Strange traffic on WAN



  • Hi All,  I run a small business with my own web server behind pfSense.  This has worked fine for a number of years.  You can assume from this that I am no IT expert!

    I noticed on Wednesday that there had been a lot of traffic on WAN1 and, upon checking the RRD graph for WAN1 (see attached), found that this traffic had been constant, inbound and outbound, for about 24 hrs.  I have checked my web server logs and can't find anything out of the ordinary.  I also checked the traffic graphs for LAN, DMZ and WLAN and there is matching spike in activity.

    I am hoping that someone might be able to give me an idea of what might be going on here: have I been hacked or compromised in some way?  Also, any pointers on how I might investigate this further and what I should do if it happens again.

    Regards,

    Wayne




  • I cannot say without more details such as the ports used and possibly the external IP that is connecting (not your external IP), but it looks like maybe a file share service. I would have Snort running to better help with the issues. If you would like, feel free to PM me and I can try and assist you.


  • Rebel Alliance Global Moderator

    Without more details of what ports were being used, or better yet a capture of the traffic, it's impossible to say what could have caused the spike.  File sharing would be a good guess.

    So it's not happening now?  If it does, grab a capture of the traffic and then we can see what IPs and exactly what it is.
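The capture the moderator asks for, carried one step further as an added example that is not part of the original thread. On pfSense the capture can be taken from Diagnostics > Packet Capture or from the shell with `tcpdump -nni <WAN interface> -w wan.pcap`, then dumped as text with `tcpdump -nnr wan.pcap`. The script below reads that text and aggregates bytes per remote host and port while keeping direction, so a flat 24-hour line on the RRD graph resolves into which host, which port, and which way the bytes went. The WAN address 198.51.100.10, the remote addresses and the capture lines are all constructed for the example; the service-port list is taken from the NAT rules posted in the thread.

```python
import re
from collections import defaultdict

# Matches IPv4 TCP/UDP lines as printed by "tcpdump -nn" (with or without -tttt timestamps).
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): .*\blength (?P<len>\d+)"
)

# Ports forwarded on this firewall per the rule list in the thread (25, 80, 443, 1194,
# 5060, 11000-20000); anything else above 1023 is treated as an ephemeral client port.
KNOWN_SERVICE_PORTS = {25, 80, 443, 1194, 5060} | set(range(11000, 20001))

# Hypothetical WAN address for the example (TEST-NET-2).
WAN_IP = "198.51.100.10"

# Constructed sample capture: an HTTPS visitor, the firewall itself sending mail to a remote
# MX, an inbound SIP packet, and a stray LAN packet that should be ignored.
SAMPLE_CAPTURE = """\
2013-04-10 14:02:11.100000 IP 203.0.113.5.51234 > 198.51.100.10.443: Flags [P.], seq 1:601, ack 1, win 229, length 600
2013-04-10 14:02:11.150000 IP 198.51.100.10.443 > 203.0.113.5.51234: Flags [P.], seq 1:4001, ack 601, win 235, length 4000
2013-04-10 14:02:12.000000 IP 198.51.100.10.40122 > 192.0.2.77.25: Flags [P.], seq 1:1449, ack 1, win 229, length 1448
2013-04-10 14:02:12.010000 IP 198.51.100.10.40122 > 192.0.2.77.25: Flags [P.], seq 1449:2897, ack 1, win 229, length 1448
2013-04-10 14:02:12.020000 IP 192.0.2.77.25 > 198.51.100.10.40122: Flags [.], ack 2897, win 1000, length 0
2013-04-10 14:02:12.500000 IP 203.0.113.9.5060 > 198.51.100.10.5060: UDP, length 612
2013-04-10 14:02:13.000000 IP 10.0.0.5.55555 > 10.0.0.6.80: Flags [S], seq 0, win 65535, length 0
"""


def port_label(port):
    """Keep service ports as-is, collapse ephemeral ports to 'eph' so flows aggregate."""
    return port if port < 1024 or port in KNOWN_SERVICE_PORTS else "eph"


def summarize(capture_text, wan_ip):
    """Aggregate bytes per (remote_ip, local_port, remote_port) as seen from wan_ip.
    'in' counts bytes addressed to wan_ip, 'out' counts bytes sent from it."""
    stats = defaultdict(lambda: {"in": 0, "out": 0, "pkts": 0})
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        n = int(m["len"])
        if m["dst"] == wan_ip:
            key = (m["src"], port_label(int(m["dport"])), port_label(int(m["sport"])))
            stats[key]["in"] += n
        elif m["src"] == wan_ip:
            key = (m["dst"], port_label(int(m["sport"])), port_label(int(m["dport"])))
            stats[key]["out"] += n
        else:
            continue  # not WAN traffic (e.g. a stray LAN packet in the capture)
        stats[key]["pkts"] += 1
    return dict(stats)


def top_talkers(stats, n=5):
    """Flows sorted by total bytes, largest first."""
    return sorted(stats.items(), key=lambda kv: kv[1]["in"] + kv[1]["out"], reverse=True)[:n]


def outbound_smtp_peers(stats):
    """Remote hosts the firewall itself connected to on port 25 (local ephemeral port,
    remote port 25). Inbound mail looks the other way round; a long list here means the
    box is sending mail, which is what an abused relay looks like on the wire."""
    return sorted({ip for (ip, lport, rport) in stats if lport == "eph" and rport == 25})


if __name__ == "__main__":
    stats = summarize(SAMPLE_CAPTURE, WAN_IP)
    for (ip, lport, rport), s in top_talkers(stats):
        print(f"{ip:>15}  local {lport!s:>5} <-> remote {rport!s:>5}  "
              f"in={s['in']:>6}  out={s['out']:>6}  pkts={s['pkts']}")
    print("firewall sent mail to:", outbound_smtp_peers(stats))
```

Run it as `tcpdump -nnr wan.pcap | python3 summarize.py` after changing the `__main__` block to read `sys.stdin`; the interesting output is any flow whose bytes are mostly `out` towards a port you do not serve, or a port 25 peer list that is longer than the handful of hosts your mail actually goes to.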



  • Thanks Josh.  Basic info on my system is as follows:
    Dual WAN (WAN1 and WAN2 are on a VLAN).  Behind pfsense is LAN, WLAN, DMZ and OpenVPN.

    Incoming rules WAN1:
    Port 25 -> NAT redirect -> 127.0.0.1 (Postfix mail relay)
    Port 80 -> NAT redirect -> DMZ -> web server
    Port 443 -> NAT redirect -> DMZ -> web server
    Port 11000:20000 -> NAT redirect -> LAN -> VoIP server
    Port 1194 -> NAT redirect -> 127.0.0.1 (OpenVPN)

    Incoming rules WAN2:
    Port 25 -> NAT redirect -> 127.0.0.1 (Postfix mail relay)
    Port 5060 -> NAT redirect -> LAN -> VoIP server
    Port 11000:20000 -> NAT redirect -> LAN -> VoIP server
    Port 1194 -> NAT redirect -> 127.0.0.1 (OpenVPN)

    I don't do or allow torrents.  Also noticed that the Postfix logs for Tuesday & Wednesday are missing???  I will look at this more closely in a few hours when I finish work.

    Once again, thanks in advance.



  • The only thing from what I can gather out of those details would be VoIP. Is VoIP used often? If so, that could be the cause of the spike, but it should not be that huge a spike. But there might be a need for some more information.



  • Thanks for the feedback guys.  I spent a good part of the weekend checking all server and PC logs (all Linux) and could find nothing that corresponded with the 20-hour spike in in/out bandwidth.  From this I can only assume that someone may have been relaying directly off the pfSense box.

    The only thing that I can see that could cause this problem is the Postfix forwarder.  Does anyone have any comments on this?

    Regards,

    Wayne
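One way to check the relay suspicion in whatever Postfix logs survived, as an added example that is not part of the thread. The script joins each smtpd `client=` line with the smtp delivery lines for the same queue ID and flags mail that arrived from a client outside the trusted networks and was then handed to an external MX, which is what an open relay (or a stolen SASL password) looks like in the log; it also counts the "Relay access denied" rejections that a correctly restricted relay produces instead. `MYNETWORKS`, the internal mail host name and every log line below are constructed placeholders, not the poster's real values.

```python
import ipaddress
import re
from collections import defaultdict

# Networks Postfix should accept unauthenticated relay from (its "mynetworks").
# Hypothetical LAN/DMZ ranges standing in for the poster's real ones.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24", "192.168.2.0/24")]
# Hostname of the internal mail server the relay forwards inbound mail to (hypothetical).
INTERNAL_MAIL_HOST = "mail.example.internal"

# smtpd logs the client for each queue id; sasl_username appears only for authenticated clients.
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=\S+\[(?P<ip>[\d.]+)\]"
    r"(?:, sasl_method=\S+, sasl_username=(?P<user>\S+))?"
)
# smtp (the delivery side) logs where each recipient's copy went.
SENT_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]+)>, "
    r"relay=(?P<relay>[^\[,]+)\[[\d.]+\]:\d+, .*status=sent"
)
# A correctly restricted relay refuses untrusted clients with this message.
REJECT_RE = re.compile(r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[\d.]+)\].*Relay access denied")

# Constructed sample maillog: an unauthenticated external client relayed out (abuse), an
# external client delivering inbound mail (normal), a LAN PC sending out (normal), a bot
# being refused (normal), and an external client relaying with a SASL login (suspicious).
SAMPLE_MAILLOG = """\
Apr 10 03:12:01 fw postfix/smtpd[2101]: connect from unknown[203.0.113.5]
Apr 10 03:12:01 fw postfix/smtpd[2101]: 9F1C2A7B3D: client=unknown[203.0.113.5]
Apr 10 03:12:01 fw postfix/qmgr[1100]: 9F1C2A7B3D: from=<promo@example.net>, size=2310, nrcpt=40 (queue active)
Apr 10 03:12:02 fw postfix/smtp[2110]: 9F1C2A7B3D: to=<user1@example.org>, relay=mx.example.org[192.0.2.77]:25, delay=0.6, delays=0.1/0/0.3/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
Apr 10 03:12:02 fw postfix/smtp[2110]: 9F1C2A7B3D: to=<user2@example.org>, relay=mx.example.org[192.0.2.77]:25, delay=0.6, delays=0.1/0/0.3/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
Apr 10 03:13:10 fw postfix/smtpd[2102]: 1A2B3C4D5E: client=unknown[198.51.100.44]
Apr 10 03:13:10 fw postfix/smtp[2111]: 1A2B3C4D5E: to=<wayne@example.com>, relay=mail.example.internal[192.168.2.10]:25, delay=0.2, delays=0.1/0/0/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 77A1)
Apr 10 03:14:00 fw postfix/smtpd[2103]: 5E6F7A8B9C: client=pc7.lan[192.168.1.25]
Apr 10 03:14:01 fw postfix/smtp[2112]: 5E6F7A8B9C: to=<partner@example.org>, relay=mx.example.org[192.0.2.77]:25, delay=0.5, delays=0.1/0/0.2/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
Apr 10 03:15:22 fw postfix/smtpd[2104]: NOQUEUE: reject: RCPT from unknown[203.0.113.77]: 454 4.7.1 <someone@example.org>: Relay access denied; from=<x@example.net> to=<someone@example.org> proto=ESMTP helo=<bot>
Apr 10 03:15:23 fw postfix/smtpd[2104]: NOQUEUE: reject: RCPT from unknown[203.0.113.77]: 454 4.7.1 <other@example.org>: Relay access denied; from=<x@example.net> to=<other@example.org> proto=ESMTP helo=<bot>
Apr 10 03:16:00 fw postfix/smtpd[2105]: 7C8D9E0F1A: client=unknown[203.0.113.90], sasl_method=PLAIN, sasl_username=wayne
Apr 10 03:16:01 fw postfix/smtp[2113]: 7C8D9E0F1A: to=<victim@example.org>, relay=mx.example.org[192.0.2.77]:25, delay=0.4, delays=0.1/0/0.2/0.1, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MYNETWORKS)


def find_relay_abuse(log_text):
    """Return (abused, rejected).
    abused:   list of (queue_id, client_ip, sasl_user, recipient, relay) for mail that came
              from an untrusted client and left again to an external MX. Authenticated
              clients are included, not excluded: a stolen password relays just the same.
    rejected: dict client_ip -> number of relay attempts Postfix refused."""
    client_of, users = {}, {}
    lines = log_text.splitlines()
    for line in lines:  # first pass: queue id -> client, so ordering in the log doesn't matter
        m = CLIENT_RE.search(line)
        if m:
            client_of[m["qid"]] = m["ip"]
            users[m["qid"]] = m["user"]
    abused, rejected = [], defaultdict(int)
    for line in lines:
        m = SENT_RE.search(line)
        if m:
            client = client_of.get(m["qid"])
            if client and not is_trusted(client) and m["relay"] != INTERNAL_MAIL_HOST:
                abused.append((m["qid"], client, users.get(m["qid"]), m["rcpt"], m["relay"]))
            continue
        m = REJECT_RE.search(line)
        if m:
            rejected[m["ip"]] += 1
    return abused, dict(rejected)


def messages_per_client(abused):
    """Distinct relayed messages per untrusted client: the list to block, or whose
    SASL account needs a password reset."""
    per_client = defaultdict(set)
    for qid, client, *_ in abused:
        per_client[client].add(qid)
    return {ip: len(qids) for ip, qids in per_client.items()}


if __name__ == "__main__":
    abused, rejected = find_relay_abuse(SAMPLE_MAILLOG)
    for qid, client, user, rcpt, relay in abused:
        print(f"RELAYED {qid} from {client} (sasl={user}) to {rcpt} via {relay}")
    print("messages per client:", messages_per_client(abused))
    print("relay attempts refused:", rejected)
```

Point it at /var/log/maillog (the Tuesday and Wednesday files the poster says are missing cannot be checked, which is itself worth noting: mail logs do not normally vanish on their own). The configuration side of the same check is `postconf smtpd_recipient_restrictions` (and `smtpd_relay_restrictions` on Postfix 2.10 and later): unauthenticated clients outside `mynetworks` must hit `reject_unauth_destination` before any permit rule, otherwise the box is an open relay regardless of what the pfSense NAT rules look like.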

