Help with Logging Info - ISP Warning



  • I'm on PFSense 2.0rc3…  looking for help with a security exposure...

    I received a warning from my ISP (AT&T) a few weeks ago about a PC accessing a sketchy (possibly a botnet) IRC service.  I haven't noticed any unusual activity on my PC's but I ran malware and AV scans on them all, including rootkit, etc.  So far nothing discovered.  In an attempt to narrow down which PC might be the problem I enabled logging triggered on IRC ports (6660-6670) and setup a syslog server.  Nothing much was found so I thought it may have been a fluke until today when I received another email from AT&T.

    This time I looked through my syslog archive and found only the following:

    2011-09-24 13:10:27 Local0.Info 192.168.0.1 Sep 24 13:11:31 pf:     85.190.0.3.38716 > 74.x.x.x (MY ISP IP).6664: Flags [ S], cksum 0x809d (correct), seq 6980266, win 5840, options [mss 1452,sackOK,TS val 36479528 ecr 0,nop,wscale 7], length 0
    2011-09-24 13:10:27 Local0.Info 192.168.0.1 Sep 24 13:11:31 pf: 00:00:00.048794 rule 55/0(match): pass in on pppoe0: (tos 0x0, ttl 50, id 30976, offset 0, flags [DF], proto TCP (6), length 60)
    2011-09-24 13:10:27 Local0.Info 192.168.0.1 Sep 24 13:11:31 pf:     85.190.0.3.47732 > 74.x.x.x (MY ISP IP).6665: Flags [ S], cksum 0x7e59 (correct), seq 2264193833, win 5840, options [mss 1452,sackOK,TS val 36479529 ecr 0,nop,wscale 7], length 0
    2011-09-24 13:10:27 Local0.Info 192.168.0.1 Sep 24 13:11:31 pf: 00:00:00.000490 rule 55/0(match): pass in on pppoe0: (tos 0x0, ttl 50, id 62562, offset 0, flags [DF], proto TCP (6), length 60)
    2011-09-24 13:10:27 Local0.Info 192.168.0.1 Sep 24 13:11:31 pf:     85.190.0.3.50465 > 74.x.x.x (MY ISP IP).6663: Flags [ S], cksum 0x3b75 (correct), seq 1141659211, win 5840, options [mss 1452,sackOK,TS val 36479529 ecr 0,nop,wscale 7], length 0
    2011-09-24 13:10:27 Local0.Info 192.168.0.1 Sep 24 13:11:31 pf: 00:00:00.003211 rule 55/0(match): pass in on pppoe0: (tos 0x0, ttl 50, id 34893, offset 0, flags [DF], proto TCP (6), length 60)
    2011-09-24 13:10:27 Local0.Info 192.168.0.1 Sep 24 13:11:31 pf:     85.190.0.3.39290 > 74.x.x.x (MY ISP IP).6661: Flags [ S], cksum 0xf23b (correct), seq 3839175268, win 5840, options [mss 1452,sackOK,TS val 36479529 ecr 0,nop,wscale 7], length 0
    2011-09-24 13:10:27 Local0.Info 192.168.0.1 Sep 24 13:11:31 pf: 00:00:00.006405 rule 55/0(match): pass in on pppoe0: (tos 0x0, ttl 50, id 60402, offset 0, flags [DF], proto TCP (6), length 60)
    2011-09-24 13:10:27 Local0.Info 192.168.0.1 Sep 24 13:11:31 pf:     85.190.0.3.46727 > 74.x.x.x (MY ISP IP).6667: Flags [ S], cksum 0x2f9b (correct), seq 1793870299, win 5840, options [mss 1452,sackOK,TS val 36479529 ecr 0,nop,wscale 7], length 0
    2011-09-24 13:10:27 Local0.Info 192.168.0.1 Sep 24 13:11:31 pf: 00:00:00.001236 rule 55/0(match): pass in on pppoe0: (tos 0x0, ttl 50, id 15595, offset 0, flags [DF], proto TCP (6), length 60)
    2011-09-24 13:10:27 Local0.Info 192.168.0.1 Sep 24 13:11:31 pf:     85.190.0.3.52672 > 74.x.x.x (MY ISP IP).6668: Flags [ S], cksum 0xd21d (correct), seq 1548263106, win 5840, options [mss 1452,sackOK,TS val 36479529 ecr 0,nop,wscale 7], length 0
    2011-09-24 13:10:27 Local0.Info 192.168.0.1 Sep 24 13:11:31 pf: 00:00:00.016161 rule 55/0(match): pass in on pppoe0: (tos 0x0, ttl 50, id 15601, offset 0, flags [DF], proto TCP (6), length 60)
    2011-09-24 13:10:27 Local0.Info 192.168.0.1 Sep 24 13:11:31 pf:     85.190.0.3.36887 > 74.x.x.x (MY ISP IP).6669: Flags [ S], cksum 0xe3d0 (correct), seq 2284297944, win 5840, options [mss 1452,sackOK,TS val 36479529 ecr 0,nop,wscale 7], length 0
    2011-09-24 13:10:27 Local0.Info 192.168.0.1 Sep 24 13:11:31 pf: 00:00:00.019076 rule 55/0(match): pass in on pppoe0: (tos 0x0, ttl 50, id 2327, offset 0, flags [DF], proto TCP (6), length 60)
    2011-09-24 13:10:27 Local0.Info 192.168.0.1 Sep 24 13:11:31 pf:     85.190.0.3.60081 > 74.x.x.x (MY IP).6664: Flags [ S], cksum 0xe2a7 (correct), seq 576039741, win 5840, options [mss 1452,sackOK,TS val 36479530 ecr 0,nop,wscale 7], length 0
    2011-09-24 13:14:52 Local0.Info 192.168.0.1 Sep 24 13:15:56 pf: 00:04:25.165309 rule 59/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 11, offset 0, flags [none], proto IGMP (2), length 40, options (RA))

    Can anyone help me figure out what is happening?  It seems like the traffic is not from my LAN but from my PFSense Router (but I'm not sure).  The IP 85.190.0.3 reports (google search): "This is the freenode IRC network proxy scanner service to detect abusive hosts and misconfigured proxies. If you see portscans/abuse from 85.190.0.3: Please read http://freenode.net/policy.shtml#proxies"

    I'm worried that it's possible I have something setup wrong on my router and it's being used as a proxy?  Or, worse, it's setup OK but there is an exposure in the software.  If it was a PC I Should have seen the PC's IP Address from my LAN Subnet in the logs, correct?

    My PFSense is running on an ALIX platform, with one WAN, One LAN, one WLAN, and the second WAN unused (at the moment.)

    WLAN and LAN are bridged.



  • what rules you're having on wan?
    there is also a release nowadays, so you don't need to run on rc3 anymore



  • Updated to 2.0 overnight.  Here's a screenshot of the WAN rules… some minor-identifying info blurred out...



  • so you're having vpn. what vpn logs tells to you?



  • I'm not seeing anything in the VPN Logs.  In the System Logs \ Settings I have PPTP VPN events checked, should I have anything else captured?

    I'm the only one who uses the VPN, unless it's hacked, so if I need a rule to capture that traffic / status besides the above please advise.



  • use capture on wan and capture anything let's say around 10 000 packets, you might see something(it's still guite narrow window) but don't be disappointed, if nothing extra ordinary is seen.

    i just asked to see wan rules, if you have opened too much ports, like made proxy accessible outside world. you also might want to change admin password if you have only password authentication on that vpn.



  • Thanks, since the email is a few weeks apart, I'm not sure if the malware is running constantly or not, I assume not.  My VPN is running SSL/TLS + User Authentication.  I've got the ports for IRC blocked now and logged, so, I'm hoping I'll get a little more info that way.  I may just disable VPN for a bit too since I don't really need it running all the time.


Locked