topic Re: Is my firewall hacked already ? in General Topics

Is my firewall hacked already ?

banny6 — Sun, 26 Sep 2021 10:07:04 GMT

I have a PA3020 with 7.0.5-h2 PAN-os version. I noticed that it have a lot of DNS traffic sent to strange IP address.

when I running

show system resources command.

I found strange process nginx and two syslog-ng there. Is it normal, how to get rid of them ?

2797 nobody 20 0 53388 5712 3344 S 0.0 0.1 8:19.70 nginx

6804 nobody 20 0 107m 12m 6472 S 0.0 0.3 2:11.43 appweb3
6811 nobody 20 0 104m 10m 6704 S 0.0 0.3 2:06.39 appweb3

3282 20 0 16156 1308 472 S 0.0 0.0 0:00.00 syslog-ng
3283 20 0 16556 2988 1716 S 0.0 0.1 0:02.53 syslog-ng
3861 20 0 12468 4920 3016 S 0.0 0.1 64:36.48 packet_path_pin
6804 nobody 20 0 107m 12m 6472 S 0.0 0.3 2:11.43 appweb3
6811 nobody 20 0 104m 10m 6704 S 0.0 0.3 2:06.39 appweb3

Re: Is my firewall hacked already ?

Mudhireddy — Mon, 27 Sep 2021 01:56:15 GMT

Hi Banny,

If you want to know your end host is accessing malicious domains, please upgrade your firewall.

As per your firewall info, you are running an old version of PAN-OS. If you upgrade your firewall, the latest version supports DNS malicious domain traffic using EDL or DNS security license.

And now pls use all security profiles and logs verify whether your firewall is hacked or not

Re: Is my firewall hacked already ?

Retired Member — Mon, 27 Sep 2021 09:04:10 GMT

@banny6 As previously said, you are not using supported PanOS version, which is likely probe to bugs and vulnerabilities. Apart from that nginx and syslog-ng are standard process required for the running of the firewall.

Re: Is my firewall hacked already ?

Mudhireddy — Mon, 27 Sep 2021 17:10:46 GMT

Ok.

I think those are normal after the info I verified in my firewall, and I can see similar outputs, but I am not facing any issue with the firewall and Can you provide more info or complete logs

> show system resources and

> show running resource-monitoring

Re: Is my firewall hacked already ?

banny6 — Mon, 27 Sep 2021 21:39:54 GMT

Thanks. Here are the process info.

I found PA-3020 box sent DNS traffic to two rogue DNS servers which I didn't configure them at all. the rogue DNS traffic just less than 1M size. in the traffic session, even I clear it. this DNS session will re-connection again.

> show system resources | match syslog
1584 20 0 1888 640 528 S 0.0 0.0 1:24.62 syslogd
3282 20 0 16156 1308 472 S 0.0 0.0 0:00.00 syslog-ng
3283 20 0 16556 2988 1716 S 0.0 0.1 0:02.59 syslog-ng

> show system resources | match nginx
2410 20 0 38040 5984 4604 S 0.0 0.2 0:00.03 nginx
2797 nobody 20 0 53388 5760 3348 S 0.0 0.1 8:42.71 nginx

> show system resources | match app
1774 0 -20 48836 13m 4052 S 0.0 0.4 82:14.46 masterd_apps
6800 nobody 20 0 155m 50m 9080 S 0.0 1.3 78:49.51 appweb3
6804 nobody 20 0 107m 12m 6440 S 0.0 0.3 2:31.24 appweb3
6811 nobody 20 0 104m 10m 6656 S 0.0 0.3 2:25.38 appweb3

> show system resources | match packet
3861 20 0 12468 4920 3016 S 0.0 0.1 66:10.54 packet_path_pin

Re: Is my firewall hacked already ?

banny6 — Mon, 27 Sep 2021 21:37:18 GMT

There are two DNS netstat UDP session always existed there.

udp 0 0 192.168.1.250:49978 terror.inconifre:domain ESTABLISHED
udp 0 0 192.168.1.250:38490 hosted-by.leasew:domain ESTABLISHED

192.168.1.250 is my PA-3020 interface IP address, from web GUI, if reset this DNS session, it will spawn new DNS session automatically. but I never configure that two DNS server.

not sure which process launch this rogue DNS session.