Is my opnsense machine compromised?

Started by opnuser1, April 04, 2025, 05:28:54 PM

I set up WireGuard according to the OPNsense road warrior tutorial. But whenever I enable the WAN rule, my computer tells me that there is a TCP port scanning attack (generic botnet). Now I think my OPNsense machine is compromised; it is coming from the OPNsense IP and there are no other machines. Am I missing something? Thank you.

Show the details of your WAN rule. And possibly some more information about those botnet warnings. What software is this which is sounding the alarm?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Eset is giving the alarm like this:
4/4/2025 3:03:09 AM;TCP Port Scanning attack;Blocked;192.168.1.1:34643;192.168.1.111:143;TCP;Win32/Botnet.generic;;;;;;;


This is the WAN rule (in the picture).

Thank you.

April 04, 2025, 08:40:00 PM #3 Last Edit: April 04, 2025, 08:52:44 PM by patient0
I'm not sure if you are serious with your screenshot, lovely colors but not a shred of information in it. Ok, you allowed us to see one rule, udp/51837. That's a normal rule to allow WireGuard, that can't be the source of the Eset alarm.

What do the other rules do?

As for the Eset alarm: if you do expose port tcp/143 (IMAP) on WAN and forward it to your client 192.168.1.111, then it's all good.
If you run an IMAP server on .1.111, then it is to be expected.
If you do forward all ports on WAN to a client, then you should think it over again.
Deciso DEC740

Sorry, let me clarify.  (that's the opnsense dark theme!)
All those other rules are disabled, I don't use them, I should delete them. But when I enable the WireGuard rule, I immediately get port scanning attacks. Here are some others; they are similar:
3/31/2025 9:24:44 PM;TCP Port Scanning attack;Blocked;192.168.1.1:52872;192.168.1.111:139;TCP;Win32/Botnet.generic;;;;;;;
3/30/2025 7:02:16 AM;TCP Port Scanning attack;Blocked;192.168.1.1:47268;192.168.1.111:8888;TCP;Win32/Botnet.generic;;;;;;;

192.168.1.111 is my laptop getting these alerts.  192.168.1.1 is opnsense.
I don't run any IMAP server or anything.
There is another machine on the network and it also gets the alert as soon as I enable that rule.
And I have recently stopped a ransomware attack, so I am on the lookout for where the breach is and seeing as how the laptop and opnsense are the only machines on the network, I think opnsense is compromised but I am not sure.

I don't have any other custom rules or anything in the firewall, I don't think, other than the items from the WireGuard Roadwarrior instructions. That's why I posted about that WAN rule, because that is the one where, if I enable it, the alerts start.

I'm thinking of pulling the opnsense drive out and scanning it somehow, or just formatting it and starting over?  I just wanted your guys' opinion in case I am missing something.  Thank you.
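As an added example, not from any post in this thread: a small POSIX shell/awk triage of the Eset lines quoted above. It assumes Eset's semicolon-separated export puts time, event, action, source, destination and protocol in fields 1 to 6 (inferred from the quoted lines) and takes the gateway address 192.168.1.1 from the thread; the three log lines are embedded as constructed sample input.

```shell
#!/bin/sh
# Constructed sample: the three Eset IDS lines quoted in this thread,
# in Eset's semicolon-separated export format
# (time;event;action;source;destination;proto;threat;...).
ESET_LOG='4/4/2025 3:03:09 AM;TCP Port Scanning attack;Blocked;192.168.1.1:34643;192.168.1.111:143;TCP;Win32/Botnet.generic;;;;;;;
3/31/2025 9:24:44 PM;TCP Port Scanning attack;Blocked;192.168.1.1:52872;192.168.1.111:139;TCP;Win32/Botnet.generic;;;;;;;
3/30/2025 7:02:16 AM;TCP Port Scanning attack;Blocked;192.168.1.1:47268;192.168.1.111:8888;TCP;Win32/Botnet.generic;;;;;;;'

# Print "source_ip dest_ip dest_port" for every blocked port-scan event
# whose source address is the given gateway.
scan_events_from() {
    gw="$1"
    printf '%s\n' "$ESET_LOG" | awk -F';' -v gw="$gw" '
        $2 == "TCP Port Scanning attack" {
            split($4, s, ":"); split($5, d, ":")
            if (s[1] == gw) print s[1], d[1], d[2]
        }'
}

# Summarise the number of distinct destination ports the gateway hit
# per internal host. Several distinct ports on one host, all from the
# gateway itself, is what makes the gateway (not the laptop) suspect.
ports_per_host_from() {
    scan_events_from "$1" | awk '{ seen[$2 SUBSEP $3] = 1 }
        END { for (k in seen) { split(k, p, SUBSEP); n[p[1]]++ }
              for (h in n) print h, n[h] }' | sort
}
```

On a real export, replace ESET_LOG with the contents of the Eset log file; a host hit on many distinct ports from the router address is the pattern worth chasing in Firewall: Diagnostics: States.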

Update...scanned the opnsense drive and it was compromised.  Damn.

Quote from: opnuser1 on April 04, 2025, 11:17:45 PM
All those other rules are disabled, I don't use them, I should delete them. But when I enable the wireguard rule, I immediately get port scanning attacks.
In the screenshot all rules are disabled, that was confusing.

If you only enable the WireGuard rule, then only port udp/51837 is open, nothing else. Do you have any WireGuard connections configured and running? Or any NAT port forwarding rules?

You can check the open connections on OPNsense under Firewall: Diagnostics: States. Enter your IP 192.168.1.111 in the search field to see all the open connections to your client and the associated rules. And/or search for your WAN IP to see if there are incoming connections to port 143 or whatever other port Eset reports.

What other packages do you have installed on OPNsense? How is OPNsense connected to the internet: does it get a public IP, or is it behind another router/modem and gets a private IP?

If you're comfortable with the command line, it would be interesting to see the running processes. SSH/console into OPNsense and run

ps auxw > /tmp/ps-auxw.txt
You then look at that file using 'less /tmp/ps-auxw.txt' and check for processes you would not expect. Granted, for that you have to know what to expect. In the 'COMMAND' column I guess you can ignore all the ones that start with [ and end in ], php-cgi, dhcpd, radvd, sshd.

Other than that, you would wipe the OPNsense disk and reinstall.

But maybe @Patrick M. Hausen has another idea or has heard of OPNsense boxes that got infected.
Deciso DEC740
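An added example of the process check described in the post above (it is not the poster's own script): a POSIX shell/awk filter over `ps auxw` output that drops kernel threads and the daemons the post says to ignore, and prints whatever is left for a human to look at. The allowlist is illustrative only, and the sample `ps` output is constructed; its last row uses the /opt/npc/npc path the original poster's AV later flagged.

```shell
#!/bin/sh
# Daemons the post says can be ignored on a stock OPNsense box, plus the
# kernel threads that show as [name]. Illustrative allowlist only, not
# an authoritative list of OPNsense processes; extend as needed.
EXPECTED='php-cgi dhcpd radvd sshd'

# Read `ps auxw` output on stdin and print USER, PID and COMMAND for
# every row that is neither a kernel thread nor an expected daemon.
unexpected_procs() {
    awk -v list="$EXPECTED" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                      # skip the header row
        {
            cmd = $11                         # COMMAND is field 11 in ps auxw
            if (cmd ~ /^\[.*\]$/) next        # kernel thread, e.g. [kernel]
            sub(/^.*\//, "", cmd)             # keep the basename only
            sub(/:$/, "", cmd)                # "sshd:" session style
            if (cmd in ok) next
            print $1, $2, $11
        }'
}

# Constructed sample resembling `ps auxw` on FreeBSD/OPNsense.
SAMPLE_PS='USER  PID %CPU %MEM   VSZ   RSS TT  STAT STARTED    TIME COMMAND
root    0  0.0  0.0     0  1234  -  DLs  10:00   0:00.01 [kernel]
root  812  0.0  0.1  2345  4567  -  Ss   10:01   0:00.10 /usr/sbin/sshd
root  901  0.0  0.2  3456  5678  -  S    10:01   0:00.30 /usr/local/bin/php-cgi
root  950  0.0  0.1  2222  3333  -  Ss   10:01   0:00.05 /usr/local/sbin/dhcpd
root 1201  0.0  0.3  9876  6543  -  S    10:05   0:01.20 /opt/npc/npc'

# Run the filter over the constructed sample; on a live box you would
# instead do: ps auxw | unexpected_procs
triage_sample() { printf '%s\n' "$SAMPLE_PS" | unexpected_procs; }
```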

April 05, 2025, 07:11:47 AM #7 Last Edit: April 05, 2025, 10:36:17 AM by patient0
Quote from: opnuser1 on April 05, 2025, 07:00:41 AM
Update...scanned the opnsense drive and it was compromised. Damn.
How? Can you provide more information? What executable was installed, and where on OPNsense (which OPNsense version do you run, btw)? Did you save it away for inspection?

And what I totally forgot: can you run System: Firmware > Run an audit > Health and check the output?
Deciso DEC740

Sorry, I did not save it. However, I did run the audit health before I destroyed that machine, but it didn't detect anything. But I still suspected that the port scanning was coming from that drive, so I removed the disk from the machine and scanned it with an AV. I immediately got some detections in the opt folder, so I just destroyed it.
4/4/2025 9:57:14 PM;Real-time file system protection;file;C:\av_test\Root\opt\npc\npc;a variant of Linux/Riskware.Nps.A application;cleaned by deleting
4/4/2025 9:57:47 PM;Real-time file system protection;file;C:\av_test\Root\usr\bin\npc-update;a variant of Linux/Riskware.Nps.A application;cleaned by deleting

I reinstalled OPNsense from scratch and now there are no more port scanning attacks, so I'm pretty sure it was compromised.

What AV did you run, and how did you run it? Is it a bootable device that has XYZ AV available? Asking because it's kind of important and something that would be nice to know about. Would also be nice to know how the virus got there, but that's elusive by nature.