7 Replies Latest reply on Feb 6, 2011 7:10 PM by rcamm

    Compromised SG580 - Confirmation? Suggestions? Any Ideas welcome!

      Best I can figure, our SG580 has been compromised but I'd really appreciate a second opinion. It looks like it's being used as a proxy but I can't tell exactly what's going on.

      Version SecureComputing/SG580 Version 3.1.5u2 -- Mon, 13 Aug 2007 19:00:30 +1000

       

      Apologies in advance about the formatting, I've made it as clear as I could. Little help mods?

      Here are the logs from bootup.

      Jan 25 12:04:38 syslogd started: BusyBox v1.00 (2007.08.13-12:04+0000)

      syslogd: cannot write to remote file handle on xx.xx.xx.xx:514 - Network is unreachable

      Jan 25 12:04:38 kernel: klogd started: BusyBox v1.00 (2007.08.13-12:04+0000)

      Jan 25 12:04:38 kernel: Linux version 2.4.31-uc0 (build@sgbuild) (gcc version 3.3.2) #1 Mon Aug 13 21:55:19 EST 2007

      Jan 25 12:04:38 kernel: CPU: XScale-IXP4xx/IXC11xx revision 2

      Jan 25 12:04:38 kernel: Machine: CyberGuard/SG580

      Jan 25 12:04:38 kernel: alloc_bootmem_low

      Jan 25 12:04:38 kernel: memtable_init

      Jan 25 12:04:38 kernel: On node 0 totalpages: 16384

      Jan 25 12:04:38 kernel: zone(0): 16384 pages.

      Jan 25 12:04:38 kernel: zone(1): 0 pages.

      Jan 25 12:04:38 kernel: zone(2): 0 pages.

      Jan 25 12:04:38 kernel: Kernel command line: console=null serialnum=0601451109290786

      Jan 25 12:04:38 kernel: Relocating machine vectors to 0xffff0000

      Jan 25 12:04:38 kernel: Calibrating delay loop... 527.56 BogoMIPS

      Jan 25 12:04:38 kernel: Memory: 64MB = 64MB total

      Jan 25 12:04:38 kernel: Memory: 62472KB available (1731K code, 347K data, 244K init)

      Jan 25 12:04:38 kernel: Dentry cache hash table entries: 8192 (order: 4, 65536 bytes)

      Jan 25 12:04:38 kernel: Inode cache hash table entries: 4096 (order: 3, 32768 bytes)

      Jan 25 12:04:38 kernel: Mount cache hash table entries: 512 (order: 0, 4096 bytes)

      Jan 25 12:04:38 kernel: Buffer cache hash table entries: 4096 (order: 2, 16384 bytes)

      Jan 25 12:04:38 kernel: Page-cache hash table entries: 16384 (order: 4, 65536 bytes)

      Jan 25 12:04:38 kernel: POSIX conformance testing by UNIFIX

      Jan 25 12:04:38 kernel: Linux NET4.0 for Linux 2.4

      Jan 25 12:04:38 kernel: Based upon Swansea University Computer Society NET3.039

      Jan 25 12:04:38 kernel: Initializing RT netlink socket

      Jan 25 12:04:38 kernel: Starting kswapd

      Jan 25 12:04:38 kernel: Squashfs 2.2-r2 (released 2005/09/08) (C) 2002-2005 Phillip Lougher

      Jan 25 12:04:38 kernel: Squashfs includes LZMA decompression support

      Jan 25 12:04:38 kernel: pty: 2048 Unix98 ptys configured

      Jan 25 12:04:38 kernel: Serial driver version 5.05c (2001-07-08) with MANY_PORTS SHARE_IRQ SERIAL_PCI enabled

      Jan 25 12:04:38 kernel: ttyS00 at 0xff000003 (irq = 15) is a XScale UART

      Jan 25 12:04:38 kernel: ttyS01 at 0xff001003 (irq = 13) is a XScale UART

      Jan 25 12:04:38 kernel: ledman: Copyright (C) SnapGear, 2000-2003.

      Jan 25 12:04:38 kernel: LED: registered ERASE switch on IRQ26

      Jan 25 12:04:38 kernel: M41T11M6: Real Time Clock driver

      Jan 25 12:04:38 kernel: snapdog: HW/SW watchdog timer for SnapGear/Others

      Jan 25 12:04:38 kernel: SLIP: version 0.8.4-NET3.019-NEWTTY (dynamic channels, max=256).

      Jan 25 12:04:38 kernel: CSLIP: code copyright 1989 Regents of the University of California.

      Jan 25 12:04:38 kernel: RAMDISK driver initialized: 16 RAM disks of 16384K size 1024 blocksize

      Jan 25 12:04:38 kernel: PPP generic driver version 2.4.2

      Jan 25 12:04:38 kernel: PPP MPPE compression module registered

      Jan 25 12:04:38 kernel: PPP Deflate Compression module registered

      Jan 25 12:04:38 kernel: PPP BSD Compression module registered

      Jan 25 12:04:38 kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky

      Jan 25 12:04:38 kernel: SnapGear: MTD flash setup

      Jan 25 12:04:38 kernel: cfi_cmdset_0001: Erase suspend on write enabled

      Jan 25 12:04:38 kernel: 0: offset=0x0,size=0x20000,blocks=128

      Jan 25 12:04:38 kernel: Using buffer write method

      Jan 25 12:04:38 kernel: SnapGear: SnapGear Intel/StrataFlash device size = 16384K

      Jan 25 12:04:38 kernel: Creating 4 MTD partitions on "SnapGear Intel/StrataFlash":

      Jan 25 12:04:38 kernel: 0x00000000-0x00020000 : "SnapGear Boot Loader"

      Jan 25 12:04:38 kernel: 0x00020000-0x00120000 : "SnapGear non-volatile configuration"

      Jan 25 12:04:38 kernel: 0x00120000-0x01000000 : "SnapGear image"

      Jan 25 12:04:38 kernel: 0x00000000-0x01000000 : "SnapGear Intel/StrataFlash"

      Jan 25 12:04:38 kernel: IPv6 v0.8 (usagi-cvs) for NET4.0

      Jan 25 12:04:38 kernel: IPv6 over IPv4 tunneling driver

      Jan 25 12:04:38 kernel: NET4: Linux TCP/IP 1.0 for NET4.0

      Jan 25 12:04:38 kernel: IP Protocols: ICMP, UDP, TCP, IGMP

      Jan 25 12:04:38 kernel: IP: routing cache hash table of 4096 buckets, 32Kbytes

      Jan 25 12:04:38 kernel: TCP: Hash tables configured (established 4096 bind 8192)

      Jan 25 12:04:38 kernel: IPv4 over IPv4 tunneling driver

      Jan 25 12:04:38 kernel: GRE over IPv4 tunneling driver

      Jan 25 12:04:38 kernel: ip_conntrack version 2.1 (19239 buckets, 153912 max) - 436 bytes per conntrack

      Jan 25 12:04:38 kernel: ip_tables: (C) 2000-2002 Netfilter core team

      Jan 25 12:04:38 kernel: ipt_time loading

      Jan 25 12:04:38 kernel: ipt_recent v0.3.1: Stephen Frost <sfrost@snowman.net>.  http://snowman.net/projects/ipt_recent/

      Jan 25 12:04:38 kernel: NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.

      Jan 25 12:04:38 kernel: ip6_tables: (C) 2000-2002 Netfilter core team

      Jan 25 12:04:38 kernel: registering ipv6 mark target

      Jan 25 12:04:38 kernel: Ebtables v2.0 registered

      Jan 25 12:04:38 kernel: NET4: Ethernet Bridge 008 for NET4.0

      Jan 25 12:04:38 kernel: Bridge firewalling registered

      Jan 25 12:04:38 kernel: 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>

      Jan 25 12:04:38 kernel: Other stuff added by David S. Miller <davem@redhat.com>

      Jan 25 12:04:38 kernel: NetWinder Floating Point Emulator V0.97 (double precision)

      Jan 25 12:04:38 kernel: VFS: Mounted root (squashfs filesystem) readonly.

      Jan 25 12:04:38 kernel: Freeing init memory: 244K

      Jan 25 12:04:38 kernel: Warning: unable to open an initial console.

      Jan 25 12:04:38 kernel: snapdog: user servicing enabled (short=60,long=300).

      Jan 25 12:04:38 kernel: Clock: old time 1970/01/01 - 00:00:02 GMT

      Jan 25 12:04:38 kernel: Clock: new time 2001/01/25 - 01:04:28 GMT

      Jan 25 12:04:38 kernel: Module init.

      Jan 25 12:04:38 kernel: ixp425_eth: 

      Jan 25 12:04:38 kernel: Initializing IXP425 NPE Ethernet driver software v. 1.1+ 

      Jan 25 12:04:38 kernel: ixp425_eth: CPU clock speed (approx) = 0 MHz

      Jan 25 12:04:38 kernel: ixp425_eth: eth0 is using the PHY at address 5

      Jan 25 12:04:38 kernel: ixp425_eth: eth1 is using the PHY at address 4

      Jan 25 12:04:38 kernel: .97

      Jan 25 12:04:38 kernel: klips_info:ipsec_alg_init: KLIPS alg v=0.7.3-1 (EALG_MAX=255, AALG_MAX=15)

      Jan 25 12:04:38 kernel: klips_info:ipsec_alg_init: calling ipsec_alg_static_init()

      Jan 25 12:04:38 kernel: ipsec_aes_init(alg_type=15 alg_id=12 name=aes): ret=0

      Jan 25 12:04:38 kernel: klips_debug: experimental ipsec_alg_AES_MAC not registered [Ok] (auth_id=0)

      Jan 25 12:04:38 kernel: ip_conntrack_pptp version $Revision: 1.8 $ loaded

      Jan 25 12:04:38 kernel: ip_nat_pptp version $Revision: 1.4 $ loaded

      Jan 25 12:04:38 ifmond[108]: firewall was down and is now starting

      Jan 25 12:04:39 proxy80[113]: web proxy started.

      Jan 25 12:04:40 authd[111]: no Webwasher categories defined

      Jan 25 12:04:40 ifmond[108]: netif-eth0 was down and is now starting

      Jan 25 12:04:40 pptpd[114]: MGR: Manager process started

      Jan 25 12:04:40 idb[115]: IDB starting

      Jan 25 12:04:40 ifmond[108]: conn-eth0 was down and is now waiting-to-start

      Jan 25 12:04:40 ifmond[108]: netif-eth1 was down and is now starting

      Jan 25 12:04:40 ifmond[108]: conn-eth1 was down and is now waiting-to-start

      Jan 25 12:04:40 ifmond[108]: netif-br0 was down and is now starting

      Jan 25 12:04:41 snort-starter[109]: running snort on eth0.2

      Jan 25 12:04:41 ifmond[108]: conn-br0 was down and is now waiting-to-start

      Jan 25 12:04:41 ifmond[108]: conn-br0_0 was down and is now waiting-to-start

      Jan 25 12:04:41 ifmond[108]: netif-br0 was starting and is now up

      Jan 25 12:04:41 ifmond[108]: netif-eth1 was starting and is now up

      Jan 25 12:04:41 ifmond[108]: firewall was starting and is now up

      Jan 25 12:04:41 ifmond[108]: conn-eth1 was waiting-to-start and is now starting

      Jan 25 12:04:42 kernel: ixp425_eth: eth1: Entering promiscuous mode

      Jan 25 12:04:42 kernel: device eth1 entered promiscuous mode

      Jan 25 12:04:42 kernel: br0: port 1(eth1) entering learning state

      Jan 25 12:04:42 kernel: br0: port 1(eth1) entering forwarding state

      Jan 25 12:04:42 kernel: br0: topology change detected, propagating

      Jan 25 12:04:42 idb[115]: listening on tcp port 1

      Jan 25 12:04:42 ifmond[108]: conn-eth1 was starting and is now up

      Jan 25 12:04:42 idb[115]: listening on tcp port 11

      Jan 25 12:04:42 idb[115]: listening on tcp port 15

      Jan 25 12:04:42 idb[115]: listening on tcp port 79

      Jan 25 12:04:42 idb[115]: listening on tcp port 111

      Jan 25 12:04:42 idb[115]: listening on tcp port 119

      Jan 25 12:04:42 idb[115]: listening on tcp port 143

      Jan 25 12:04:42 idb[115]: listening on tcp port 540

      Jan 25 12:04:42 idb[115]: listening on tcp port 635

      Jan 25 12:04:42 idb[115]: listening on tcp port 1080

      Jan 25 12:04:42 idb[115]: listening on tcp port 1524

      Jan 25 12:04:42 idb[115]: listening on tcp port 2000

      Jan 25 12:04:42 idb[115]: listening on tcp port 5742

      Jan 25 12:04:42 idb[115]: listening on tcp port 6667

      Jan 25 12:04:42 idb[115]: listening on tcp port 12345

      Jan 25 12:04:42 idb[115]: listening on tcp port 12346

      Jan 25 12:04:42 idb[115]: listening on tcp port 20034

      Jan 25 12:04:42 idb[115]: listening on tcp port 31337

      Jan 25 12:04:42 idb[115]: listening on tcp port 32771

      Jan 25 12:04:42 idb[115]: listening on tcp port 32772

      Jan 25 12:04:42 idb[115]: listening on tcp port 32773

      Jan 25 12:04:42 idb[115]: listening on tcp port 32774

      Jan 25 12:04:42 idb[115]: listening on tcp port 40421

      Jan 25 12:04:42 idb[115]: listening on tcp port 49724

      Jan 25 12:04:42 idb[115]: listening on tcp port 54320

      Jan 25 12:04:42 idb[115]: listening on udp port 1

      Jan 25 12:04:42 idb[115]: listening on udp port 7

      Jan 25 12:04:42 idb[115]: listening on udp port 9

      Jan 25 12:04:42 idb[115]: listening on udp port 69

      Jan 25 12:04:42 idb[115]: listening on udp port 513

      Jan 25 12:04:42 idb[115]: listening on udp port 635

      Jan 25 12:04:42 idb[115]: listening on udp port 640

      Jan 25 12:04:42 idb[115]: listening on udp port 641

      Jan 25 12:04:42 idb[115]: listening on udp port 700

      Jan 25 12:04:42 idb[115]: listening on udp port 31337

      Jan 25 12:04:42 idb[115]: listening on udp port 32770

      Jan 25 12:04:42 idb[115]: listening on udp port 32771

      Jan 25 12:04:42 idb[115]: listening on udp port 32772

      Jan 25 12:04:42 idb[115]: listening on udp port 32773

      Jan 25 12:04:42 idb[115]: listening on udp port 32774

      Jan 25 12:04:42 idb[115]: listening on udp port 54321

      Jan 25 12:04:42 snort-starter[110]: running snort-inline

      Jan 25 12:04:45 proxy80[113]: Failed to lock pid file '/var/run/config.lock' after 5 seconds (locked by 136 ): Resource temporarily unavailable

      Jan 25 12:04:45 proxy80[113]: Pid 136 is /bin/firewall

      Jan 25 12:04:45 proxy80[113]: Failed to acquire lock on /var/run/config.lock in 5 seconds 

      Jan 25 12:04:45 kernel: proxy80[113] killed because of sig - 11

      Jan 25 12:04:45 kernel: STACK DUMP:

      Jan 25 12:04:45 kernel: 0xbffffd20: 00000000 00000000 40074078 00010000 00000000 00000000 00000000

      Jan 25 12:04:45 kernel: 0xbffffd3c: bffffd84 00000000 00000000 40031748 40074078 00010000 00000000

      Jan 25 12:04:45 kernel: 0xbffffd58: 00000000 00000000 00010000 00000000 00000000 00000000 bffffdc4

      Jan 25 12:04:45 kernel: 0xbffffd74: 00000000 00000000 00008f58 40032984 40074078 00010000 00000000

      Jan 25 12:04:45 kernel: 0xbffffd90: 00000000 00000000 00000000 0000ed60 40074088 00010000 00000000

      Jan 25 12:04:45 kernel: 0xbffffdac: 00000000 00000000 40074088 00010000 00000000 00000000 00000000

      Jan 25 12:04:45 kernel: 0xbffffdc8: bffffdf0 00017c3c 4014f4a8 0000d2e0 40074078 00010000 00000000

      Jan 25 12:04:45 kernel: 0xbffffde4: 00000000 00000000 0000ed60 40074078 00010000 00000000 00000000

      Jan 25 12:04:45 kernel: 0xbffffe00: 00000000 bffffe20 bffffe78 00000000 0000b478 bfffff98 bffffe78

      Jan 25 12:04:45 kernel: 0xbffffe1c: bfffff1c 40074808 00010000 00000000 00000000 00000000 bfffff98

      Jan 25 12:04:45 kernel: pc : [<00000000>]    lr : [<400316f8>]    Not tainted

      Jan 25 12:04:45 kernel: sp : bffffd20  ip : 00000000  fp : 00000000

      Jan 25 12:04:45 kernel: r10: 400858d4  r9 : 00000001  r8 : bfffff14

      Jan 25 12:04:45 kernel: r7 : 00000000  r6 : 00000000  r5 : bffffd28  r4 : 400940f0

      Jan 25 12:04:45 kernel: r3 : 400940e4  r2 : 0000e810  r1 : bffffd28  r0 : 400940f0

      Jan 25 12:04:45 kernel: Flags: nzCv  IRQs on  FIQs on  Mode USER_32  Segment user

      Jan 25 12:04:45 kernel: Control: 39FF  Table: 035DC000  DAC: 00000015

      Jan 25 12:04:45 kernel: 00008000-00010000 r-xp 00000000 1f:02 743 /bin/proxy80

      Jan 25 12:04:45 kernel: 00017000-00018000 rw-p 00007000 1f:02 743 /bin/proxy80

      Jan 25 12:04:45 kernel: 00018000-00019000 rwxp 00000000 1f:02 743 

      Jan 25 12:04:45 kernel: 40000000-40005000 r-xp 00000000 1f:02 1241509 /lib/ld-uClibc-0.9.27.so

      Jan 25 12:04:45 kernel: 40005000-40006000 rw-p 00000000 1f:02 1241509 

      Jan 25 12:04:45 kernel: 4000c000-4000d000 rw-p 00004000 1f:02 1241509 /lib/ld-uClibc-0.9.27.so

      Jan 25 12:04:45 kernel: 4000d000-4006d000 r-xp 00000000 1f:02 1241572 /lib/libconfig.so

      Jan 25 12:04:45 kernel: 4006d000-40074000 ---p 00060000 1f:02 1241572 

      Jan 25 12:04:45 kernel: 40074000-40095000 rw-p 0005f000 1f:02 1241572 /lib/libconfig.so

      Jan 25 12:04:45 kernel: 40095000-400b4000 r-xp 00000000 1f:02 1241889 /lib/libtcl.so

      Jan 25 12:04:45 kernel: 400b4000-400bc000 ---p 0001f000 1f:02 1241889 

      Jan 25 12:04:45 kernel: 400bc000-400be000 rw-p 0001f000 1f:02 1241889 /lib/libtcl.so

      Jan 25 12:04:45 kernel: 400be000-400bf000 rw-p 00000000 1f:02 1241889 

      Jan 25 12:04:45 kernel: 400bf000-400d2000 r-xp 00000000 1f:02 1241872 /lib/libsnapgear.so

      Jan 25 12:04:45 kernel: 400d2000-400da000 ---p 00013000 1f:02 1241872 

      Jan 25 12:04:45 kernel: 400da000-400db000 rw-p 00013000 1f:02 1241872 /lib/libsnapgear.so

      Jan 25 12:04:45 kernel: 400db000-400de000 r-xp 00000000 1f:02 1241586 /lib/libcrypt-0.9.27.so

      Jan 25 12:04:45 kernel: 400de000-400e5000 ---p 00003000 1f:02 1241586 

      Jan 25 12:04:45 kernel: 400e5000-400e6000 rw-p 00002000 1f:02 1241586 /lib/libcrypt-0.9.27.so

      Jan 25 12:04:45 kernel: 400e6000-400f7000 rw-p 00000000 1f:02 1241586 

      Jan 25 12:04:45 kernel: 400f7000-400f9000 r-xp 00000000 1f:02 1241620 /lib/libdl-0.9.27.so

      Jan 25 12:04:45 kernel: 400f9000-40100000 ---p 00002000 1f:02 1241620 

      Jan 25 12:04:45 kernel: 40100000-40101000 rw-p 00001000 1f:02 1241620 /lib/libdl-0.9.27.so

      Jan 25 12:04:45 kernel: 40101000-40147000 r-xp 00000000 1f:02 1241904 /lib/libuClibc-0.9.27.so

      Jan 25 12:04:45 kernel: 40147000-4014e000 ---p 00046000 1f:02 1241904 

      Jan 25 12:04:45 kernel: 4014e000-40151000 rw-p 00045000 1f:02 1241904 /lib/libuClibc-0.9.27.so

      Jan 25 12:04:45 kernel: 40151000-40153000 rw-p 00000000 1f:02 1241904 

      Jan 25 12:04:45 kernel: bfffe000-c0000000 rwxp fffff000 1f:02 1241904 

      Jan 25 12:04:45 proxy80[154]: web proxy started.

      Jan 25 12:04:45 kernel: eth0.2: add 33:33:00:00:00:01 mcast address to master interface

      Jan 25 12:04:45 kernel: eth0.2: add 33:33:ff:0a:a0:3b mcast address to master interface

      Jan 25 12:04:45 ifmond[108]: netif-eth0 was starting and is now up

      Jan 25 12:04:46 ifmond[108]: conn-eth0 was waiting-to-start and is now starting

      Jan 25 12:04:46 kernel: eth0.2: dev_set_promiscuity(master, 1)

      Jan 25 12:04:46 kernel: ixp425_eth: eth0: Entering promiscuous mode

      Jan 25 12:04:46 kernel: device eth0 entered promiscuous mode

      Jan 25 12:04:46 kernel: device eth0.2 entered promiscuous mode

      Jan 25 12:04:46 kernel: br0: port 2(eth0.2) entering learning state

      Jan 25 12:04:46 kernel: br0: port 2(eth0.2) entering forwarding state

      Jan 25 12:04:46 kernel: br0: topology change detected, propagating

      Jan 25 12:04:46 kernel: eth0.2: add 01:00:5e:00:00:01 mcast address to master interface

      Jan 25 12:04:46 ifmond[108]: conn-eth0 was starting and is now up

      Jan 25 12:04:46 ifmond[108]: conn-br0 was waiting-to-start and is now starting

      Jan 25 12:04:47 firewall[136]: executing firewall rules

      Jan 25 12:04:47 ifmond[108]: conn-br0 was starting and is now up

      Jan 25 12:04:47 ifmond[108]: conn-br0_0 was waiting-to-start and is now starting

      Jan 25 12:04:47 ifmond[108]: conn-br0_0 was starting and is now up


      Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip_ptr==NULL) failed at dev.c(2596)

      Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip6_ptr==NULL) failed at dev.c(2597)

      Jan 25 12:04:48 kernel: Freeing alive device c3bf8000, eth1

      Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip_ptr==NULL) failed at dev.c(2596)

      Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip6_ptr==NULL) failed at dev.c(2597)

      Jan 25 12:04:48 kernel: Freeing alive device c3bf8000, eth1

      Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip_ptr==NULL) failed at dev.c(2596)

      Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip6_ptr==NULL) failed at dev.c(2597)

      Jan 25 12:04:48 kernel: Freeing alive device c3bf8000, eth1


      Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip_ptr==NULL) failed at dev.c(2596)

      Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip6_ptr==NULL) failed at dev.c(2597)

      Jan 25 12:04:48 kernel: Freeing alive device c3bf8000, eth1

      Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip_ptr==NULL) failed at dev.c(2596)

      Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip6_ptr==NULL) failed at dev.c(2597)

      Jan 25 12:04:48 kernel: Freeing alive device c3bf8000, eth1

      Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip_ptr==NULL) failed at dev.c(2596)

      Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip6_ptr==NULL) failed at dev.c(2597)

      Jan 25 12:04:48 kernel: Freeing alive device c3bf8000, eth1

      Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip_ptr==NULL) failed at dev.c(2596)

      Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip6_ptr==NULL) failed at dev.c(2597)

      Jan 25 12:04:48 kernel: Freeing alive device c3bf8000, eth1

      Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip_ptr==NULL) failed at dev.c(2596)

      Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip6_ptr==NULL) failed at dev.c(2597)

      Jan 25 12:04:48 kernel: Freeing alive device c3bf8000, eth1

      Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip_ptr==NULL) failed at dev.c(2596)

      Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip6_ptr==NULL) failed at dev.c(2597)

      Jan 25 12:04:48 kernel: Freeing alive device c3bf8000, eth1

      Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip_ptr==NULL) failed at dev.c(2596)

      Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip6_ptr==NULL) failed at dev.c(2597)

      Jan 25 12:04:48 kernel: Freeing alive device c3bf8000, eth1

      Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip_ptr==NULL) failed at dev.c(2596)

      Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip6_ptr==NULL) failed at dev.c(2597)

      Jan 25 12:04:48 kernel: Freeing alive device c3bf8000, eth1

      Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip_ptr==NULL) failed at dev.c(2596)

      Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip6_ptr==NULL) failed at dev.c(2597)

      Jan 25 12:04:48 kernel: Freeing alive device c3bf8000, eth1

      Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip_ptr==NULL) failed at dev.c(2596)

      Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip6_ptr==NULL) failed at dev.c(2597)

      Jan 25 12:04:48 kernel: Freeing alive device c3bf8000, eth1

       

      Jan 25 12:04:49 authd[111]: blocked web request for http://www.vastdata.net/

      Jan 25 12:04:49 authd[111]: src=178.162.148.27 dest=173.236.87.78 code=11 user=<null-user> cats= download=0 upload=0 uri=http://www.vastdata.net/

      Jan 25 12:04:50 ipsecctl[206]: restarting ipsec

       

      Jan 25 12:04:50 kernel: eth1: no IPv6 routers present

       

      Jan 25 12:04:52 kernel: br0: no IPv6 routers present

      Jan 25 12:04:53 ipsec: [setup] Stopping FreeS/WAN IPSEC...

      Jan 25 12:04:53 ipsec: [setup] ...FreeS/WAN IPSEC stopped

      Jan 25 12:04:53 ipsec: [setup] Starting FreeS/WAN IPSEC...

      Jan 25 12:04:53 ipsec: [setup] KLIPS debug `none'

       

      Jan 25 12:04:54 authd[111]: blocked web request for http://www.vastdata.net/

      Jan 25 12:04:54 authd[111]: src=184.154.142.114 dest=173.236.87.78 code=11 user=<null-user> cats= download=0 upload=0 uri=http://www.vastdata.net/

       

      Jan 25 12:04:55 firewall[138]: executing firewall rules

      Jan 25 12:04:55 kernel: eth0: no IPv6 routers present

      Jan 25 12:04:56 kernel: eth0.2: no IPv6 routers present

      Jan 25 12:04:57 ipsec: [setup] Pluto debug `none'

      Jan 25 12:04:58 Pluto[266]: Starting Pluto (FreeS/WAN Version )

      Jan 25 12:04:58 Pluto[266]:   including X.509 patch (Version 0.9.13)

      Jan 25 12:04:58 Pluto[266]:   including NAT-Traversal patch (Version 0.6)

       

      Jan 25 12:04:58 Pluto[266]: ike_alg_register_enc: Activating OAKLEY_AES_CBC: Ok (ret=0)

      Jan 25 12:04:58 Pluto[266]: Changing to directory '/etc/config'

      Jan 25 12:04:58 Pluto[266]:   error in X.509 certificate: ssl_key.pem

      Jan 25 12:04:58 Pluto[266]:   X.509 loaded: ssl_cert.pem

      Jan 25 12:04:58 Pluto[266]:   error in X.509 certificate: ssh_host_rsa_key

      Jan 25 12:04:58 Pluto[266]:   error in X.509 certificate: ssh_host_dsa_key

      Jan 25 12:04:58 Pluto[266]:   error in X.509 certificate: id_rsa

      Jan 25 12:04:58 Pluto[266]:   error in X.509 certificate: id_dsa

      Jan 25 12:04:58 Pluto[266]:   error in X.509 CRL: ssl_key.pem

       

      Jan 25 12:04:58 Pluto[266]:   error in X.509 CRL: ssl_cert.pem

      Jan 25 12:04:58 Pluto[266]:   error in X.509 CRL: ssh_host_rsa_key

      Jan 25 12:04:58 Pluto[266]:   error in X.509 CRL: ssh_host_dsa_key

      Jan 25 12:04:58 Pluto[266]:   error in X.509 CRL: id_rsa

      Jan 25 12:04:58 Pluto[266]:   error in X.509 CRL: id_dsa

       

      Jan 25 12:05:00 cron[119]: loading crontab file /etc/config/crontab

       

       

      Then there's the traffic that I can't make any sense of - it seems the SnapGear is downloading and uploading to outside addresses, not going to anything on our network.

       

      Jan 25 12:07:56 authd[111]: blocked web request for http://l17.member.re3.yahoo.com/?.src=ym&login=<k9f"x@swbell.net&passwd=summer

      Jan 25 12:07:56 authd[111]: src=209.44.106.76 dest=66.196.86.196 code=11 user=<null-user> cats= download=0 upload=0 uri=http://l17.member.re3.yahoo.com/?.src=ym&login=<k9f"x@swbell.net&passwd=summer

      Jan 25 12:08:02 authd[111]: blocked web request for http://www.vastdata.net/

      Jan 25 12:08:02 authd[111]: src=184.154.142.114 dest=173.236.87.78 code=11 user=<null-user> cats= download=0 upload=0 uri=http://www.vastdata.net/

       

      Jan 25 12:08:05 proxy80[154]: Bad request 'HEAD /1.1^M TE: deflate,gzip;q=0.3^M Host: www.youtube.com^M User-Agent: Mozilla/5.0^M Connection: close^M Proxy-Connection: close^M ^M ', cannot get host name: 1

      Jan 25 12:08:05 authd[111]: blocked web request for http://www.ticketmaster.com/event/0D00456FED455EC2

      Jan 25 12:08:05 authd[111]: src=204.13.98.145 dest=118.214.196.199 code=11 user=<null-user> cats= download=0 upload=0 uri=http://www.ticketmaster.com/event/0D00456FED455EC2

      Jan 25 12:08:15 authd[111]: blocked web request for http://www.vastdata.net/

      Jan 25 12:08:15 authd[111]: src=178.162.148.27 dest=173.236.87.78 code=11 user=<null-user> cats= download=0 upload=0 uri=http://www.vastdata.net/

       

      Jan 25 12:08:22 snort: [1:472:4] ICMP redirect host [Classification: Potentially Bad Traffic] [Priority: 2]: {ICMP} xx.xx.xx.xx -> xx.xx.xx.xx

      Jan 25 12:08:26 last message repeated 2 time(s)

      Jan 25 12:08:26 authd[111]: blocked web request for http://ultrathinlightbox.com/proxyc/engine.php

      Jan 25 12:08:26 authd[111]: src=63.223.79.96 dest=69.89.31.121 code=11 user=<null-user> cats= download=0 upload=0 uri=http://ultrathinlightbox.com/proxyc/engine.php

      Jan 25 12:08:27 snort: [1:472:4] ICMP redirect host [Classification: Potentially Bad Traffic] [Priority: 2]: {ICMP} xx.xx.xx.xx -> xx.xx.xx.xx

      Jan 25 12:08:27 authd[111]: blocked web request for http://vastdata.net/

      Jan 25 12:08:27 authd[111]: src=178.162.131.33 dest=173.236.87.78 code=11 user=<null-user> cats= download=0 upload=0 uri=http://vastdata.net/

      Jan 25 12:08:28 snort: [1:472:4] ICMP redirect host [Classification: Potentially Bad Traffic] [Priority: 2]: {ICMP} xx.xx.xx.xx -> xx.xx.xx.xx

      Jan 25 12:08:32 last message repeated 1 time(s)

      Jan 25 12:08:32 snort: [1:2466:6] NETBIOS SMB-DS IPC$ unicode share access [Classification: Generic Protocol Command Decode] [Priority: 3]: {TCP} xx.xx.xx.xx(host on IPSEC LAN):1852 -> xx.xx.xx.xx(server on LAN address):445

       

      Jan 25 12:08:46 authd[111]: blocked web request for http://www.cooleasy.com/azenv.php

      Jan 25 12:08:46 authd[111]: src=24.27.19.155 dest=218.85.133.201 code=11 user=<null-user> cats= download=0 upload=0 uri=http://www.cooleasy.com/azenv.php

      Jan 25 12:08:47 authd[111]: blocked web request for http://www.proxyjudge.biz/az.php

      Jan 25 12:08:47 authd[111]: src=24.27.19.155 dest=217.172.172.192 code=11 user=<null-user> cats= download=0 upload=0 uri=http://www.proxyjudge.biz/az.php

      Jan 25 12:08:50 authd[111]: blocked web request for http://www.myspace.com/music/services/player?action=getToken

      Jan 25 12:08:50 authd[111]: src=24.176.248.13 dest=63.135.80.46 code=11 user=<null-user> cats= download=0 upload=0 uri=http://www.myspace.com/music/services/player?action=getToken

      Jan 25 12:09:06 authd[111]: blocked web request for http://vastdata.net/

      Jan 25 12:09:06 authd[111]: src=178.162.131.33 dest=173.236.87.78 code=11 user=<null-user> cats= download=0 upload=0 uri=http://vastdata.net/

       

      Jan 25 12:09:08 authd[111]: blocked web request for http://www.seektwo.com/proxy-1.php

      Jan 25 12:09:08 authd[111]: src=125.110.137.212 dest=75.126.197.218 code=11 user=<null-user> cats= download=0 upload=0 uri=http://www.seektwo.com/proxy-1.php

      Jan 25 12:09:08 authd[111]: blocked web request for http://www.seektwo.com/proxy-1.php

      Jan 25 12:09:08 authd[111]: src=125.110.137.212 dest=75.126.197.218 code=11 user=<null-user> cats= download=0 upload=0 uri=http://www.seektwo.com/proxy-1.php

      Jan 25 12:09:09 authd[111]: blocked web request for http://www.yahoo.com/

      Jan 25 12:09:09 authd[111]: src=125.110.137.212 dest=72.30.2.43 code=11 user=<null-user> cats= download=0 upload=0 uri=http://www.yahoo.com/

      Jan 25 12:09:09 authd[111]: blocked web request for http://www.yahoo.com/

      Jan 25 12:09:09 authd[111]: src=125.110.137.212 dest=98.137.149.56 code=11 user=<null-user> cats= download=0 upload=0 uri=http://www.yahoo.com/

      Jan 25 12:09:09 snort: [1:2466:6] NETBIOS SMB-DS IPC$ unicode share access [Classification: Generic Protocol Command Decode] [Priority: 3]: {TCP} xx.xx.xx.xx(host on IPSEC LAN):1873 -> xx.xx.xx.xx(server on LAN address):445

        • 1. Re: Compromised SG580 - Confirmation? Suggestions? Any Ideas welcome!

          Without the full diagnostics available to technical support, I am limited in what I can diagnose....but

           

          3.1.6 would be the best firmware to run if you want to stick with version 3....early 3.x had issues with the access control proxy ( proxy80 ) and as such may explain the crash on the bootup....but it does respawn and start ok.

           

          But back to your issue, it does seem that there is 'weird' traffic logged by proxy80.

           

          It is most likely generated from an internal host, which is spoofing source addresses after being compromised itself.

           

          The SG is an embedded platform, and as such any changes outside of config changes, will not survive a reboot. Nor is it i386. A misconfiguration is more probable than a compromise.

           

          Could be you do have an open proxy.

           

          By default proxy80 runs on tcp 81, and is firewalled off from the internet. But you may have opened the port by accident.

           

          If you PM me your IP I can test to see if 81 is open.

           

          Failing that, disconnect all internal hosts and see if the issue persists for further diagnosis.

          • 2. Re: Compromised SG580 - Confirmation? Suggestions? Any Ideas welcome!

            Thanks for the reply Ross! I've previously disconnected the router from everything except the public IP - i.e. disconnected all IPSEC tunnels, disabled PPTP access and shut down the only host behind the firewall. Logs show that the traffic keeps flowing...

             

            There are no rules that seem to allow port 81 open to our external IP. We have a default deny rule at the bottom:

             

             

            DENY | Drop | Forward | Any | Any | Any | Any | Any

             

             

            There are a couple of rules that allow any port in, but they're restricted by either source or destination IP and do not match the traffic I'm seeing.

             

             

            I created a rule to block port 81 inwards:

             

            Block 81 inward | Drop | Input | Any | None | Any | Any | tcp/81

             

             

            but this also blocked access to the web server behind our firewall...

            I'm not sure where to go from here, it's a plus that I can block the unwanted traffic but I can't let it be at the cost of blocking our web server!

             

            Thanks in advance for any input.

             

             

            Message was edited by: Skirmish on 1/24/11 9:52:28 PM CST
            • 3. Re: Compromised SG580 - Confirmation? Suggestions? Any Ideas welcome!

              I forgot to mention that PMs need to be approved by moderators these days due to past abuse.

               

              It sounds like a complex/misconfigured setup if you are running internal web servers accessible via port 81.

               

              Are you covered with McAfee support (valid Grant ID)?

              • 4. Re: Compromised SG580 - Confirmation? Suggestions? Any Ideas welcome!

                No problem, hopefully you get my PM soon.

                The more I look at this, the stranger this situation gets so I'll try to set the scene.

                 

                We have a SnapGear SG580 with public IP xx.xx.xx.6 in bridge mode with a Windows server with public IP xx.xx.xx.2. Web cache is not enabled. The SG580 and Windows machine both have private IP aliases which are available via IPSEC or PPTP connections. The SG580 can be administered via http://xx.xx.xx.6:80 or https://xx.xx.xx.6:443.

                 

                The Windows web server is accessible via http://xx.xx.xx.2:80; http://xx.xx.xx.2:81 does not work.

                 

                 

                By adding the rule

                 

                Block 81 inward | Drop | Input | Any | None | Any | Any | tcp/81

                 

                 

                and trying to access the Windows machine via http://xx.xx.xx.2 or http://xx.xx.xx.2:80, I see the packet filter dropping the packets from my external IP yy.yy.yy.4 with a log entry:

                 

                 

                kernel: PF Deny Drop: IN=br0 OUT= PHYSIN=eth1 MAC=zzzzzzzzzzzz SRC=yy.yy.yy.4 DST=xx.xx.xx.6 LEN=64 TOS=0x00 PREC=0x00 TTL=59 ID=34620 DF PROTO=TCP SPT=46383 DPT=81 WINDOW=65535 RES=0x00 SYN URGP=0

                 

                 

                 

                And that's where I'm up to! The above rule blocks the unwanted traffic, but also blocks the wanted traffic.

                 

                Thanks again for your input on this situation.

                 

                 

                PS - I'm pretty sure I'm not covered by McAfee support, I haven't paid for a subscription for any service. The routers are approximately 3 years old I've been told.

                 

                 

                Message was edited by: Skirmish on 1/24/11 10:31:37 PM CST
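As an added triage example (not code from the thread, from SnapGear/McAfee or from the SG580 firmware), the script below does the two checks a responder would want on the logs posted above. First, it parses the authd `src=... dest=... uri=...` records and asks whether each client address belongs to our own address space; if every proxied request comes from outside it, the access-control proxy is being used from the internet, which is the open-proxy scenario Ross raised. It also flags URIs that look like "proxy judge" pages (the `azenv.php`, `proxyjudge.biz/az.php`, `proxy-1.php` and `/proxyc/` requests in the OP's log are typical of scanners verifying a proxy works); that marker list is a heuristic I am supplying, not anything the thread states. Second, it parses the `PF Deny Drop` kernel line from post 4: a browser aimed at the web server's port 80 was logged hitting the unit's own address on `DPT=81`, the port Ross says proxy80 listens on. My reading, which the thread does not say outright, is that the transparent proxy is intercepting bridged web traffic, so an Input rule on tcp/81 also drops the legitimate requests. The network ranges and sample log lines are constructed placeholders (TEST-NET addresses stand in for the masked xx/yy addresses); substitute your own.

```python
"""Triage helper for SG580 syslog output: who is using the access-control
proxy, and what port did a dropped packet actually hit? (Constructed example.)"""
import ipaddress
import re
from collections import Counter

# Placeholder for the public block and private aliases described in the thread.
OWN_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/29"),   # stands in for xx.xx.xx.0/29
    ipaddress.ip_network("192.168.0.0/16"),   # private aliases reachable via IPsec/PPTP
]
PROXY80_PORT = 81  # default proxy80 listener, per Ross's reply
# Heuristic: path fragments of pages open-proxy scanners fetch to confirm a proxy works.
PROXY_PROBE_MARKERS = ("azenv.php", "proxyjudge", "proxy-1.php", "/proxyc/")

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_kv(line):
    """Return key=value pairs of a log line as a dict; empty values such as
    'OUT=' or 'cats=' are kept as empty strings."""
    return dict(KV_RE.findall(line))


def classify_authd(lines, own_networks=OWN_NETWORKS):
    """For every authd record carrying src/dest/uri, decide whether the client
    is inside our address space and whether the URI looks like a proxy probe."""
    records = []
    for line in lines:
        if "authd" not in line or " uri=" not in line:
            continue  # "blocked web request for ..." lines carry no client address
        kv = parse_kv(line)
        src = ipaddress.ip_address(kv["src"])
        records.append({
            "src": kv["src"],
            "dest": kv["dest"],
            "uri": kv["uri"],
            "internal": any(src in net for net in own_networks),
            "proxy_probe": any(m in kv["uri"].lower() for m in PROXY_PROBE_MARKERS),
        })
    return records


def summarize(records):
    external = [r for r in records if not r["internal"]]
    return {
        "total": len(records),
        "external_clients": len({r["src"] for r in external}),
        "external_requests": len(external),
        "probe_requests": sum(r["proxy_probe"] for r in records),
        "top_targets": Counter(r["dest"] for r in records).most_common(3),
    }


def verdict(summary):
    if summary["total"] == 0:
        return "no authd records found"
    if summary["external_requests"] == summary["total"]:
        return "open proxy: every proxied request came from outside our address space"
    if summary["external_requests"]:
        return "mixed: some proxied requests came from outside our address space"
    return "all proxied requests came from our own address space"


def explain_pf_drop(line, proxy_port=PROXY80_PORT):
    """Parse a netfilter 'PF Deny Drop' line and report the port the packet
    reached on the unit, so a drop on tcp/81 for a port-80 browse stands out."""
    kv = parse_kv(line)
    return {
        "in": kv["IN"], "physin": kv.get("PHYSIN", ""),
        "src": kv["SRC"], "dst": kv["DST"], "proto": kv["PROTO"],
        "sport": int(kv["SPT"]), "dport": int(kv["DPT"]),
        "proxy_port_hit": int(kv["DPT"]) == proxy_port,
    }


# Constructed sample lines in the format seen in the thread (addresses are TEST-NET).
SAMPLE_AUTHD = [
    "Jan 25 12:04:49 authd[111]: src=198.51.100.27 dest=192.0.2.78 code=11 user=<null-user> cats= download=0 upload=0 uri=http://www.vastdata.net/",
    "Jan 25 12:08:47 authd[111]: src=198.51.100.155 dest=192.0.2.192 code=11 user=<null-user> cats= download=0 upload=0 uri=http://www.proxyjudge.biz/az.php",
    "Jan 25 12:08:46 authd[111]: src=198.51.100.155 dest=192.0.2.201 code=11 user=<null-user> cats= download=0 upload=0 uri=http://www.cooleasy.com/azenv.php",
    "Jan 25 12:09:09 authd[111]: src=192.168.10.5 dest=192.0.2.43 code=11 user=<null-user> cats= download=0 upload=0 uri=http://www.yahoo.com/",
    "Jan 25 12:08:46 authd[111]: blocked web request for http://www.cooleasy.com/azenv.php",
]
SAMPLE_PF = ("Jan 25 12:10:00 kernel: PF Deny Drop: IN=br0 OUT= PHYSIN=eth1 "
             "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.4 DST=203.0.113.6 "
             "LEN=64 TOS=0x00 PREC=0x00 TTL=59 ID=34620 DF PROTO=TCP SPT=46383 DPT=81 "
             "WINDOW=65535 RES=0x00 SYN URGP=0")

if __name__ == "__main__":
    summary = summarize(classify_authd(SAMPLE_AUTHD))
    print(summary)
    print(verdict(summary))
    print(explain_pf_drop(SAMPLE_PF))
```

Run it against the unit's real syslog (one line per list entry) after filling in OWN_NETWORKS; an all-external verdict while every internal host is unplugged, as the OP describes, points at the proxy itself accepting outside connections rather than at a spoofing internal host.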
                • 5. Re: Compromised SG580 - Confirmation? Suggestions? Any Ideas welcome!

                  Sorry for the delayed response....the office floated down the Brisbane river, and then my internet connection at home got killed.

                   

                  I will ask some peers for their opinion on this and get back to you.

                  • 6. Re: Compromised SG580 - Confirmation? Suggestions? Any Ideas welcome!

                    No need to apologise! Take care of yourself and those close to you - some things are more important than networking.

                    • 7. Re: Compromised SG580 - Confirmation? Suggestions? Any Ideas welcome!

                      Finally back online.

                       


                      It certainly does look like the UTM access control proxy is being hit by outside connections.

                       

                      The problem is without seeing a Technical Support Report from the unit we can't tell why.

                       

                      Others have posted TSRs on this site, but I don't think it is the best thing to do.

                       

                      I don't think there are further options other than going through technical support.

                      If you do, get them to escalate to me directly.