Right, I'm not saying it's because the 'kids' have been at home over easter (but I am suspicious!). Had all the symptoms of a 'man in the middle' attack this morning. So far I've
- turned off all internet access
- run the malware scanners we have on PCs and Macs (nothing found)
- Booted one mac in safe mode and looked for rogue processes (nothing obvious)
- Adguard running on PI does not recognise any malware/phishing attacks
- Norton on my wife's phone HAS detected a MITM attack.
However we've defo got something which is between bad and very bad
Bad: getting kcproxy messages on 2 of 3 Macs suggesting there's a malware/hidden user in there. Obviously I'm not giving it the pwd (KCPROXY is a Mac process but it's being hijacked I guess)
Very Bad: I stopped both the NASs manually but the big one didn't shut down. It's protected with 2FA but 2FA no longer works. So I pulled the plug. My worry is that's a ransomware target. We do have other non-connected backups of the most important data.
I see my options as:
- blowing away every machine including phones and starting again from a fresh OSX/windows build. Then doing the same with the NAS (although I can't currently log into it so maybe I have to trash the disks)
- calling in a specialist to see if they can remove malware/check over NAS for nasties.
The second seems a better option but no idea who is good and how expensive they will be.
Obviously got to work starting with a training course tomorrow. So I think Pri 1 is blow away my 'work macbook' so I can take it to a friend's and run the course from there. Assume to be absolutely safe it's best to use their WiFi to restore the OS rather than risk opening up ours again.
I really could do without this this week! We do run Bitdefender on PC, Malwarebytes on laptop, 2FA on all our bank stuff plus all internal routers/wifi/NAS etc. I think we're pretty careful but I'm clearly going to need to up my game when I get this sorted.
Any advice very welcome before I start doing lengthy and painful things to end devices.
What do you have for connecting to your broadband? Is it a generic router and, if so, is the firmware up to date? If that has been compromised, it could have given attackers a way in to your local network. Also, exactly what symptoms are we talking about here?
Carrying on that for a while, do you know if the NAS machines are up to date with patches? I know that some of the NAS manufacturers had recent* security issues.
I'll have a look and see if I have info on kcproxy hijacking, but a casual look just now did not show any serious hits. It is _possible_ that that is just odd behaviour. What is different about the one Mac that does not have the weird stuff going on with it? Is it running the same OS, same patch level?
BTW: Why Bitdefender and not Defender on the Windows machines?
Thanks @willard
Standard Huawei router from Three. No updates available. Behind that are a set of 3 year old Orbis in bridge mode (ie no DMZ) but with all the security turned on. NAS is up to date, I'm super careful checking those. Yeah I researched KCPROXY this morning and it doesn't look bad but it's suspicious. For example if I use Keychain to reveal my Outlook password (which I don't use anymore), it's just the admin pwd; if I click on a wifi pwd, I get KCProxy (on 2 of 3 machines, this one seems okay, connected via phone currently to internet)
Defender not Bitdefender, sorry. I was going to reinstall it on the Orbis but it doesn't look like my version is supported anymore.
Symptoms. Three main ones
1) PC/Macs all saying 'can't get a secure connection' (both email and browser); browser pops up an authentication box when, for example, I connect to Flickr. Obviously I don't do that.
2) Norton 360 on wife's phone detects MITM attack (somehow) and tells you to disconnect
3) Random maybe but my wife got a spam email from me this morning (so my name, nonsense email address)
1) This is with the normal browser on the devices, right? Have you tried using another browser on the same device, e.g. Safari instead of Chrome on a Mac, Firefox instead of Edge on Windows? What does the certificate say when you are at the site you are trying to visit (right click in address bar, "View Details", or similar)?
2) This could be the same thing as 1)
3) Could be. I get/got random mails from my sister with her name but another address and sometimes it is just random. Spam that, but don't delete it.
The standard Huawei router bothers me but, sadly, the lack of updates to it does not surprise me. Does it have a suitably not-standard password for the admin account? If you actually have an admin account on it, I'd try logging in to it from a known safe device and seeing if things were all still good there. The logs (if they exist) could give you an indication of something like a login from the internet, config changes (kids messing with it?) or similar.
The first thing I would do is to get a known good machine and start looking at what could have gone wrong on the network from that. Macs are (generally) less targeted than Windows but a properly updated Windows 10/11 device will not be an easy target either.
Bit weird but I wouldn’t try to burn everything just yet! Kids messed around with router settings, tried to install VPN or something (is that something they might do?)
What was the problem with the NAS? Couldn’t log into it?
What happens if you connect to WiFi via your iPhone then try to go to that Flickr page?
@willard - good questions
1) Yes, Safari. Have Chrome on a device. Will go test in a bit. What it said was 'enter your credentials' in a pop up box. But browser had already warned me no HTTPS connection. I'll see if I can get a screen shot. Will also get a screenshot of cert.
Router has a very long password I changed when we got it. I just changed it again. Checked logs, nothing interesting. Did turn off PNP which I don't remember turning on (and no way kids are modding the router!)
I've got a mate coming over with his laptop so we're going to try that.
@ailog6128
NAS, 2FA didn't work. But no idea how anyone could have got in to disable it as there is exactly one 2FA enabled device and it's in my hand! But the fact it wouldn't shut down off the hardware switch makes me very suspicious.
Phone seems okay on wifi but all seems to have settled down at the mo (I do have all machines shut down except this one and my phone). Tried Norton scan on wife's phone a second ago and now it says all is fine. I might try restarting NAS in a sec after I tried Willard's stuff.
Thanks all for your help so far.
Probably coincidence, but Pornhub was just bought by a group called Ethical Capital Partners.
@thols2 - I can honestly say never been to that site!
Anyway - turned router back on, issues currently not obvious (Norton now says all is fine) but one Mac is definitely playing up more than the others. I'm going to safe boot that one. Could be a coincidence but defo weird stuff going on when I re-enabled wifi. Hard to explain what, shall investigate.
Ah hah we might be getting somewhere
here's the cert when I connect to flickr (after Safari tells me not to allow an unsecure connection)
Keep us in the loop, this kind of thing is exciting
So that's the Orbi! Only netgear thing we have in the house.
So I connected to the internet wifi SSID (which we normally have turned off) and refreshed the page. Same device, same website, no problem, straight to Flickr on HTTPS. So then tried the same test on my phone. Same result - no HTTPS on Orbi mesh, HTTPS on internet router.
So maybe the problem is that cert, or can a cert be hijacked?
The fact it says it's not certified is concerning but I don't know much about certs. I am an ex (big stuff) network guy tho so I do understand troubleshooting!
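The check the thread is doing by hand here, looking at who issued the certificate a site presents and whether it even names that site, is what a browser does before it shows the "not secure" warning. The Python below is an added example, not code from the thread: classify_peer_cert() takes a certificate in the dict form that Python's ssl module returns and reports whether it is expired, self-signed (issuer equals subject, the usual shape of a router's built-in web server certificate) or issued for a different hostname; describe_connection() does a normal verified handshake against a live host and reports the verdict or the verification failure. The two sample certificates are constructed, and the names in them are assumptions.

```python
import socket
import ssl
import time


def _host_matches(pattern, host):
    """Match one DNS subjectAltName entry against a hostname.
    A leading wildcard covers exactly one label, as browsers require."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host


def classify_peer_cert(cert, expected_host, now=None):
    """Return "expired", "self-signed", "hostname-mismatch" or "ok" for a
    certificate dict shaped like ssl.SSLSocket.getpeercert().

    Order matters: a self-signed device certificate is reported as such even
    when it also fails to name the site, because that is the more telling fact.
    """
    now = time.time() if now is None else now
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        return "expired"
    if cert["subject"] == cert["issuer"]:
        return "self-signed"
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_host_matches(name, expected_host) for name in dns_names):
        return "hostname-mismatch"
    return "ok"


def describe_connection(host, port=443, timeout=5.0):
    """Do a fully verified TLS handshake (what a browser does) and report either
    the verdict on the presented certificate or why verification failed.
    This is the only function here that touches the network."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify_peer_cert(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError as exc:
        # e.g. "self-signed certificate" or "Hostname mismatch": the browser's warning, in text
        return "verification-failed: " + exc.verify_message
    except OSError as exc:
        return "connection-failed: " + str(exc)


# Constructed samples (not real certificates), in getpeercert() dict form.
# A mesh node answering for a site it does not own typically looks like ROUTER_CERT.
ROUTER_CERT = {
    "subject": ((("commonName", "orbirouter.example"),),),
    "issuer": ((("commonName", "orbirouter.example"),),),
    "subjectAltName": (("DNS", "orbirouter.example"),),
    "notAfter": "Jan  1 00:00:00 2035 GMT",
}
GOOD_CERT = {
    "subject": ((("commonName", "*.flickr.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),), (("commonName", "Example CA R3"),)),
    "subjectAltName": (("DNS", "*.flickr.com"), ("DNS", "flickr.com")),
    "notAfter": "Jan  1 00:00:00 2035 GMT",
}
EXPIRED_CERT = dict(GOOD_CERT, notAfter="Jan  1 00:00:00 2020 GMT")

if __name__ == "__main__":
    for label, cert in (("router", ROUTER_CERT), ("good", GOOD_CERT), ("expired", EXPIRED_CERT)):
        print(label, "->", classify_peer_cert(cert, "www.flickr.com"))
    # Live check from each network path in turn (mesh wifi, then the router's own wifi):
    print("www.flickr.com ->", describe_connection("www.flickr.com"))
```

Running describe_connection() for the same site once on the mesh SSID and once on the router's SSID reproduces the thread's experiment without a browser: a "self-signed" or "Hostname mismatch" result on one path only points at something on that path, not at the site.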
Keep us in the loop, this kind of thing is exciting
For you maybe, for me it's somewhere between extremely worrying and incredibly frustrating!
Is the Orbi trying to serve out a guest login page for some reason?
God knows why if it was! It's never done it in 5 years!
Weird. I mean, cert errors for self-signed is going to happen, so that could be the first problem with cert errors for the website.
Can the Orbi do any packet inspection of HTTPS traffic?
A quick google suggests it can - https://www.reddit.com/r/orbi/comments/g2lc2u/orbi_ssl_error/
2 questions:
1) Who is your ISP?
2) What does going here tell you?
https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html
ISP is Three
That link - all passed
Defo an issue internally as if I connect to internet router wifi it seems fine
Update: not sure it's resolved but we found we had DHCP running on the internet router and the Pi. Everything I checked was still using the Pi as its DNS AND if I manually changed DNS entry to (eg) 8.8.8.8 the problem didn't go away.
Still we turned it off and for the last 45 mins - no issues. Other than me having already changed wifi SSID and password so now lots of things stop working. I'm okay with that, I'd like to know if we've any rogues and I'm not letting kids reconnect without checking their devices.
The NAS issue is strange. I managed to log back in off a different device but not the first one I tried. So that's still under investigation
The KCPROXY thing I'm not worried about (much). Seems to be normal operation when requesting certain object types (such as wifi passwords) apparently.
We shall see.
Anyway I'm going to definitely buy a second PI and load balance DNS between them so I've always got something to test with. And maybe build that DMZ I've been talking about doing for years...
Thanks for all help so far, I might be back!
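The update above narrows things to the DHCP/DNS side of the house: two DHCP servers handing out settings, every client still pointed at the Pi for DNS, and a mesh node apparently answering for sites it does not own. The Python below is an added example, not code from the thread, for checking that from a known-good machine with only the standard library: query_a() sends one plain DNS A query to a resolver you name, and audit_answers() flags any resolver that returns a private or link-local address for a public hostname (an answer that sends a browser straight to a router's own web server and its self-signed certificate) or whose answers share nothing with a reference resolver. The resolver addresses, labels and answer sets in SAMPLE_ANSWERS are constructed; 203.0.113.x is the documentation address range, standing in for a real site's addresses.

```python
import ipaddress
import random
import socket
import struct

# Address ranges that should never be the answer for a public hostname.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def is_local_answer(ip):
    """True for RFC 1918, loopback and link-local addresses (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def encode_name(hostname):
    """DNS wire format: length-prefixed labels terminated by a zero byte."""
    labels = hostname.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def _skip_name(data, off):
    """Advance past a possibly compressed name (RFC 1035 section 4.1.4)."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_answers(data, expected_txid):
    """Return the IPv4 strings from the answer section of a DNS response."""
    txid, _flags, qdcount, ancount = struct.unpack("!HHHH", data[:8])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: not the reply to our query")
    off = 12
    for _ in range(qdcount):                # question = name + QTYPE + QCLASS
        off = _skip_name(data, off) + 4
    answers = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:       # A record
            answers.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return answers


def build_query(txid, hostname):
    """Header with RD=1 and one question: <hostname> A IN."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(hostname) + struct.pack("!HH", 1, 1)


def build_sample_response(txid, hostname, ips):
    """Constructed reply packet, used to exercise the parser offline."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(hostname) + struct.pack("!HH", 1, 1)
    rrs = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip) for ip in ips)
    return header + question + rrs


def query_a(resolver_ip, hostname, timeout=3.0):
    """Ask one specific resolver over UDP/53 for the A records of hostname."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(txid, hostname), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return set(parse_a_answers(data, txid))


def audit_answers(answers, reference):
    """answers: {resolver label: set of IP strings} for one public hostname.
    Returns {resolver label: [problem, ...]}; an empty list means nothing odd."""
    report = {}
    for resolver, ips in answers.items():
        problems = []
        local = sorted(ip for ip in ips if is_local_answer(ip))
        if local:
            problems.append("private/local address for a public name: " + ", ".join(local))
        if not ips:
            problems.append("no A records returned")
        # CDNs legitimately give different resolvers different addresses, so a
        # disjoint answer set is a prompt to look closer, not proof of tampering.
        elif resolver != reference and not (ips & answers[reference]):
            problems.append("no overlap with answers from " + reference)
        report[resolver] = problems
    return report


# Constructed sample: the Pi answers with a LAN address, the other two agree.
SAMPLE_ANSWERS = {
    "pi (192.168.1.2)": {"192.168.1.1"},
    "router (192.168.1.254)": {"203.0.113.10", "203.0.113.11"},
    "public (8.8.8.8)": {"203.0.113.10", "203.0.113.11"},
}

if __name__ == "__main__":
    for resolver, problems in audit_answers(SAMPLE_ANSWERS, "public (8.8.8.8)").items():
        print(resolver, "->", problems or "ok")
    # Live use (needs the network): {r: query_a(r, "www.flickr.com") for r in ("192.168.1.2", "8.8.8.8")}
```

Because query_a() addresses a resolver directly, it is not affected by which DNS server DHCP handed the machine, so it separates "the Pi gives a wrong answer" from "clients are being pointed at the wrong server", which is the distinction the update above is trying to make.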
Anyway I'm going to definitely buy a second PI
that will probably be your toughest problem 😂
What is actually (supposed) to be acting as your router? If it's not the 3 thingy then you want to put it into bridge mode really if possible rather than just disable WiFi on it.
Everything (hopefully) just sounds like a bunch of weird coincidences. I wouldn't put much (any) stock in Norton running on Android. Surprised it didn't try to get you to download/pay for Norton on the Macs/PCs to "solve" the problem 😂
Well it's kind of back but we're 99% sure it's the PI/ADGUARD/DNS setup. So I've moved that onto the NAS using a docker container. Will leave PI off and see if we get a repeat. I'm coming to the conclusion I was probably being over-paranoid (not that that's a bad thing)
The router is the Huawei - it terminates the antenna we use for cell based broadband. I could put it in bridge mode and use the Orbi as first line of defence but that makes me very nervous. I will take wifi off it, it was just so I could test 'outside' the Orbi network
I'm sure I could have spent 100s of pounds on security 'solutions' but I wasn't going to until I'd diagnosed the issue. Anyway I like the idea of going full vpn/cloudflare/warp... that's my longer term plan I think.
Also might just make a linux box to run home assistant and punt the pi into a field!
Oddly enough I've got a similar setup. 4 node Orbi but in routed mode, internet router load sharing across two links. With pi hole running on docker on my NAS and a second pi hole on a pi.
Using Orbi in routed as I've got the Netgear/Bitdefender running which does regular host vuln scans and blocking of compromised links.
Going to replace the router with a Fortigate firewall I'm slowly configuring how I want, with Talos blocklists etc.
There were some issues in earlier versions of the Orbi firmware with DNS but I thought that was only affecting routed mode. Are you on the latest version as that's been working a treat on mine.
Oh, PS: the router has a FTTC connection on it and the second is a Huawei 4G router.
Huawei is in router mode, plugged into a WAN port on the router/firewall running NAT.
Our Orbis are 4 years old at least. No upgrades for about a year. One of them - the one with the NAS and PI plugged in - appears to have died. Rebooted it, just flashing white even when I put it next to another one.
I shall prob just get a new mesh. Not been super impressed with netgear so shall have a look around. Whatever I get it will be in routed mode so I can start to create DMZ from 4G router. I was looking at fortigate FWs as well, maybe 2 🙂
Until then I do like the idea of running security software on mesh not just on end devices.
What a fun day today has been. Still it could have been a lot worse.
Love the FGs, deployed 1000s of them on various SD-WAN solutions. But want mine to be just right before it's deployed on the most critical network, also taking my time as Fortinet have had a bit of a torrid time over the last few months with lots of critical vulns needing firmware updates.
I did have a Meraki MX64 doing security duties but it was a freebie from Meraki and I'd done the CMNA that long in the past that, despite renewals, they wouldn't give me any more free licences (on the MX, switch and APs)
Just a final update. I was racking my brains trying to work out why 2FA wasn't working on the NAS. A bit of googling and it appears I'd unchecked the time server and set the time manually for some reason and that's enough to un-sync the 30 second window for the 2FA apparently. Would never have worked that out.
The issue was definitely a dodgy/partially broken Orbi that after a full reset came back eventually but will be switched out for something else. Not paying for new ones, they are stupid money!
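The 2FA finding above is worth seeing in code: TOTP codes are just HMACs over the number of 30-second steps since the epoch, so a NAS whose clock was set by hand and has drifted a few minutes computes a different step than the phone, and every code is rejected even though nothing was tampered with. The Python below is an added example, not from the thread or any NAS vendor: a stdlib RFC 6238 implementation plus a verifier with the customary one-step tolerance window, and skew_report() showing which clock errors survive that window. The secret is RFC 6238's published test-vector key (ASCII "12345678901234567890"), not a real one; the skew values are constructed.

```python
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test-vector secret (SHA-1 variant), used here so the
# outputs can be checked against the RFC. Never reuse it for anything real.
SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter = floor(time / step)."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, server_time, window=1, step=30, digits=6):
    """Accept a code that matches the server's current step or any of the
    `window` steps either side of it. Returns the step offset that matched
    (-1, 0 or 1 for window=1) or None if the code is rejected."""
    counter = int(server_time) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            return delta
    return None


def skew_report(secret, phone_time, server_skews, window=1):
    """For each server clock error (seconds), report the offset at which the
    phone's current code was accepted, or None if it was rejected."""
    code = totp(secret, phone_time)
    return {skew: verify_totp(secret, code, phone_time + skew, window) for skew in server_skews}


if __name__ == "__main__":
    phone_time = 1234567890                       # phone on correct (NTP) time
    print("phone shows", totp(SECRET, phone_time))
    # Constructed skews: in sync, half a minute slow, two minutes fast, ten minutes slow.
    for skew, matched in skew_report(SECRET, phone_time, [0, 30, 120, -600]).items():
        print(f"server clock off by {skew:+5d}s ->", "accepted" if matched is not None else "REJECTED")
```

The ±1-step window means a server clock that is up to about 30 seconds out still accepts the phone's code; a manually set clock that has wandered by minutes falls outside it, which is exactly the symptom the post describes, and it is why re-enabling NTP fixes 2FA without touching the secret.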
Excellent news! Good to hear you got to the bottom of things