My OpenBSD machine was hacked
Dear All,
First of all, thanks for reading this thread. I would like to tell you all that my OpenBSD 5.7 was hacked recently. I have little knowledge about networking and thus I have no idea how the hacker was able to hack the machine. My firewall script was not loaded at run time, while the hacker's firewall rules were loaded at run time. The hacker was able to upload his script to my OpenBSD machine and edit my machine. This was verified using the pfctl -sr command. I did not change the kernel security level to 2 (my mistake). I'm following the good practices of OpenBSD firewall configuration rules in /etc/pf.conf:
No ssh
No telnet
No dangerous old protocol services running
My suspicion:
ARP attack (What are the good software to protect against the 3 kinds of ARP attack?)
STP
SLP
Hacking was done by my ISP. There is a pf carp protocol running after the hack (LAN attack).
Can broadcast or multicast protocol at the same subnet be used to attack the OpenBSD machine? I could upload the whole OS file here for inspection. Please tell me how to do it. Thanks.
Last edited by Peter_APIIT; 25th July 2015 at 02:37 PM.

Do you have an SSH daemon enabled on your system?
If so, does this daemon authenticate using a password or a key? If a password, does the password look more like "eye8" or "iRR1~{U{Y6),R<7&j60H&TU)+"?

I do not have any remote login services enabled on the machine, including ssh, telnet, rlogin or any others.

This is a machine used for home personal use only. There are no remote login services of any kind enabled on this machine, like ssh, telnet or others. I did netstat to check the open ports and it shows only my DNS server port was listening (unbound). I did not perform any penetration testing from outside of the firewall. I had checked using pfctl to ensure the rules were loaded. I have physical access to the machine. Any method to check how the hacking was done? Thanks.
Last edited by Peter_APIIT; 26th July 2015 at 04:29 AM.

Here is the content of pfctl -sr:
Code:
    pass out inet6 proto ipv6-icmp on icmp6-type neighbrsol/routersol/neighbradv/routeradv
    pass out inet6 proto udp from any port =546 to any port=547
    pass out inet proto icmp all icmp-type echoreq
    pass out inet proto udp from any port=68 to any port=67
    pass out inet proto tcp from any port=53 flags S/SA
    pass in inet6 proto udp from any port= 547 to any port= 546
    pass in inet6 proto udp from any port to any port=22 flags S/SA
    pass in inet6 udp from any port=67 to any port=68
    pass on lo0 all flags S/SA
    pass in proto carp all keep state (no-sync)
    pass out proto carp all !received-on any keep state (no-sync)
Code:
    mkdir /mnt
    mount /dev/sd0i /mnt/
    tar -zcvf openbsd.tar.gz /
    cp /home/peterwkc/openbsd.tar.gz /mnt/openbsd.tar.gz
I could upload openbsd.tar.gz so that anyone here can help diagnose how the hacking was achieved. Is anything wrong with my current pf rules? How did the hacker gain root access?
Recall: I recall that I had set the dhcp flags to dhcpd_flags="", ntpd listens on localhost, and the unbound server listens on localhost and the internal interface. The firewall state policy is set to state-policy floating. What is the difference between state-policy floating and if-bound?
Last edited by Peter_APIIT; 27th July 2015 at 01:59 AM.

New discovery:
When I plug the LAN cable into the bsd machine, the pf rules get flushed, but my pf rules stand still if the LAN cable is disconnected. My pf rules were changed after connecting to the LAN and rebooting. I believe my ISP is using carp or another network topology to control my machine. (No PPPOE connection, just a modem with a telephone line to the bsd machine.) It seems like my machine sits in the same subnet as my ISP's machine even though no PPPOE connection was established. This might be a Link Layer 2 security problem or a network topology issue. https://calomel.org/mac_random.html Any method to call a perl script file from a shell script? Anything to advise on this? How to protect from Link Layer 2 security problems? I had tried to disable the carp protocol.
Last edited by Peter_APIIT; 27th July 2015 at 08:25 AM.

Why do you think your machines were hacked? What are the symptoms? What changed on these machines?
Do you have any router in your LAN? Maybe the router was hacked (probably not by the ISP)? If the router was hacked, DNS packets are often rerouted or edited on the fly. You can check some information about your DNS provider on this web page: https://www.f-secure.com/en/web/labs...router-checker These kinds of pages don't like addons, so use, for example, a new Firefox profile from the terminal: firefox -P, create a new one for this purpose, use the web page and then delete the new profile.
Last edited by e1-531g; 27th July 2015 at 10:26 AM.

pfctl -sr shows the firewall rules were changed.

New discovery:
The pf rules were flushed when I changed kern.securelevel from 1 to 2.
kern.securelevel=1: I'm able to see the pf rules written by me.
kern.securelevel=2: The pf rules consist of carp and other rules related to port 22 ssh which were not written by me.
Can anyone confirm this?
Last edited by Peter_APIIT; 31st July 2015 at 07:24 AM.

Those are the system default rules. You are not creating your own rules correctly.
How are you trying to configure pf with your own rules?
Tim.

I can replicate your problem, Peter.
Now, finally, you have isolated the problem, and I was able to replicate it on a -release test system.
The rc(8) subsystem sets default rules in the event your pf.conf fails to load. Those are the rules you see when securelevel is set to 2. The sysctl values in sysctl.conf are set early in the rc(8) process, as kernel settings need to be provisioned before daemons are launched. If you set kern.securelevel=2 in /etc/sysctl.conf, rc(8) operations for PF that follow later in the process will fail, because PF cannot be altered. Your configuration cannot be loaded. This is because the securelevel(7) restrictions are already in place.
Fix:
Step-by-step instructions for Peter:
1. EDIT /etc/sysctl.conf. Delete the line that sets kern.securelevel.
2. CREATE /etc/rc.local, with one line that executes the "sysctl kern.securelevel=2" command. Either use an editor, or use echo(1) and pipe the results into a new file, such as shown in the example below.
    # echo sysctl kern.securelevel=2 > /etc/rc.local
----
I will consider whether I will submit a patch for the securelevel(7) man page to the Project to clarify rc(8) implications. If I do, I'm not sure it would be accepted. Peter missed error messages on his console produced by rc(8), including failures to load his PF rules, that should have immediately indicated a configuration problem when he set kern.securelevel=2 in sysctl.conf.
Last edited by jggimi; 31st July 2015 at 04:44 PM. Reason: securelevel is in chapter 7 of the man pages.

Problem solved. Thanks jggimi for the clarification.

This will happen again. And again.
Peter, this is not the first time you have had a problem which you did not understand, and where your explanations of the problem were incomplete, your symptoms were not well explained, your conclusions were incorrect, and you were unable to provide information that had been requested, here and on misc@.
When we are able to help, the resolution of your problems has usually been simple, but only after long, difficult, and confusing attempts to support you, where, seemingly by luck alone, you provide the piece of the puzzle that had been missing. When you don't provide that missing information, we're unable to help and your problems don't get resolved. Each one of us has technical problems occur where we have unexpected results that we do not understand. It happens to all of us, and will happen again. To us. And to you. So next time, please:
Here are two links which should help. Please read them, and if you have any questions, please let us know.
A guide to asking for help
What makes a perfect newbie?
Last edited by jggimi; 1st August 2015 at 12:44 PM. Reason: typo

One final follow-up, Peter, with a corrective action.
I was preparing a patch to the securelevel(7) documentation, and as part of that I was examining /etc/rc securelevel handling in more detail. The /etc/rc.securelevel script, if it exists, is called at the time rc(8) raises the level from 0 to 1. The sysctl can be set to 2 within that script. If you rename your /etc/rc.local file to rc.securelevel, the sysctl will only be raised a single time.
    # mv /etc/rc.local /etc/rc.securelevel

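A small read-only check for the two conditions jggimi describes (kern.securelevel=2 set in sysctl.conf before rc(8) reaches PF, and the loaded ruleset being rc(8)'s fallback rather than pf.conf), as an added example that is not part of the thread. The fallback markers and the sample sysctl.conf and ruleset text are constructed from the rules quoted earlier in the thread; on a real box the two arguments would be "$(cat /etc/sysctl.conf)" and "$(pfctl -sr)".

```shell
#!/bin/sh
# Added example, not from the thread: diagnose the rc(8) ordering problem
# from text handed in as arguments. Answers two questions:
#   1. does the sysctl.conf text raise kern.securelevel to 2 (too early for PF)?
#   2. does the ruleset text look like rc(8)'s fallback instead of pf.conf?
# The fallback markers are taken from the pfctl -sr output quoted in the
# thread: a carp pass rule plus an inbound port 22 pass rule.

# Exit 0 when the sysctl.conf text sets kern.securelevel=2 (comments ignored).
securelevel_set_in_sysctl_conf() {
    printf '%s\n' "$1" | sed 's/#.*//' |
        grep -Eq '^[[:space:]]*kern\.securelevel[[:space:]]*=[[:space:]]*2[[:space:]]*$'
}

# Exit 0 when the ruleset text carries both rc(8) fallback markers.
looks_like_rc_fallback() {
    printf '%s\n' "$1" | grep -q 'proto carp' &&
        printf '%s\n' "$1" | grep -Eq 'port ?= ?22'
}

# Print one finding per line; print "ok" when neither condition holds.
# $1 = sysctl.conf contents, $2 = pfctl -sr output
diagnose() {
    found=0
    if securelevel_set_in_sysctl_conf "$1"; then
        echo "securelevel-too-early: move kern.securelevel=2 to /etc/rc.securelevel"
        found=1
    fi
    if looks_like_rc_fallback "$2"; then
        echo "rc-fallback-loaded: pf.conf did not load, check the boot console"
        found=1
    fi
    [ "$found" -eq 1 ] || echo "ok"
}

# Constructed sample input mirroring Peter's situation (not real files).
SAMPLE_SYSCTL='net.inet.ip.forwarding=1
kern.securelevel=2   # raised before rc(8) reaches PF'
SAMPLE_RULES='pass in inet6 proto udp from any port to any port=22 flags S/SA
pass in proto carp all keep state (no-sync)'

diagnose "$SAMPLE_SYSCTL" "$SAMPLE_RULES"
```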
Sorry for having ignored the problem that arose when asking questions due to limited knowledge.
Sorry for having neglected to provide complete information and for assuming a solution to a particular problem.
Last edited by Peter_APIIT; 1st August 2015 at 02:14 PM. Reason: Added information

http://marc.info/?l=openbsd-tech&m=143843781009774&w=2
(No replies and no commit of this or a similar patch after two days.)

Problem solved; closing thread.