Network trogan detected in snort logs
-
Hi, I just checked my logs and the following message appears almost everyday.
pfSense snort[74411]: [1:30918:1] BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent Mozilla [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.168.0.100:8658 -> 220.181.124.5:80
pfSense is not even on the 192.168.0.x address range, it serves 192.168.1.x. Is this a real threat or some error?
-
What is in front of your pfsense? Give us more info on the modem/router/server in front of pfSense… Or some basic topology of your network...
Is the alert from your WAN Snort? Do you run Snort on both LAN and WAN? Any VLANS? What is your $HOME_NET, etc...
Need more info here.
But I would be worry...the IP in question 220.181.124.5 does have an history....
https://www.virustotal.com/en/ip-address/220.181.124.5/information/
F.
-
What is in front of your pfsense? Give us more info on the modem/router/server in front of pfSense… Or some basic topology of your network...
Is the alert from your WAN Snort? Do you run Snort on both LAN and WAN? Any VLANS? What is your $HOME_NET, etc...
Need more info here.
But I would be worry...the IP in question 220.181.124.5 does have an history....
https://www.virustotal.com/en/ip-address/220.181.124.5/information/
F.
The setup is AT&T uverse gateway - pfsense - switch - wireless AP. There are a bunch of PC and 2 VoIP modem connected to the switch.
Snort is only enabled for WAN.
No VLAN.
$HOME_NET is set to default, it has the following entries in the viewer:
8.8.4.4
8.8.8.8
127.0.0.1
192.168.0.1
192.168.0.100
192.168.1.0/24
208.67.220.220
208.67.222.222 -
Well look at the rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent Mozilla"; flow:to_server,established; content:"User-Agent: User-Agent: Mozilla/"; fast_pattern:only; http_header; content:!"Accept"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/D67B6706559C5F7AB97CC788E668E27A29B7D2D39C9ACA93AF73778E53993339/analysis/; classtype:trojan-activity; sid:30918; rev:1;)It says $HOME_NET to $EXTERNAL_NET, and yet… you say 192.168.0.100 isnt in your $HOME_NET...but it is
8.8.4.4
8.8.8.8
127.0.0.1
192.168.0.1
192.168.0.100
192.168.1.0/24
208.67.220.220
208.67.222.222Next step, capture the trafic from and to the IP…
And when you see the IP reputation of 220.181.124.5, whats does it tells you?
What are you expecting, a message from the Oracle?
F.
-
Well it is an IP from China. Here is some more Intel on that IP:
https://www.projecthoneypot.org/ip_220.181.124.5
http://www.herdprotect.com/ip-address-220.181.124.5.aspx
http://www.tcpiputils.com/browse/ip-address/220.181.124.5
-
Well look at the rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent Mozilla"; flow:to_server,established; content:"User-Agent: User-Agent: Mozilla/"; fast_pattern:only; http_header; content:!"Accept"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/D67B6706559C5F7AB97CC788E668E27A29B7D2D39C9ACA93AF73778E53993339/analysis/; classtype:trojan-activity; sid:30918; rev:1;)It says $HOME_NET to $EXTERNAL_NET, and yet… you say 192.168.0.100 isnt in your $HOME_NET...but it is
8.8.4.4
8.8.8.8
127.0.0.1
192.168.0.1
192.168.0.100
192.168.1.0/24
208.67.220.220
208.67.222.222Next step, capture the trafic from and to the IP…
And when you see the IP reputation of 220.181.124.5, whats does it tells you?
What are you expecting, a message from the Oracle?
F.
I actually have no clue about networking, simply followed a guide to set up pfsense. Is it ok to delete 192.168.0.100 from $HOME_NET? I started a capture with Microsoft Network Monitor to see if my PC communications with anyone at all via 192.168.0.100
-
What is your wireless AP ip??
-
-
I've attached the snort log dating back to 06/2014. Do the trojan detection entries mean a computer on the network is infected or the pfsense box itself is infected?
-
Who has this address 192.168.0.100??
-
Who has this address 192.168.0.100??
I have no idea who it is. It's listed in $HOME_NET and in the ARP table with a mac address on the WAN interface. That's all the information I can see :'(
-
That looks like a Linksys internal IP from a modem of some kind?
Is that correct?
-
That looks like a Linksys internal IP from a modem of some kind?
Is that correct?
Cable modem IP's are usually 192.168.100.1. Since there's an AT&T Uverse gateway in front of pfSense, it might be something on that network? Maybe a cable box or some other device that Uverse uses?
-
Yes….could be so check your Mac addresses on your devices in the home...
-
I did an nmap scan of the 192.168.0.100 address and attached the results.
The network starts with the Uverse gateway -> pfesnse box -> unmanaged switch -> DDwrt AP
There are a bunch of Windows PC connected to the switch, a Cisco IP phone, and a Linksys VoiP modem.
-
Thats good….have you tried http://192.168.0.100 in a browser?
-
and paste the mac address of 192.168.0.100 in https://www.wireshark.org/tools/oui-lookup.html
and tell us what device, if not spoofed, it is….
F.
-
Wireshark says
Result: 00:07:E9 Intel CorporationWhen I navigate to 192.168.0.100 it actually lands on the pfsense login page….but I have set pfsense to 192.168.1.1 so I don't know why it's like this. The pfsense box does have 2 Intel NIC but I don't know if that helps.
-
Can you log in pfsense at 192.168.0.100 ?
Is it the same as 192.168.1.1 ?
Is the mac address of 192.168.0.100 one of your two Intel NICs or not ?
F.
-
Can you log in pfsense at 192.168.0.100 ?
Is it the same as 192.168.1.1 ?
Is the mac address of 192.168.0.100 one of your two Intel NICs or not ?
F.
Hmm I had a brain fart. Yes 192.168.0.100 is my WAN and the mac address match the NIC on it. So what do I do now?
