Security breach? Netscan *:222 via OPNsense

[zimmo]

Hi Guys,

I have a OPNsense firewall installed on hyper-v on a server at Hetzner. Hetzner monitors Network activity from the servers.

This morning i got this message regarding the OPNsense unit:

#################

Dear Mr XXX,

We have indications that there was an attack from your server.
Please take all necessary measures to avoid this in the future and to solve the issue.

We also request that you send a short response to us. This response should contain information about how this could have happened and what you intend to do about it........

##################
The Log with my ip changed:

##########################################################################
#               Netscan detected from host  138.111.111.111               #
##########################################################################

time                protocol src_ip src_port          dest_ip dest_port
---------------------------------------------------------------------------
Tue Apr 24 23:59:23 2018 TCP  138.111.111.111 3233  =>      45.125.4.9 222 
Tue Apr 24 23:59:24 2018 TCP  138.111.111.111 3233  =>      45.125.4.9 222 
Tue Apr 24 23:59:26 2018 TCP  138.111.111.111 3233  =>      45.125.4.9 222 
Tue Apr 24 23:59:30 2018 TCP  138.111.111.111 3233  =>      45.125.4.9 222 
Tue Apr 24 23:58:36 2018 TCP  138.111.111.111 48708 =>    45.125.4.118 222 
Tue Apr 24 23:58:37 2018 TCP  138.111.111.111 48708 =>    45.125.4.118 222 
Tue Apr 24 23:58:39 2018 TCP  138.111.111.111 48708 =>    45.125.4.118 222 
Tue Apr 24 23:58:43 2018 TCP  138.111.111.111 48708 =>    45.125.4.118 222 
Tue Apr 24 23:59:27 2018 TCP  138.111.111.111 6487  =>    45.125.4.157 222 
Tue Apr 24 23:59:28 2018 TCP  138.111.111.111 6487  =>    45.125.4.157 222 
Tue Apr 24 23:59:30 2018 TCP  138.111.111.111 6487  =>    45.125.4.157 222 
Tue Apr 24 23:59:35 2018 TCP  138.111.111.111 6487  =>    45.125.4.157 222 
Tue Apr 24 23:59:17 2018 TCP  138.111.111.111 54008 =>    45.125.5.128 222 
Tue Apr 24 23:59:18 2018 TCP  138.111.111.111 54008 =>    45.125.5.128 222 
Tue Apr 24 23:59:20 2018 TCP  138.111.111.111 54008 =>    45.125.5.128 222 
Tue Apr 24 23:59:24 2018 TCP  138.111.111.111 54008 =>    45.125.5.128 222 
Tue Apr 24 23:58:31 2018 TCP  138.111.111.111 46869 =>     45.125.7.49 222 
Tue Apr 24 23:58:32 2018 TCP  138.111.111.111 46869 =>     45.125.7.49 222 
Tue Apr 24 23:58:34 2018 TCP  138.111.111.111 46869 =>     45.125.7.49 222 
Tue Apr 24 23:58:39 2018 TCP  138.111.111.111 46869 =>     45.125.7.49 222 
Tue Apr 24 23:58:42 2018 TCP  138.111.111.111 52066 =>    45.125.7.206 222 
Tue Apr 24 23:58:43 2018 TCP  138.111.111.111 52066 =>    45.125.7.206 222 
Tue Apr 24 23:58:45 2018 TCP  138.111.111.111 52066 =>    45.125.7.206 222 
Tue Apr 24 23:58:49 2018 TCP  138.111.111.111 52066 =>    45.125.7.206 222 
Tue Apr 24 23:59:47 2018 TCP  138.111.111.111 39996 =>    45.125.7.232 222 
Tue Apr 24 23:59:48 2018 TCP  138.111.111.111 39996 =>    45.125.7.232 222 
Tue Apr 24 23:59:50 2018 TCP  138.111.111.111 39996 =>    45.125.7.232 222 
Tue Apr 24 23:59:54 2018 TCP  138.111.111.111 39996 =>    45.125.7.232 222 
Tue Apr 24 23:58:28 2018 TCP  138.111.111.111 23450 =>   67.230.184.63 222 
Tue Apr 24 23:58:29 2018 TCP  138.111.111.111 23450 =>   67.230.184.63 222 
Tue Apr 24 23:58:31 2018 TCP  138.111.111.111 23450 =>   67.230.184.63 222 
Tue Apr 24 23:58:36 2018 TCP  138.111.111.111 23450 =>   67.230.184.63 222 
Tue Apr 24 23:59:23 2018 TCP  138.111.111.111 43116 =>    69.49.176.86 222 
Tue Apr 24 23:59:24 2018 TCP  138.111.111.111 43116 =>    69.49.176.86 222 
Tue Apr 24 23:59:26 2018 TCP  138.111.111.111 43116 =>    69.49.176.86 222 
Tue Apr 24 23:59:30 2018 TCP  138.111.111.111 43116 =>    69.49.176.86 222 
Wed Apr 25 00:00:01 2018 TCP  138.111.111.111 19270 =>    69.49.177.61 222 
Wed Apr 25 00:00:02 2018 TCP  138.111.111.111 19270 =>    69.49.177.61 222 
Wed Apr 25 00:00:04 2018 TCP  138.111.111.111 19270 =>    69.49.177.61 222 
Tue Apr 24 23:58:16 2018 TCP  138.111.111.111 55761 =>    69.49.178.83 222 
Tue Apr 24 23:58:17 2018 TCP  138.111.111.111 55761 =>    69.49.178.83 222 
Tue Apr 24 23:58:19 2018 TCP  138.111.111.111 55761 =>    69.49.178.83 222 
Tue Apr 24 23:58:23 2018 TCP  138.111.111.111 55761 =>    69.49.178.83 222 
Tue Apr 24 23:59:55 2018 TCP  138.111.111.111 46428 =>   69.49.179.246 222 
Tue Apr 24 23:59:56 2018 TCP  138.111.111.111 46428 =>   69.49.179.246 222 
Tue Apr 24 23:59:58 2018 TCP  138.111.111.111 46428 =>   69.49.179.246 222 
Wed Apr 25 00:00:02 2018 TCP  138.111.111.111 46428 =>   69.49.179.246 222 
Tue Apr 24 23:59:38 2018 TCP  138.111.111.111 26090 =>   69.49.182.195 222 
Tue Apr 24 23:59:39 2018 TCP  138.111.111.111 26090 =>   69.49.182.195 222 
Tue Apr 24 23:59:41 2018 TCP  138.111.111.111 26090 =>   69.49.182.195 222 
Tue Apr 24 23:59:45 2018 TCP  138.111.111.111 26090 =>   69.49.182.195 222 
Tue Apr 24 23:58:41 2018 TCP  138.111.111.111 65145 =>   69.49.182.220 222 
Tue Apr 24 23:58:42 2018 TCP  138.111.111.111 65145 =>   69.49.182.220 222 
Tue Apr 24 23:58:44 2018 TCP  138.111.111.111 65145 =>   69.49.182.220 222 
Tue Apr 24 23:58:48 2018 TCP  138.111.111.111 65145 =>   69.49.182.220 222 
Tue Apr 24 23:58:54 2018 TCP  138.111.111.111 41932 =>   69.49.183.236 222 
Tue Apr 24 23:58:56 2018 TCP  138.111.111.111 41932 =>   69.49.183.236 222 
Tue Apr 24 23:59:00 2018 TCP  138.111.111.111 41932 =>   69.49.183.236 222 
Tue Apr 24 23:58:46 2018 TCP  138.111.111.111 25570 =>   70.37.224.179 222 
Tue Apr 24 23:58:47 2018 TCP  138.111.111.111 25570 =>   70.37.224.179 222 
Tue Apr 24 23:58:49 2018 TCP  138.111.111.111 25570 =>   70.37.224.179 222 
Tue Apr 24 23:58:53 2018 TCP  138.111.111.111 25570 =>   70.37.224.179 222 
Tue Apr 24 23:59:01 2018 TCP  138.111.111.111 27554 =>    70.37.226.11 222 
Tue Apr 24 23:59:02 2018 TCP  138.111.111.111 27554 =>    70.37.226.11 222 
Tue Apr 24 23:59:04 2018 TCP  138.111.111.111 27554 =>    70.37.226.11 222 
Tue Apr 24 23:59:08 2018 TCP  138.111.111.111 27554 =>    70.37.226.11 222 
Tue Apr 24 23:58:34 2018 TCP  138.111.111.111 10035 =>    70.37.231.70 222 
Tue Apr 24 23:58:35 2018 TCP  138.111.111.111 10035 =>    70.37.231.70 222 
Tue Apr 24 23:58:37 2018 TCP  138.111.111.111 10035 =>    70.37.231.70 222 
Tue Apr 24 23:58:41 2018 TCP  138.111.111.111 10035 =>    70.37.231.70 222 
Tue Apr 24 23:59:21 2018 TCP  138.111.111.111 38398 =>   70.37.231.156 222 
Tue Apr 24 23:59:22 2018 TCP  138.111.111.111 38398 =>   70.37.231.156 222 
Tue Apr 24 23:59:24 2018 TCP  138.111.111.111 38398 =>   70.37.231.156 222 
Tue Apr 24 23:59:28 2018 TCP  138.111.111.111 38398 =>   70.37.231.156 222 
Tue Apr 24 23:58:30 2018 TCP  138.111.111.111 7300  =>    70.37.233.47 222 
Tue Apr 24 23:58:31 2018 TCP  138.111.111.111 7300  =>    70.37.233.47 222 
Tue Apr 24 23:58:33 2018 TCP  138.111.111.111 7300  =>    70.37.233.47 222 
Tue Apr 24 23:58:37 2018 TCP  138.111.111.111 7300  =>    70.37.233.47 222 
Tue Apr 24 23:58:37 2018 TCP  138.111.111.111 2946  =>    70.37.233.69 222 
Tue Apr 24 23:58:38 2018 TCP  138.111.111.111 2946  =>    70.37.233.69 222 
Tue Apr 24 23:58:44 2018 TCP  138.111.111.111 2946  =>    70.37.233.69 222 
Tue Apr 24 23:58:11 2018 TCP  138.111.111.111 9153  =>   70.37.233.140 222 
Tue Apr 24 23:58:45 2018 TCP  138.111.111.111 39610 =>   70.37.234.191 222 
Tue Apr 24 23:58:46 2018 TCP  138.111.111.111 39610 =>   70.37.234.191 222 
Tue Apr 24 23:58:48 2018 TCP  138.111.111.111 39610 =>   70.37.234.191 222 
Tue Apr 24 23:58:52 2018 TCP  138.111.111.111 39610 =>   70.37.234.191 222 
Wed Apr 25 00:00:06 2018 TCP  138.111.111.111 52263 =>   70.37.235.195 222 
Tue Apr 24 23:59:53 2018 TCP  138.111.111.111 60292 =>   70.37.235.225 222 

Full log attached.


############################
OPNsense Version:
OPNsense 17.7-amd64
FreeBSD 11.0-RELEASE-p11
OpenSSL 1.0.2l 25 May 2017
############################

I have no idea what it could be.
Behind OPNsense i have:
2 test Windows 2016 Servers, with very limited port open for RDP and Navision 2009 and 2016
1 fairly new Ubuntu running a web test environment.

###########################

Following Nat rules where set, not much:
LAN    TCP    *    *    LAN address    
         WAN    TCP    *    *    WAN address    8080    10.10.10.2    8080    NAV 8080    
         WAN    TCP    *    *    WAN address    49000    10.10.10.2    49000    NAV 49000    
         WAN    TCP    *    *    WAN address    7046    10.10.10.2    7046    NAV WAN 7046    
         WAN    TCP    *    *    WAN address    444    127.0.0.1    443 (HTTPS)    444   
         WAN    TCP    *    *    WAN address    80 (HTTP)    10.10.10.10    80 (HTTP)    XXX http    
         WAN    TCP    *    *    WAN address    22 (SSH)    10.10.10.10    22 (SSH)    XXX ssh    
         WAN    TCP    *    *    WAN address    443 (HTTPS)    10.10.10.10    443 (HTTPS)    XXX https    
         WAN    TCP    *    *    WAN address    3389 (MS RDP)    10.10.10.12    3389 (MS RDP)    XXX - RDP    
         WAN    TCP    *    *    WAN address    3390    10.10.10.2    3389 (MS RDP)       

##############################

I am not sure what to make of it.

Note that the state table was full when i logged in the first time and the firewall was not very responsive. From OPNsense I could not ping the Google DNS and I could not check for updates.

I have done the following:
Made a floating firewall block rule:
    IPv4 TCP/UDP    *    *    *    222    *       XXX-SECURITY
Done a reboot (After this i could ping Google DNS again).
Updated to OPNsense 18.1.6

############################

Should I do more?
Does anybody recognize the netscan, destination ip or anything?
Could it be the OPNsense system trying to do some faulty callback via an alternative SSH port(Or the ubuntu server behind it)?

I will be thankful for any constructive feedback.

Sorry if I am missing something obvious.

Best regards Zimmo.

[franco]

You need to find out what tries to open port 222 via the box and / or where this request comes from if its not local (could be via your configured VPN if you have one).

Blocking the port will only buy you a little bit of time and trouble with Hetzner.


Cheers,
Franco

[zimmo]

Hi Franco,

Thanks for your reply.

I have made a block-rule that writes to the log. I have not gotten anything in the log. So i can't track it yet.

I don't think i is from one of the machines on the "LAN" network. There is only 3 as described i my first post. I have no VPN to the router.

What i though is that the firewall went into an unwanted state where it does a call back of some sort. It look like it is doing SSH to a fixed list of servers. But i really don't know.

But now the router is updated so it will probably not happen again.

Best Regards

[Julien]

I see also that you are using RDP over the WAN which is really risky lately.
i would check the internal servers if they are patched and check the log of the RDP servers.
port 222 can be used for trojans and rsh-spx.

Configure VPN for the extern users in order to log in to the RDP server which is safer.