Strange Log Entries, File Changes, Etc
-
Hi,
We’ve had some pretty problematic cyber security problems at home, with a good bit of definitive evidence (hashes, files, IPs) of fairly advanced malware(s) that can infiltrate a number of operating systems. This led me to pfSense and wanting to tighten up our home network, dump the cheap IoT, WiFi chaos, etc. I am really appreciating the detail and level of control it gives, even if I’m somewhat over my head, haha.
So I could be overvigilant, and I’m just learning the software. I am an intermediate Linux user and a fairly experienced PHP software dev, but I don't have much FreeBSD experience.
Anyway. I’m getting burnt out on log digging and researching, so I’m hoping someone can help either give clarity or affirm reasons for concern before I go down that road. I have logs of what seems to be a programmatic battle between root and an unknown user over files and permissions. I also have logs from sshguard “Attacks”, which I know are often not a concern, but I’ve only ever been one IP and it seems to be coming from several places, one being my Google TV. Also, there are lots of recently modified files in the /boot and /var folders, with some 0777 files in /tmp, and some arp logs of “MAC access using my IP”, but the MAC address is not one of my devices. I did some doc searches and found nothing mentioned regarding what I’m seeing. And there are 7/8 tty processes running, but it’s just me with a serial port or monitor hooked up and then in the web UI.
I downloaded and burned the IMG from a live-boot Linux distro about 2 days ago and put it on a Protectli with the stock AMI BIOS. Our WiFi is completely down, so it’s been all offline except for about an hour when I wired it straight into the ISP modem to test the DNS settings, but it’s possible something was still infected. Anyway, I’ll drop some photos, with a few transcribed here, and I have more and the logs if it seems worthwhile, but phone shots are safer just in case. The docs are just transcribed from phone pictures I took.
I know this is not a cyber security forum, but I know y'all are more familiar with the quirks. So, if someone could just let me know if I have good reason for concern with this device/install or if I’m just over-analyzing, I would be very grateful! I really hope it’s nothing, because I'm not sure what to do at that point otherwise.
Thanks!
https://docs.google.com/document/d/11sm9RP08e6EJR-2Y0DAvhz5NArvuwiPRkkIVNVXOsSI/edit
https://docs.google.com/document/d/12RgPj0tUuZoOA8MXRU3uU8UUnZtx74LtMguzZ8zljJE/edit
-
What subnet(s) are you using there on which interfaces?
Are any of those IPs actually you?
At the very least SSH login attempts like that imply you have something open to somewhere that it probably shouldn't be. Since they are all private IPs that must be something local.
Where did you take those user/group logs from?
That looks unexpected at best. It appears as though someone/something is running commands that aren't valid in pfSense/FreeBSD, which is fortunate. But it implies they were able to run them.
-
Hey, thanks for the feedback. I was trying to run the Protectli mini PC with pfSense and a layer 2 switch so I could really get good network segmentation, so I was setting up some subnets and VLANs, getting a little over-complicated with that probably, but I really need to isolate the various devices (“nodes”) to hopefully minimize the damage.
It was probably dumb to hook the TV up, as I’m pretty sure IoT has been a vector for persistence, but I had just factory reset it, which probably means nothing.
At that point it was just me on the live boot, the firewall, switch, and the TV, and not online for the majority of when the logs were sampled. And I definitely wasn’t using SSH unless the UI uses it somewhere; much safer to plug in. I’m guessing pfSense doesn’t wipe when you reinstall? Some of the logs persisted after I tried that.
I have logs of thousands of IPs hitting our network with HTTP requests, and almost all of those IPs are hits on VirusTotal for malware, so maybe we are part of a botnet?
Also I noticed that there was some insane ARP scanning activity happening on the Spectrum subnet when I had it online, thanks to the built-in tcpdump and logging, which I love btw. But yeah, like thousands of scan requests in minutes as well. Maybe that’s normal... I’ve never looked at that much.
It could be the Linux variant of whatever trying to operate in FreeBSD. Maybe I can rescue it. I had a number of base64-encoded binaries and hashes in browser memory dumps come back positive for things like Lumma Stealer and Cobalt Strike a few weeks ago, so who knows.
If that’s true I'm probably over my head. I was hoping I had the answer with this setup and heavily reducing/segmenting WiFi to cut out most of the attack/spread surface.
-
I mean what subnets are connected locally to pfSense? There are no public IPs shown so whatever is making connection attempts is local to you.
Your WAN interface is connected to some other upstream router? ISP provided?
There are what looks like 2 subnets in the logs: 192.168.99.0/24 and 192.168.1.0/24
Are those your WAN and LAN respectively?
-
Also, some of this probably sounds a bit implausible, but it's certainly in the realm of reality.
My gut suspicions haven’t been terribly far off the last few months, in hindsight. I know pfSense is well hardened, as is FreeBSD, by folks much smarter than I, and so I guess I’m just unsure as to how to proceed. Should I just try to reformat the storage, reflash to coreboot and try again, given that there is abnormal activity, or maybe this is minor and can be fixed? I thought the Protectli I bought was going to be completely clean based on the listing, but it definitely had AMI BIOS installed. Do most folks run coreboot?
I’d be happy to pay for support at this point if it could help me get reliable feedback from someone more knowledgeable, as I do think I’m on a good path tech-wise. I just don’t have more time to waste doing forensics and redoing things, just to be less confident, which tends to be how it goes.
Any advice/thoughts would be appreciated. Thanks.
-
Well it's hard to interpret the logs usefully without knowing what subnets you are using and how those are connected.
-
It's the more traditional Spectrum internet service (not dedicated fiber), so they do distribute shared bandwidth on localized subnets, from my understanding. Those two subnets you asked about were entirely local. The Spectrum subnet starts with 75. I was generally 192.168.99.10/11, but I was always on the web portal or directly connected. 192.168.1.100 was my TV. The portal has a separate log file, I see, that is empty (maybe a bug?). Never SSH.
I’m just going to throw all the logs from the command line into a drive, double-check for hidden binaries, and put them up somewhere if anyone is open to taking a look. I’m sure I made some confirmation mistakes too. There are two files, utx.log and utx.lastlog, that come back with binary data, if that’s abnormal. Also the root .sujournal file is at over 600 MB, which seems strange haha.
Thanks again!
-
Ah, OK. Then you probably have firewall rules passing traffic on those interfaces allowing login attempts.
This would be most worrying for me:
Feb 7 09:12:07 php-fpm 393 /index.php: Successful login for user 'admin' from: 192.168.1.100 (Local Database)
If that really is your TV that's an issue! Unless you were using a browser on the TV. But even if that was the TV (or malware on it), it would only have been able to log in if the password were still default, probably.
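A small triage script for the kinds of lines discussed in this thread: the sshguard "Attack" entries and the ARP "is using my IP address" messages mentioned in the first post, and the successful-login line quoted just above. This is an added example, not code from pfSense or from anyone in the thread. The log lines it runs on are constructed to match the formats shown (timestamps, PIDs, the interface name and the MAC are made up), and the trusted management subnet and the known-MAC list are assumptions you would replace with your own. It reports GUI logins from outside the management subnet, counts failed GUI logins and sshguard reports per source IP, and lists ARP conflicts from MACs you do not recognise.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log, shaped like the lines quoted in the thread.
# Not a real capture: timestamps, PIDs, the interface name and the MAC are made up.
SAMPLE_LOG = """\
Feb 7 09:10:01 php-fpm 393 /index.php: Successful login for user 'admin' from: 192.168.99.10 (Local Database)
Feb 7 09:12:07 php-fpm 393 /index.php: Successful login for user 'admin' from: 192.168.1.100 (Local Database)
Feb 7 09:12:40 php-fpm 393 /index.php: webConfigurator authentication error for user 'admin' from: 192.168.1.100
Feb 7 09:13:02 sshguard 1203 Attack from "192.168.1.100" on service SSH with danger 10.
Feb 7 09:13:05 sshguard 1203 Attack from "192.168.1.100" on service SSH with danger 10.
Feb 7 09:13:09 sshguard 1203 Attack from "192.168.99.11" on service SSH with danger 10.
Feb 7 09:14:00 kernel arp: 00:11:22:33:44:55 is using my IP address 192.168.1.1 on igb1!
Feb 7 09:14:30 kernel arp: 00:11:22:33:44:55 is using my IP address 192.168.1.1 on igb1!
"""

IPV4 = r"\d+(?:\.\d+){3}"
LOGIN_OK_RE = re.compile(r"Successful login for user '(?P<user>[^']+)' from: (?P<ip>" + IPV4 + ")")
LOGIN_FAIL_RE = re.compile(r"authentication error for user '(?P<user>[^']+)' from: (?P<ip>" + IPV4 + ")")
SSHGUARD_RE = re.compile(r'Attack from "(?P<ip>' + IPV4 + r')" on service (?P<svc>\S+) with danger (?P<danger>\d+)')
ARP_RE = re.compile(
    r"arp: (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) is using my IP address "
    r"(?P<ip>" + IPV4 + r") on (?P<iface>[^\s!]+)",
    re.IGNORECASE,
)


def triage(log_text, trusted_admin_nets, known_macs):
    """Scan one syslog excerpt and return the findings worth asking about.

    trusted_admin_nets: CIDR strings for hosts that are allowed to log in to the GUI.
    known_macs: MACs of devices you own; any other MAC in an ARP conflict is reported.
    """
    trusted = [ip_network(n) for n in trusted_admin_nets]
    known = {m.lower() for m in known_macs}
    untrusted_logins = []          # successful GUI logins from outside the trusted nets
    failed_logins = Counter()      # failed GUI logins per source IP
    sshguard_sources = Counter()   # sshguard attack reports per source IP
    arp_conflicts = []             # (mac, ip, iface) for unknown MACs, de-duplicated
    for line in log_text.splitlines():
        m = LOGIN_OK_RE.search(line)
        if m:
            if not any(ip_address(m["ip"]) in net for net in trusted):
                untrusted_logins.append((m["ip"], m["user"]))
            continue
        m = LOGIN_FAIL_RE.search(line)
        if m:
            failed_logins[m["ip"]] += 1
            continue
        m = SSHGUARD_RE.search(line)
        if m:
            sshguard_sources[m["ip"]] += 1
            continue
        m = ARP_RE.search(line)
        if m and m["mac"].lower() not in known:
            key = (m["mac"].lower(), m["ip"], m["iface"])
            if key not in arp_conflicts:
                arp_conflicts.append(key)
    return {
        "untrusted_logins": untrusted_logins,
        "failed_logins": dict(failed_logins),
        "sshguard_sources": dict(sshguard_sources),
        "arp_conflicts": arp_conflicts,
    }


if __name__ == "__main__":
    # Assumed management subnet and a made-up known MAC; replace with your own.
    findings = triage(SAMPLE_LOG, ["192.168.99.0/24"], ["aa:bb:cc:dd:ee:ff"])
    for name, value in findings.items():
        print(f"{name}: {value}")
```

On a real box you would feed it the relevant files from /var/log instead of SAMPLE_LOG and list every subnet you manage from in trusted_admin_nets; a login that shows up in untrusted_logins from an address you never used is the line to chase first, and a repeated ARP conflict from a MAC that is not in your inventory tells you which switch port or VLAN to pull.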
-
There was a period where I just reset back to the default password while not connected to the public network and accidentally left it for a bit. Since it is what it is now, I'll hook the TV back in and do some packet captures to see what it does.
-
If you never logged in from 192.168.1.100 then that looks bad!