Netgate Discussion Forum
    Help with Logging Info - ISP Warning

    Firewalling
    7 Posts 2 Posters 2.6k Views
    • eihcet

      I'm on pfSense 2.0-RC3... looking for help with a security exposure...

      I received a warning from my ISP (AT&T) a few weeks ago about a PC accessing a sketchy (possibly a botnet) IRC service.  I haven't noticed any unusual activity on my PCs, but I ran malware and AV scans on them all, including rootkit, etc.  So far nothing discovered.  In an attempt to narrow down which PC might be the problem I enabled logging triggered on IRC ports (6660-6670) and set up a syslog server.  Nothing much was found, so I thought it may have been a fluke until today, when I received another email from AT&T.

      This time I looked through my syslog archive and found only the following:

      2011-09-24 13:10:27 Local0.Info 192.168.0.1 Sep 24 13:11:31 pf:     85.190.0.3.38716 > 74.x.x.x (MY ISP IP).6664: Flags [ S], cksum 0x809d (correct), seq 6980266, win 5840, options [mss 1452,sackOK,TS val 36479528 ecr 0,nop,wscale 7], length 0
      2011-09-24 13:10:27 Local0.Info 192.168.0.1 Sep 24 13:11:31 pf: 00:00:00.048794 rule 55/0(match): pass in on pppoe0: (tos 0x0, ttl 50, id 30976, offset 0, flags [DF], proto TCP (6), length 60)
      2011-09-24 13:10:27 Local0.Info 192.168.0.1 Sep 24 13:11:31 pf:     85.190.0.3.47732 > 74.x.x.x (MY ISP IP).6665: Flags [ S], cksum 0x7e59 (correct), seq 2264193833, win 5840, options [mss 1452,sackOK,TS val 36479529 ecr 0,nop,wscale 7], length 0
      2011-09-24 13:10:27 Local0.Info 192.168.0.1 Sep 24 13:11:31 pf: 00:00:00.000490 rule 55/0(match): pass in on pppoe0: (tos 0x0, ttl 50, id 62562, offset 0, flags [DF], proto TCP (6), length 60)
      2011-09-24 13:10:27 Local0.Info 192.168.0.1 Sep 24 13:11:31 pf:     85.190.0.3.50465 > 74.x.x.x (MY ISP IP).6663: Flags [ S], cksum 0x3b75 (correct), seq 1141659211, win 5840, options [mss 1452,sackOK,TS val 36479529 ecr 0,nop,wscale 7], length 0
      2011-09-24 13:10:27 Local0.Info 192.168.0.1 Sep 24 13:11:31 pf: 00:00:00.003211 rule 55/0(match): pass in on pppoe0: (tos 0x0, ttl 50, id 34893, offset 0, flags [DF], proto TCP (6), length 60)
      2011-09-24 13:10:27 Local0.Info 192.168.0.1 Sep 24 13:11:31 pf:     85.190.0.3.39290 > 74.x.x.x (MY ISP IP).6661: Flags [ S], cksum 0xf23b (correct), seq 3839175268, win 5840, options [mss 1452,sackOK,TS val 36479529 ecr 0,nop,wscale 7], length 0
      2011-09-24 13:10:27 Local0.Info 192.168.0.1 Sep 24 13:11:31 pf: 00:00:00.006405 rule 55/0(match): pass in on pppoe0: (tos 0x0, ttl 50, id 60402, offset 0, flags [DF], proto TCP (6), length 60)
      2011-09-24 13:10:27 Local0.Info 192.168.0.1 Sep 24 13:11:31 pf:     85.190.0.3.46727 > 74.x.x.x (MY ISP IP).6667: Flags [ S], cksum 0x2f9b (correct), seq 1793870299, win 5840, options [mss 1452,sackOK,TS val 36479529 ecr 0,nop,wscale 7], length 0
      2011-09-24 13:10:27 Local0.Info 192.168.0.1 Sep 24 13:11:31 pf: 00:00:00.001236 rule 55/0(match): pass in on pppoe0: (tos 0x0, ttl 50, id 15595, offset 0, flags [DF], proto TCP (6), length 60)
      2011-09-24 13:10:27 Local0.Info 192.168.0.1 Sep 24 13:11:31 pf:     85.190.0.3.52672 > 74.x.x.x (MY ISP IP).6668: Flags [ S], cksum 0xd21d (correct), seq 1548263106, win 5840, options [mss 1452,sackOK,TS val 36479529 ecr 0,nop,wscale 7], length 0
      2011-09-24 13:10:27 Local0.Info 192.168.0.1 Sep 24 13:11:31 pf: 00:00:00.016161 rule 55/0(match): pass in on pppoe0: (tos 0x0, ttl 50, id 15601, offset 0, flags [DF], proto TCP (6), length 60)
      2011-09-24 13:10:27 Local0.Info 192.168.0.1 Sep 24 13:11:31 pf:     85.190.0.3.36887 > 74.x.x.x (MY ISP IP).6669: Flags [ S], cksum 0xe3d0 (correct), seq 2284297944, win 5840, options [mss 1452,sackOK,TS val 36479529 ecr 0,nop,wscale 7], length 0
      2011-09-24 13:10:27 Local0.Info 192.168.0.1 Sep 24 13:11:31 pf: 00:00:00.019076 rule 55/0(match): pass in on pppoe0: (tos 0x0, ttl 50, id 2327, offset 0, flags [DF], proto TCP (6), length 60)
      2011-09-24 13:10:27 Local0.Info 192.168.0.1 Sep 24 13:11:31 pf:     85.190.0.3.60081 > 74.x.x.x (MY IP).6664: Flags [ S], cksum 0xe2a7 (correct), seq 576039741, win 5840, options [mss 1452,sackOK,TS val 36479530 ecr 0,nop,wscale 7], length 0
      2011-09-24 13:14:52 Local0.Info 192.168.0.1 Sep 24 13:15:56 pf: 00:04:25.165309 rule 59/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 11, offset 0, flags [none], proto IGMP (2), length 40, options (RA))

      Can anyone help me figure out what is happening?  It seems like the traffic is not from my LAN but from my pfSense router (but I'm not sure).  The IP 85.190.0.3 reports (Google search): "This is the freenode IRC network proxy scanner service to detect abusive hosts and misconfigured proxies. If you see portscans/abuse from 85.190.0.3: Please read http://freenode.net/policy.shtml#proxies"

      I'm worried that it's possible I have something set up wrong on my router and it's being used as a proxy?  Or, worse, it's set up OK but there is an exposure in the software.  If it was a PC, I should have seen the PC's IP address from my LAN subnet in the logs, correct?

      My pfSense is running on an ALIX platform, with one WAN, one LAN, one WLAN, and the second WAN unused (at the moment).

      WLAN and LAN are bridged.

      • Metu69salemi
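One way to answer the "is it a LAN PC or the router itself?" question from pf log lines like the ones above, as an added Python example (not from the poster or from pfSense): it pairs each pf rule line with its packet detail line, then counts passed TCP SYNs to the IRC port range by interface, rule, and whether the source and destination fall inside an assumed 192.168.0.0/24 LAN. The sample log is constructed in the same shape as the thread's export, with documentation-range addresses standing in for the redacted WAN IP.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample, not the poster's exact lines: same pflog/tcpdump shape as the syslog export.
SAMPLE_LOG = """\
Sep 24 13:11:31 pf:     85.190.0.3.38716 > 203.0.113.5.6664: Flags [S], cksum 0x809d (correct), seq 6980266, win 5840, length 0
Sep 24 13:11:31 pf: 00:00:00.048794 rule 55/0(match): pass in on pppoe0: (tos 0x0, ttl 50, id 30976, offset 0, flags [DF], proto TCP (6), length 60)
Sep 24 13:11:31 pf:     85.190.0.3.47732 > 203.0.113.5.6665: Flags [S], cksum 0x7e59 (correct), seq 2264193833, win 5840, length 0
Sep 24 13:11:31 pf: 00:00:00.000490 rule 55/0(match): pass in on pppoe0: (tos 0x0, ttl 50, id 62562, offset 0, flags [DF], proto TCP (6), length 60)
Sep 24 13:11:40 pf: 00:00:00.000120 rule 12/0(match): pass in on bridge0: (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60)
Sep 24 13:11:40 pf:     192.168.0.23.51000 > 198.51.100.9.6667: Flags [S], cksum 0x1234 (correct), seq 1, win 65535, length 0
Sep 24 13:15:56 pf: 00:04:25.165309 rule 59/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 11, offset 0, flags [none], proto IGMP (2), length 40, options (RA))
"""

RULE_RE = re.compile(r"rule (?P<rule>\d+/\d+)\([\w-]+\): (?P<action>pass|block) (?P<dir>in|out) "
                     r"on (?P<iface>\w+):.*proto (?P<proto>\w+)")
PKT_RE = re.compile(r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")
IRC_PORTS = range(6660, 6671)        # the range the poster enabled logging for
LAN = ip_network("192.168.0.0/24")   # assumed from the 192.168.0.1 syslog source; adjust for your LAN

def parse_pflog(text):
    """Merge each 'rule ...' line with its adjacent TCP detail line into one event. syslog may
    deliver the pair in either order (the thread shows detail first), so pair whichever arrives second."""
    events, rule, pkt = [], None, None
    for line in text.splitlines():
        if (m := RULE_RE.search(line)):
            if m["proto"] != "TCP":          # no TCP detail line follows; record the rule line alone
                events.append(m.groupdict())
                continue
            rule = m.groupdict()
        elif (m := PKT_RE.search(line)):
            pkt = m.groupdict()
        if rule and pkt:
            events.append({**rule, **pkt})
            rule = pkt = None
    return events

def irc_findings(events, lan=LAN):
    """Count passed TCP SYNs to IRC ports by interface, rule and LAN membership of src/dst. pf applies
    port forwards (rdr) before filter rules, so an inbound WAN hit still addressed to the WAN IP was not forwarded to a PC."""
    hits = Counter()
    for e in events:
        if e.get("flags", "").strip() != "S" or e["action"] != "pass" or int(e["dport"]) not in IRC_PORTS:
            continue
        side = lambda ip: "LAN" if ip_address(ip) in lan else "outside LAN"
        hits[(e["iface"], e["rule"], side(e["src"]), side(e["dst"]))] += 1
    return hits

if __name__ == "__main__":
    for (iface, rule, origin, target), n in irc_findings(parse_pflog(SAMPLE_LOG)).items():
        print(f"{n} SYN(s) passed on {iface} by rule {rule}: {origin} -> {target}")
```

On the constructed sample this reports the two freenode scanner SYNs as "outside LAN -> outside LAN" on pppoe0 (accepted by rule 55/0 for the firewall's own address), and the one LAN-originated IRC connection on bridge0 as "LAN -> outside LAN", which is the shape a compromised PC would leave behind.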

        What rules do you have on WAN?
        There is also a release out now, so you don't need to run on RC3 anymore.

        • eihcet

          Updated to 2.0 overnight.  Here's a screenshot of the WAN rules... some minor identifying info blurred out...

          • Metu69salemi

            So you're running a VPN. What do the VPN logs tell you?

            • eihcet

              I'm not seeing anything in the VPN logs.  In the System Logs \ Settings I have PPTP VPN events checked; should I have anything else captured?

              I'm the only one who uses the VPN, unless it's hacked, so if I need a rule to capture that traffic / status besides the above, please advise.

              • Metu69salemi

                Use packet capture on WAN and capture everything, let's say around 10 000 packets. You might see something (it's still quite a narrow window), but don't be disappointed if nothing extraordinary is seen.

                I just asked to see the WAN rules in case you have opened too many ports, like making a proxy accessible to the outside world. You also might want to change the admin password if you have only password authentication on that VPN.

                • eihcet

                  Thanks.  Since the emails are a few weeks apart, I'm not sure if the malware is running constantly or not; I assume not.  My VPN is running SSL/TLS + user authentication.  I've got the ports for IRC blocked and logged now, so I'm hoping I'll get a little more info that way.  I may just disable the VPN for a bit too, since I don't really need it running all the time.
