Client trying to access WAN IP port 80 - Any explanation?

Started by chemlud, August 10, 2019, 09:50:36 PM

Hi again!

I have a Linux client here with a browser and mail client (used by my wife...) which I have caught repeatedly in the past trying to access the WAN IP of my OPNsense on port 80:

Aug 10 19:19:04 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,41360,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56286,80,0,S,3251809608,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 19:19:04 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,1342,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56288,80,0,S,4157671481,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 19:18:32 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,1341,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56288,80,0,S,4157671481,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 19:18:31 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,41359,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56286,80,0,S,3251809608,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 19:18:15 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,1340,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56288,80,0,S,4157671481,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 19:18:15 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,41358,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56286,80,0,S,3251809608,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 19:18:07 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,1339,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56288,80,0,S,4157671481,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 19:18:07 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,41357,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56286,80,0,S,3251809608,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 19:18:03 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,1338,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56288,80,0,S,4157671481,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 19:18:03 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,41356,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56286,80,0,S,3251809608,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 19:18:01 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,1337,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56288,80,0,S,4157671481,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 19:18:01 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,41355,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56286,80,0,S,3251809608,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 19:18:00 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,1336,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56288,80,0,S,4157671481,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 19:18:00 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,41354,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56286,80,0,S,3251809608,,64240,,mss;sackOK;TS;nop;wscale


As the user of this machine has no idea how the router works or how to access it (which is impossible via WAN anyway).

Is there any explanation why (a browser?) might access the WAN IP of the client via port 80?

Many thanks in advance
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

I've seen something similar before.

It's possible for malicious JavaScript to use CSRF to attempt an attack on a router/firewall from the inside.
This generally takes advantage of default credentials or UPnP to let an attacker in.

If it only happened once, it's likely that a page currently open in the browser had something like the above embedded in it.
If it's ongoing, I'd be on the hunt for a persistent threat, maybe a malicious browser plugin or similar.
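The blocked entries in the first post can be read mechanically. As an added example (not code from the thread or from OPNsense), this parses the pf filterlog layout that OPNsense writes and groups the blocked SYNs by source port and sequence number: entries sharing a sequence number are the client kernel retransmitting one unanswered SYN (a "block" rule drops silently, so the client backs off 1, 2, 4, 8 ... seconds), which makes the burst above two connection attempts rather than fourteen. The sample lines are copied from the first post, with the poster's WAN_IP placeholder kept.

```python
"""Parse OPNsense (pf) filterlog lines and collapse SYN retransmissions into attempts."""
from collections import defaultdict
from datetime import datetime

# Field layout of a filterlog entry for IPv4 + TCP, after the "filterlog: "
# prefix. Only src/dst/ports/flags/seq/action are used below.
FIELDS = ["rule", "subrule", "anchor", "tracker", "iface", "reason", "action",
          "dir", "ipver", "tos", "ecn", "ttl", "id", "offset", "flags",
          "proto_id", "proto", "length", "src", "dst", "sport", "dport",
          "datalen", "tcp_flags", "seq", "ack", "window", "urg", "options"]

def parse_filterlog(line):
    """Return a dict for one IPv4/TCP filterlog line, or None for anything else."""
    ts_text, _, rest = line.strip().partition(" filterlog: ")
    values = rest.split(",")
    if len(values) < len(FIELDS) or values[8] != "4" or values[16] != "tcp":
        return None  # other IP versions / protocols use a different layout
    rec = dict(zip(FIELDS, values))
    rec["time"] = datetime.strptime(ts_text, "%b %d %H:%M:%S")  # year-less syslog stamp
    return rec

def connection_attempts(lines, wan_ip, dport="80"):
    """Blocked SYNs towards wan_ip:dport, grouped by (src, sport, seq).
    Identical seq numbers are kernel retransmissions of one SYN that got no
    answer (the firewall dropped it silently), not separate attempts."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_filterlog(line)
        if rec is None or rec["action"] != "block" or rec["tcp_flags"] != "S":
            continue
        if rec["dst"] == wan_ip and rec["dport"] == dport:
            groups[(rec["src"], rec["sport"], rec["seq"])].append(rec["time"])
    report = []
    for (src, sport, seq), times in sorted(groups.items()):
        times.sort()
        report.append({"src": src, "sport": sport, "seq": seq, "syns": len(times),
                       "first": times[0].strftime("%H:%M:%S"),
                       "span_s": int((times[-1] - times[0]).total_seconds())})
    return report

# Five of the lines posted in the thread (WAN_IP is the poster's placeholder).
SAMPLE = """\
Aug 10 19:19:04 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,41360,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56286,80,0,S,3251809608,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 19:19:04 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,1342,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56288,80,0,S,4157671481,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 19:18:32 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,1341,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56288,80,0,S,4157671481,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 19:18:00 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,1336,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56288,80,0,S,4157671481,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 19:18:00 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,41354,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56286,80,0,S,3251809608,,64240,,mss;sackOK;TS;nop;wscale
""".splitlines()
```

Feeding the full filter log through `connection_attempts(lines, "<your WAN IP>")` gives one row per real attempt with its retransmit count and duration, which is the number to watch when deciding whether this is noise or a persistent process.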

Browser is an up-to-date Palemoon with No-Script as only plugin. Some Startpage searches were performed over the afternoon.

I installed some weeks ago RKHunter and did a search, without findings (except for some "large memory sections" used by browser and Thunderbird, iirc).

Any suggestions how to proceed?
kind regards
chemlud

You could always use netstat on the client machine to see what process is causing this.

As an aside, seeing as Palemoon's archive server was breached for over 18 months before they noticed I'd be a bit concerned about relying on their software.

Quote from: ARCHmatux on August 11, 2019, 01:13:19 AM
You could always use netstat on the client machine to see what process is causing this.

Hmmm, but that will only work if I can catch them with their trousers down, right? It happens really rarely for some seconds and I only see it in the OPNsense logs when it's over...

Quote
As an aside, seeing as Palemoon's archive server was breached for over 18 months before they noticed I'd be a bit concerned about relying on their software.

You mean this here:

https://www.bleepingcomputer.com/news/security/hackers-infect-pale-moon-archive-server-with-a-malware-dropper/

?

I like projects giving full disclosure of such events with an assessment of which versions were affected how. I don't see a major problem in this event. And besides these router attacks I have no alarms from suricata...

Any other ideas how to find the culprit? :-)
kind regards
chemlud
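The objection is fair: by the time the filterlog entry shows up, netstat on the client may already see nothing. The socket does, however, sit in SYN_SENT on the client for the whole retransmission window (about a minute, going by the timestamps in the log above), so a tight poll of /proc/net/tcp catches it. This is an added example, not code from the thread; it assumes a Linux client, uses 203.0.113.5 as a constructed stand-in for the WAN address, and needs root to look into other users' /proc/<pid>/fd.

```python
"""Poll /proc/net/tcp on the Linux client and name the process behind any
socket towards the firewall's WAN address, even one alive only for seconds."""
import glob, os, socket, struct, time

def sockets_towards(proc_net_tcp_text, dst_ip, dst_port=80):
    """Return {inode: (local, remote, state)} for rows whose remote end is
    dst_ip:dst_port. /proc/net/tcp prints addresses as hex in host byte order,
    so packing with native order ("=I") gives back the network-order bytes."""
    want = socket.inet_aton(dst_ip)
    hits = {}
    for row in proc_net_tcp_text.splitlines()[1:]:  # first row is the header
        cols = row.split()
        if len(cols) < 10:
            continue
        rem_hex, rem_port_hex = cols[2].split(":")
        if struct.pack("=I", int(rem_hex, 16)) == want and int(rem_port_hex, 16) == dst_port:
            hits[cols[9]] = (cols[1], cols[2], cols[3])  # state 02 is SYN_SENT
    return hits

def owner_of_inode(inode):
    """Map a socket inode to (pid, comm) via /proc/*/fd (root sees all users)."""
    target = "socket:[%s]" % inode
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            if os.readlink(fd) == target:
                pid = fd.split("/")[2]
                with open("/proc/%s/comm" % pid) as f:
                    return pid, f.read().strip()
        except OSError:
            continue  # fd closed or process gone in the meantime
    return None

def watch(dst_ip, interval=0.2):
    """Loop until interrupted; each new socket towards dst_ip is reported once."""
    seen = set()
    while True:
        with open("/proc/net/tcp") as f:
            hits = sockets_towards(f.read(), dst_ip)
        for inode, (local, remote, state) in hits.items():
            if inode not in seen:
                seen.add(inode)
                print(time.strftime("%H:%M:%S"), local, "->", remote, state, owner_of_inode(inode))
        time.sleep(interval)

# Constructed excerpt (little-endian host): 10.10.0.22:56286 in SYN_SENT to 203.0.113.5:80, plus an unrelated row.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 1600000A:DBDE 057100CB:0050 02 00000001:00000000 01:00000029 00000002  1000        0 123456 2 0000000000000000 100 0 0 10 -1
   1: 1600000A:D7EE 0E01A8C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 123457 1 0000000000000000 20 4 30 10 -1
"""
```

Run `watch("<your WAN IP>")` as root on the client and leave it in a terminal; the first line it prints names the PID and command (browser, add-on host process, or something else) that opened the connection.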

...24h later:

Aug 11 19:18:30 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,23899,0,DF,6,tcp,60,10.10.0.22,WAN_IP,57342,80,0,S,2803302157,,64240,,mss;sackOK;TS;nop;wscale
Aug 11 19:18:29 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,20517,0,DF,6,tcp,60,10.10.0.22,WAN_IP,57340,80,0,S,204665404,,64240,,mss;sackOK;TS;nop;wscale
Aug 11 19:18:14 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,23898,0,DF,6,tcp,60,10.10.0.22,WAN_IP,57342,80,0,S,2803302157,,64240,,mss;sackOK;TS;nop;wscale
Aug 11 19:18:13 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,20516,0,DF,6,tcp,60,10.10.0.22,WAN_IP,57340,80,0,S,204665404,,64240,,mss;sackOK;TS;nop;wscale
Aug 11 19:18:05 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,23897,0,DF,6,tcp,60,10.10.0.22,WAN_IP,57342,80,0,S,2803302157,,64240,,mss;sackOK;TS;nop;wscale
Aug 11 19:18:05 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,20515,0,DF,6,tcp,60,10.10.0.22,WAN_IP,57340,80,0,S,204665404,,64240,,mss;sackOK;TS;nop;wscale
Aug 11 19:18:01 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,23896,0,DF,6,tcp,60,10.10.0.22,WAN_IP,57342,80,0,S,2803302157,,64240,,mss;sackOK;TS;nop;wscale
Aug 11 19:18:01 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,20514,0,DF,6,tcp,60,10.10.0.22,WAN_IP,57340,80,0,S,204665404,,64240,,mss;sackOK;TS;nop;wscale
Aug 11 19:17:59 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,23895,0,DF,6,tcp,60,10.10.0.22,WAN_IP,57342,80,0,S,2803302157,,64240,,mss;sackOK;TS;nop;wscale
Aug 11 19:17:59 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,20513,0,DF,6,tcp,60,10.10.0.22,WAN_IP,57340,80,0,S,204665404,,64240,,mss;sackOK;TS;nop;wscale
Aug 11 19:17:58 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,23894,0,DF,6,tcp,60,10.10.0.22,WAN_IP,57342,80,0,S,2803302157,,64240,,mss;sackOK;TS;nop;wscale
Aug 11 19:17:58 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,20512,0,DF,6,tcp,60,10.10.0.22,WAN_IP,57340,80,0,S,204665404,,64240,,mss;sackOK;TS;nop;wscale
Hmmmm.....
kind regards
chemlud

Did a fresh install of linux and tried from other machines in different networks/routers. It's a hobby of Palemoon (28.6.1) and/or No-script (5.1.9) (I only tried the version of Palemoon running without installation, just from a directory after unzipping) to contact the local WAN address on port 80. Strange.

PS: Trying to ask some questions in the Palemoon forum, but they don't accept aol accounts for registration. OMG.

kind regards
chemlud

Sounds stupid, but 80 may also be used for DNS-based detection of a PAC file.

I'm one step further, it's not Palemoon, but No-Script... Disabling/enabling the add-on makes the traffic disappear/re-appear. Strange, but true.

I don't see any such traffic with Firefox (latest) and the "new" No-Script (combined with uMatrix, at least...). 
kind regards
chemlud