Help - Has my pfSense box been hacked/
-
When I do a traceroute for google lets say I get the following:
1 192.168.2.1 (192.168.2.1) 0.832 ms 0.767 ms 0.740 ms
2 120.195.54.112 (120.195.54.112) 21.150 ms 14.276 ms 15.248 ms
3 82.50.174.83.rev.vodafone.pt (83.174.50.82) 14.542 ms 13.647 ms 13.964 ms
4 214.25.30.213.rev.vodafone.pt (213.30.25.214) 14.876 ms 13.905 ms 14.735
5 114.41.30.213.rev.vodafone.pt (213.30.41.114) 33.086 ms 17.372 ms 15.419
6 85.205.24.213 (85.205.24.213) 25.161 ms 25.225 ms 24.821 ms
7 213.242.109.157 (213.242.109.157) 59.929 ms 25.302 ms 25.331 ms
8 ae-0-11.bar1.Madrid2.Level3.net (4.69.141.45) 24.399 ms 24.269 ms 25.226
9 ae-5-5.ebr1.Paris1.Level3.net (4.69.141.42) 40.965 ms 40.743 ms 40.600 ms
10 ae-100-100.ebr2.Paris1.Level3.net (4.69.141.238) 40.689 ms 40.425 ms 40.9
11 ae-47-47.ebr1.Frankfurt1.Level3.net (4.69.143.141) 50.065 ms
ae-48-48.ebr1.Frankfurt1.Level3.net (4.69.143.145) 49.723 ms
ae-45-45.ebr1.Frankfurt1.Level3.net (4.69.143.133) 49.572 ms
12 ae-61-61.csw1.Frankfurt1.Level3.net (4.69.140.2) 50.163 ms
ae-91-91.csw4.Frankfurt1.Level3.net (4.69.140.14) 58.795 ms
ae-61-61.csw1.Frankfurt1.Level3.net (4.69.140.2) 57.232 ms
13 ae-4-99.edge3.Frankfurt1.Level3.net (4.68.23.203) 50.200 ms 50.486 ms
ae-2-79.edge3.Frankfurt1.Level3.net (4.68.23.75) 49.589 ms
14 212.162.24.18 (212.162.24.18) 54.177 ms 54.654 ms
62.67.33.114 (62.67.33.114) 54.165 ms
15 209.85.248.12 (209.85.248.12) 55.169 ms 60.934 ms 54.399 msWhat I'm concerned about is item 2 with ip 120.195.54.112, this ip is neither of my dns serververs and when I perform a whois on it, it belongs to a China network.
Please help, as i am getting a little freaked out.
-
I doubt you've been hacked. There is possibility that your provider is using this range for internal routing which is weird but anyway possible.
-
@evp:
… What I'm concerned about is item 2 with ip 120.195.54.112, this ip is neither of my dns serververs and when I perform a whois on it, it belongs to a China network...
Nice catch, that is weird. But unless you're in China, it's impossible to route through Chinese IPs as your next hop to public. Even if somebody had tampered with your box to route you through an unfriendly chinese proxy, you'd still have to go through your ISPs gateway to get there, and at least a few routers in your country of origin. These would have shown up in your traceroute.
My hunch is that Eugene is correct, and your ISP decided to use that network for internal routing while it was still a BOGON (i.e. not assigned by the IANA). That is extremely ghetto and casts serious doubts on the technical competencies of the engineers who built out your ISP's network, but it shouldn't affect you adversely. That is, unless you ever try to connect to an IP owned by the real Chinese owners of that netblock! Your ISP will almost certainly mis-route the traffic and it will get lost internally.
-
Considering the ping times, it is probably impossible. However, if it was reasonably high enough to reach China in that amount of time, it probably is possible to have it routed over some VPN. If your public IP or any of your ISP's IP addresses are in the list, that would likely rule out that scenario, too.
-
Thanks guys, I feel better. I am by no means fluent in networking but, I have come across some pretty funky situations with Vodafone Portugal.
Thanks