DaemonForums  

#1, 25th July 2015
Peter_APIIT (Shell Scout; joined Jun 2008; 121 posts)
My OpenBSD machine was hacked

Dear All,

First of all, thanks for reading this thread. I would like to tell you all that my OpenBSD 5.7 machine was hacked recently.

I have little knowledge about networking and thus I have no idea how the hacker was able to hack the machine.

My firewall script was not loaded at run time, whereas the hacker's firewall rules were loaded at run time. The hacker was able to upload his script to my OpenBSD machine and edit my machine.

This was verified using the pfctl -sr command.
I did not change the kernel security level to 2 (my mistake).
I'm following the good practices for OpenBSD firewall configuration rules:

/etc/pf.conf
Code:
ext_if="fxp0"
int_if="vr0"

allowPort="{53, 80, 443}"
netbios="{137, 138, 139, 445}"

set block-policy drop
set state-policy floating

match on pppoe0 scrub (reassemble tcp, random-id, no-df, max-mss 1440, min-ttl 64)
match out on pppoe0 inet from !(egress:network) to any nat-to (pppoe0)

antispoof log for {$ext_if, $int_if}

block in log from {urpf-failed, no-route} to any
block drop log
block in log quick on {$ext_if, $int_if} proto {tcp, udp} from any to any port $netbios

pass out on pppoe0 inet proto {tcp, udp, icmp}
# note: "from any port $allowPort" matches the source port, not the destination port
pass out log on {$ext_if, $int_if} inet proto {tcp, udp} from any port $allowPort to any
pass out proto icmp icmp-type echoreq

pass in log on $int_if inet proto {tcp, udp, icmp}
No P2P network
No ssh
No telnet
No dangerous old protocol services running

My suspicions:
ARP attack (what is good software to protect against the 3 kinds of ARP attack?)
STP
SLP
The hacking was done by my ISP.
There is a pf carp protocol rule present after the hack (LAN attack)

Can a broadcast or multicast protocol on the same subnet be used to attack the OpenBSD machine?

I could upload the whole OS file here for inspection. Please tell me how to do it. Thanks.

#2, 25th July 2015
e1-531g (ISO Quartermaster; joined Mar 2014; 628 posts)

Do you have the SSH daemon enabled on your system?
If so, does this daemon authenticate using a password or a key?
If a password, does the password look more like "eye8" or "iRR1~{U{Y6),R<7&j60H&TU)+"?
#3, 25th July 2015
Peter_APIIT (Shell Scout; joined Jun 2008; 121 posts)

Quote:
Originally Posted by e1-531g
Do you have the SSH daemon enabled on your system?
If so, does this daemon authenticate using a password or a key?
If a password, does the password look more like "eye8" or "iRR1~{U{Y6),R<7&j60H&TU)+"?

I do not have any remote login services enabled on the machine, including ssh, telnet, rlogin or any others.
#4, 25th July 2015
rocket357 (Real Name: Jonathon; Wannabe OpenBSD porter; joined Jun 2010; Location: 127.0.0.1; 429 posts)

What kind of machine is it?

I've had the same boxes on the public internet with public services (all including ssh configured for keys only) running for years now, with some of them operating as tor endpoints (and those tend to be picked on quite a bit). I've never had a single security incident (to be precise, I've never had a single *successful* security incident...on OpenBSD, at least...I've had a few Linux machines fall to attackers, though).

For an attacker to get in, they either need an open port or they need physical access. Oh, if it's a virtual machine they might also have compromised the host to gain access to your guest, but other than that it's pretty cut and dry.

Did you scan the machine from the inside/outside to verify your firewall rules were working as intended? How do you access the machine?
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
#5, 26th July 2015
Peter_APIIT (Shell Scout; joined Jun 2008; 121 posts)
Quote:
Originally Posted by rocket357
What kind of machine is it?

I've had the same boxes on the public internet with public services (all including ssh configured for keys only) running for years now, with some of them operating as tor endpoints (and those tend to be picked on quite a bit). I've never had a single security incident (to be precise, I've never had a single *successful* security incident...on OpenBSD, at least...I've had a few Linux machines fall to attackers, though).

For an attacker to get in, they either need an open port or they need physical access. Oh, if it's a virtual machine they might also have compromised the host to gain access to your guest, but other than that it's pretty cut and dry.

Did you scan the machine from the inside/outside to verify your firewall rules were working as intended? How do you access the machine?

This is a machine used for home personal use only. There are no remote login services of any kind enabled on this machine, such as ssh, telnet or others. I ran netstat to check the open ports and it shows only my DNS server port listening (unbound).

I did not perform any penetration testing from outside the firewall. I checked using pfctl to ensure the rules were loaded.
I have physical access to the machine.

Is there any method to check how the hacking was done? Thanks.

#6, 26th July 2015
rocket357 (Real Name: Jonathon; Wannabe OpenBSD porter; joined Jun 2010; Location: 127.0.0.1; 429 posts)

What, exactly, does pfctl -sr show?
#7, 26th July 2015
Peter_APIIT (Shell Scout; joined Jun 2008; 121 posts)

Quote:
Originally Posted by rocket357
What, exactly, does pfctl -sr show?

Here is the output of pfctl -sr:

Code:
pass out inet6 proto ipv6-icmp all icmp6-type neighbrsol/routersol/neighbradv/routeradv

pass out inet6 proto udp from any port = 546 to any port = 547
pass out inet proto icmp all icmp-type echoreq
pass out inet proto udp from any port = 68 to any port = 67
pass out inet proto tcp from any port = 53 flags S/SA

pass in inet6 proto udp from any port = 547 to any port = 546
pass in inet6 proto udp from any to any port = 22 flags S/SA
pass in inet6 proto udp from any port = 67 to any port = 68

pass on lo0 all flags S/SA
pass in proto carp all keep state (no-sync)
pass out proto carp all !received-on any keep state (no-sync)
I tried to mount the pen drive and copy the whole hard disk into a tar.gz file, but it said "no such file or directory" with the following commands.

Code:
mkdir /mnt
mount /dev/sd0i /mnt/
# tar writes openbsd.tar.gz into the current working directory, so the cp below
# only finds it if that directory was /home/peterwkc; archiving / while /mnt is
# mounted also descends into /mnt (and the archive itself) unless excluded
tar -zcvf openbsd.tar.gz /
cp /home/peterwkc/openbsd.tar.gz /mnt/openbsd.tar.gz
The last command shows "no such file or directory". I tried to issue the mv command and it shows "read-only file system", but I can mkdir and save changes to configuration files.

I could upload the openbsd.tar.gz so that anyone here can help diagnose how the hacking was achieved.

Is anything wrong with my current pf rules?
How did the hacker gain root access?

Recall:
I recall that I had set the dhcp flag to dhcpd_flags="", ntpd listens on localhost, and the unbound server listens on localhost and the internal interface.

The firewall state policy is set to state-policy floating.

What is the difference between state-policy floating and if-bound?

#8, 27th July 2015
Peter_APIIT (Shell Scout; joined Jun 2008; 121 posts)

Newly discovered:

When I plug the LAN cable into the BSD machine, the pf rules get flushed, but my pf rules stay in place if the LAN cable is disconnected.

My pf rules were changed after connecting to the LAN and rebooting.

I believe my ISP is using carp or another network topology to control my machine. (No PPPoE connection, just a modem with a telephone line to the BSD machine.)

It seems like my machine sits in the same subnet as my ISP's machine even though no PPPoE connection was established. This might be a link layer 2 security problem or a network topology issue.

https://calomel.org/mac_random.html
Is there any method to call a perl script file from a shell script?

Anything to advise on this?
How to protect against link layer 2 attacks?
I have tried to disable the carp protocol.

#9, 27th July 2015
e1-531g (ISO Quartermaster; joined Mar 2014; 628 posts)

Why do you think your machines were hacked? What are the symptoms? What changed on these machines?

Do you have any router in your LAN? Maybe the router was hacked (probably not by the ISP)?
If the router was hacked, DNS packets are often rerouted or edited on the fly. You can check some information about your DNS provider on this web page:
https://www.f-secure.com/en/web/labs...router-checker

These kinds of pages don't like addons, so use for example a new Firefox profile:
in a terminal run firefox -P, create a new profile for this purpose, use the web page, and then delete the new profile.

#10, 28th July 2015
Peter_APIIT (Shell Scout; joined Jun 2008; 121 posts)

pfctl -sr shows the firewall rules were changed.
#11, 31st July 2015
Peter_APIIT (Shell Scout; joined Jun 2008; 121 posts)

Newly discovered:

The pf rules were flushed when I changed kern.securelevel from 1 to 2.

kern.securelevel=1
I'm able to see the pf rules written by me.

kern.securelevel=2
The pf rules consist of carp rules and other rules related to port 22 ssh, which were not written by me.

Can anyone confirm this?

#12, 31st July 2015
TronDD (Spam Deminer; joined Sep 2014; 304 posts)

Those are the system default rules. You are not creating your own rules correctly.

How are you trying to configure pf with your own rules?

Tim.
#13, 31st July 2015
jggimi (More noise than signal; joined May 2008; Location: USA; 7,975 posts)
I can replicate your problem, Peter.

Now, finally, you have isolated the problem, and I was able to replicate it on a -release test system.

The rc(8) subsystem sets default rules in the event your pf.conf fails to load. Those are the rules you see when securelevel is set to 2.

The sysctl values in sysctl.conf are set early in the rc(8) process, as kernel settings need to be provisioned before daemons are launched.

If you set kern.securelevel=2 in /etc/sysctl.conf, rc(8) operations for PF that follow later in the process will fail, because PF cannot be altered. Your configuration cannot be loaded. This is because the securelevel(7) restrictions are already in place.

Fix:
  • Do not set kern.securelevel=2 in sysctl.conf
  • Issue the sysctl command *after* PF has been provisioned. Use rc.local(8) as that is executed much later in the rc(8) process.

Step-by-step instructions for Peter:

1. EDIT /etc/sysctl.conf. Delete the line that sets kern.securelevel.
2. CREATE /etc/rc.local, with one line that executes the "sysctl kern.securelevel=2" command. Either use an editor, or use echo(1) and pipe the results into a new file, such as shown in the example below.


# echo sysctl kern.securelevel=2 > /etc/rc.local

----

I will consider whether I will submit a patch for the securelevel(7) man page to the Project to clarify rc(8) implications. If I do, I'm not sure it would be accepted. Peter missed error messages on his console produced by rc(8), including failures to load his PF rules, that should have immediately indicated a configuration problem when he set kern.securelevel=2 in sysctl.conf.

#14, 1st August 2015
Peter_APIIT (Shell Scout; joined Jun 2008; 121 posts)

Problem solved. Thanks jggimi for the clarification.

#15, 1st August 2015
jggimi (More noise than signal; joined May 2008; Location: USA; 7,975 posts)
This will happen again. And again.

Peter, this is not the first time you have had a problem which you did not understand, where your explanations of the problem were incomplete, your symptoms were not well explained, your conclusions were incorrect, and you were unable to provide information that had been requested, here and on misc@.

When we are able to help, the resolution of your problems has usually been simple, but only after long, difficult, and confusing attempts to support you, where seemingly by luck alone you provide the piece of the puzzle that had been missing. When you don't provide that missing information, we're unable to help and your problems don't get resolved.

Each one of us has technical problems occur where we have unexpected results that we do not understand. It happens to all of us, and will happen again. To us. And to you. So next time, please:
  • Do not assume you know the cause of a problem.
Here, your "changed" PF configuration was not an external attack; it was normal operation of rc(8). Those rules are in /etc/rc, and you can see them there.
  • Before using any knobs, understand what those knobs do, and why you are using them. If you don't know what a knob does, please don't touch it.
You instructed the kernel to stop PF configuration changes, and then had PF problems during boot. Knowing the scope of impact should have led you to your sysctl.conf provisioning.
  • Look for, read, and understand error messages. If you don't know what an error message means, ask.
Each time you rebooted, rc(8) issued error messages regarding PF failures on your console. You missed them.
  • Tell us more about your problems than you believe we need to know.
Each time you report a problem, people ask you for additional information. I can't recall ever seeing a complete dmesg, and I believe I've been asking you for them since 2007, or perhaps earlier.

Here are two links which should help. Please, read them, and if you have any questions, please let us know.

A guide to asking for help

What makes a perfect newbie?

#16, 1st August 2015
jggimi (More noise than signal; joined May 2008; Location: USA; 7,975 posts)

One final follow-up, Peter, with a corrective action.

I was preparing a patch to the securelevel(7) documentation, and as part of that I was examining /etc/rc securelevel handling in more detail. The /etc/rc.securelevel script, if it exists, is called at the time rc(8) raises the level from 0 to 1. The sysctl can be set to 2 within that script.

If you rename your /etc/rc.local file to rc.securelevel, the sysctl will only be raised a single time.

# mv /etc/rc.local /etc/rc.securelevel
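The two placements jggimi describes (first rc.local, then rc.securelevel) and the symptom that started the thread can be checked from a script. The POSIX sh below is an added example, not code from the thread or from OpenBSD's own /etc/rc. It takes file paths as arguments so the checks can be run against copies (defaults are the real /etc locations); the ruleset comparison assumes the output of "pfctl -sr" and "pfctl -nvf /etc/pf.conf" has been saved to files; the fallback-ruleset detection is a heuristic that assumes the interfaces from Peter's pf.conf (fxp0, vr0, pppoe0) as the names a correctly loaded ruleset would mention.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenBSD): does kern.securelevel
# get raised before rc(8) loads /etc/pf.conf, and is the loaded ruleset really
# the one in pf.conf?  Paths are arguments so the checks can run on copies.

# Print the kern.securelevel value set in a sysctl.conf-style file (comments
# ignored, last assignment wins).  Exit 0 only when it is 2 or higher, i.e.
# when sysctl(8) would lock PF before rc(8) reaches /etc/pf.conf.
securelevel_in_sysctl_conf() {
    file=${1:-/etc/sysctl.conf}
    [ -r "$file" ] || return 1
    level=$(sed 's/#.*//' "$file" | awk -F= '
        $1 ~ /^[ \t]*kern\.securelevel[ \t]*$/ { gsub(/[ \t]/, "", $2); v = $2 }
        END { if (v != "") print v }')
    [ -n "$level" ] || return 1
    echo "$level"
    [ "$level" -ge 2 ]
}

# Exit 0 if rc.securelevel or rc.local raises the level with sysctl(8); both
# run after PF has been provisioned (rc.securelevel at the 0 -> 1 transition).
securelevel_hook_present() {
    for f in "${1:-/etc/rc.securelevel}" "${2:-/etc/rc.local}"; do
        [ -r "$f" ] || continue
        sed 's/#.*//' "$f" | grep -q 'sysctl.*kern\.securelevel=2' && return 0
    done
    return 1
}

# Keep only pass/block/match lines and collapse whitespace so that saved
# "pfctl -sr" output can be compared with saved "pfctl -nvf /etc/pf.conf" output
# (the latter also prints macro definitions, which are dropped here).
normalize_rules() {
    sed -E -e '/^(pass|block|match)/!d' -e 's/[[:space:]]+/ /g' -e 's/ $//' "$1"
}

# Exit 0 when the loaded ruleset (file 1) equals what pf.conf produces (file 2),
# order included, since pf evaluates rules in order.
rules_match() {
    [ "$(normalize_rules "$1")" = "$(normalize_rules "$2")" ]
}

# Heuristic (assumption) for the rc(8) fallback ruleset: an inbound port 22
# rule plus carp rules, and no rule naming the interfaces the real pf.conf uses.
looks_like_rc_fallback() {
    ifaces=${2:-fxp0|vr0|pppoe0}
    grep -Eq 'pass in .*port ?= ?22' "$1" &&
        grep -q 'proto carp' "$1" &&
        ! grep -Eq "on ($ifaces)" "$1"
}

main() {
    if level=$(securelevel_in_sysctl_conf /etc/sysctl.conf); then
        echo "kern.securelevel=$level in /etc/sysctl.conf: /etc/pf.conf cannot load at boot"
    elif securelevel_hook_present; then
        echo "kern.securelevel is raised from rc.securelevel or rc.local: fine"
    else
        echo "kern.securelevel is not raised to 2 at boot"
    fi
    # Live comparison; only meaningful on the OpenBSD box itself.
    pfctl -sr > /tmp/loaded.rules && pfctl -nvf /etc/pf.conf > /tmp/expected.rules || return
    if rules_match /tmp/loaded.rules /tmp/expected.rules; then
        echo "loaded ruleset matches /etc/pf.conf"
    elif looks_like_rc_fallback /tmp/loaded.rules; then
        echo "loaded ruleset looks like the /etc/rc fallback rules"
    else
        echo "loaded ruleset differs from /etc/pf.conf"
    fi
}

# Run the live checks only when invoked as: sh pfcheck.sh check
if [ "${1:-}" = "check" ]; then
    main
fi
```

Run it as root with "sh pfcheck.sh check" after a reboot; a "cannot load at boot" line means the securelevel line belongs in /etc/rc.securelevel (or /etc/rc.local) instead, and a "fallback rules" line means the kernel is running the rules from /etc/rc rather than yours. The functions can also be pointed at saved copies for offline review.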
#17, 1st August 2015
Peter_APIIT (Shell Scout; joined Jun 2008; 121 posts)

Sorry for having ignored the problems that arose when questions were asked, due to my limited knowledge.

Sorry for having failed to provide complete information and for assuming a solution to a particular problem.

#18, 3rd August 2015
jggimi (More noise than signal; joined May 2008; Location: USA; 7,975 posts)

http://marc.info/?l=openbsd-tech&m=143843781009774&w=2

(No replies and no commit of this or a similar patch after two days.)
#19, 25th August 2015
Peter_APIIT (Shell Scout; joined Jun 2008; 121 posts)

Problem solved; closing the thread.