        • M
          michmoor LAYER 8 Rebel Alliance @Peter_APIIT
          last edited by

          @peter_apiit what?

          Firewall: NetGate,Palo Alto-VM,Juniper SRX
          Routing: Juniper, Arista, Cisco
          Switching: Juniper, Arista, Cisco
          Wireless: Unifi, Aruba IAP
          JNCIP,CCNP Enterprise

          1 Reply Last reply Reply Quote 0
          • P
            Peter_APIIT @johnpoz
            last edited by

            @johnpoz said in Possible Pfsense get Hacked by ISP:

            @peter_apiit said in Possible Pfsense get Hacked by ISP:

            My browser tab get refresh automatically even I did not instruct to do so. Hence, I suspect i get hacked.

            huh?? That makes no sense.. You understand there is a simple meta tag the site could set that refreshes the page right

            https://en.wikipedia.org/wiki/Meta_refresh

            Those are ports that are listening, etc.. I see no actual connections to anything there.

            First of all, thanks for your detail explanation.

            P 1 Reply Last reply Reply Quote 0
            • P
              Peter_APIIT @Peter_APIIT
              last edited by Peter_APIIT

              Dear All, I turn the network on and go out for lunch and set the auto dim screen 1 minutes but it doesn;t turn off monitor. It seems suspicious.

              Anything prevent it from auto dim since no one is using the Fedora GUI?

              johnpozJ GertjanG 2 Replies Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator @Peter_APIIT
                last edited by

                @peter_apiit said in Possible Pfsense get Hacked by ISP:

                dim screen 1 minutes but it doesn;t turn off monitor. It seems suspicious.

                I would suggest you read up on why that function might not work vs thinking you been hacked..

                Maybe its time to lay off the paranoid inducing recreational substances ;)

                https://thegeekpage.com/screen-wont-turn-off/

                If you look about there are many a thread all over the net with sim issues about screen savers not kicking in, monitors not turning off, etc..

                https://ask.fedoraproject.org/t/monitor-does-not-turn-off-after-idle-on-gnome-wayland/4425

                What is more likely - something not working in that process, or the guys in black helicopters hacked you machine.. And btw they are also too stupid to let the screen dim while they are hacking ;)

                Maybe your watching too many hacker tv shows/movies ;)

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                1 Reply Last reply Reply Quote 3
                • GertjanG
                  Gertjan @Peter_APIIT
                  last edited by

                  @peter_apiit said in Possible Pfsense get Hacked by ISP:

                  Anything prevent it from auto dim since no one is using the Fedora GUI?

                  Fedora is open source, so it's behaviour is well documented, and a lot of help is available. Although not here, as this forum is pfSense related.

                  All you need to know :
                  How does an OS decide if sleep mode has to be activated.
                  This will bring you to the " what does an OS need so the sleep mode isn't activated ".
                  And that will bring you to the process that keeps the system 'awake'.

                  @peter_apiit said in Possible Pfsense get Hacked by ISP:

                  Possible Pfsense get Hacked by ISP

                  pfSense is as any other router firewall out there.
                  The moment you install it, nothing comes in through the WAN interface.
                  Then the "admin" starts modifying settings, add packages, etc. Now things can go down hill fast. It's rare, but it can happen.

                  The next step is a no-brainer : the admin becomes an admin. The "slap front head" moment starts kicking in a lot. It's called leaning.
                  At this moment, the road continues with a T split :
                  Left : No one is actually tracing you **.
                  Right : The ISP is actually replaced by all the 3 letter agencies. Say goodbye to your civil rights, or stop doing what you are doing, fast.

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit : and where are the logs ??

                  1 Reply Last reply Reply Quote 0
                  • stephenw10S
                    stephenw10 Netgate Administrator
                    last edited by

                    As easy test to prove network activity is keeping the machine awake is just to unplug it from the network and wait. Though if it is network activity it's probably completely legit anyway.

                    Steve

                    P 1 Reply Last reply Reply Quote 1
                    • P
                      Peter_APIIT @stephenw10
                      last edited by Peter_APIIT

                      @stephenw10 I don't get what u mean. My TV Box run on WIFI network suddenly will go back few times on google play store. I did not press anything.

                      Is it possible to hack through snmp or others routing protocol by ISP?? I not a network expert so please forgive me asking stupid question.

                      stephenw10S 1 Reply Last reply Reply Quote 0
                      • stephenw10S
                        stephenw10 Netgate Administrator @Peter_APIIT
                        last edited by

                        @peter_apiit said in Possible Pfsense get Hacked by ISP:

                        Is it possible to hack through snmp or others routing protocol by ISP?

                        No, not as far as I know. There is certainly no known vulnerabilities in pfSense for that.

                        @peter_apiit said in Possible Pfsense get Hacked by ISP:

                        My TV Box run on WIFI

                        How is that connected? Through pfSense? If it's connected directly to an ISP router that traffic probably doesn't go through pfSense and there's nothing we can do about it anyway. Your ISP probably does have some visibility into IPTV devices if they provided them.

                        Steve

                        P 1 Reply Last reply Reply Quote 0
                        • P
                          Peter_APIIT @stephenw10
                          last edited by

                          @stephenw10 said in Possible Pfsense get Hacked by ISP:

                          @peter_apiit said in Possible Pfsense get Hacked by ISP:

                          Is it possible to hack through snmp or others routing protocol by ISP?

                          No, not as far as I know. There is certainly no known vulnerabilities in pfSense for that.

                          @peter_apiit said in Possible Pfsense get Hacked by ISP:

                          My TV Box run on WIFI

                          How is that connected? Through pfSense? If it's connected directly to an ISP router that traffic probably doesn't go through pfSense and there's nothing we can do about it anyway. Your ISP probably does have some visibility into IPTV devices if they provided them.

                          Steve

                          The TV BOX connected via pfsense router.

                          1 Reply Last reply Reply Quote 0
                          • stephenw10S
                            stephenw10 Netgate Administrator
                            last edited by

                            So it's like an Android TV device or similar?

                            Your ISP is not going to 'hack' that. At worst I would think they may choose to block something it's trying to do. That's not going to present as Google play store going back a few times though. Sounds more like a sticky button on the remote.

                            Steve

                            johnpozJ P 2 Replies Last reply Reply Quote 0
                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator @stephenw10
                              last edited by johnpoz

                              @stephenw10 said in Possible Pfsense get Hacked by ISP:

                              Sounds more like a sticky button on the remote.

                              Or the app crashed and default back to like a "home" screen. Or the dog laid on the remote on the couch. Or the voice activation glitched when it "heard" something.

                              Or someone in another room did something on a remote that controls both, or can - or they were on the wrong device when they hit a button on the say like the roku app on their phone.. I can control any of my roku's from my phone - but have to select which one, etc.

                              There are like a billion things I could think of on why something like that happened - before I thought oh my gosh my isp is hacking me ;) Tracking you sure - the device itself is likely sending everything you do back up to the mother ship, what shows you watched, did swap channels when a commercial came on, etc.

                              My roku tv sometimes just shuts off on its own - maybe my isp is hacking me?? ;) There are hundred of threads about it happening, and things to try and get it to stop, etc. But maybe its just the ISP hacking away on them ;)

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.8, 24.11

                              1 Reply Last reply Reply Quote 1
                              • P
                                Peter_APIIT @stephenw10
                                last edited by

                                @stephenw10 Yes, It is a 3 party Android TV box connected to pfsense WIFI.

                                1 Reply Last reply Reply Quote 0
                                • stephenw10S
                                  stephenw10 Netgate Administrator
                                  last edited by

                                  Yeah almost certainly not the result of hacking. Far more likely to be a software glitch or sticky button.

                                  But, if we were to look at this from a security standpoint, a random ebay Android TV box is exactly the sort of device that should be isolated from your network. You probably have no idea what code it's running or where it's pulling updates from. The manufacturers may not know or care either. An exploit here might be someone hacking the update servers for that box and inserting their own code. Next time it updates, you're in a bot net. Or mining crypto for someone etc.

                                  Steve

                                  P 1 Reply Last reply Reply Quote 2
                                  • P
                                    Peter_APIIT @stephenw10
                                    last edited by

                                    @stephenw10 said in Possible Pfsense get Hacked by ISP:

                                    Yeah almost certainly not the result of hacking. Far more likely to be a software glitch or sticky button.

                                    But, if we were to look at this from a security standpoint, a random ebay Android TV box is exactly the sort of device that should be isolated from your network. You probably have no idea what code it's running or where it's pulling updates from. The manufacturers may not know or care either. An exploit here might be someone hacking the update servers for that box and inserting their own code. Next time it updates, you're in a bot net. Or mining crypto for someone etc.

                                    Steve

                                    OK,Thanks for your explanation.

                                    P 1 Reply Last reply Reply Quote 0
                                    • P
                                      Peter_APIIT @Peter_APIIT
                                      last edited by Peter_APIIT

                                      I found out the root cause of hacking activity. I have a laptop which distribute by my ISP and it has backdoor which uses to surveillance the user network activity. I understand i can format the PC but for precatious steps i want to harden the network security level.

                                      How to block LAN to other same subnet computer only allow LAN to gateway?

                                      johnpozJ 1 Reply Last reply Reply Quote 0
                                      • stephenw10S
                                        stephenw10 Netgate Administrator
                                        last edited by

                                        You cannot do that at the firewall. Traffic between hosts in the same subnet doesn't go through the firewall. You would need a switch that has port isolation. Or use a new interface to create a new subnet and put the laptop in that.

                                        But if you really suspect that someone has been hacking your network from your laptop (unlikely) then just don't connect it at all.

                                        Steve

                                        P 1 Reply Last reply Reply Quote 1
                                        • johnpozJ
                                          johnpoz LAYER 8 Global Moderator @Peter_APIIT
                                          last edited by johnpoz

                                          @peter_apiit said in Possible Pfsense get Hacked by ISP:

                                          has backdoor which uses to surveillance the user network activity.

                                          Dude lay off the HERB.. Or go with a different strain that doesn't cause your tinfoil hat to constrict.. What your saying is just nuts..

                                          Your isp gave you a laptop with a backdoor installed so they can hack your TV? And put it back on the home store screen, and your other pc doesn't kick in screensaver?

                                          Come on dude... Lay off the Mr Robot episodes for a bit maybe.

                                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                                          If you get confused: Listen to the Music Play
                                          Please don't Chat/PM me for help, unless mod related
                                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                                          1 Reply Last reply Reply Quote 3
                                          • P
                                            Peter_APIIT @stephenw10
                                            last edited by

                                            @stephenw10 said in Possible Pfsense get Hacked by ISP:

                                            Or use a new interface to create a new subnet and put the laptop in that.

                                            Perhaps I could use aother NIC for that since i got one spare NIC.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.