Help! I'm under attack!



  • I'm running 1.2.3. For the past day or so, the Internet seemed slow, pictures sometimes take too long to appear. Speed tests show a very nice speed, but sometimes slow to nothing. I see that the CPU is averaging 25% to 50% (usually under 5%), and the state table seems to fill up instantly after resetting states. MBUF is 5401/6405. I'm no security expert, and I've never been under attack while using pfsense, so I feel helpless. Looking in the state list, I see a whole bunch of one IP address, beginning with 45 or 46 (45.x.x.x), but they keep changing. They keep trying to connect to one port after another. It seems targeted at my web server. When I shut down the webserver, everything settles down. What should I do? Will Snort stop this kind of thing?

    Here's an example of the state log:

    tcp 46.108.41.72:80 <- 192.168.8.24:4294 CLOSED:SYN_SENT
    tcp 192.168.8.24:4294 -> 69.253.164.39:14213 -> 46.108.41.72:80 SYN_SENT:CLOSED
    tcp 46.109.189.4:80 <- 192.168.8.24:4295 CLOSED:SYN_SENT
    tcp 192.168.8.24:4295 -> 69.253.164.29:27915 -> 46.109.189.4:80 SYN_SENT:CLOSED
    tcp 46.109.189.5:80 <- 192.168.8.24:4296 CLOSED:SYN_SENT
    tcp 192.168.8.24:4296 -> 69.253.164.29:64456 -> 46.109.189.5:80 SYN_SENT:CLOSED
    tcp 46.108.41.73:80 <- 192.168.8.24:4297 CLOSED:SYN_SENT
    tcp 192.168.8.24:4297 -> 69.253.164.29:15487 -> 46.108.41.73:80 SYN_SENT:CLOSED
    tcp 46.109.189.6:80 <- 192.168.8.24:4298 CLOSED:SYN_SENT
    tcp 192.168.8.24:4298 -> 69.253.164.29:34283 -> 46.109.189.6:80 SYN_SENT:CLOSED
    tcp 46.108.41.74:80 <- 192.168.8.24:4299 CLOSED:SYN_SENT
    tcp 192.168.8.24:4299 -> 69.253.164.29:46688 -> 46.108.41.74:80 SYN_SENT:CLOSED
    tcp 46.109.189.7:80 <- 192.168.8.24:4300 CLOSED:SYN_SENT
    tcp 192.168.8.24:4300 -> 69.253.164.29:32979 -> 46.109.189.7:80 SYN_SENT:CLOSED
    tcp 46.108.41.75:80 <- 192.168.8.24:4301 CLOSED:SYN_SENT
    tcp 192.168.8.24:4301 -> 69.253.164.29:52865 -> 46.108.41.75:80 SYN_SENT:CLOSED
    tcp 46.108.41.76:80 <- 192.168.8.24:4302 CLOSED:SYN_SENT
    tcp 192.168.8.24:4302 -> 69.253.164.29:48614 -> 46.108.41.76:80 SYN_SENT:CLOSED
    tcp 46.108.41.77:80 <- 192.168.8.24:4303 CLOSED:SYN_SENT

    69.253.164.29 is my WAN IP Address
    192.168.8.24 is my webserver IP Address
    46.108.41.77 is an attacker IP



  • Do not post your WAN IP Address in any forum, it will only give you further problems.  Represent it with x's in text (xxx.xxx.xxx.xxx), or obfuscate it in screenshots.



  • On my Linux netbook I see:

    $ whois 46.108.41.74
    % This is the RIPE Database query service.
    % The objects are in RPSL format.
    %
    % The RIPE Database is subject to Terms and Conditions.
    % See http://www.ripe.net/db/support/db-terms-conditions.pdf

    % Note: this output has been filtered.
    %      To receive output for a database update, use the "-B" flag.

    % Information related to '46.108.32.0 - 46.108.63.255'

    inetnum:        46.108.32.0 - 46.108.63.255
    netname:        ADNET
    descr:          ADNET TELECOM
    country:        RO
    admin-c:        ADN-RIPE
    tech-c:        ADN-RIPE
    status:        ASSIGNED PA
    mnt-by:        MNT-ADNET
    mnt-routes:    MNT-ADNET
    mnt-domains:    MNT-ADNET
    source:        RIPE # Filtered

    role:            ADNET TELECOM
    address:        96B Basarabiei Boulevard, district 2
    address:        Bucharest, Romania
    e-mail:          noc@adnettelecom.ro
    remarks:        -------------------------------------
    admin-c:        CV208-RIPE      # Calin Velea
    tech-c:          CV208-RIPE      # Calin Velea
    tech-c:          RALU            # Raluca Andreea Gogioiu
    tech-c:          KARO            # Daniel Pana
    tech-c:          AP13038-RIPE    # Alexandru Prodan
    tech-c:          MM26510-RIPE    # Marius-Alexandru Matei
    remarks:        -------------------------------------
    nic-hdl:        ADN-RIPE
    mnt-by:          MNT-ADNET
    remarks:        -------------------------------------
    remarks:        Abuse reports: abuse@adnettelecom.ro
    remarks:        NOC E-mail: noc@adnettelecom.ro
    remarks:        Support: support@adnettelecom.ro
    remarks:        Phone: +40215681111 (24/7 NOC)
    remarks:        -------------------------------------
    source:          RIPE # Filtered

    % Information related to '46.108.0.0/17AS5541'

    route:          46.108.0.0/17
    descr:          AdNet Telecom
    remarks:        -------------------------------------
    remarks:        Abuse reports: abuse@adnettelecom.ro
    remarks:        NOC E-mail: noc@adnettelecom.ro
    remarks:        Support: support@adnettelecom.ro
    remarks:        -------------------------------------
    origin:        AS5541
    mnt-by:        MNT-ADNET
    source:        RIPE # Filtered

    $

    It rather looks to me that something on your web server system is making multiple attempts to access a web server in Romania (notice all the accesses to port 80, http, on 46.108.x.x, with varying port numbers on your web server system).

    If there is no need for someone on your LAN to be making web accesses to systems in Romania you might want to add firewall rules to block (or even pass with log to get a better idea of usage patterns) such access.
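The reading above (the LAN host is at the tail of the arrow, so it is the initiator) can be automated. The following is an added example, not code from the thread or from pfSense: it parses state-table lines in the layout quoted in the first post, works out who initiated each connection, collapses the two entries a NAT'd connection produces (LAN-side and WAN-side) into one, and counts half-open outbound connections (our side SYN_SENT, remote side CLOSED), which is the signature of a LAN host scanning or beaconing out. The sample lines, the 203.0.113.29 WAN placeholder, the 192.168.8.0/24 LAN assumption and the inbound/internal lines are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the layout of the pfSense 1.2.x state table quoted in the thread.
# The WAN address is a documentation-range placeholder (203.0.113.29), not a real one;
# the last two lines (an inbound port-forward hit and a LAN-internal connection) are
# invented so that every direction is exercised.
SAMPLE_STATES = """\
tcp 46.108.41.72:80 <- 192.168.8.24:4294 CLOSED:SYN_SENT
tcp 192.168.8.24:4294 -> 203.0.113.29:14213 -> 46.108.41.72:80 SYN_SENT:CLOSED
tcp 46.109.189.4:80 <- 192.168.8.24:4295 CLOSED:SYN_SENT
tcp 192.168.8.24:4295 -> 203.0.113.29:27915 -> 46.109.189.4:80 SYN_SENT:CLOSED
tcp 192.168.8.24:80 <- 203.0.113.29:80 <- 198.51.100.7:51000 ESTABLISHED:ESTABLISHED
tcp 192.168.8.10:443 <- 192.168.8.24:4310 ESTABLISHED:ESTABLISHED
"""

# Assumption: the LAN behind this firewall is 192.168.8.0/24 (as in the thread).
LAN_NETS = [ipaddress.ip_network("192.168.8.0/24")]

STATE_RE = re.compile(r"^(\w+)\s+(.+?)\s+(\S+):(\S+)$")
ARROW_RE = re.compile(r"\s+(<-|->)\s+")


def split_endpoint(ep):
    """'46.108.41.72:80' -> ('46.108.41.72', 80)."""
    ip, port = ep.rsplit(":", 1)
    return ip, int(port)


def parse_state(line):
    """Parse one pf state line into a dict keyed on who initiated the connection.

    pf prints an OUT state as 'src -> [nat ->] dst' and an IN state as
    'dst <- [nat <-] src': the host at the arrow's tail sent the first packet.
    The trailing 'A:B' pair lists the TCP state of the left and right endpoints
    in printed order.
    """
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    proto, chain, left_state, right_state = m.groups()
    parts = ARROW_RE.split(chain)          # [ep, arrow, ep, arrow, ep, ...]
    endpoints, arrows = parts[0::2], parts[1::2]
    if not arrows or len(set(arrows)) != 1:
        return None                         # mixed or missing arrows: not a state line
    if arrows[0] == "->":
        src, dst = endpoints[0], endpoints[-1]
        src_state, dst_state = left_state, right_state
    else:
        src, dst = endpoints[-1], endpoints[0]
        src_state, dst_state = right_state, left_state
    src_ip, src_port = split_endpoint(src)
    dst_ip, dst_port = split_endpoint(dst)
    return {
        "proto": proto,
        "src_ip": src_ip, "src_port": src_port, "src_state": src_state,
        "dst_ip": dst_ip, "dst_port": dst_port, "dst_state": dst_state,
    }


def in_lan(ip, lan_nets=LAN_NETS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in lan_nets)


def direction(rec, lan_nets=LAN_NETS):
    """'outbound' = a LAN host started it; 'inbound' = a remote host reached a LAN host."""
    s, d = in_lan(rec["src_ip"], lan_nets), in_lan(rec["dst_ip"], lan_nets)
    if s and d:
        return "internal"
    if s:
        return "outbound"
    if d:
        return "inbound"
    return "transit"


def summarize(text, lan_nets=LAN_NETS):
    """Collapse the state table into the per-connection facts a defender wants first."""
    seen = set()
    out = {"outbound_by_host_port": Counter(), "half_open_outbound": 0,
           "inbound": 0, "internal": 0, "remote_targets": set()}
    for line in text.splitlines():
        rec = parse_state(line)
        if rec is None:
            continue
        # A NAT'd connection appears twice (LAN-side and WAN-side state); count it once.
        key = (rec["proto"], rec["src_ip"], rec["src_port"], rec["dst_ip"], rec["dst_port"])
        if key in seen:
            continue
        seen.add(key)
        d = direction(rec, lan_nets)
        if d == "outbound":
            out["outbound_by_host_port"][(rec["src_ip"], rec["dst_port"])] += 1
            out["remote_targets"].add(rec["dst_ip"])
            # SYN sent by us, remote still CLOSED: nobody answered, typical of a scan/beacon.
            if rec["src_state"] == "SYN_SENT" and rec["dst_state"] == "CLOSED":
                out["half_open_outbound"] += 1
        elif d in ("inbound", "internal"):
            out[d] += 1
    return out


if __name__ == "__main__":
    s = summarize(SAMPLE_STATES)
    for (host, port), n in s["outbound_by_host_port"].most_common():
        print(f"{host} opened {n} connection(s) to remote port {port}")
    print("half-open outbound:", s["half_open_outbound"], "inbound:", s["inbound"])
```

On the sample, the only outbound initiator is 192.168.8.24, every one of its connections goes to remote port 80 and none was answered; an inbound hit on the web server and a LAN-internal connection are reported separately. Feeding the real state table (copied from the pfSense states page) through `summarize` answers the "who is attacking whom" question directly instead of by eye.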



  • Using the Country Block Package might be very useful in this instance blocking out all of Romania



  • @onhel:

    Using the Country Block Package might be very useful in this instance blocking out all of Romania

    Does that package block access FROM a country or block access TO a country or (optionally) both?

    The posted segment of the log appears to show access from pfSense box TO Romania. Or am I interpreting that data incorrectly?



  • You are absolutely right, Wallabybob. He said he was under attack, so I quickly misread; it looks more like he was infected.



  • As an update, it looks like he was attacking webdav on my server. Looking at my apache logs, I see something different:

    46.29.255.122 - - [06/Apr/2011:03:05:30 -0400] "GET /webdav/sip2.php?&IP=47.111.203 HTTP/1.1" 404 1188 "-" "Opera/9.21 (Windows NT 5.1; U; en)"
    46.29.255.122 - - [06/Apr/2011:03:05:35 -0400] "GET /webdav/sip2.php?&IP=47.112.50 HTTP/1.1" 404 1188 "-" "Opera/9.21 (Windows NT 5.1; U; en)"
    46.29.255.122 - - [06/Apr/2011:03:05:35 -0400] "GET /webdav/sip2.php?&IP=47.112.150 HTTP/1.1" 404 1188 "-" "Opera/9.21 (Windows NT 5.1; U; en)"
    46.29.255.122 - - [06/Apr/2011:03:05:36 -0400] "GET /webdav/sip2.php?&IP=47.112.250 HTTP/1.1" 404 1188 "-" "Opera/9.21 (Windows NT 5.1; U; en)"
    46.29.255.122 - - [06/Apr/2011:03:05:40 -0400] "GET /webdav/sip2.php?&IP=47.113.98 HTTP/1.1" 404 1188 "-" "Opera/9.21 (Windows NT 5.1; U; en)"
    46.29.255.122 - - [06/Apr/2011:03:05:40 -0400] "GET /webdav/sip2.php?&IP=47.113.198 HTTP/1.1" 404 1188 "-" "Opera/9.21 (Windows NT 5.1; U; en)"
    46.29.255.122 - - [06/Apr/2011:03:05:45 -0400] "GET /webdav/sip2.php?&IP=47.114.45 HTTP/1.1" 404 1188 "-" "Opera/9.21 (Windows NT 5.1; U; en)"
    46.29.255.122 - - [06/Apr/2011:03:05:45 -0400] "GET /webdav/sip2.php?&IP=47.114.145 HTTP/1.1" 404 1188 "-" "Opera/9.21 (Windows NT 5.1; U; en)"
    46.29.255.122 - - [06/Apr/2011:03:05:45 -0400] "GET /webdav/sip2.php?&IP=47.114.245 HTTP/1.1" 404 1188 "-" "Opera/9.21 (Windows NT 5.1; U; en)"

    I find a single IP address, which I blocked. Now, everything seems back to normal. Any security advice welcome.

    BTW, that wasn't my real WAN IP. I changed a few digits.
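The Apache lines above have a shape that is easy to pick out mechanically: one client, one path that does not exist, a query string that changes on every request, and a 404 every time, all within seconds. The following is an added example, not code from the thread, pfSense or Apache: it parses combined-format access log lines, builds a per-client profile (request count, 404 count, distinct paths and query strings, time span, user agents) and flags clients whose traffic is almost entirely 404s in a short window. The sample log is constructed from the probe shown in the post plus two ordinary requests from a documentation-range client; the thresholds are assumptions to tune for your own server.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache combined log format: five of the probe lines quoted in
# the thread, followed by two ordinary requests from a legitimate documentation-range
# client (198.51.100.7) so the detector has something it must not flag.
SAMPLE_LOG = """\
46.29.255.122 - - [06/Apr/2011:03:05:30 -0400] "GET /webdav/sip2.php?&IP=47.111.203 HTTP/1.1" 404 1188 "-" "Opera/9.21 (Windows NT 5.1; U; en)"
46.29.255.122 - - [06/Apr/2011:03:05:35 -0400] "GET /webdav/sip2.php?&IP=47.112.50 HTTP/1.1" 404 1188 "-" "Opera/9.21 (Windows NT 5.1; U; en)"
46.29.255.122 - - [06/Apr/2011:03:05:35 -0400] "GET /webdav/sip2.php?&IP=47.112.150 HTTP/1.1" 404 1188 "-" "Opera/9.21 (Windows NT 5.1; U; en)"
46.29.255.122 - - [06/Apr/2011:03:05:36 -0400] "GET /webdav/sip2.php?&IP=47.112.250 HTTP/1.1" 404 1188 "-" "Opera/9.21 (Windows NT 5.1; U; en)"
46.29.255.122 - - [06/Apr/2011:03:05:40 -0400] "GET /webdav/sip2.php?&IP=47.113.98 HTTP/1.1" 404 1188 "-" "Opera/9.21 (Windows NT 5.1; U; en)"
198.51.100.7 - - [06/Apr/2011:03:05:41 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Apr/2011:03:05:42 -0400] "GET /images/logo.png HTTP/1.1" 200 2048 "http://example.invalid/index.html" "Mozilla/5.0"
"""

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path, _, query = rec["target"].partition("?")
    rec["path"], rec["query"] = path, query
    return rec


def profile_clients(text):
    """Aggregate per-client facts that separate a probe from a browsing session."""
    profiles = defaultdict(lambda: {
        "requests": 0, "not_found": 0, "paths": set(), "queries": set(),
        "agents": set(), "first": None, "last": None,
    })
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        p = profiles[rec["ip"]]
        p["requests"] += 1
        p["not_found"] += rec["status"] == 404
        p["paths"].add(rec["path"])
        p["queries"].add(rec["query"])
        p["agents"].add(rec["ua"])
        p["first"] = rec["time"] if p["first"] is None else min(p["first"], rec["time"])
        p["last"] = rec["time"] if p["last"] is None else max(p["last"], rec["time"])
    return profiles


def flag_scanners(profiles, min_requests=5, min_404_ratio=0.8, window_seconds=60):
    """Flag clients that hit the server hard, mostly miss, and do it within a short window.

    Thresholds are assumptions for the example; a busy site would raise min_requests
    and lower the window. The 404 ratio is the key signal: a browser following links
    rarely misses, a scanner walking a wordlist or sweeping a parameter mostly misses.
    """
    findings = []
    for ip, p in profiles.items():
        span = (p["last"] - p["first"]).total_seconds()
        ratio = p["not_found"] / p["requests"]
        if p["requests"] >= min_requests and ratio >= min_404_ratio and span <= window_seconds:
            findings.append({
                "ip": ip, "requests": p["requests"], "not_found": p["not_found"],
                "span_seconds": span, "paths": sorted(p["paths"]),
                "distinct_queries": len(p["queries"]), "agents": sorted(p["agents"]),
            })
    return sorted(findings, key=lambda f: f["requests"], reverse=True)


if __name__ == "__main__":
    for f in flag_scanners(profile_clients(SAMPLE_LOG)):
        print(f"{f['ip']}: {f['not_found']}/{f['requests']} 404s in {f['span_seconds']:.0f}s, "
              f"paths={f['paths']}, {f['distinct_queries']} distinct query strings")
```

Run against the real access log (`tail -n 5000 /var/log/apache2/access.log` or wherever the server writes it, the path is an assumption) the output is a short list of client addresses worth blocking at the firewall, together with the evidence for each; the distinct-query count is what distinguishes a parameter sweep like the one in the post from a client repeatedly requesting one missing file.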



  • Get used to those attacks! That's why it's important to keep your house in order…

    :)



  • I'm working on it! I've found the problem was my server got hacked, and it's fixed now. What can I do on the pfsense side to help in the future?

