
PF Intrusion attempt ?

dlegrand

Active Member

Thanks: 42
Messages: 148

#1
Dear FreeBSD users,

My home network is behind an old Zyxel router doing NAT to access the Internet.
I recently saw in my PF log the following lines:
Code:
16:20:58.878937 rule 0/0(match): block in on rl0: 125.64.94.208.57033 > 192.168.1.10.13215: UDP, length 0
16:20:58.878947 rule 0/0(match): block in on rl0: 125.64.94.208.57033 > 192.168.1.10.13215: UDP, length 0
16:20:58.879914 rule 0/0(match): block in on rl0: 125.64.94.208.57033 > 192.168.1.10.13215: UDP, length 0
The Internet NAT router is redirecting only tcp ports 7547,80,443 to my FreeBSD desktop machine (192.168.1.10), so I am surprised to see an attempt to connect to port 13215 which is normally not redirected. Also I don't remember having initiated a connection to this Web site.
This public IP 125.64.94.208 is from China. Do you think my router has been hacked?

Eric A. Borisch

Well-Known Member

Thanks: 162
Messages: 262

#2
Have you been hacked? Signs point to no. (It was blocked, after all.) Is someone trying to hack you? If you are connected to the internet, yes.

Attackers scan for open ports constantly. Looks like there was a recent uptick in this port: https://isc.sans.edu/port.html?port=13215 , and the same IP has poked at me:

Code:
2018-01-23 03:12:08.899260 rule 13/0(match): block in on cable: (tos 0x0, ttl 231, id 54321, offset 0, flags [none], proto TCP (6), length 40)
    125.64.94.208.58377 > x.x.x.x.1001: Flags , cksum 0x02b1 (correct), seq 1275943910, win 65535, length 0
2018-01-24 04:17:16.838505 rule 10/0(match): block in on cable: (tos 0x0, ttl 231, id 54321, offset 0, flags [none], proto TCP (6), length 40)
    125.64.94.208.36893 > X.X.X.X.5007: Flags , cksum 0xd328 (correct), seq 1286000411, win 65535, length 0
2018-01-25 20:21:26.135456 rule 13/0(match): block in on cable: (tos 0x0, ttl 230, id 54321, offset 0, flags [none], proto TCP (6), length 40)
    125.64.94.208.43228 > x.x.x.x.8000: Flags , cksum 0x241e (correct), seq 913076208, win 65535, length 0
2018-01-26 01:57:17.846080 rule 10/0(match): block in on cable: (tos 0x0, ttl 230, id 54321, offset 0, flags [none], proto TCP (6), length 40)
    125.64.94.208.57525 > X.X.X.X.2222: Flags , cksum 0x9238 (correct), seq 2584378608, win 65535, length 0

I put unexpected connection attempts into a ~24-hour (rule 10) block-drop list. Sure looks like a slow-and-steady scanner.
 

Datapanic

Active Member

Thanks: 100
Messages: 182

#3
That IP hit me too:

Code:
Jan 25 06:58:19 gateway03 pf[768]: rule 29/0(match): pass in on em0: 125.64.94.208.55514 > xx.xx.xx.xx.1001: Flags , seq 2302889774, win 29200, options [mss 1460,sackOK,TS val 955675733 ecr 0,nop,wscale 7], length 0
Jan 25 07:02:06 gateway03 pf[768]: rule 19/0(match): block in on em0: 125.64.94.208.55514 > xx.xx.xx.xx.1001: Flags [.], ack 549391745, win 29200, length 0
I have some special antiscan pf rules that pick up on SYN connects and then add them to a table which blocks them to ANY port for 10 days. You can see the first line passes in their SYN request, and then pf picks it up and adds them to my dynamic "scanners" table and they are subsequently blocked on any port.
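As an added example (not code from any poster in this thread), here is a small Python triage script for exactly the kind of evidence posts #1, #2 and #3 quote: it parses the three pflog layouts shown above (tcpdump with a bare timestamp, tcpdump with a date and the verbose IP header on a continuation line, and syslog-forwarded pf messages), tallies per source the destination ports probed and the days of activity, and flags the slow-and-steady scanner pattern Eric A. Borisch describes. The sample log lines are the ones quoted in the thread, the expected-port set {80, 443, 7547} comes from post #1, and the thresholds (three distinct ports on at least two days) are my own assumption.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input: the pflog excerpts quoted in posts #1, #2 and #3,
# in their three layouts (tcpdump with time only; tcpdump with date and the
# verbose IP header on an indented continuation line; syslog-forwarded pf).
# Addresses the posters masked (x.x.x.x) are kept exactly as posted.
SAMPLE_LOG = """\
16:20:58.878937 rule 0/0(match): block in on rl0: 125.64.94.208.57033 > 192.168.1.10.13215: UDP, length 0
16:20:58.878947 rule 0/0(match): block in on rl0: 125.64.94.208.57033 > 192.168.1.10.13215: UDP, length 0
16:20:58.879914 rule 0/0(match): block in on rl0: 125.64.94.208.57033 > 192.168.1.10.13215: UDP, length 0
2018-01-23 03:12:08.899260 rule 13/0(match): block in on cable: (tos 0x0, ttl 231, id 54321, offset 0, flags [none], proto TCP (6), length 40)
    125.64.94.208.58377 > x.x.x.x.1001: Flags , cksum 0x02b1 (correct), seq 1275943910, win 65535, length 0
2018-01-24 04:17:16.838505 rule 10/0(match): block in on cable: (tos 0x0, ttl 231, id 54321, offset 0, flags [none], proto TCP (6), length 40)
    125.64.94.208.36893 > X.X.X.X.5007: Flags , cksum 0xd328 (correct), seq 1286000411, win 65535, length 0
2018-01-25 20:21:26.135456 rule 13/0(match): block in on cable: (tos 0x0, ttl 230, id 54321, offset 0, flags [none], proto TCP (6), length 40)
    125.64.94.208.43228 > x.x.x.x.8000: Flags , cksum 0x241e (correct), seq 913076208, win 65535, length 0
2018-01-26 01:57:17.846080 rule 10/0(match): block in on cable: (tos 0x0, ttl 230, id 54321, offset 0, flags [none], proto TCP (6), length 40)
    125.64.94.208.57525 > X.X.X.X.2222: Flags , cksum 0x9238 (correct), seq 2584378608, win 65535, length 0
Jan 25 06:58:19 gateway03 pf[768]: rule 29/0(match): pass in on em0: 125.64.94.208.55514 > xx.xx.xx.xx.1001: Flags , seq 2302889774, win 29200, options [mss 1460,sackOK,TS val 955675733 ecr 0,nop,wscale 7], length 0
Jan 25 07:02:06 gateway03 pf[768]: rule 19/0(match): block in on em0: 125.64.94.208.55514 > xx.xx.xx.xx.1001: Flags [.], ack 549391745, win 29200, length 0
"""

# Ports the asker's NAT router is meant to forward (post #1); anything else is unexpected.
EXPECTED_PORTS = {80, 443, 7547}

RULE_RE = re.compile(r"rule \d+/\d+\(match\): (?P<action>block|pass) (?:in|out) on [^:]+:")
# "<src>.<sport> > <dst>.<dport>:" -- greedy \S+ leaves the final dotted field as the port
FLOW_RE = re.compile(r"(?P<src>\S+)\.\d+ > \S+\.(?P<dport>\d+):")
ISO_DATE_RE = re.compile(r"^\d{4}-(?P<m>\d{2})-(?P<d>\d{2}) ")
SYSLOG_DATE_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<d>\d{1,2}) ")
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


@dataclass(frozen=True)
class Event:
    day: Optional[Tuple[int, int]]  # (month, day); None when the line carries no date
    action: str                     # "block" or "pass"
    proto: str                      # "udp" or "tcp"
    src: str
    dport: int


def join_records(text: str) -> List[str]:
    """Fold tcpdump's indented continuation lines onto the record they belong to."""
    records: List[str] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and records:
            records[-1] += " " + raw.strip()
        else:
            records.append(raw.rstrip())
    return records


def day_of(record: str) -> Optional[Tuple[int, int]]:
    m = ISO_DATE_RE.match(record)
    if m:
        return int(m["m"]), int(m["d"])
    m = SYSLOG_DATE_RE.match(record)
    if m and m["mon"] in MONTHS:
        return MONTHS[m["mon"]], int(m["d"])
    return None


def parse_pflog(text: str) -> List[Event]:
    events = []
    for rec in join_records(text):
        r, f = RULE_RE.search(rec), FLOW_RE.search(rec)
        if not (r and f):
            continue  # not a pf match line, or a layout this parser does not know
        proto = "udp" if re.search(r"\bUDP\b", rec) else "tcp"  # quoted lines are only UDP or TCP
        events.append(Event(day_of(rec), r["action"], proto, f["src"], int(f["dport"])))
    return events


def summarize(events: List[Event], expected_ports: Set[int],
              min_ports: int = 3, min_days: int = 2) -> Dict[str, dict]:
    """Per source: ports probed, days active, pf verdicts and a slow-scanner flag."""
    ports = defaultdict(set)
    days = defaultdict(set)
    counts = defaultdict(lambda: {"block": 0, "pass": 0})
    for e in events:
        ports[e.src].add(e.dport)
        if e.day is not None:
            days[e.src].add(e.day)
        counts[e.src][e.action] += 1
    return {
        src: {
            "blocked": counts[src]["block"],
            "passed": counts[src]["pass"],
            "distinct_ports": sorted(ports[src]),
            "unexpected_ports": sorted(ports[src] - expected_ports),
            "days_seen": len(days[src]),
            # a few packets each to many ports over several days: the slow scanner pattern
            "slow_scanner": len(ports[src]) >= min_ports and len(days[src]) >= min_days,
        }
        for src in ports
    }


if __name__ == "__main__":
    for src, info in summarize(parse_pflog(SAMPLE_LOG), EXPECTED_PORTS).items():
        print(src, info)
```

On a FreeBSD machine the same parser can be fed the output of `tcpdump -n -e -r /var/log/pflog` (the layout of post #1), and a source that comes out flagged is a candidate for the kind of dynamic table Datapanic describes, for instance with `pfctl -t scanners -T add <address>` against a `persist` table that a block rule references.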
 

dlegrand

Active Member

Thanks: 42
Messages: 148

#4
Have you been hacked? Signs point to no. (It was blocked, after all.) Is someone trying to hack you? If you are connected to the internet, yes.
What I don't understand is how my FreeBSD machine can receive a connection attempt from my NAPT router, which should not redirect this port number?
So that's why I am asking if there is a possibility that this NAPT router has been hacked.

Sorry if I didn't choose the right section on this forum. My problem is not about PF which is doing a good job, but my NAPT router which has neither FreeBSD nor PF. It's a ZyXEL AMG1001-T10A.
PF on my FreeBSD machine allowed me to see this unwanted connection attempt.
 

Eric A. Borisch

Well-Known Member

Thanks: 162
Messages: 262

#6
What I don't understand is how my FreeBSD machine can receive a connection attempt from my NAPT router, which should not redirect this port number?
So that's why I am asking if there is a possibility that this NAPT router has been hacked.

Sorry if I didn't choose the right section on this forum. My problem is not about PF which is doing a good job, but my NAPT router which has neither FreeBSD nor PF. It's a ZyXEL AMG1001-T10A.
PF on my FreeBSD machine allowed me to see this unwanted connection attempt.
Ah, sorry, I didn't quite parse your layout initially. This might be better served on a ZyXEL forum? The fact that PF blocked it (implies there had not been a recent outbound connection & wasn't in the state table of your PF machine) yet your upstream supposed-to-be-a-firewall box passed it would make me double-check the upstream settings, and consider replacing it if everything seems in order.

With the extremely short packet delay, the sender certainly didn't know the prior packets had been blocked before sending the subsequent one. In addition, the IP has been reported for scanning: https://www.abuseipdb.com/check/125.64.94.208 ... I'd say the likelihood that this was not desirable traffic is high; why it got through the ZyXEL is a good question for them.