Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, April 4, 2019 12:27 PM, Normen Wohner <nor...@wohner.eu> wrote:
> Seeing that OpenBSD comes secure out of the box, the most likely
> thing is that you yourself compromised your system through 3rd
> party software. If it even is the case. I think the best course of
> action would be to go for a forensic approach. Google how to log ssh
> traffic and where to find the logs. Then confirm your remote access
> actually happens. If so, you should determine what software exposed
> you. VPN, some web service, your own stupidity? If you really use
> ssh keys instead of password login, then someone had to be able
> to access those, usually outside of transfer. So most likely your
> work device is compromised and your OpenBSD server is just a
> casualty.
>
Maybe my description is not very clear.
I'll try to explain again.
I installed an OpenBSD desktop 2 months ago. With it I have used Firefox
(and Epiphany for the webmail) and I have opened some (1 or 2) PDFs from a
command shell. After the installation I have always used a VPN from a very
secure VPN provider; I think it is impossible that this provider tried to hack
its clients. I use a VPN to browse the internet because I often use untrusted
wifis. At this point, after 1 month, I started to suspect a break-in
because private messages seemed to be known by others. I started to search for a
rootkit and I found signs of hacking in the ssh connections of my VPS. I mean, a Tor
exit node was connected to the VPS over ssh with my ssh key. Then, because my key
had been exfiltrated, my desktop had been hacked. But I repeat: the problem
is not the server (VPS). The problem is the desktop and how the key was
exfiltrated. Then I deleted everything (also the VPS) and I reinstalled OpenBSD
on my desktop, I changed VPN provider and I started to use Chrome+unveil; again
private messages seemed known to others... I searched again and I found a webmail
session opened, but I am sure I logged out every time. If the webmail session is
open and you have the session cookie, you can browse my email. Then this is
another sign of a rootkit or something. Then I wrote to misc.
Now the answer to your email.
I think the only way they could break in is through the browser. Chrome. As I
said, I haven't used scripts to connect to the internet (based for example on curl) and
I haven't opened PDFs outside the browser (in this second installation of the
desktop). I started to use unveil 1 or 2 days after the install. As I said, I
use Epiphany to connect to the webmail and only to the webmail. About forensics,
I asked on this mailing list how to use pkg_check from a live environment
on the infected system but no one has answered.
https://marc.info/?l=openbsd-misc&m=155404594328762&w=2
Another way could be an OpenBSD mirror compromise. I don't think so, but I
don't know.
Cord
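The forensic step suggested in the quoted reply (find the ssh logs and confirm whether the remote access really happened) can be done mechanically. The script below is an added example, not code from either poster: it parses "Accepted" lines in the format OpenBSD's sshd writes to /var/log/authlog, lists logins from addresses you do not recognise, and shows which source addresses presented the same key fingerprint. The log lines and the allowlist of known addresses are constructed for the illustration; the fingerprint value is a placeholder.

```python
# Added example (not part of the thread): triage successful sshd logins.
# Log format follows OpenBSD sshd's "Accepted <method> for <user> from <ip> port <n> ssh2"
# lines in /var/log/authlog. Sample lines, addresses and fingerprint are constructed.
import re

# Constructed sample: three accepted key logins and one failed password attempt.
SAMPLE_AUTHLOG = """\
Apr  3 08:12:41 vps sshd[12345]: Accepted publickey for cord from 203.0.113.10 port 51234 ssh2: ED25519 SHA256:PLACEHOLDERFINGERPRINT
Apr  3 22:47:09 vps sshd[23456]: Accepted publickey for cord from 198.51.100.77 port 40022 ssh2: ED25519 SHA256:PLACEHOLDERFINGERPRINT
Apr  4 01:03:55 vps sshd[34567]: Failed password for root from 192.0.2.200 port 3344 ssh2
Apr  4 07:15:02 vps sshd[45678]: Accepted publickey for cord from 203.0.113.10 port 51900 ssh2: ED25519 SHA256:PLACEHOLDERFINGERPRINT
"""

# Addresses the owner knows they connect from (assumed for the example).
KNOWN_SOURCES = {"203.0.113.10"}

ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fp>\S+))?"
)


def parse_accepted(log_text):
    """Return one dict (ts, method, user, ip, keytype, fp) per successful login."""
    logins = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            logins.append(m.groupdict())
    return logins


def unexpected_logins(logins, known_sources):
    """Successful logins whose source address is not one the owner recognises."""
    return [entry for entry in logins if entry["ip"] not in known_sources]


def fingerprints_by_source(logins):
    """Map each key fingerprint to the set of addresses that presented it.
    One fingerprint seen from both a known and an unfamiliar address is the
    signature of a copied key rather than a guessed password."""
    seen = {}
    for entry in logins:
        if entry["fp"]:
            seen.setdefault(entry["fp"], set()).add(entry["ip"])
    return seen


def report(log_text, known_sources):
    """Human-readable summary; used by the stand-alone run below."""
    logins = parse_accepted(log_text)
    lines = [f"{len(logins)} successful logins parsed"]
    for entry in unexpected_logins(logins, known_sources):
        lines.append(f"UNEXPECTED {entry['ts']} {entry['user']} from {entry['ip']} via {entry['method']}")
    for fp, ips in fingerprints_by_source(logins).items():
        lines.append(f"key {fp} used from {len(ips)} address(es): {', '.join(sorted(ips))}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Run against the constructed sample; point it at a copy of authlog taken
    # from a live environment to use it on a real system.
    print(report(SAMPLE_AUTHLOG, KNOWN_SOURCES))
```

Run it against a copy of authlog taken from the live environment rather than on the suspect system itself, since tools on a compromised host cannot be trusted; the useful signal is a known fingerprint arriving from an address the owner never used.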