Need some help for hacked Pfsense Box
-
Couple of things jump out at me. For one, why would wifi have access to the firewall GUI in the first place? If this is a place of business, why not use something a bit stronger than PSK? For starters, the problem with PSK is that no matter how strong you make the password, it is shared; it's right there in the name, pSk. So you have no idea who might have written it down, given it to Billy, etc. etc.
So let's say I got access to your pfSense via your wifi. So you're saying they also know your pfSense password, or they "hacked" in? Let's say either of those got them in; why would they change the password?? Create a different admin account, OK, but if what I wanted to do was gain information, the last thing I would do is change the default passwords.
What are you calling an antenna whose password would get changed?? So you're running a stand-alone AP??
I think someone has been watching/reading too many "hacker" stories, and their tinfoil hat is a bit tight if you ask me.
John, to be honest with you, I don't read hacker stories and I don't have or wear tinfoil hats, and... I've resisted the hacking scene for years despite constantly being asked to do this and do that...
There are two wifi networks: one for the Ubiquiti antennas that link our offices, and our office wifi, where the password is shared among users. The office wifi is on a VLAN that is blocked from accessing other VLANs/LANs and the GUI of the pfSense box itself, so precautions were taken.
But technology is such that you can sit in your car, or in your friend's office next door, sniff the wifi network, and force a client to disassociate in order to capture the packets of the handshake. Decode that information and eventually crack it, then you're in, and what do you do from there? Don't you run a security scan looking for vulnerabilities on the network to exploit?
What would be the purpose of changing the GUI password? Well, for one, a bot didn't do this, and if I didn't change the password, someone did, or pfSense has a very serious problem, and I doubt that.
So, why? I'm actually not sure why. Perhaps to send a message, or to erase your tracks, or to hide activity you could track via states or the system log. Maybe they erased a part of the log. I don't know.
If you ask me to prove that this was a hack, I couldn't. I have no proof other than that I could not access the GUI, and SSH was disabled.
I do know it happened, and I don't go on forums asking for help for made-up stuff because I'm just too busy.
As to where in the world I am, we're in the Caribbean, where companies like Cable and Wireless made over 3 billion dollars last year. We pay approx. 50 pounds for a 2 Mbit internet connection, so don't complain about that 50 Mbit connection you have at home, because the people in the Caribbean and Latin America are paying so you can enjoy that.
-
so don't complain about that 50 Mbit connection you have at home, because the people in the Caribbean and Latin America are paying so you can enjoy that.
Bullshit.
-
How did this thread get so antagonistic so quickly??? :'(
-
So did you look in the logs for when the password was changed, or who connected to it, or are you saying they edited the logs or cleared them?
And again, why is your firewall even able to be accessed from your wifi? You said they probably came in through wifi, but now you say the wifi cannot even get to pfSense. So which is it? You keep bringing up how wifi can be hacked; you feel this is an issue, so why is pfSense even able to be gotten to from wifi? Just block access to SSH and the web GUI from your wifi network.
Who said anything about a bot? One thing is for sure: not a very good "hacker" if they changed the password, so that they had access to something admins didn't; all it could do is draw attention to something being wrong and a reset of the passwords, like you did. Now they don't have access any more. Pretty stupid waste of time.
What is more logical: you forgot the password, someone on your staff reset it, or an old config was loaded with a different password? Or you were hacked by some idiot who doesn't know enough not to change the password, but he cleared/edited the logs to cover his tracks of logging in and/or changing the password, etc.? Or were they completely cleared? You do know you can access the older logs vs. just what is shown in the GUI. Did the log reflect the last time you had logged in with your password and from where, or was that not in there either?
Are you saying SSH was enabled and then turned off? That points to an old config being loaded or the config being reset. These hackers are not very bright, again; I would have been enabling SSH if it was off, or again creating another account to use to access it, etc. etc. You don't remove modes of access to something you just hacked. You add them!!
If you really believed you had been hacked in such a manner, the first order of business would be to refresh that box so that you're sure no back doors, etc. have been left, after grabbing all the logs and/or an image of the machine for forensics to look at, etc.
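The log review suggested in this post (when was the password changed, who connected, and from where) can be scripted. The following is an added example, not code from this thread or from the pfSense project. The log lines are constructed in a pfSense-like syslog style, the message wordings the regexes match are assumptions rather than documented pfSense formats, and the 10.0.10.0/24 management LAN and 10.0.50.0/24 wifi VLAN are invented for the example. It parses login, password-change and config-restore events, attributes source-less events to the most recent login (a heuristic, not proof), and flags anything that did not come from the trusted admin network.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in a pfSense-like syslog style. These are NOT real
# captures and the message wording is an assumption; adapt the regexes below to
# what your own system log actually contains.
SAMPLE_LOG = """\
Mar  3 08:12:01 fw php-fpm[31201]: /index.php: Successful login for user 'admin' from: 10.0.10.5
Mar  3 23:02:44 fw sshd[5121]: Accepted password for admin from 10.0.50.23 port 51022 ssh2
Mar  3 23:05:10 fw php-fpm[31410]: /index.php: Successful login for user 'admin' from: 10.0.50.23
Mar  3 23:06:31 fw php-fpm[31410]: /system_usermanager.php: Changed password for user 'admin'
Mar  3 23:07:02 fw php-fpm[31410]: /diag_backup.php: Configuration restored from backup
Mar  4 07:55:09 fw php-fpm[31602]: /index.php: webConfigurator authentication error for user 'admin' from: 10.0.10.5
Mar  4 07:55:40 fw php-fpm[31602]: /index.php: webConfigurator authentication error for user 'admin' from: 10.0.10.5
"""

TIMESTAMP = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) ")

# (event kind, pattern) pairs; the named groups 'user' and 'ip' are optional per pattern.
EVENT_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("gui_login_ok", re.compile(r"Successful login for user '(?P<user>[^']+)' from: (?P<ip>[\d.]+)")),
    ("gui_login_fail", re.compile(r"authentication error for user '(?P<user>[^']+)' from: (?P<ip>[\d.]+)")),
    ("ssh_login_ok", re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)")),
    ("password_change", re.compile(r"Changed password for user '(?P<user>[^']+)'")),
    ("config_restore", re.compile(r"Configuration restored")),
]

# Event kinds worth attributing to a source address during triage.
SENSITIVE = {"gui_login_ok", "ssh_login_ok", "password_change", "config_restore"}


@dataclass
class Event:
    ts: str
    kind: str
    user: Optional[str]
    ip: Optional[str]
    line: str


def parse_events(log_text: str) -> List[Event]:
    """Turn raw log lines into typed events; lines matching no pattern are skipped."""
    events = []
    for line in log_text.splitlines():
        m_ts = TIMESTAMP.match(line)
        ts = m_ts.group("ts") if m_ts else "?"
        for kind, pat in EVENT_PATTERNS:
            m = pat.search(line)
            if m:
                gd = m.groupdict()
                events.append(Event(ts, kind, gd.get("user"), gd.get("ip"), line))
                break
    return events


def triage(events: List[Event], trusted_admin_nets: List[str]) -> List[Tuple[str, str, Optional[str], Optional[str]]]:
    """Flag sensitive events whose source is not inside a trusted admin network.

    Events that carry no source address (the password change, the config
    restore) are attributed to the most recent successful login for that
    user, or to the most recent login of any user if the event names none.
    That is a heuristic for reading a single log stream, not proof.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_admin_nets]
    last_login_ip: Dict[str, str] = {}
    last_login_any: Optional[str] = None
    findings = []
    for ev in events:
        if ev.kind in ("gui_login_ok", "ssh_login_ok") and ev.user and ev.ip:
            last_login_ip[ev.user] = ev.ip
            last_login_any = ev.ip
        if ev.kind not in SENSITIVE:
            continue
        src = ev.ip or (last_login_ip.get(ev.user) if ev.user else last_login_any)
        in_trusted = src is not None and any(ipaddress.ip_address(src) in n for n in trusted)
        if not in_trusted:
            findings.append((ev.ts, ev.kind, ev.user, src))
    return findings


def failed_login_summary(events: List[Event]) -> Dict[Tuple[str, str], int]:
    """Count failed GUI logins per (user, source); a burst right after a
    password change is what a locked-out owner looks like in the log."""
    return dict(Counter((ev.user, ev.ip) for ev in events if ev.kind == "gui_login_fail"))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    # Assumed: 10.0.10.0/24 is the management LAN; 10.0.50.0/24 is the office wifi VLAN.
    for ts, kind, user, src in triage(evs, ["10.0.10.0/24"]):
        print(f"{ts}  {kind:16} user={user} from={src}")
    print(failed_login_summary(evs))
```

Run against the sample, the script reports the SSH and GUI logins, the password change and the config restore as all coming from the wifi VLAN address, and the two failed logins from the management LAN the next morning. On a real box the same approach only works if the logs were preserved before the reset, which is why the post above says to grab logs or an image before rebuilding.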
-
50 pounds for a 2 Mbit internet connection, so don't complain about that 50 Mbit connection you have at home, because the people in the Caribbean and Latin America are paying so you can enjoy that.
Only getting 5 Mbps where I am, but it's not unlike South Africa and other parts of the world, which is why I'd recommend a mesh network running on 900 MHz; an antenna 15 metres high can have a maximum radius of 50 km, so it may be worth pooling the individuals' costs for a single faster connection, if you want a workaround. :)
-
Please describe the physical security environment in which this pfSense machine resides and who has physical access to the console.
-
(removes tinfoil hat, steps out of bunker, opens door to compound)
This may be a simple password file corruption. No need to go the conspiracy route. It happens, rarely.
If someone hacked your firewall, they'd take it down or reprogram it. What's the fun in just locking the admin out?
(puts tinfoil hat back on, closes door to compound, climbs back into bunker)
-
50 pounds for a 2 Mbit internet connection, so don't complain about that 50 Mbit connection you have at home, because the people in the Caribbean and Latin America are paying so you can enjoy that.
In Germany there are areas where you have only 6 MBit/s but pay 34 € monthly for that!
Only getting 5 Mbps where I am, but it's not unlike South Africa and other parts of the world,
Yep, but in South Africa they have no filters; you will be able to get the real Internet, not the 60% Internet, because all ISPs in Europe must filter the Internet to protect us all!!!!
-
@BlueKobold:
50 pounds for a 2 Mbit internet connection, so don't complain about that 50 Mbit connection you have at home, because the people in the Caribbean and Latin America are paying so you can enjoy that.
In Germany there are areas where you have only 6 MBit/s but pay 34 € monthly for that!
Only getting 5 Mbps where I am, but it's not unlike South Africa and other parts of the world,
Yep, but in South Africa they have no filters; you will be able to get the real Internet, not the 60% Internet, because all ISPs in Europe must filter the Internet to protect us all!!!!
I have relatives in the United States that only have 2 Mbps down / 768 kbps up for $25/mo. USD. So don't tell me someone else is paying for them to enjoy that.
-
Actually, someone else is going to be paying for them to go faster, eventually, but not the rest of the CONCACAF nations. It's all the poor suckers in the US paying the asinine FUSF fees. Which is pretty much everyone.