Is my firewall hacked already ?


L1 Bithead

I have a PA-3020 running PAN-OS version 7.0.5-h2. I noticed that it has a lot of DNS traffic sent to a strange IP address.

When I run the

show system resources

command, I find a strange process, nginx, and two syslog-ng processes there. Is this normal, and how do I get rid of them?

 

2797 nobody 20 0 53388 5712 3344 S 0.0 0.1 8:19.70 nginx

6804 nobody 20 0 107m 12m 6472 S 0.0 0.3 2:11.43 appweb3
6811 nobody 20 0 104m 10m 6704 S 0.0 0.3 2:06.39 appweb3

3282 20 0 16156 1308 472 S 0.0 0.0 0:00.00 syslog-ng
3283 20 0 16556 2988 1716 S 0.0 0.1 0:02.53 syslog-ng
3861 20 0 12468 4920 3016 S 0.0 0.1 64:36.48 packet_path_pin


L3 Networker

Hi Banny, 

 

If you want to know whether your end host is accessing malicious domains, please upgrade your firewall.

As per your firewall info, you are running an old version of PAN-OS. If you upgrade your firewall, the latest version supports detecting malicious-domain DNS traffic using an EDL or a DNS Security license.

For now, please use all security profiles and logs to verify whether your firewall is hacked or not.

 

 

Best Regards,
Suresh

Retired Member

@banny6 As previously said, you are not using a supported PAN-OS version, which is likely prone to bugs and vulnerabilities. Apart from that, nginx and syslog-ng are standard processes required for running the firewall.

Ok.

 

I think those are normal, based on the info I verified in my firewall; I can see similar outputs, but I am not facing any issue with the firewall. Can you provide more info or the complete logs of

> show system resources and

> show running resource-monitoring

 


 

Best Regards,
Suresh

Thanks. Here is the process info.

I found that the PA-3020 box sent DNS traffic to two rogue DNS servers which I didn't configure at all. The rogue DNS traffic is just less than 1M in size in the traffic session, and even if I clear it, this DNS session will reconnect again.

 

> show system resources | match syslog
1584 20 0 1888 640 528 S 0.0 0.0 1:24.62 syslogd
3282 20 0 16156 1308 472 S 0.0 0.0 0:00.00 syslog-ng
3283 20 0 16556 2988 1716 S 0.0 0.1 0:02.59 syslog-ng

> show system resources | match nginx
2410 20 0 38040 5984 4604 S 0.0 0.2 0:00.03 nginx
2797 nobody 20 0 53388 5760 3348 S 0.0 0.1 8:42.71 nginx

> show system resources | match app
1774 0 -20 48836 13m 4052 S 0.0 0.4 82:14.46 masterd_apps
6800 nobody 20 0 155m 50m 9080 S 0.0 1.3 78:49.51 appweb3
6804 nobody 20 0 107m 12m 6440 S 0.0 0.3 2:31.24 appweb3
6811 nobody 20 0 104m 10m 6656 S 0.0 0.3 2:25.38 appweb3

> show system resources | match packet
3861 20 0 12468 4920 3016 S 0.0 0.1 66:10.54 packet_path_pin

There are two DNS UDP sessions that always exist in netstat.

udp 0 0 192.168.1.250:49978 terror.inconifre:domain ESTABLISHED
udp 0 0 192.168.1.250:38490 hosted-by.leasew:domain ESTABLISHED

192.168.1.250 is my PA-3020 interface IP address. From the web GUI, if I reset this DNS session, it will spawn a new DNS session automatically, but I never configured those two DNS servers.

Not sure which process launches this rogue DNS session.
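One way to automate the check described in this post, as an added example that is not from the thread or from Palo Alto Networks: parse netstat-style lines like the two quoted above and flag UDP DNS sessions whose remote side is not one of the configured resolvers. The configured resolver addresses are assumed placeholder values, and the sample lines are constructed from the post.

```python
import re
from typing import Dict, List, Set, Tuple

# Resolvers actually configured on the firewall. These two addresses are assumed
# placeholder values; replace them with the servers from your own configuration.
CONFIGURED_DNS: Set[str] = {"8.8.8.8", "8.8.4.4"}

# Constructed sample in the netstat line format shown in the post. The first two
# lines reproduce the sessions from the post; the other two are added for contrast.
SAMPLE_NETSTAT = """\
udp 0 0 192.168.1.250:49978 terror.inconifre:domain ESTABLISHED
udp 0 0 192.168.1.250:38490 hosted-by.leasew:domain ESTABLISHED
udp 0 0 192.168.1.250:51234 8.8.8.8:domain ESTABLISHED
tcp 0 0 192.168.1.250:443 192.168.1.10:52210 ESTABLISHED
"""

# Fields: proto, recv-q, send-q, local endpoint, remote endpoint, state
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)6?\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s*$"
)

# netstat prints the service name ("domain") unless run with numeric output
DNS_PORTS = {"domain", "53"}


def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """Split 'host:port' on the last colon so IPv6 literals stay intact."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_sessions(text: str) -> List[Dict[str, str]]:
    """Parse netstat-style lines into dicts; lines that do not match are skipped."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        lhost, lport = split_endpoint(m.group("local"))
        rhost, rport = split_endpoint(m.group("remote"))
        sessions.append({"proto": m.group("proto"), "local_host": lhost, "local_port": lport,
                         "remote_host": rhost, "remote_port": rport, "state": m.group("state")})
    return sessions


def find_unexpected_dns(text: str, configured: Set[str]) -> List[str]:
    """Return remote hosts of DNS sessions whose peer is not a configured resolver.
    netstat truncates resolved names, so compare numeric output against numeric addresses."""
    return [s["remote_host"] for s in parse_sessions(text)
            if s["remote_port"] in DNS_PORTS and s["remote_host"] not in configured]


if __name__ == "__main__":
    for host in find_unexpected_dns(SAMPLE_NETSTAT, CONFIGURED_DNS):
        print("unexpected DNS peer:", host)
```

Any peer the script reports should be cross-checked against the firewall's DNS settings and the traffic logs before concluding anything about the process behind it.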

 
