Automatic Update?



  • Hello Community,
    this morning my pfSense 2.1 was upgraded automatically to the latest version, 2.2. Is this normal behavior? Because I did not start any update process.

    Best regards
    BlueArt



  • Sounds to me like you are not the only one with admin access to the box (-;

    Or a windows box used for gaming / sketchy sites / P-2-P that is used to also access the pfsense?



  • OK, and there comes the problem. I am the only one with admin rights to this box, and this is something I'm 100% sure of. So I can rule out any other person. That's why I was asking whether there is a process that upgrades the box at a certain time. Because if there is not, I need to assume that the box has been compromised, and that someone upgraded the box to close a security leak and make sure he is the only one using the box right now.



  • Yes SSH and as I just found out the webpage is reachable over one of my public IPs. VPN is running over OpenVPN.

    So I guess this means reinstalling the box and disabling SSH and the web page on the public interface….
    At the moment I'm checking all the logs, users and so on, but I cannot find anything strange so far, and I don't trust this box anymore.



  • I'm guessing someone got into something you are running exposed to the internet or maybe the machine you use for admin is compromised?



  • SSH is pretty durable if you use a long/complex password.  You can also move it to a high numbered port for a little obscurity.  VPN also - use difficult passwords and also certificates for user authentication.

    Don't expose your gui though.

    Yeah - wipe the box and reinstall by hand.  Don't use your config backup.

    At least that's what I would do.

    If it's a Windows admin machine that's compromised, they have your keystrokes.  This is the easiest way for someone to "hack" your box BTW.



  • SSH password is 20+ characters with numbers and all that stuff, so that should be good to go.
    OpenVPN is accessible via certificate.

    The only thing unsafe was that the GUI was exposed on a public IP, reachable by everyone.

    The Admin PC should be secured. I will check that before I will reinstall the box.



  • If I was doing anything for a business, I'd use a non-windows computer to admin the pfsense and would make it a no-personal-bs box.



  • Yeah, normally I use my Linux laptop to administrate the box, but sometimes it has to be Windows.

    I was going through the logs of the box and it really was an attack over the webGUI.

    Mar 16 08:15:06 hostname php: /index.php: Successful login for user 'admin' from: 18.239.0.140
    Mar 16 08:15:06 hostname php: /index.php: Successful login for user 'admin' from: 18.239.0.140
    Mar 16 08:17:18 hostname shutdown: reboot by root:
    Mar 16 08:17:18 hostname shutdown: reboot by root:

    edit:
    I can tell from which IPs I will access this box, since they are all static and only 3 different ones. And I don't have access to any server in the MIT network.
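A defender-side check prompted by this post: given the log format quoted above and the point that all legitimate admin logins come from a handful of static IPs, the following added shell example (not from the thread; the allowlist IPs and the sample log lines are constructed) flags successful webGUI logins from any other source.

```shell
#!/bin/sh
# Added example, not from the thread. Flags pfSense webGUI logins whose source
# IP is not in the admin's known static allowlist.
# Assumed allowlist: replace with your own static admin IPs (constructed here).
ALLOWED_IPS="203.0.113.10 203.0.113.11 198.51.100.7"

# Constructed sample of the php login messages pfSense 2.1 writes to the
# system log (same format as quoted in the post; each line is logged twice).
SAMPLE_LOG="Mar 16 07:58:02 hostname php: /index.php: Successful login for user 'admin' from: 203.0.113.10
Mar 16 08:15:06 hostname php: /index.php: Successful login for user 'admin' from: 18.239.0.140
Mar 16 08:15:06 hostname php: /index.php: Successful login for user 'admin' from: 18.239.0.140
Mar 16 08:17:18 hostname shutdown: reboot by root:"

# unexpected_logins ALLOWLIST LOGTEXT
# Prints one "timestamp user ip" line per distinct successful login whose
# source IP is not in ALLOWLIST (space separated). Duplicate log lines are
# collapsed so the doubled logging does not double count.
unexpected_logins() {
    allowed="$1"
    q="'"
    printf '%s\n' "$2" | grep 'Successful login for user' | while IFS= read -r line; do
        ip="${line##* from: }"                 # text after the last " from: "
        user="${line#*user $q}"                # drop everything up to "user '"
        user="${user%%$q*}"                    # keep up to the closing quote
        ts="$(printf '%s\n' "$line" | cut -d' ' -f1-3)"
        case " $allowed " in
            *" $ip "*) ;;                       # known admin source, ignore
            *) printf '%s %s %s\n' "$ts" "$user" "$ip" ;;
        esac
    done | sort -u
}

hits="$(unexpected_logins "$ALLOWED_IPS" "$SAMPLE_LOG")"
if [ -n "$hits" ]; then
    printf 'Successful logins from IPs outside the admin allowlist:\n%s\n' "$hits"
else
    printf 'No logins from unexpected IPs.\n'
fi
```

On a live box the same function can be fed `clog /var/log/system.log` output instead of the constructed sample.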


  • Netgate Administrator

    Yikes.  :o
    You never want to see that.

    Steve



  • Hackers out of MIT?  haha…

    Go figure...

    Yeah - wipe and reinstall by hand.



  • I will try to export only the firewall rules and the OpenVPN server config and check them, because the rules are too many to do by hand, and the same goes for the VPN server configs. But I need to change the keys, since they are no longer safe.

    Thanks for your help!!!



  • Good deal.

    BTW - Nice of your hacker friends to maintain your network for you.  I've only ever known one set of hackers to do such a thing.  Interesting.


  • LAYER 8 Netgate

    Yuk.  I have to know.  Was it still admin/pfsense?



  • haha - I'd assumed no, but thats actually a great question.



  • no :) it was admin with a 26 char password containing letters, numbers and special characters.


  • LAYER 8 Netgate

    Umm.  Ok.  Were you sniffed somewhere?  Was http/80 available?  Was that what you used when outside?


  • Moderator

    Pretty bad Rep on that IP.

    https://www.projecthoneypot.org/ip_18.239.0.140

    https://www.senderbase.org/lookup/ip/?search_string=18.239.0.140

    That IP is listed in the Snort BL that I use for pfBlockerNG:

    https://labs.snort.org/feeds/ip-filter.blf

    grep "^18.239.0." /var/db/pfblockerng/deny/*

    /var/db/pfblockerng/deny/BadIPs.txt:18.239.0.126
    /var/db/pfblockerng/deny/Snort_BL.txt:18.239.0.140
    /var/db/pfblockerng/deny/Snort_BL.txt:18.239.0.155



  • I'm pretty sure it's a proxy address used by lots of people.  That's not the biggest deal.  What's on the other side of that pfsense?  Anything important?


  • Moderator

    Also listed in the Spamhaus XBL list.
      http://www.spamhaus.org/query/bl?ip=18.239.0.140

    It is also listed in MaxMind Inc. Anonymous Proxy list:
      https://www.maxmind.com/en/proxy/18.239.0.140

    Stop Forum Spam - appears in our database 402 times. Current country of … 14-Mar-15 13:54
    www.stopforumspam.com/ipcheck/18.239.0.140



  • Was that 2.1-RELEASE, not 2.1.2 or newer? If so, that was Heartbleed vulnerable. Definitely could be compromised through either OpenVPN (if a server is listening and not using TLS auth) and the web interface since it was open to the world. That's my best guess as to what happened. Given it was upgraded, sounds like maybe someone hacking Heartbleed vulnerable devices to patch them.

    That IP is clearly a compromised machine of some sort, given the spam and other abuse coming out of it. Though it's odd that someone into spamming would be going around fixing people's security vulnerabilities. I'd expect them to want to be silent, to keep access to the system without you being aware. It's not uncommon for attackers to patch a system after they compromise it, because they don't want others to hack "their" systems, but usually done more quietly so the system's owner is unaware.



  • Actually that's a Tor exit node, which changes things a bit. It's potentially anyone in the world, not just a machine controlled by some spammers/hackers. More likely to have "altruistic" possibilities in that case.



  • Yes it was still 2.1 since I never got the downtime to patch it :( Which I did now….

    The webGUI of the pfSense was available via HTTPS on the OPT1 interface, which is the DMZ.
    In the DMZ there are a couple of web servers, a Lync frontend and the usual stuff.
    The pfSense is also holding a couple of VPN tunnels to remote sites and remote access for VPN clients.
    And all the clients have been using OpenVPN without TLS!!!



  • You think the hacker hacked his system and patched it to be nice?

    Or that the TOR node is made available to be nice?  (This one I can believe)

    Heartbleed - I didn't even consider that but really I should have.

    Unless I'm understanding wrong, you have to update not only the pfsense but also any SSH or Openvpn client accessing it.

    Any unpatched server or client makes everything vulnerable.  Is this correct?


  • Moderator

    Since I had de-duplication on in pfBNG, my first search only showed that IP in one list. I did a full search for that IP and it is a TOR exit node and listed on more lists…

    grep "^18.239.0." *

    Blut_Tor.orig:18.239.0.140
    ET_IPrep.orig:18.239.0.140
    Greensnow.orig:18.239.0.155
    Iblock_TOR.orig:18.239.0.155/32
    Infiltrated.orig:18.239.0.140
    Snort_BL.orig:18.239.0.140



  • @kejianshi:

    You think the hacker hacked his system and patched it to be nice?

    Possibly. That or they're super inept given absolutely no attempts to clear up their tracks - no clearing of logs showing their login and IP, and probably other traces left behind.



  • Yeah - These guys left a lot of evidence behind.  Pretty sloppy…  Barely better than I could do (-:


  • LAYER 8 Netgate

    So the prevailing concern at the time was that heartbleed would divulge private key material.  Are you saying that you think it divulged the admin password instead?



  • Not sure what others were thinking, but yeah.  Credentials seem to be on the menu with heartbleed, as well as other memory contents.

    http://heartbleed.com has a list of the various impacts and what could be compromised (everything in this case it would seem).

    I still wouldn't assume the way in didn't start with a compromised windows machine though.



  • @Derelict:

    So the prevailing concern at the time was that heartbleed would divulge private key material.  Are you saying that you think it divulged the admin password instead?

    It divulged contents of memory, which some proved could be used to steal the session cookie if you hit it while an admin is logged in and working with the system. It's potentially possible to get the password if you hit it at the time the admin's submitting the password, though that's harder than getting the session cookie. Lots of possibilities for badness when you can get a system to divulge its memory contents to you.



  • @blueart:

    Yeah normally I use my Linux Laptop to administrate the box but sometimes it has to windows.

    It almost never has to be Windows if you have a "DoD Lightweight Portable Security" bootable Linux CD handy. DoD came up with the concept for DoD workers to securely access DoD computers from their Windows machines when they kept failing to secure the Windows software. Stick it in, boot it up and you have a minimally functional Linux system that includes the basics. They have a Deluxe version that has more stuff, but it is slower to boot and a waste of time unless you need the additional stuff.

    http://en.wikipedia.org/wiki/Lightweight_Portable_Security

    http://spi.dod.mil/ (site is down from here tonight)

    Using another bootable Linux or BSD would also work; the lightest you can find that meets your needs will boot fastest.

    Using a USB bootable media will also work and may be faster to boot but it is subject to tampering which is much harder to do to a CD.

    I keep a few handy, I hand them out to neighbors and friends with corrupt Windows systems. Good enough until they can find someone to fix their Windows problems and it gets me away from the "please fix my Windows box" sad puppy eyes with near zero effort!


  • Netgate Administrator

    @stan-qaz:

    sad puppy eyes with near zero effort!

    Ha, I know that.  ;)

    Steve

