Author Topic: Client trying to access WAN IP port 80 - Any explanation?  (Read 3822 times)

chemlud

Client trying to access WAN IP port 80 - Any explanation?
« on: August 10, 2019, 09:50:36 pm »
Hi again!

I have here a Linux client with a browser and mail client (used by my wife...) which I have caught in the past repeatedly trying to access the WAN IP of my OPNsense on port 80:

Code:
Aug 10 19:19:04 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,41360,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56286,80,0,S,3251809608,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 19:19:04 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,1342,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56288,80,0,S,4157671481,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 19:18:32 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,1341,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56288,80,0,S,4157671481,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 19:18:31 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,41359,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56286,80,0,S,3251809608,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 19:18:15 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,1340,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56288,80,0,S,4157671481,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 19:18:15 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,41358,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56286,80,0,S,3251809608,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 19:18:07 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,1339,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56288,80,0,S,4157671481,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 19:18:07 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,41357,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56286,80,0,S,3251809608,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 19:18:03 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,1338,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56288,80,0,S,4157671481,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 19:18:03 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,41356,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56286,80,0,S,3251809608,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 19:18:01 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,1337,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56288,80,0,S,4157671481,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 19:18:01 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,41355,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56286,80,0,S,3251809608,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 19:18:00 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,1336,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56288,80,0,S,4157671481,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 19:18:00 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,41354,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56286,80,0,S,3251809608,,64240,,mss;sackOK;TS;nop;wscale

The user of this machine has no idea how the router works or how to access it (which is impossible via WAN anyway).

Is there any explanation why (a browser?) might access the WAN IP of the client via port 80?

Many thanks in advance
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....
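One way to triage filterlog lines like the ones in this post, as an added example (my code, not the poster's and not part of OPNsense): split the CSV fields by their pf filterlog column names and count distinct connection attempts separately from dropped SYN retransmissions. The sample log is constructed from the entries quoted above and keeps the poster's WAN_IP placeholder.

```python
import csv

IPV4_TCP_FIELDS = [  # column layout of a pf/OPNsense filterlog entry for an IPv4 TCP packet
    "rulenr", "subrulenr", "anchor", "tracker", "interface", "reason",
    "action", "dir", "ipver", "tos", "ecn", "ttl", "id", "offset", "flags",
    "protoid", "proto", "length", "src", "dst", "srcport", "dstport",
    "datalen", "tcpflags", "seq", "ack", "window", "urg", "options",
]

# Constructed sample modelled on the lines quoted in the first post ("WAN_IP" is the
# poster's placeholder): two connection attempts, each SYN retransmitted once.
SAMPLE_LOG = """\
Aug 10 19:19:04 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,41360,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56286,80,0,S,3251809608,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 19:19:04 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,1342,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56288,80,0,S,4157671481,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 19:18:32 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,1341,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56288,80,0,S,4157671481,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 19:18:31 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,41359,0,DF,6,tcp,60,10.10.0.22,WAN_IP,56286,80,0,S,3251809608,,64240,,mss;sackOK;TS;nop;wscale
"""

def parse_filterlog(line):
    """Field dict for one syslog line, or None if it is not an IPv4 TCP filterlog entry."""
    ts, sep, body = line.partition("filterlog: ")
    if not sep:
        return None
    values = next(csv.reader([body.strip()]))
    if len(values) != len(IPV4_TCP_FIELDS) or values[8] != "4" or values[16] != "tcp":
        return None
    rec = dict(zip(IPV4_TCP_FIELDS, values))
    rec["timestamp"] = ts.strip()
    return rec

def summarize_blocked(log_text, dstport="80"):
    """Group blocked packets to dstport by (interface, src, dst). A client retransmits an
    unanswered SYN with the same source port and sequence number, so distinct
    (srcport, seq) pairs count real connection attempts; 'packets' counts every drop."""
    groups = {}
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec is None or rec["action"] != "block" or rec["dstport"] != dstport:
            continue
        key = (rec["interface"], rec["src"], rec["dst"])
        g = groups.setdefault(key, {"packets": 0, "attempts": set(), "flags": set()})
        g["packets"] += 1
        g["attempts"].add((rec["srcport"], rec["seq"]))
        g["flags"].add(rec["tcpflags"])
    return {k: {"packets": g["packets"], "attempts": len(g["attempts"]),
                "syn_only": g["flags"] == {"S"}} for k, g in groups.items()}

if __name__ == "__main__":
    for (ifname, src, dst), stats in summarize_blocked(SAMPLE_LOG).items():
        print(f"{ifname}: {src} -> {dst}:80 {stats}")
```

Run over the full log from the post, the 14 lines collapse to two attempts (source ports 56286 and 56288) whose SYNs were retried for about a minute, which is what a blocked client connection looks like rather than a scan.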

ARCHmatux

Re: Client trying to access WAN IP port 80 - Any explanation?
« Reply #1 on: August 10, 2019, 10:27:30 pm »
I've seen something similar before.

It's possible for malicious javascript to use CSRF to attempt an attack on a router/firewall from the inside.
This generally takes advantage of default credentials or UPNP to let an attacker in.

If it only happened once it's likely that a page currently open in the browser had something like the above embedded in it.
If it's ongoing I'd be on the hunt for a persistent threat, maybe a malicious browser plugin or similar.

chemlud

Re: Client trying to access WAN IP port 80 - Any explanation?
« Reply #2 on: August 10, 2019, 10:57:13 pm »
Browser is an up-to-date Palemoon with No-Script as only plugin. Some Startpage searches were performed over the afternoon.

Some weeks ago I installed RKHunter and ran a scan, without findings (except for some "large memory sections" used by the browser and Thunderbird, iirc).

Any suggestions how to proceed?

ARCHmatux

Re: Client trying to access WAN IP port 80 - Any explanation?
« Reply #3 on: August 11, 2019, 01:13:19 am »
You could always use netstat on the client machine to see what process is causing this.

As an aside, seeing as Palemoon's archive server was breached for over 18 months before they noticed, I'd be a bit concerned about relying on their software.

chemlud

Re: Client trying to access WAN IP port 80 - Any explanation?
« Reply #4 on: August 11, 2019, 09:08:47 am »
Quote from: ARCHmatux on August 11, 2019, 01:13:19 am
You could always use netstat on the client machine to see what process is causing this.

Hmmm, but that will only work if I can catch them with their trousers down, or? It happens really rarely, for some seconds, and I only see it in the OPNsense logs when it's over...

Quote
As an aside, seeing as Palemoon's archive server was breached for over 18 months before they noticed, I'd be a bit concerned about relying on their software.

You mean this here:

https://www.bleepingcomputer.com/news/security/hackers-infect-pale-moon-archive-server-with-a-malware-dropper/

?

I like projects giving full disclosure of such events with an assessment of which versions were affected how. I don't see a major problem in this event. And besides these router attacks I have no alarms from suricata...

Any other ideas how to find the culprit? :-)
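Catching a connection that only lasts a few seconds, the concern raised in this reply, is easier than it looks: when the firewall silently drops the SYN, the Linux client keeps the socket in SYN_SENT and retransmits it for about a minute (the log in the first post shows the same SYN repeated from 19:18:00 to 19:19:04), so polling /proc/net/tcp once a second and mapping the socket inode to a pid is enough to name the process. This is an added example, not code from any poster; it assumes a Linux client, root for sockets of other users, and a little-endian host, and the /proc/net/tcp excerpt and the WAN address 198.51.100.7 are constructed.

```python
import glob
import os
import socket
import struct
import time

# Constructed /proc/net/tcp excerpt: one SYN_SENT (02) socket 10.10.0.22:56286 -> 198.51.100.7:80 (made-up WAN address) and a listener (0A).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 16000A0A:DBDE 076433C6:0050 02 00000001:00000000 01:00000009 00000004  1000        0 123456 2 0 200 0 0 1 7
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9999 1 0 100 0 0 10 0
"""

def hex_endpoint(field):
    """'16000A0A:DBDE' -> ('10.10.0.22', 56286); the kernel prints the IPv4 address in host order."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("=I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Return (local, remote, state, inode) tuples; the first line is the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 10:
            rows.append((hex_endpoint(parts[1]), hex_endpoint(parts[2]), parts[3], parts[9]))
    return rows

def outbound_to(rows, remote_ip, remote_port=80):
    """Sockets to remote_ip:remote_port that are ESTABLISHED (01) or still in SYN_SENT (02)."""
    return [r for r in rows if r[1] == (remote_ip, remote_port) and r[2] in ("01", "02")]

def pid_for_inode(inode):
    """Map a socket inode to the owning pid via /proc/*/fd (run as root to see every user)."""
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            if os.readlink(fd) == f"socket:[{inode}]":
                return int(fd.split("/")[2])
        except OSError:  # the fd or its process vanished while we were scanning
            pass
    return None

def watch(remote_ip, interval=1.0):
    """Poll until interrupted; a dropped SYN keeps the socket in SYN_SENT for a minute or more."""
    seen = set()
    while True:
        rows = parse_proc_net_tcp(open("/proc/net/tcp").read())
        for local, remote, state, inode in outbound_to(rows, remote_ip):
            if inode not in seen:
                seen.add(inode)
                pid = pid_for_inode(inode)
                print(f"{time.strftime('%H:%M:%S')} {local} -> {remote} state={state} pid={pid}")
        time.sleep(interval)
```

Call watch("<your WAN IP>") on the client and leave it running; the pid it prints can then be looked up in /proc/<pid>/cmdline to see which program (or browser process) opened the socket.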

chemlud

Re: Client trying to access WAN IP port 80 - Any explanation?
« Reply #5 on: August 11, 2019, 08:13:07 pm »
...24h later:

Code:
Aug 11 19:18:30 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,23899,0,DF,6,tcp,60,10.10.0.22,WAN_IP,57342,80,0,S,2803302157,,64240,,mss;sackOK;TS;nop;wscale
Aug 11 19:18:29 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,20517,0,DF,6,tcp,60,10.10.0.22,WAN_IP,57340,80,0,S,204665404,,64240,,mss;sackOK;TS;nop;wscale
Aug 11 19:18:14 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,23898,0,DF,6,tcp,60,10.10.0.22,WAN_IP,57342,80,0,S,2803302157,,64240,,mss;sackOK;TS;nop;wscale
Aug 11 19:18:13 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,20516,0,DF,6,tcp,60,10.10.0.22,WAN_IP,57340,80,0,S,204665404,,64240,,mss;sackOK;TS;nop;wscale
Aug 11 19:18:05 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,23897,0,DF,6,tcp,60,10.10.0.22,WAN_IP,57342,80,0,S,2803302157,,64240,,mss;sackOK;TS;nop;wscale
Aug 11 19:18:05 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,20515,0,DF,6,tcp,60,10.10.0.22,WAN_IP,57340,80,0,S,204665404,,64240,,mss;sackOK;TS;nop;wscale
Aug 11 19:18:01 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,23896,0,DF,6,tcp,60,10.10.0.22,WAN_IP,57342,80,0,S,2803302157,,64240,,mss;sackOK;TS;nop;wscale
Aug 11 19:18:01 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,20514,0,DF,6,tcp,60,10.10.0.22,WAN_IP,57340,80,0,S,204665404,,64240,,mss;sackOK;TS;nop;wscale
Aug 11 19:17:59 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,23895,0,DF,6,tcp,60,10.10.0.22,WAN_IP,57342,80,0,S,2803302157,,64240,,mss;sackOK;TS;nop;wscale
Aug 11 19:17:59 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,20513,0,DF,6,tcp,60,10.10.0.22,WAN_IP,57340,80,0,S,204665404,,64240,,mss;sackOK;TS;nop;wscale
Aug 11 19:17:58 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,23894,0,DF,6,tcp,60,10.10.0.22,WAN_IP,57342,80,0,S,2803302157,,64240,,mss;sackOK;TS;nop;wscale
Aug 11 19:17:58 filterlog: 93,,,0,igb0,match,block,in,4,0x0,,64,20512,0,DF,6,tcp,60,10.10.0.22,WAN_IP,57340,80,0,S,204665404,,64240,,mss;sackOK;TS;nop;wscale

Hmmmm.....

chemlud

Re: Client trying to access WAN IP port 80 - Any explanation?
« Reply #6 on: August 12, 2019, 06:21:14 pm »
Did a fresh install of Linux and tried from other machines in different networks/routers. It's a hobby of Palemoon (28.6.1) and/or No-Script (5.1.9) (I only tried the version of Palemoon running without installation, just from a directory after unzipping) to contact the local WAN address on port 80. Strange.

PS: Trying to ask some questions in the Palemoon forum, but they don't accept aol accounts for registration. OMG.

« Last Edit: August 12, 2019, 06:27:08 pm by chemlud »

fabian

  • OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: Client trying to access WAN IP port 80 - Any explanation?
« Reply #7 on: August 12, 2019, 07:39:39 pm »
Sounds stupid, but 80 may also be used for DNS-based detection of a PAC file.

chemlud

Re: Client trying to access WAN IP port 80 - Any explanation?
« Reply #8 on: August 12, 2019, 07:46:47 pm »
I'm one step further: it's not Palemoon, but No-Script... Disabling/enabling the add-on makes the traffic disappear/re-appear. Strange, but true.

I don't see any such traffic with Firefox (latest) and the "new" No-Script (combined with uMatrix, at least...).
