[SOLVED] ISP hacked OPNSense Router

Started by peterwkc, November 27, 2024, 09:23:29 AM

My LAN Windows PC was affected: the PC's background changed and a Word document got messed up.

Quote from: peterwkc on January 08, 2025, 08:41:39 AM
My LAN Windows PC was affected: the PC's background changed and a Word document got messed up.

So far, so bad. You will need to investigate how that happened. But it in no way implies that

- your OPNsense was compromised
- your ISP did it

Both things are highly unlikely even in the case of a breached Windows PC.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Let me monitor few days and see.

Hackers might use your hardware as part of a botnet or for mining, discreetly.
Or they might encrypt all your data for ransom. Or just steal it if it's valuable to them.

Announcing their presence with something as visible as a background change and messing with one file doesn't quite fit.

January 10, 2025, 08:16:04 AM #64 Last Edit: January 10, 2025, 08:19:34 AM by peterwkc
I have several cron jobs to periodically reset the WAN interface and now it is not working anymore. It doesn't renew my WAN IP address anymore.

Quote from: peterwkc on January 10, 2025, 08:16:04 AM
I have several cron jobs to periodically reset the WAN interface
Why?

Perhaps your ISP's system is slow to reconnect a system you have made appear flaky with resets.
Deciso DEC697
+crowdsec +wireguard

Quote from: peterwkc on January 10, 2025, 08:16:04 AM
I have several cron jobs to periodically reset the WAN interface and now it is not working anymore. It doesn't renew my WAN IP address anymore.
Quote from: peterwkc on December 28, 2024, 04:02:53 AM
Recently my OPNsense reboots randomly. Possibly a KVM over IP hack? Is it hardware-based remote access?

How to block/disable this?
Why do we keep returning to this thread? It's like a car crash. I guess it's the hysterics of the title and posts.
Anyways OP, check dmesg for hints. There's a good chance you have hardware problems, as you were told before. Nothing malign, just plain bad hardware. By the way, what is your hardware, including NIC make and model? If Realtek, which driver are you using, the OPNsense default or another, and which?

Check if your reboots are not related to kernel panics; there have been several threads on this topic recently.

Quote from: borys.ohnsorge on January 10, 2025, 07:44:41 PM
Check if your reboots are not related to kernel panics; there have been several threads on this topic recently.

I do have a crash issue in /var/log/dmesg. I am using the latest version.

Then why don't you post the "crash issue" here? None of us owns a crystal ball. The cause for your crashes is in that text!
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

@peterwkc You should have something similar to this:
<45>1 2025-01-10T02:33:17+01:00 opnsense2 syslog-ng 28239 - [meta sequenceId="1"] syslog-ng starting up; version='4.8.1'
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="2"] Fatal trap 12: page fault while in kernel mode
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="3"] cpuid = 3; apic id = 03
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="4"] fault virtual address     = 0x0
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="5"] fault code                = supervisor write data, page not present
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="6"] instruction pointer       = 0x20:0xffffffff80f3c00f
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="7"] stack pointer             = 0x28:0xfffffe000edf1d10
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="8"] frame pointer             = 0x28:0xfffffe000edf1d50
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="9"] code segment              = base 0x0, limit 0xfffff, type 0x1b
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="10"]                  = DPL 0, pres 1, long 1, def32 0, gran 1
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="11"] processor eflags = interrupt enabled, resume, IOPL = 0
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="12"] current process          = 0 (thread taskq)
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="13"] rdi: fffffe008ea60400 rsi: 0000000000000000 rdx: 000000000000002e
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="14"] rcx: 0000000000000000  r8: 0000000000000000  r9: fffff80005c2f480
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="15"] rax: 0000000000000000 rbx: 0000000000000000 rbp: fffffe000edf1d50
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="16"] r10: fffff80005c2f480 r11: 00000000802e6e20 r12: fffff801c6694fe0
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="17"] r13: fffffe008ea60400 r14: fffff801c6694318 r15: fffff80005c2f540
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="18"] trap number              = 12
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="19"] panic: page fault
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="20"] cpuid = 3
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="21"] time = 1736472729
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="22"] KDB: stack backtrace:
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="23"] db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe000edf1a00
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="24"] vpanic() at vpanic+0x131/frame 0xfffffe000edf1b30
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="25"] panic() at panic+0x43/frame 0xfffffe000edf1b90
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="26"] trap_fatal() at trap_fatal+0x40b/frame 0xfffffe000edf1bf0
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="27"] trap_pfault() at trap_pfault+0x46/frame 0xfffffe000edf1c40
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="28"] calltrap() at calltrap+0x8/frame 0xfffffe000edf1c40
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="29"] --- trap 0xc, rip = 0xffffffff80f3c00f, rsp = 0xfffffe000edf1d10, rbp = 0xfffffe000edf1d50 ---
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="30"] zone_release() at zone_release+0x1df/frame 0xfffffe000edf1d50
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="31"] bucket_drain() at bucket_drain+0xb9/frame 0xfffffe000edf1d80
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="32"] bucket_cache_reclaim_domain() at bucket_cache_reclaim_domain+0x2ff/frame 0xfffffe000edf1de0
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="33"] zone_timeout() at zone_timeout+0x2eb/frame 0xfffffe000edf1e20
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="34"] uma_timeout() at uma_timeout+0x58/frame 0xfffffe000edf1e40
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="35"] taskqueue_run_locked() at taskqueue_run_locked+0x182/frame 0xfffffe000edf1ec0
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="36"] taskqueue_thread_loop() at taskqueue_thread_loop+0xc2/frame 0xfffffe000edf1ef0
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="37"] fork_exit() at fork_exit+0x7f/frame 0xfffffe000edf1f30
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="38"] fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe000edf1f30
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="39"] --- trap 0, rip = 0, rsp = 0, rbp = 0 ---
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="40"] KDB: enter: panic
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="41"] ---<<BOOT>>---

Copy it, with the two lines before "Fatal trap 12: ...", and paste it here as "code".
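To make the request above concrete, here is an added example (it is not from the thread and not OPNsense's own tooling) that pulls the panic block out of a syslog-ng formatted log, two context lines before "Fatal trap" through the "---<<BOOT>>---" marker, and summarises the faulting frame so it can be compared across reboots. The sample log inside it is a constructed, abbreviated copy of the one shown above. The record layout is assumed to be the one syslog-ng writes on OPNsense, and the real log path (/var/log/dmesg.today, or the kernel messages under /var/log/system/) is an assumption too; point the functions at whichever file holds your crash.

```shell
#!/bin/sh
# Added example, not from the forum thread. Extracts and summarises a FreeBSD
# kernel panic from an OPNsense syslog-ng style log.
# Assumption: lines look like '<13>1 <timestamp> <host> kernel - - [meta ...] <msg>'.

# Constructed sample log (abbreviated copy of the panic quoted in the thread).
# On a real box use e.g. /var/log/dmesg.today instead (path assumed).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
<13>1 2025-01-10T02:33:10+01:00 opnsense2 kernel - - [meta sequenceId="0"] pppoe0: link state changed to UP
<45>1 2025-01-10T02:33:17+01:00 opnsense2 syslog-ng 28239 - [meta sequenceId="1"] syslog-ng starting up; version='4.8.1'
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="2"] Fatal trap 12: page fault while in kernel mode
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="3"] cpuid = 3; apic id = 03
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="4"] fault virtual address     = 0x0
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="12"] current process          = 0 (thread taskq)
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="18"] trap number              = 12
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="19"] panic: page fault
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="29"] --- trap 0xc, rip = 0xffffffff80f3c00f, rsp = 0xfffffe000edf1d10, rbp = 0xfffffe000edf1d50 ---
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="30"] zone_release() at zone_release+0x1df/frame 0xfffffe000edf1d50
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="31"] bucket_drain() at bucket_drain+0xb9/frame 0xfffffe000edf1d80
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="40"] KDB: enter: panic
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="41"] ---<<BOOT>>---
<13>1 2025-01-10T02:34:02+01:00 opnsense2 kernel - - [meta sequenceId="42"] Copyright (c) 1992-2023 The FreeBSD Project.
EOF

# Number of panics recorded in the log (one "Fatal trap" line per panic).
count_panics() {
    grep -c 'Fatal trap' "$1" || true
}

# Print each panic block: the two lines before "Fatal trap" (what the thread
# asks for) through the "---<<BOOT>>---" marker written when the box came back.
extract_panic() {
    awk '
        /Fatal trap/ && !inpanic {
            inpanic = 1
            if (p2 != "") print p2
            if (p1 != "") print p1
        }
        inpanic { print }
        /---<<BOOT>>---/ { inpanic = 0 }
        { p2 = p1; p1 = $0 }       # keep the last two lines as context
    ' "$1"
}

# One-line summary of the first panic: trap type, faulting address, the process
# that was running, and the first frame above the trap (the function that faulted).
panic_summary() {
    extract_panic "$1" | awk '
        { sub(/^.*] /, "") }                      # drop the syslog-ng header
        /^Fatal trap /           { sub(/^Fatal trap /, ""); trap = $0 }
        /^fault virtual address/ { sub(/^fault virtual address *= /, ""); addr = $0 }
        /^current process/       { sub(/^current process *= /, ""); proc = $0 }
        /^--- trap 0x/           { grab = 1; next }
        grab && /\(\) at /       { sub(/\(\).*/, ""); frame = $0; grab = 0 }
        END { printf "trap=%s; addr=%s; process=%s; frame=%s\n", trap, addr, proc, frame }
    '
}

# Stand-alone run: show the block to paste into the forum, then the summary.
echo "panics: $(count_panics "$SAMPLE_LOG")"
extract_panic "$SAMPLE_LOG"
panic_summary "$SAMPLE_LOG"
```

The summary line is the part worth comparing across reboots: the same frame and the same faulting address each time points at one code path, while a different frame every time is the usual pattern for bad RAM, which is why Memtest86+ is a sensible next step. A page fault at address 0x0 inside the UMA allocator (zone_release, bucket_drain) is a kernel null-pointer dereference or memory corruption; on its own it is a bug or hardware symptom, not evidence of remote access.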

Quote from: Patrick M. Hausen on January 11, 2025, 11:58:53 AM
Then why don't you post the "crash issue" here? None of us owns a crystal ball. The cause for your crashes is in that text!

Here is the dmesg text.
 

1.: Disable Suricata on the PPPoE interface
2.: Run Memtest86+ to check for faulty RAM modules. (Download the ISO here: https://www.memtest.org/)
3.: Replace the hard disk and reinstall OPNsense
I want all services to run at wire speed and therefore run this dedicated hardware configuration:

AMD Ryzen 7 9700x
ASUS Pro B650M-CT-CSM
64GB DDR5 ECC (2x KSM56E46BD8KM-32HA)
Intel XL710-BM1
Intel i350-T4
2x SSD with ZFS mirror
PiKVM for remote maintenance

private user, no business use

Quote from: seed on January 13, 2025, 05:15:29 PM
1.: Disable Suricata on the PPPoE interface
2.: Run Memtest86+ to check for faulty RAM modules. (Download the ISO here: https://www.memtest.org/)
3.: Replace the hard disk and reinstall OPNsense

I have Suricata IDS on the PPPoE interface only.

IPS is not supported for PPPoE, only IDS.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)