Possible malware infection on opnsense router.

Started by Siarap, September 24, 2025, 06:45:20 PM

September 24, 2025, 09:37:18 PM #15 Last Edit: September 24, 2025, 09:39:34 PM by Siarap
This is a small part of the queries (screenshot from the maltrail plugin).

https://imgur.com/a/vnVEavj

Please attach on this forum. I block external image hosting sites.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on September 24, 2025, 09:43:06 PM
Please attach on this forum. I block external image hosting sites.

When I try to post an image it asks me for an HTTPS link.

Click on "Preview" and you can upload images directly to the forum.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Small part. There were hundreds of them in 3 minutes. This is a screenshot from the maltrail plugin.

September 24, 2025, 09:53:44 PM #20 Last Edit: September 24, 2025, 09:56:56 PM by meyergru
On a first look, these seem to be requests for the Mirai botnet, which mostly attacks IoT devices, potentially also other Linux hosts. You could very easily isolate whether this is the case by just capping off your LAN network, attaching a Windows PC to your OPNsense and then seeing if those accesses stop.

Once devices have been infected, there is usually free-rider malware that adds on to that, which could explain the other malware signatures that are found.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

How do I identify the specific device? Maltrail shows WAN as the source of the traffic, not the LAN/VLAN device.

I got an IPTV decoder made in China from my ISP; I can't change it. I can't unplug devices; my family uses the internet/TV.

Is there a way to identify the device without unplugging?

Why is my DNS setup still leaking?

Do a tcpdump on the LAN port. I would argue either those WAN requests are directly NATed from there or proxied via one of your DNS services on the firewall. Just listen on any port those services expose.

Another potential would be a web proxy on your firewall that is used by your LAN clients and making those requests on behalf of them.

In that case, look at the proxy logs.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
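Maltrail on the WAN side only ever shows the firewall's own address after NAT, so the capture has to happen on the LAN port to see which host is really asking. The script below is an added example (not from this thread or from the OPNsense/maltrail projects): it parses the text that `tcpdump -ni <lan-if> -l 'port 53'` prints and groups the queries that bypass the firewall's resolver by LAN source host. The interface name, the 192.168.10.0/24 addresses and the sample lines are constructed for the example.

```python
"""Attribute DNS queries that bypass the firewall resolver to individual LAN hosts.

Input is tcpdump's default text output captured on the LAN interface. The sample below is
constructed; 192.168.10.1 is assumed to be the firewall's LAN address (Unbound on port 53).
"""
import re
from collections import Counter, defaultdict

SAMPLE_TCPDUMP = """\
21:50:01.100001 IP 192.168.10.23.51234 > 192.168.10.1.53: 1234+ A? www.example.net. (33)
21:50:01.100223 IP 192.168.10.45.40001 > 8.8.8.8.53: 4321+ A? update.example. (32)
21:50:01.200510 IP 192.168.10.45.40002 > 1.1.1.1.53: 4322+ A? cnc.example. (29)
21:50:01.300004 IP 192.168.10.23.51235 > 192.168.10.1.53: 1235+ AAAA? www.example.org. (33)
21:50:01.400999 IP 192.168.10.45.40003 > 8.8.8.8.53: 4323+ A? cnc.example. (29)
21:50:01.500120 IP 192.168.10.1.53 > 192.168.10.23.51234: 1234 1/0/0 A 203.0.113.10 (49)
"""

# Query line shape: "<time> IP <src>.<sport> > <dst>.<dport>: <id>+ <TYPE>? <name>. (<len>)"
QUERY_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): \d+\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+)"
)


def parse_dns_queries(text):
    """Return (src, dst, dport, qtype, qname) for each query line; response lines are skipped."""
    queries = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:  # responses ("1/0/0 A ...") never match the "TYPE? name" query shape
            queries.append((m["src"], m["dst"], int(m["dport"]),
                            m["qtype"], m["qname"].rstrip(".")))
    return queries


def find_leaking_hosts(queries, allowed_resolvers):
    """Map each LAN host that talks to a resolver outside allowed_resolvers to its queries."""
    leaks = defaultdict(Counter)
    for src, dst, _dport, _qtype, qname in queries:
        if dst not in allowed_resolvers:
            leaks[src][(dst, qname)] += 1
    return {src: dict(hits) for src, hits in leaks.items()}


if __name__ == "__main__":
    found = find_leaking_hosts(parse_dns_queries(SAMPLE_TCPDUMP), {"192.168.10.1"})
    for host, hits in found.items():  # each host listed is a candidate for isolation/cleanup
        for (resolver, qname), n in sorted(hits.items()):
            print(f"{host} -> {resolver} asked for {qname} x{n}")
```

Feed it a real capture with `tcpdump -ni <lan-if> -l 'port 53' | python3 thisscript.py` after swapping SAMPLE_TCPDUMP for `sys.stdin.read()`; the hosts it lists are the ones to isolate, not the firewall.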

September 24, 2025, 10:50:00 PM #23 Last Edit: September 24, 2025, 10:57:56 PM by BrandyWine
Quote from: meyergru on September 24, 2025, 07:11:11 PM
Are you sure about that? When your internal clients use DNS via port 53 to a specific DNS server, then obviously those requests go via the WAN IP via NAT. It seems ~10x more likely that some client has been infected than OPNsense...
Yep.

This is why it's best to dst NAT (WAN out rule) any outbound DNS to 9.9.9.11 or the like. Because OPNsense has that default "allow from self" rule, to protect against self (malware) using some other DNS that would return a malware IP from a query, forcing it with NAT to a malware-blocking DNS service would help. Not 100%, but it helps.

All DNS settings should be using a malware-blocking DNS service, and a WAN out NAT rule should force all DNS to a specific server, even if it's the same as the DNS from DHCP or hard set on hosts.

Another tip for OP: connect all your IoT things (streaming devices like Roku/crappleTV, TVs, T-stats, fridge, washing machine, etc.) to a different fw LAN port to isolate that crud from your computer stuff. I have a separate wifi AP for all the IoT crud in my house.
Mini-pc N150 i226-V, GOD BLESS CHARLIE KIRK

September 24, 2025, 11:29:36 PM #24 Last Edit: September 25, 2025, 01:48:23 AM by Siarap
Quote from: BrandyWine on September 24, 2025, 10:50:00 PM
Quote from: meyergru on September 24, 2025, 07:11:11 PM
Are you sure about that? When your internal clients use DNS via port 53 to a specific DNS server, then obviously those requests go via the WAN IP via NAT. It seems ~10x more likely that some client has been infected than OPNsense...
Yep.

This is why it's best to dst NAT (WAN out rule) any outbound DNS to 9.9.9.11 or the like. Because OPNsense has that default "allow from self" rule, to protect against self (malware) using some other DNS that would return a malware IP from a query, forcing it with NAT to a malware-blocking DNS service would help. Not 100%, but it helps.

All DNS settings should be using a malware-blocking DNS service, and a WAN out NAT rule should force all DNS to a specific server, even if it's the same as the DNS from DHCP or hard set on hosts.

Can you tell me how to do this? I'm a newbie. And thanks for the info; I'm using 9.9.9.11 over TLS but there are leaks currently.
I got a port forward rule on the LAN side like this:
LAN    TCP/UDP    *    *    *    53 (DNS)    127.0.0.1    53 (DNS)
and malware does what it wants, and there are leaks.

Is this below good?

WAN    TCP/UDP    *    *    WAN address    53 (DNS)    9.9.9.11    53 (DNS)

I got an important question. What if malware starts using DNS over HTTPS?

Botnet solved partially. In the end I blocked all outgoing traffic from WAN directed to DNS port 53 and I have DNS over TLS directed to 9.9.9.11.

Now I don't see warnings related to DNS and botnets.

Quote from: Siarap on September 24, 2025, 11:29:36 PM
I got an important question. What if malware starts using DNS over HTTPS?
This nat trick is in another thread, I have to find it.

You add a NAT rule as a WAN out rule: src any, dst any, dst-port tcp/udp 53, NAT dst IP to 9.9.9.11.
You do also want your standard access LAN rule for DNS, allowing your LAN net to 9.9.9.11 on tcp/udp 53.

DNS over HTTPS? Well, there are two ways (mostly) to get to a site: direct IP and FQDN. If it's FQDN then the NAT trick still helps. If it's a direct IP and you allow dst any for tcp 443, then there's a challenge. For that issue you have to look at the Suricata IDS and apply its function to WAN and LAN. It helps, but not 100%.
Mini-pc N150 i226-V, GOD BLESS CHARLIE KIRK

Quote from: Siarap on September 24, 2025, 11:29:36 PM
Botnet solved partially. In the end I blocked all outgoing traffic from WAN directed to DNS port 53 and I have DNS over TLS directed to 9.9.9.11.

Now I don't see warnings related to DNS and botnets.

Well, "solved" would be to find the root cause and eliminate it. As long as you have infected clients in your LAN, this is not over. Even more so with the observation that multiple trojans already seem to have invaded your network, and it seems not to be segmented into different levels of security by VLANs. Such as it is, the bots are free to spread in your network; you just do not see that any more.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

How is your Maltrail configured now, e.g. are you using firewall rules to block packets on WAN and LAN, IN and/or OUT, and on which interfaces?
Minisforum UN100D, N100, 8GB, 256GB nVME w/ZFS

September 25, 2025, 02:35:46 PM #28 Last Edit: September 25, 2025, 03:11:18 PM by Siarap
Quote from: BrandyWine on September 25, 2025, 06:42:29 AM
Quote from: Siarap on September 24, 2025, 11:29:36 PM
I got an important question. What if malware starts using DNS over HTTPS?
This nat trick is in another thread, I have to find it.

You add a NAT rule as a WAN out rule: src any, dst any, dst-port tcp/udp 53, NAT dst IP to 9.9.9.11.
You do also want your standard access LAN rule for DNS, allowing your LAN net to 9.9.9.11 on tcp/udp 53.


I just set DNS over TLS to Quad9 in Unbound and blocked all outgoing from WAN to port 53 using a firewall rule. I don't see any leaks now in maltrail. But my blocklist for blocking DNS over HTTPS started to block more and more.
Quote from: allenlook on September 25, 2025, 02:15:52 PM
How is your Maltrail configured now, e.g. are you using firewall rules to block packets on WAN and LAN, IN and/or OUT, and on which interfaces?


I'm using fail2ban from maltrail, in on WAN and out on LAN. My other blocklists have over 15 million unique IP addresses. The fight never ends.

Quote from: meyergru on September 25, 2025, 08:39:53 AM
Well, "solved" would be to find the root cause and eliminate it. As long as you have infected clients in your LAN, this is not over. Even more so with the observation that multiple trojans already seem to have invaded your network, and it seems not to be segmented into different levels of security by VLANs. Such as it is, the bots are free to spread in your network; you just do not see that any more.


Nothing spreads because I have VLAN separation. Formatted all drives in my gaming machine. Scanned the other client with Linux using ClamAV with no detections. I just can't scan/format my IPTV decoder. The IPTV decoder is made in China. Nobody knows what this device can do. I got this IPTV from the ISP and can't change it.