Pfsense found docker process

dmateos86

Hi everyone, today my pfsense start cpu increase at 100%, restart services and the cpu still high, reviewing System Activity found some docker process target unknown ip.

Somebody know to disable this? I try to block with a firewall rule but nothing.

stephenw10

I've never seen either of those processes in pfSense.

What packages do you have installed there?

Any 3rd party packages or addons?

Steve

dmateos86

@stephenw10 Hi, I have installed, frr for bgp, ntopng and pfBlockerNG.

I just kill the both process, and the cpu went ok, but I don't know if is my setup vulnerable now.

johnpoz

@dmateos86 that IP 107.189.10.123 is a buy vm, IP - they run vpses - cheap, I run a server on there.

dmateos86

@johnpoz Thanks for your response, do you know why pfsense has those services or the meaning? I haven't install any docker instance on it.

stephenw10

Is that sold as a pfSense VPS specifically? Not sure how they would start those processes otherwise if something wasn't already installed. But I haven't spent much time playing with docker.

dmateos86

@stephenw10 Hello, the pfsense is installed on a dell server on site, actually I don't work with docker, and I'm the only one who has access to it, thats why I'm confused why this process activated.

stephenw10

Try running at the CLI: ps -auxwwd That may show you what started them. If they are still running or have restarted.

Steve

johnpoz

@dmateos86 no my pfsense has no dockers running - that for sure is not an out of the box experience, or with any packages. Odd that its talking to a buyvm IP.. So its talking to something running on a vps on their cloud would be my guess..

looks more just like a cmd that is running called that, with url to go talk to and port, and user to auth with I would assume. Not really a actual docker container running.

But yeah they are sucking some cpu that is for sure.. Some sort of miner maybe? Just wild ass guess..

A google for those commands doesn't even come up with anything.. which if was some common sort of legit package you would think you would find info on using it, etc.

I try to block with a firewall rule but nothing.

If its actually running on pfsense, you would have to use an outbound rule in floating to stop access to that IP or Port, etc. out of the box processes running on pfsense can go really anywhere they want. There is a specific rule to allow firewall to go outbound.

johnpoz

@dmateos86 said in Pfsense found docker process:

but I don't know if is my setup vulnerable now.

Did you have like the web gui open to the internet, or ssh or something..

dmateos86

@stephenw10 said in Pfsense found docker process:

ps -auxwwd

Hi, I kill both process, but when I run that command show me the following:

And there's the ip address, and another ip that I don't recognize.

dmateos86

@johnpoz I have open the wan ip address port for l2tp/ipsec connection, ssh disable, and only lan access for web gui.

johnpoz

@dmateos86 if you hit that 104 on just http you get this back

This is a Tor Exit Router

And lots of other info.. talk to it on port 10005 like that command but doesn't connect..

None of that looks good or legit that is for sure... Your not doing anything routing traffic over tor are you?

Can tell you for sure that I don't have anything like running on mine, there is no sh process forked off my php-fpm processes that is for damn sure..

stephenw10

Yup I would nuke it and start over if you've not added any of that yourself.

It would be interesting to know what's in any of those referenced files but if it anything suspect it's likely to be obscured anyway.

Steve

rcoleman-netgate

I'm curious what the hardware is that it's on.... the output of

dmesg

here would be really telling.

marcosm

I agree that docker is not being used here - these look like scripts named in a purposely misleading way. Ultimately, this is not normal and hence I suggest wiping the drive(s) and re-installing pfSense. First however, try extracting more information.

Make sure SSH is enabled under System / Advanced, then verify you can SSH by running the following from your Windows host:

ssh root@192.168.1.1

Then create a folder to transfer files to, e.g. C:\tmp_dir\ and grab all of the files in /tmp/ - for example by running this from Windows:

scp -r root@192.168.1.1:/tmp/ C:\tmp_dir\

The scripts should be stored under the www folder which you can verify by going to Diagnostics / Edit File and browsing to /usr/local/www/. Try finding them otherwise (likely the process needs to be running for the scripts to exist). Grab the scripts as well - for example:

scp root@192.168.1.1:/usr/local/www/*.sh C:\tmp_dir\
scp root@192.168.1.1:/usr/local/www/*docker* C:\tmp_dir\
scp root@192.168.1.1:/usr/local/www/*clinche* C:\tmp_dir\

If you get all of that, inspect it and feel free to share it here (zip it up, upload it somewhere, and share the link).

dmateos86

@rcoleman-netgate Hi, I share the result from dmesg, the pfsense is running on a dell r240 server.

dmesg.txt

thanks

rcoleman-netgate

@dmateos86 I thought for sure it wasn't going to be running a bare metal... I'm a bit more concerned about the rest of the software, then. What got on it and how did it get there?

dmateos86

@johnpoz said in Pfsense found docker process:

Your not doing anything routing traffic over tor are you?

Hi, no I dont route any tor traffic, and the php-fpm is:

bingo600

Hmmm ....

That curl + chmod smells a lot too ...
Payload fetcher ??

/Bingo