Page 1 of 2
Results 1 to 10 of 11
  1. #1
    Untanglit
    Join Date
    Jun 2008
    Posts
    16

    Default Is my Untangle box infected with an exploit?

    I was informed that my IP was responsible for an SSH attack. Analyzing the packets confirmed that it was coming from Untangle rather than the PC behind it. The email performance took quite a hit as well. Would anyone care to weigh in on the issue?

    Thanks!

  2. #2
    Untangle Ninja
    WebFooL's Avatar
    Join Date
    Jan 2009
    Location
    Sweden (Eskilstuna)
    Posts
    4,205

    Default

    Hi,
    more info would be nice.
    What version of untangle are you running?
    What modules are you running?
    What custom installations/mods have you done?

    And have you taken the box out of your production env?

  3. #3
    Untangle Ninja Silver Bullet's Avatar
    Join Date
    Sep 2007
    Posts
    2,008

    Default

    Do you have ssh open for outside access? Maybe it was brute forced??

    Run the command "last" on your UT box. It will show you the recent logins and the IP address from which they were initiated.
    Vote here to have wireless included in Untangle.
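The `last` check suggested above is easier to act on when the output is filtered against the networks admins are actually expected to log in from. The script below is an added illustration, not code from the thread or from Untangle: it parses a constructed sample of `last` output (the addresses and times are made up; 203.0.113.0/24 is a documentation range standing in for an unknown external source) and flags logins whose source address falls outside a trusted range.

```python
import ipaddress
from collections import Counter

# Constructed sample of `last` output (not taken from the thread).
SAMPLE_LAST = """\
root     pts/0        192.168.1.10     Mon Oct 19 09:12   still logged in
root     pts/1        203.0.113.45     Sun Oct 18 23:41 - 23:58  (00:17)
root     pts/1        203.0.113.45     Sun Oct 18 23:02 - 23:05  (00:03)
reboot   system boot  2.6.26-2-686     Fri Oct 16 08:00 - 09:12 (3+01:12)
root     tty1                          Fri Oct 16 08:05 - 08:30  (00:25)

wtmp begins Fri Oct 16 08:00:01 2009
"""

WEEKDAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}

def parse_last(text):
    """Yield (user, tty, host, start) for each login line of `last` output.
    Console logins have no host column, so their third field is a weekday."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] == "reboot" or line.startswith("wtmp"):
            continue
        user, tty = fields[0], fields[1]
        if fields[2] in WEEKDAYS:
            host, rest = "", fields[2:]
        else:
            host, rest = fields[2], fields[3:]
        yield user, tty, host, " ".join(rest[:4])

def remote_logins(text, trusted_nets):
    """Return login records whose source is not inside a trusted network.
    Console logins (no host) are skipped; non-IP hostnames are always flagged."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    flagged = []
    for user, tty, host, start in parse_last(text):
        if not host:
            continue
        try:
            trusted = any(ipaddress.ip_address(host) in n for n in nets)
        except ValueError:
            trusted = False  # a DNS name we cannot place in a trusted range
        if not trusted:
            flagged.append({"user": user, "tty": tty, "host": host, "start": start})
    return flagged

def summarize(flagged):
    """Count flagged logins per source host so repeat sources stand out."""
    return dict(Counter(r["host"] for r in flagged))

if __name__ == "__main__":
    hits = remote_logins(SAMPLE_LAST, ["192.168.1.0/24"])
    for r in hits:
        print(f"{r['user']} from {r['host']} on {r['tty']} at {r['start']}")
    print(summarize(hits))
```

On a real box, feed it `last` output directly (for example `last -i` to force numeric addresses) and pass the management subnets you trust; an attacker who has already gained root can edit wtmp, so an empty result is not proof the box is clean.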

  4. #4
    Untangle Ninja mrunkel's Avatar
    Join Date
    Jul 2008
    Posts
    2,989

    Default

    I'm curious what packet analysis could determine that? There is no way to tell if a packet is coming from an untangle or a server behind it unless you have tcpdumps going on both sides.

    However, if you suspect it, and you've had ssh open, and it wasn't secured by a packet filter, you should just rebuild the box.
    m.


    Big Frickin Disclaimer:
    While I'm pretty sure, I can't guarantee that I know what I'm doing. There might be a better way to do this, and this way might actually suck. Make sure you understand the implications of what you're doing before trying to follow these directions.

    It often helps troubleshooting if you have a good network map. Look here if you want my advice on how to draw one.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  5. #5
    Untanglit
    Join Date
    Jun 2008
    Posts
    16

    Default

    Quote Originally Posted by WebFooL View Post
    Hi,
    more info would be nice.
    What version of untangle are you running?
    What modules are you running?
    What custom installations/mods have you done?

    And have you taken the box out of your production env?
    Thanks for replying. The version is Build 7.0.1~svn20091019r24846release7.0-1lenny. The only modules are spam blocker, phish blocker, virus blocker, attack blocker, and reports. We're using it to filter mail - only the mail server is behind it. There are no custom mods.

  6. #6
    Untanglit
    Join Date
    Jun 2008
    Posts
    16

    Default

    Quote Originally Posted by mrunkel View Post
    I'm curious what packet analysis could determine that? There is no way to tell if a packet is coming from an untangle or a server behind it unless you have tcpdumps going on both sides.

    However, if you suspect it, and you've had ssh open, and it wasn't secured by a packet filter, you should just rebuild the box.
    My tech used Wireshark. He first listened on the LAN side but saw nothing unusual. Then he joined the WAN side and saw tons of outgoing traffic. We were alerted to the problem by another technician diagnosing our attack on his router. We removed the Untangle from the circuit to quiet the situation down until we could fix or reinstall it.

    The WAN adapter was exposed to the public internet, there was no firewall in front of it. We've never opened SSH - I don't even know how!

  7. #7
    Untanglit
    Join Date
    Jun 2008
    Posts
    16

    Default

    Quote Originally Posted by Silver Bullet View Post
    Do you have ssh open for outside access? Maybe it was brute forced??

    Run the command "last" on your UT box. It will show you the recent logins and the IP address from which they were initiated.
    I don't have access to the box remotely at the moment but I'll try that command as soon as I do. How do you open ssh for outside access? I'm not the only admin so it's possible someone else opened it.

  8. #8
    Untangler
    Join Date
    May 2008
    Posts
    88

    Default

    I recently had a similar issue; we were contacted by our ISP that one of their honeypots was attacked by something from our IP address. I was unable to find any source for this other than that this was on 7.0 with the CLAMAV issues.
    Now if we just had real-time monitoring

  9. #9
    Untanglit
    Join Date
    Jun 2008
    Posts
    16

    Default

    Quote Originally Posted by trans_lux View Post
    I recently had a similar issue; we were contacted by our ISP that one of their honeypots was attacked by something from our IP address. I was unable to find any source for this other than that this was on 7.0 with the CLAMAV issues.
    Now if we just had real-time monitoring
    Thanks for chiming in. I guess I'll be reinstalling. I thought for sure someone from Untangle would want to get involved...

  10. #10
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Mateo, CA
    Posts
    11,691

    Default

    Quote Originally Posted by mudgie View Post
    Thanks for chiming in. I guess I'll be reinstalling. I thought for sure someone from Untangle would want to get involved...
    If you have support give them a call.

    If you reinstall do not enable ssh.
