Netgate Discussion Forum

    Help!!! Ghost61

    Captive Portal
    4 Posts 3 Posters 2.0k Views
    • mkimiti

      Hi, I recently set up a wireless network and I am using pfSense to run a captive portal. It ran well for a couple of days, then something somewhere went wrong. After a user authenticates, instead of being redirected to the predefined page, it shows a blank page with "Hacked by GHoST61" written on it. Any other page you try to access brings up the same.
      Other users on the LAN that are not going through the pfSense box don't have a problem.
      Help me out...
      Does pfSense have security patches?

      1 Reply Last reply Reply Quote 0
      • sullrich

        Reapply the firmware update and see if it helps. However, it would be nice to know what they modified and how.

        1 Reply Last reply Reply Quote 0
        • sullrich

          Also since it is only affecting one machine – check your DNS on the client machine.

          1 Reply Last reply Reply Quote 0
          • cmb

            Probably 3 possibilities here and I doubt if applying a firmware update does anything as it's almost guaranteed either your config has been changed, or it's completely unrelated to your firewall.

            1. You used a weak password, didn't restrict management access, and someone on that network cracked/guessed it and changed the redirect URL or something else in your config to do that.
            2. Someone on the network is doing bad things to MITM your users, ARP poisoning or similar.
            3. You're redirecting to a URL that's been defaced; that tag line is common on defaced websites.

            Attaching a copy of your config, and a packet capture of all traffic from an affected machine while it's accessing captive portal and getting redirected would tell more. You can email those two files to me off-forum if you don't want to make them public (cmb at pfsense dot org, include a link to this thread).

            1 Reply Last reply Reply Quote 0
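
For the first possibility in the last post (a changed redirect URL or some other config change), one way to see what was modified is to diff the current config against a known-good backup. This is an added example, not part of the original thread and not pfSense's own code; the sample XML, its element names, the hash placeholders and the URLs are constructed, and `leaf_paths`, `diff_configs` and `review_first` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs; element names are assumptions for illustration.
KNOWN_GOOD = """<pfsense>
  <system><timezone>Etc/UTC</timezone>
    <user><name>admin</name><password>HASH_A</password></user></system>
  <interfaces><lan><ipaddr>192.168.1.1</ipaddr></lan></interfaces>
  <captiveportal><enable/>
    <redirurl>http://portal.example.test/welcome</redirurl></captiveportal>
</pfsense>"""
CURRENT = (KNOWN_GOOD.replace("HASH_A", "HASH_B")
           .replace("portal.example.test/welcome", "other.example.test/index.html")
           .replace("Etc/UTC", "Africa/Nairobi"))

# Sections to look at first: portal settings and management credentials.
WATCH = ("captiveportal", "system/webgui", "system/user")


def leaf_paths(xml_text):
    """Map each leaf element's path to the list of text values found there."""
    # For a file taken from a possibly compromised box, parse with a hardened
    # parser such as defusedxml instead of the standard library one.
    leaves = {}

    def walk(node, prefix):
        path = f"{prefix}/{node.tag}" if prefix else node.tag
        children = list(node)
        if not children:
            leaves.setdefault(path, []).append((node.text or "").strip())
        for child in children:
            walk(child, path)

    walk(ET.fromstring(xml_text), "")
    return leaves


def diff_configs(old_xml, new_xml):
    """Return (path, old_values, new_values) for every leaf that differs."""
    old, new = leaf_paths(old_xml), leaf_paths(new_xml)
    return [(p, old.get(p), new.get(p))
            for p in sorted(old.keys() | new.keys()) if old.get(p) != new.get(p)]


def review_first(changes):
    """Keep only changes under the watched sections."""
    return [c for c in changes if any(w in c[0] for w in WATCH)]


if __name__ == "__main__":
    for path, before, after in review_first(diff_configs(KNOWN_GOOD, CURRENT)):
        print(f"{path}: {before} -> {after}")
```

A value of `None` on either side means the element exists in only one of the two files, which is how an added or removed setting shows up.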