Help!!! Ghost61

  • Hi, I recently set up a wireless network and I am using pfSense to run a captive portal. It ran well for a couple of days, then something somewhere went wrong. After a user authenticates, instead of being redirected to the predefined page, it shows a blank page written "Hacked by GHoST61". Any other page you try to access brings the same.
    Other users on the LAN that are not going through the pfSense box don't have a problem.
    Help me out...
    Does pfSense have security patches?

  • Reapply the firmware update and see if it helps. However it would be nice to know what they modified and how.

  • Also since it is only affecting one machine – check your DNS on the client machine.

  • Probably 3 possibilities here and I doubt if applying a firmware update does anything as it's almost guaranteed either your config has been changed, or it's completely unrelated to your firewall.

    1. You used a weak password, didn't restrict management access, and someone on that network cracked/guessed it and changed the redirect URL or something else in your config to do that.
    2. Someone on the network is doing bad things to MITM your users, ARP poisoning or similar.
    3. You're redirecting to a URL that's been defaced; that tag line is common on defaced websites.

    Attaching a copy of your config, and a packet capture of all traffic from an affected machine while it's accessing captive portal and getting redirected would tell more. You can email those two files to me off-forum if you don't want to make them public (cmb at pfsense dot org, include a link to this thread).
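An added example, not part of the thread or any poster's code: one way to check possibility 2 from an affected client is to compare two `arp -an` snapshots and flag a gateway whose MAC address changed or is shared with another host. The gateway address, the function names and both snapshots are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Matches "(ip) at mac" in BSD or Linux `arp -an` output; "(incomplete)" rows do not match.
ARP_ENTRY = re.compile(
    r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ((?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2})", re.I)

def parse_arp(text):
    """Return {ip: mac} from `arp -an` output."""
    table = {}
    for ip, mac in ARP_ENTRY.findall(text):
        # BSD prints 0:c:29:..., Linux prints 00:0c:29:...; normalise to compare.
        table[ip] = ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))
    return table

def arp_findings(before, after, gateway_ip):
    """Compare two ARP snapshots from one client and list signs of gateway spoofing."""
    old, new = parse_arp(before), parse_arp(after)
    findings = []
    if gateway_ip in old and gateway_ip in new and old[gateway_ip] != new[gateway_ip]:
        findings.append(
            f"gateway {gateway_ip} changed MAC: {old[gateway_ip]} -> {new[gateway_ip]}")
    ips_by_mac = defaultdict(list)
    for ip, mac in new.items():
        ips_by_mac[mac].append(ip)
    shared = [ip for ip in ips_by_mac.get(new.get(gateway_ip), []) if ip != gateway_ip]
    if shared:
        # Can be benign (a router holding several addresses), so verify by hand.
        findings.append(
            f"gateway MAC {new[gateway_ip]} is also claimed by {', '.join(sorted(shared))}")
    return findings

# Constructed sample data: snapshots taken before and while the problem occurs.
GATEWAY = "192.168.1.1"  # assumed LAN address of the pfSense box
BEFORE = """\
? (192.168.1.1) at 0:c:29:aa:bb:1 on em0 [ethernet]
? (192.168.1.50) at 0:c:29:aa:bb:50 on em0 [ethernet]
? (192.168.1.77) at (incomplete) on em0 [ethernet]
"""
AFTER = """\
? (192.168.1.1) at 00:0c:29:aa:bb:50 [ether] on eth0
? (192.168.1.50) at 00:0c:29:aa:bb:50 [ether] on eth0
"""

if __name__ == "__main__":
    for line in arp_findings(BEFORE, AFTER, GATEWAY):
        print("SUSPICIOUS:", line)
```

A clean result does not rule out possibilities 1 and 3; the config and the redirect target still need checking.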
