Help - Has my pfSense box been hacked?



  • When I do a traceroute for Google, let's say, I get the following:

    1  192.168.2.1 (192.168.2.1)  0.832 ms  0.767 ms  0.740 ms
    2  120.195.54.112 (120.195.54.112)  21.150 ms  14.276 ms  15.248 ms
    3  82.50.174.83.rev.vodafone.pt (83.174.50.82)  14.542 ms  13.647 ms  13.964 ms
    4  214.25.30.213.rev.vodafone.pt (213.30.25.214)  14.876 ms  13.905 ms  14.735
    5  114.41.30.213.rev.vodafone.pt (213.30.41.114)  33.086 ms  17.372 ms  15.419
    6  85.205.24.213 (85.205.24.213)  25.161 ms  25.225 ms  24.821 ms
    7  213.242.109.157 (213.242.109.157)  59.929 ms  25.302 ms  25.331 ms
    8  ae-0-11.bar1.Madrid2.Level3.net (4.69.141.45)  24.399 ms  24.269 ms  25.226
    9  ae-5-5.ebr1.Paris1.Level3.net (4.69.141.42)  40.965 ms  40.743 ms  40.600 ms
    10  ae-100-100.ebr2.Paris1.Level3.net (4.69.141.238)  40.689 ms  40.425 ms  40.9
    11  ae-47-47.ebr1.Frankfurt1.Level3.net (4.69.143.141)  50.065 ms
        ae-48-48.ebr1.Frankfurt1.Level3.net (4.69.143.145)  49.723 ms
        ae-45-45.ebr1.Frankfurt1.Level3.net (4.69.143.133)  49.572 ms
    12  ae-61-61.csw1.Frankfurt1.Level3.net (4.69.140.2)  50.163 ms
        ae-91-91.csw4.Frankfurt1.Level3.net (4.69.140.14)  58.795 ms
        ae-61-61.csw1.Frankfurt1.Level3.net (4.69.140.2)  57.232 ms
    13  ae-4-99.edge3.Frankfurt1.Level3.net (4.68.23.203)  50.200 ms  50.486 ms
        ae-2-79.edge3.Frankfurt1.Level3.net (4.68.23.75)  49.589 ms
    14  212.162.24.18 (212.162.24.18)  54.177 ms  54.654 ms
        62.67.33.114 (62.67.33.114)  54.165 ms
    15  209.85.248.12 (209.85.248.12)  55.169 ms  60.934 ms  54.399 ms

    What I'm concerned about is item 2 with IP 120.195.54.112; this IP is neither of my DNS servers, and when I perform a whois on it, it belongs to a Chinese network.

    Please help, as I am getting a little freaked out.



  • I doubt you've been hacked. There is a possibility that your provider is using this range for internal routing, which is weird but possible anyway.



  • @evp:

    … What I'm concerned about is item 2 with IP 120.195.54.112; this IP is neither of my DNS servers, and when I perform a whois on it, it belongs to a Chinese network...

    Nice catch, that is weird. But unless you're in China, it's impossible to route through Chinese IPs as your next hop to the public internet. Even if somebody had tampered with your box to route you through an unfriendly Chinese proxy, you'd still have to go through your ISP's gateway to get there, and at least a few routers in your country of origin. These would have shown up in your traceroute.

    My hunch is that Eugene is correct, and your ISP decided to use that network for internal routing while it was still a BOGON (i.e. not assigned by the IANA). That is extremely ghetto and casts serious doubts on the technical competencies of the engineers who built out your ISP's network, but it shouldn't affect you adversely. That is, unless you ever try to connect to an IP owned by the real Chinese owners of that netblock! Your ISP will almost certainly mis-route the traffic and it will get lost internally.



  • Considering the ping times, it is probably impossible.  However, if it was reasonably high enough to reach China in that amount of time, it probably is possible to have it routed over some VPN.  If your public IP or any of your ISP's IP addresses are in the list, that would likely rule out that scenario, too.
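An added check, not from the thread, that turns the round-trip-time argument made in the replies above into code: it parses BSD-style traceroute output (including the unnumbered continuation lines for a second responder at the same hop) and flags any hop whose WHOIS-claimed location is farther away than light in fibre could cover in the measured round trip. The distance figures in CLAIMED_KM are constructed estimates, not lookups.

```python
import re

# Light in fibre covers roughly 200 km per millisecond, so a round trip of
# r ms bounds the one-way path to about 100*r km. Queuing only adds delay,
# so this is an upper bound: the hop cannot be farther away than this.
KM_PER_RTT_MS = 100.0

# Excerpt of the traceroute posted in the thread; hop 11 shows the
# continuation-line form, where a second responder carries no hop number.
SAMPLE = """\
 1  192.168.2.1 (192.168.2.1)  0.832 ms  0.767 ms  0.740 ms
 2  120.195.54.112 (120.195.54.112)  21.150 ms  14.276 ms  15.248 ms
 6  85.205.24.213 (85.205.24.213)  25.161 ms  25.225 ms  24.821 ms
11  ae-47-47.ebr1.Frankfurt1.Level3.net (4.69.143.141)  50.065 ms
    ae-48-48.ebr1.Frankfurt1.Level3.net (4.69.143.145)  49.723 ms
15  209.85.248.12 (209.85.248.12)  55.169 ms  60.934 ms  54.399 ms
"""
# Constructed distance estimates (km) from a Portuguese vantage point to
# where WHOIS places each address (hop 2's block is registered in China,
# hop 11 is in Frankfurt); real values would come from a GeoIP lookup.
CLAIMED_KM = {"120.195.54.112": 9500.0, "4.69.143.141": 2000.0}
HOP_RE = re.compile(r"^\s*(\d+)?\s+(\S+)\s+\(([\d.]+)\)((?:\s+[\d.]+ ms)+)")

def parse_traceroute(text):
    """Return [(hop_number, [(name, ip, min_rtt_ms), ...]), ...]. A line
    without a hop number is a further responder for the previous hop."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header, '* * *' timeouts, truncated lines
        num, name, ip, rtts = m.groups()
        if num is not None:
            hops.append((int(num), []))
        elif not hops:
            continue  # continuation line before any numbered hop
        min_rtt = min(float(v) for v in re.findall(r"([\d.]+) ms", rtts))
        hops[-1][1].append((name, ip, min_rtt))
    return hops

def max_distance_km(min_rtt_ms):
    return min_rtt_ms * KM_PER_RTT_MS

def implausible_hops(hops, claimed_km):
    """Responders whose claimed location is farther than their RTT allows."""
    return [(num, ip, max_distance_km(rtt), claimed_km[ip])
            for num, responders in hops for _, ip, rtt in responders
            if ip in claimed_km and claimed_km[ip] > max_distance_km(rtt)]

def analyse():
    return implausible_hops(parse_traceroute(SAMPLE), CLAIMED_KM)
```

On the thread's trace, hop 2 comes back flagged: a 14 ms round trip bounds it to roughly 1,400 km, far short of a Chinese endpoint, which supports the ISP-internal-routing explanation rather than a detour abroad.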



  • Thanks guys, I feel better. I am by no means fluent in networking, but I have come across some pretty funky situations with Vodafone Portugal.

    Thanks

