Netgate Discussion Forum

    Network trojan detected in snort logs

    IDS/IPS
    24 Posts 6 Posters 8.4k Views
      godlyatheist

      Hi, I just checked my logs and the following message appears almost every day.

      pfSense snort[74411]: [1:30918:1] BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent Mozilla [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.168.0.100:8658 -> 220.181.124.5:80

      pfSense is not even on the 192.168.0.x address range; it serves 192.168.1.x. Is this a real threat or some error?

        fsansfil

        What is in front of your pfSense? Give us more info on the modem/router/server in front of pfSense... Or some basic topology of your network...

        Is the alert from your WAN Snort? Do you run Snort on both LAN and WAN? Any VLANS? What is your $HOME_NET, etc...

        Need more info here.

        But I would be worried... the IP in question 220.181.124.5 does have a history....

        https://www.virustotal.com/en/ip-address/220.181.124.5/information/

        F.

          godlyatheist

          @fsansfil:

          What is in front of your pfSense? Give us more info on the modem/router/server in front of pfSense... Or some basic topology of your network...

          Is the alert from your WAN Snort? Do you run Snort on both LAN and WAN? Any VLANS? What is your $HOME_NET, etc...

          Need more info here.

          But I would be worried... the IP in question 220.181.124.5 does have a history....

          https://www.virustotal.com/en/ip-address/220.181.124.5/information/

          F.

          The setup is AT&T uverse gateway - pfsense - switch - wireless AP. There are a bunch of PCs and 2 VoIP modems connected to the switch.

          Snort is only enabled for WAN.

          No VLAN.

          $HOME_NET is set to the default; it has the following entries in the viewer:

          8.8.4.4
          8.8.8.8
          127.0.0.1
          192.168.0.1
          192.168.0.100
          192.168.1.0/24
          208.67.220.220
          208.67.222.222

            fsansfil

            Well look at the rule:

            alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent Mozilla"; flow:to_server,established; content:"User-Agent: User-Agent: Mozilla/"; fast_pattern:only; http_header; content:!"Accept"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/D67B6706559C5F7AB97CC788E668E27A29B7D2D39C9ACA93AF73778E53993339/analysis/; classtype:trojan-activity; sid:30918; rev:1;)

            It says $HOME_NET to $EXTERNAL_NET, and yet... you say 192.168.0.100 isn't in your $HOME_NET... but it is

            8.8.4.4
            8.8.8.8
            127.0.0.1
            192.168.0.1
            192.168.0.100
            192.168.1.0/24
            208.67.220.220
            208.67.222.222

            Next step, capture the traffic from and to the IP...

            And when you see the IP reputation of 220.181.124.5, what does it tell you?

            What are you expecting, a message from the Oracle?

            F.
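As an added example (not from this thread, Snort or pfSense), the rule quoted above parsed into its header and options and applied to constructed HTTP requests, so you can see exactly what SID 30918 flags: a request whose headers carry the doubled "User-Agent: User-Agent: Mozilla/" string and no "Accept" string anywhere. The rule text is the one posted here with the long metadata and reference options trimmed; only plain-text content matches are handled, not |hex| escapes.

```python
import re

# SID 30918 as quoted in this thread (Snort 2 syntax; metadata/reference options trimmed for brevity)
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
        '(msg:"BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent Mozilla"; '
        'flow:to_server,established; content:"User-Agent: User-Agent: Mozilla/"; '
        'fast_pattern:only; http_header; content:!"Accept"; '
        'classtype:trojan-activity; sid:30918; rev:1;)')

# One option per match: a keyword, optionally ':' and a value that may be a quoted string
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_rule(rule):
    """Split a Snort 2 rule into its 7 header fields and an ordered list of (keyword, value) options."""
    head, _, body = rule.partition("(")
    fields = dict(zip(("action", "proto", "src", "sport", "dir", "dst", "dport"), head.split()))
    fields["options"] = OPTION_RE.findall(body.rstrip(")"))
    fields["sid"] = next(v for k, v in fields["options"] if k == "sid")
    return fields


def content_tests(parsed):
    """Yield (negated, needle) for every content option; 'content:!' means the bytes must be absent."""
    for key, val in parsed["options"]:
        if key == "content":
            negated = val.startswith("!")
            yield negated, val.lstrip("!").strip('"').encode()


def rule_matches(parsed, request):
    """True when every positive content is present in the request and every negated one is absent."""
    return all((needle in request) != negated for negated, needle in content_tests(parsed))


# Constructed sample requests (not captured traffic)
DOUBLED_UA_NO_ACCEPT = (b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n"
                        b"User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n")
DOUBLED_UA_WITH_ACCEPT = DOUBLED_UA_NO_ACCEPT.replace(b"\r\n\r\n", b"\r\nAccept: */*\r\n\r\n")
NORMAL_BROWSER = (b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n"
                  b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n")

if __name__ == "__main__":
    rule = parse_rule(RULE)
    for name, req in [("doubled UA, no Accept", DOUBLED_UA_NO_ACCEPT),
                      ("doubled UA, with Accept", DOUBLED_UA_WITH_ACCEPT),
                      ("normal browser", NORMAL_BROWSER)]:
        print(f"sid {rule['sid']} {name}: {'ALERT' if rule_matches(rule, req) else 'no match'}")
```

Only the first request trips the rule; a real browser sends a single User-Agent line and an Accept header, which is why this signature is a strong indicator when it does fire.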

              BBcan177 (Moderator)

              Well it is an IP from China. Here is some more intel on that IP:

              https://www.projecthoneypot.org/ip_220.181.124.5

              http://www.herdprotect.com/ip-address-220.181.124.5.aspx

              http://www.tcpiputils.com/browse/ip-address/220.181.124.5

              "Experience is something you don't get until just after you need it."

              Website: http://pfBlockerNG.com
              Twitter: @BBcan177  #pfBlockerNG
              Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                godlyatheist

                @fsansfil:

                Well look at the rule:

                alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent Mozilla"; flow:to_server,established; content:"User-Agent: User-Agent: Mozilla/"; fast_pattern:only; http_header; content:!"Accept"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/D67B6706559C5F7AB97CC788E668E27A29B7D2D39C9ACA93AF73778E53993339/analysis/; classtype:trojan-activity; sid:30918; rev:1;)

                It says $HOME_NET to $EXTERNAL_NET, and yet... you say 192.168.0.100 isn't in your $HOME_NET... but it is

                8.8.4.4
                8.8.8.8
                127.0.0.1
                192.168.0.1
                192.168.0.100
                192.168.1.0/24
                208.67.220.220
                208.67.222.222

                Next step, capture the traffic from and to the IP...

                And when you see the IP reputation of 220.181.124.5, what does it tell you?

                What are you expecting, a message from the Oracle?

                F.

                I actually have no clue about networking, simply followed a guide to set up pfSense. Is it ok to delete 192.168.0.100 from $HOME_NET? I started a capture with Microsoft Network Monitor to see if my PC communicates with anyone at all via 192.168.0.100

                  Supermule

                  What is your wireless AP IP??

                    godlyatheist

                    @Supermule:

                    What is your wireless AP IP??

                    192.168.1.2 for AP
                    192.168.1.1 for pfsense

                      godlyatheist

                      I've attached the snort log dating back to 06/2014. Do the trojan detection entries mean a computer on the network is infected or the pfsense box itself is infected?

                      alert.txt

                        Supermule

                        Who has this address 192.168.0.100??

                          godlyatheist

                          @Supermule:

                          Who has this address 192.168.0.100??

                          I have no idea who it is. It's listed in $HOME_NET and in the ARP table with a MAC address on the WAN interface. That's all the information I can see :'(

                            Supermule

                            That looks like a Linksys internal IP from a modem of some kind?

                            Is that correct?

                              MikeV7896

                              @Supermule:

                              That looks like a Linksys internal IP from a modem of some kind?

                              Is that correct?

                              Cable modem IPs are usually 192.168.100.1. Since there's an AT&T Uverse gateway in front of pfSense, it might be something on that network? Maybe a cable box or some other device that Uverse uses?

                              The S in IOT stands for Security

                                Supermule

                                Yes... could be, so check your MAC addresses on your devices in the home...

                                  godlyatheist

                                  I did an nmap scan of the 192.168.0.100 address and attached the results.

                                  The network starts with the Uverse gateway -> pfSense box -> unmanaged switch -> DD-WRT AP

                                  There are a bunch of Windows PCs connected to the switch, a Cisco IP phone, and a Linksys VoIP modem.

                                  nmap_scan.jpg (attached screenshot of the nmap results)

                                    Supermule

                                    That's good... have you tried http://192.168.0.100 in a browser?

                                      fsansfil

                                      and paste the MAC address of 192.168.0.100 in https://www.wireshark.org/tools/oui-lookup.html

                                      and tell us what device, if not spoofed, it is….

                                      F.

                                        godlyatheist

                                        Wireshark says
                                        Result: 00:07:E9 Intel Corporation

                                        When I navigate to 192.168.0.100 it actually lands on the pfSense login page... but I have set pfSense to 192.168.1.1 so I don't know why it's like this. The pfSense box does have 2 Intel NICs but I don't know if that helps.

                                          fsansfil

                                          Can you log in to pfSense at 192.168.0.100 ?

                                          Is it the same as 192.168.1.1 ?

                                          Is the MAC address of 192.168.0.100 one of your two Intel NICs or not ?

                                          F.

                                            godlyatheist

                                            @fsansfil:

                                            Can you log in to pfSense at 192.168.0.100 ?

                                            Is it the same as 192.168.1.1 ?

                                            Is the MAC address of 192.168.0.100 one of your two Intel NICs or not ?

                                            F.

                                            Hmm I had a brain fart. Yes 192.168.0.100 is my WAN and the MAC address matches the NIC on it. So what do I do now?
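The alert and the $HOME_NET list from this thread worked through in code, as an added example that is not part of any post here: Snort bound to the WAN interface sees traffic after outbound NAT, so the source it reports is pfSense's own WAN address (192.168.0.100 in this thread) and the LAN host that actually sent the request has to be recovered from the firewall's state table. The pf state lines below are constructed samples in the layout `pfctl -ss` prints for a NATed connection (an assumption about that format, not output from the poster's box), and the LAN host 192.168.1.37 is invented.

```python
import ipaddress
import re

# Alert line as it appeared in the poster's log
ALERT = ("pfSense snort[74411]: [1:30918:1] BLACKLIST User-Agent known malicious user agent"
         " - User-Agent User-Agent Mozilla [Classification: A Network Trojan was Detected]"
         " [Priority: 1] {TCP} 192.168.0.100:8658 -> 220.181.124.5:80")
# $HOME_NET as listed in the thread; pfSense adds its own interface addresses, so the WAN IP is in it
HOME_NET = ["8.8.4.4", "8.8.8.8", "127.0.0.1", "192.168.0.1", "192.168.0.100",
            "192.168.1.0/24", "208.67.220.220", "208.67.222.222"]
WAN_IP = "192.168.0.100"
# Constructed sample of `pfctl -ss` output (format assumed); 192.168.1.37 is an invented LAN host
PF_STATES = """\
all tcp 192.168.0.100:8658 (192.168.1.37:49812) -> 220.181.124.5:80       ESTABLISHED:ESTABLISHED
all tcp 220.181.124.5:80 <- 192.168.1.37:49812       ESTABLISHED:ESTABLISHED
"""

ALERT_RE = re.compile(r"\[(\d+):(\d+):(\d+)\] (?P<msg>.*?) \[Classification: (?P<cls>[^\]]*)\]"
                      r" \[Priority: (?P<pri>\d+)\] \{(?P<proto>\w+)\} "
                      r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")
# Outbound NAT state: interface, proto, post-NAT src:port, (pre-NAT src:port), then the destination
NAT_STATE_RE = re.compile(r"^\S+ (?P<proto>\w+) (?P<nat_src>[\d.]+):(?P<nat_sport>\d+) "
                          r"\((?P<orig_src>[\d.]+):(?P<orig_sport>\d+)\) -> "
                          r"(?P<dst>[\d.]+):(?P<dport>\d+)", re.M)

def parse_alert(line):
    """Pull gid/sid/rev, message, classification, priority and the 5-tuple out of a Snort alert line."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError("not a Snort alert line")
    d = m.groupdict()
    d["gid"], d["sid"], d["rev"] = (int(x) for x in m.group(1, 2, 3))
    d["priority"] = int(d.pop("pri"))
    return d

def in_home_net(ip):
    """True if ip falls inside any $HOME_NET entry (a bare address counts as a /32)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in HOME_NET)

def pre_nat_source(alert, pf_states):
    """Map a WAN-side alert back to the LAN host by matching its tuple against the NAT state entries."""
    if alert["src"] != WAN_IP:
        return alert["src"]  # not our NAT address: the reported source is the real one
    for m in NAT_STATE_RE.finditer(pf_states):
        nat_tuple = (m["proto"].upper(), m["nat_src"], m["nat_sport"], m["dst"], m["dport"])
        if nat_tuple == (alert["proto"], alert["src"], alert["sport"], alert["dst"], alert["dport"]):
            return m["orig_src"]
    return None  # state already gone: nothing left to correlate; run Snort on LAN to see pre-NAT sources
```

Because the alert's source port (8658) is only meaningful while the state still exists, this lookup has to happen soon after the alert fires; the durable fix is to run Snort on the LAN interface as well, where it sees the real client addresses.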

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.