OpenBSD machine was hacked

[Wong Peter]

Dear All,

Recently, I'm realized that my openbsd firewall router was not usable
anymore due to pf rules had changed by using carp and pfsync mechanism.

Here is my prove.

I'm tried to reinstall the whole machine and plugged in the modem LAN cable
to NIC card. All my written pf rules was flush and changed. This happen
even without internet connection(No IP address assign).

I'm suspected this is did by my ISP. I'm believed my openbsd machine was
located same subnet with their machine.

I'm even tried to disable carp protocol but my pf rules still get flushed
out.
How this can happen?
How to prevent it?
How my ISP can synchronize its pf rules to my machine without IP assign?
I'm suspect they achieved at Layer 2 by using mac spoofing/mac target to my
machine.
net.inet.carp.allow=0

Please help. Very urgent.






-- 
Linux

Re: OpenBSD machine was hacked

[Wong Peter]

What information you all require?

On Tue, Jul 28, 2015 at 10:28 PM, Giancarlo Razzolini grazzol...@gmail.com
wrote:

 Em 28-07-2015 06:17, Wong Peter escreveu:
  Dear All,
 
  Recently, I'm realized that my openbsd firewall router was not usable
  anymore due to pf rules had changed by using carp and pfsync mechanism.
 
  Here is my prove.
 
  I'm tried to reinstall the whole machine and plugged in the modem LAN
 cable
  to NIC card. All my written pf rules was flush and changed. This happen
  even without internet connection(No IP address assign).
 
  I'm suspected this is did by my ISP. I'm believed my openbsd machine was
  located same subnet with their machine.
 
  I'm even tried to disable carp protocol but my pf rules still get flushed
  out.
  How this can happen?
  How to prevent it?
  How my ISP can synchronize its pf rules to my machine without IP assign?
  I'm suspect they achieved at Layer 2 by using mac spoofing/mac target to
 my
  machine.
  net.inet.carp.allow=0
 
  Please help. Very urgent.
 
 
 
 
 
 
 You use a very controversial subject in order to draw attention in the
 hope that someone will help you. And not only you can't manage to give a
 shred of evidence to support your claim, as you can't even manage to
 provide enough information for some good soul on this list to help you.
 Come back when you sorted this out.

 Cheers,
 Giancarlo Razzolini




-- 
Linux

Re: OpenBSD machine was hacked

[Wong Peter]

Q:why do you believe that your machine was hacked?
A: My pf rules was flushed.This can prove using pfctl -sr. The whoe
firewall was not usable anymore. NO NAT nor packet filtering.

Q: You say that whatever happened was done by your ISP even though you had
no Internet connection.Why do you believe that to be true?
A: Our ISP had implement monitoring like NSA or British CGHQ. Moreover,
Hacking openBSD is not that easy. First hop hacking is much more easier
than anyone.

Q: Why do you believe that you had no Internet connection?
A: No response when ping dns server and no IP address assign to pppoe0
interface.

Q:  If you had no Internet connection, how is it that someone at your ISP
would have been able to access the machine?
A: I had no idea. Thus, I was asked it here.

Q: Where is the machine actually located?
A: This is a home use firewall router sit behind a modem.

Where to find log files regarding pf rule was flushed out using carp or
pfsync?

I'm understand you all want to help me and you all require information.
I'm tried to extract the whole OS into zip file and copied to portable hard
disk but it failed.
It say no such file or directory.
cp /home/user/bsd.tar.gz /mnt/obsd/

What wrong with it?











On Wed, Jul 29, 2015 at 8:26 AM, Daniel Boulet da...@matilda.com wrote:

 There is all sorts of information that you could provide:

 - why do you believe that your machine was hacked? You seem to think that
 someone at your ISP did whatever was done. Why do you believe that to be
 true? Why would someone at your ISP want to do this? Why would someone at
 you ISP be better able to do this than some random bad person out on the
 Internet?

 - you say that whatever happened was done by your ISP even though you had
 no Internet connection. Why do you believe that this is even possible? Why
 do you believe that you had no Internet connection? If you had no Internet
 connection, how is it that someone at your ISP would have been able to
 access the machine? Where is the machine actually located?

 - you say that your pf rules were flushed. Why do you believe that they
 were ever loaded in the first place? Can you demonstrate that the rules
 were in place at one point in time and that they are no longer in place
 later? Have you tried rebooting the machine and then immediately checking
 to see if the rules are there or not?

 - you say that you suspect that your ISP used some sort of “Layer 2 by
 using mac spoofing/mac target” technique. Please say more about “some
sort
 of” - what sort of? Why do you believe that this technique, whatever it
is,
 might work? Can you even provide a basic explanation of how this technique,
 whatever it is, might have been used to hack your machine or is this just a
 theory with no evidence to support it.

 There are lots of other questions you could answer. For example, what
 messages appear in your log files that support your theory? Even a list of
 the evidence that you see that supports your theory might help. It almost
 sounds like you are saying that you cannot figure out how whatever happened
 occurred so it must have been someone at your ISP. That is a pretty big
 leap to make without some evidence that actually points at your ISP.

 -Danny

  On Jul 28, 2015, at 18:00 , Wong Peter peterap...@gmail.com wrote:
 
  What information you all require?
 
  On Tue, Jul 28, 2015 at 10:28 PM, Giancarlo Razzolini 
 grazzol...@gmail.com
  wrote:
 
  Em 28-07-2015 06:17, Wong Peter escreveu:
  Dear All,
 
  Recently, I'm realized that my openbsd firewall router was not usable
  anymore due to pf rules had changed by using carp and pfsync mechanism.
 
  Here is my prove.
 
  I'm tried to reinstall the whole machine and plugged in the modem LAN
  cable
  to NIC card. All my written pf rules was flush and changed. This happen
  even without internet connection(No IP address assign).
 
  I'm suspected this is did by my ISP. I'm believed my openbsd machine
 was
  located same subnet with their machine.
 
  I'm even tried to disable carp protocol but my pf rules still get
 flushed
  out.
  How this can happen?
  How to prevent it?
  How my ISP can synchronize its pf rules to my machine without IP
 assign?
  I'm suspect they achieved at Layer 2 by using mac spoofing/mac target
 to
  my
  machine.
  net.inet.carp.allow=0
 
  Please help. Very urgent.
 
 
 
 
 
 
  You use a very controversial subject in order to draw attention in the
  hope that someone will help you. And not only you can't manage to give a
  shred of evidence to support your claim, as you can't even manage to
  provide enough information for some good soul on this list to help you.
  Come back when you sorted this out.
 
  Cheers,
  Giancarlo Razzolini
 
 
 
 
  --
  Linux
 




--
Linux

Re: OpenBSD machine was hacked

[Wong Peter]

The changes was not done to /etc/pf.conf file but it is on runtime.

I'm issues pfctl -sr command which reflect this.


On Tue, Jul 28, 2015 at 5:35 PM, Stefan Wollny ste...@wollny.de wrote:

 Hi,

 I can't tell you anything what might have happend as you didn't provide
 enough information and I am not educated to give any hints. But to prevent
 any changes you might consider using chflags after you have set up your
 pf.conf:

 $ sudo chflags schg /etc/pf.conf

 Keep in mind that changes thereafter are only possible if you reboot into
 insecure mode. man 1 chflags is your friend.

 If this doesn't help it is beyond my knowledge.

 Good luck!
 STEFAN


 *Gesendet:* Dienstag, 28. Juli 2015 um 11:17 Uhr
 *Von:* Wong Peter peterap...@gmail.com
 *An:* misc@openbsd.org
 *Betreff:* OpenBSD machine was hacked
 Dear All,

 Recently, I'm realized that my openbsd firewall router was not usable
 anymore due to pf rules had changed by using carp and pfsync mechanism.

 Here is my prove.

 I'm tried to reinstall the whole machine and plugged in the modem LAN cable
 to NIC card. All my written pf rules was flush and changed. This happen
 even without internet connection(No IP address assign).

 I'm suspected this is did by my ISP. I'm believed my openbsd machine was
 located same subnet with their machine.

 I'm even tried to disable carp protocol but my pf rules still get flushed
 out.
 How this can happen?
 How to prevent it?
 How my ISP can synchronize its pf rules to my machine without IP assign?
 I'm suspect they achieved at Layer 2 by using mac spoofing/mac target to my
 machine.
 net.inet.carp.allow=0

 Please help. Very urgent.






 --
 Linux





-- 
Linux

Re: Cannot run Snort

[Wong Peter]

Dear All,

OpenBSD 5.7
Arch: i386
Snort Version:2.9.7.3
Installed from packages
Start by typing snort. Thanks.


On Sat, Jun 27, 2015 at 6:49 PM, Nigel J Taylor ni...@openbsd.org wrote:

 On 06/27/15 09:12, Wong Peter wrote:
  Dear All,
 
  I had installed Snort but cannot run it.
 
  Error Message: Can't load library liblzma.s0.2.0
 
  What need to install? I had install the lzlib but still cannot solved it.
  Which packages need to install or how to tell snort to look up the shared
  library?
 
 try xz, it should have been installed with snort, current version does
 include the dependency.
 For 5.7 the dependency is missing.


 $ pkg_info -Sq snort

 snort-2.9.7.3,@daq-2.0.5,@libdnet-1.12p10,@pcre-8.37p0,@xz-5.2.1,c.80.0,crypto.34.0,daq.2.1,dnet.1.0,lzma.2.1,m.9.0,pcap.8.0,pcre.3.0,pthread.19.0,z.5.0
 $ pkg_info -f xz | grep lzma.so
 @lib lib/liblzma.so.2.1

 The pkglocatedb package should help to find any missing packages...

 $ pkg_locate lzma.so.2
 xz-5.2.1:archivers/xz:/usr/local/lib/liblzma.so.2.1




-- 
Linux

Cannot run Snort

[Wong Peter]

Dear All,

I had installed Snort but cannot run it.

Error Message: Can't load library liblzma.s0.2.0

What need to install? I had install the lzlib but still cannot solved it.
Which packages need to install or how to tell snort to look up the shared
library?

-- 
Linux

Linksys wmp54g v4.1 is not support

[Wong Peter]

Dear all,

The Linksys wmp54g v4.1 is not support on Openbsd 4.1. Previously, it is
working but it is not working after few years.

Any reason for this ?

Please help.

Thanks.

-- 
Linux

Netgear WG311T Atheros Chipset Wireless Problem

[Wong Peter]

Dear all,

I had bought a Netgear WG311T Atheros Chipset. The Openbsd kernel(dmesg)
shows this card as ath0.

Therefore, I try to configure it using /etc/hostname.ath0 with content
below:
inet 192.168..5.1 255.255.255.0 none media autoselect mediaopt hostap mode
11b chan 6 nwid wsm nwkey 

This configuration gives me an access point which its LED keeps on blinking
and scan from window cannot find the particular nwid as well.

I believe there is some problems with it.

Please help. Thanks.


-- 
Linux

Openbsd Routing/NAT Internet Issues

[Wong Peter]

Hello to all, I had try to set up openbsd as home router but eventually it
fail to function properly.

External Interface (vr0)
192.168.1.2 255.255.255.0 none

Internal Interface (rl0)
172.16.10.1 255.255.255.0 none

Wireless Interface (ath0)
192.168.5.1 255.255.255.0 none

External interface connects to a modem with ip address of 192.168.1.254.

*Routing Table* (route show | more)
Destination Gateway Flags Interface
default 175.13.8.127.254 UGS tun0
175.130.127.254 175.135.116.213 (PPPOE IP address) UH tun0
loopback loopback UGRS lo0
loopback loopback UH lo0
172.16.10/24 link#2 UC rl0
172.16.10.3 inet6 UHLC rl0
192.168.1/24 link#1 UC vr0
192.168.5/24 link#3 UC ath0

My wireless interface light is keep on blinking rather stay on stable mode.

*Packet Filter Rules* (pfcrt -sr)
nat on vr0 from !(vr0) to any - (vr0) round-robin
scrub on vr0 all no-df fragment reassemble
scrub on vr0 all reassemble tcp

block drop in log on vr0 all
pass out quick on ath0/rl0 keep state.

Problem:
I can ping Google DNS(8.8.8.8) from openbsd machine. or browsing internet.
I cannot ping Google DNS(8.8.8.8) from LAN PC.
I can ping my external modem(192.168.1.254) which return echo reply.

I have no idea why ping the modem does reply but ping external network with
no reply.

Please help.

-- 
Linux

Openbsd 4.1 Routing Issues

[Wong Peter]

Hello to all, I had try to set up openbsd as home router but eventually it
fail to function properly.

External Interface (vr0)
192.168.1.2 255.255.255.0 none

Internal Interface (rl0)
172.16.10.1 255.255.255.0 none

Wireless Interface (ath0)
192.168.5.1 255.255.255.0 none

*Routing Table* (route show | more)
Destination Gateway Flags Interface
default 175.13.8.127.254 UGS tun0
loopback loopback UGRS lo0
loopback loopback UH lo0
172.16.10/24 link#2 UC rl0
172.16.10.3 inet6 UHLC rl0
175.130.127.254 175.135.116.213 (PPPOE IP address) UH tun0
192.168.1/24 link#1 UC vr0
192.168.5/24 link#3 UC ath0

My wireless interface light is keep on blinking rather stay on stable mode.

*Packet Filter Rules* (pfcrt -sr)
nat on vr0 from !(vr0) to any - (vr0) round-robin
scrub on vr0 all no-df fragment reassemble
scrub on vr0 all reassemble tcp

block drop in log on vr0 all
pass out quick on ath0/rl0 keep state.


Please help me why my pc cannot connect to internet. My pc can even ping
external interface ip address (192.168.1.2) but it shows no internet
access.

My external interface connects to a modem with ip address of 192.168.1.254.

Please help.

-- 
Linux

OpenBSD Strange Problem

[Wong Peter]

Hello all respect network administrator, i have set up a openbsd gateway but
the wireless connection(gateway) is not detected by client but before this
is ok. Can see it widnows but now cannot. I don't know what wrong with it.
I sure my configuration is ok because i didn't edit it.
Another problem now is when oot up to process starting network, previously i
did not need to enter ctrl + C to proceeed to DHCP request for rl0 but now i
need that. I alos don't know what wrong.
Third problem is from openbsd canno ping to LAN client ip but client can
ping to openbsd.
I try router add 176.16.10.11(destination) 176.16.10.1(gateway) return file
exists. If this routing is exists, then should be no problem but who come
cannot ping from openbsd to client.

My Version of openbsd is 4.1

I hope you can help me out. becuase my hair has drop until no more hair.


If you all need extra information or configuration, please let me know.


A billion thanks for your help

-- 
Linux

OpenBSD 4.1 Strange Problem

[Wong Peter]

Hello all respect network administrator, i have set up a openbsd gateway but
the wireless connection(gateway) is not detected by client but before this
is ok. Can see it widnows but now cannot. I don't know what wrong with it.

I sure my configuration is ok because i didn't edit it.

Another problem now is when oot up to process starting network, previously i
did not need to enter ctrl + C to proceeed to DHCP request for rl0 but now i
need that. I alos don't know what wrong.

Third problem is from openbsd canno ping to LAN client ip but client can
ping to openbsd.

I try router add 176.16.10.11(destination) 176.16.10.1(gateway) return file
exists. If this routing is exists, then should be no problem but who come
cannot ping from openbsd to client.

I hope you can help me out. becuase my hair has drop until no more hair.

If you all need extra information or configuration, please let me know.

A billion thanks for your help.

-- 
Linux

Re: OpenBSD 4.1 Stable Strange Problem

[Wong Peter]

On 2/21/08, Wong Peter [EMAIL PROTECTED] wrote:

 Before this, it is not normal to me because it is very fast. Now become
 like this and also the wireless problem.

 My wireless card is Linksys Wmp54g.

 No i do not do any thing to rc.rconf .rc.local.

 /etc/hostname.rl1 :
 inet 172.16.10.1 255.240.0.0

 /etc/hostname.ral0:
 inet 192.168.5.1 255.255.0.0 NONE media autoselect \ mediaopt hostap mode
 11g nwid myname nwkey xxx

 /etc/hostname.rl0 (External Interface)
 dhcp NONE NONE NONE

 /etc/dhcpd.interfaces.
 ral0 rl1

 /etc/dhcpd.conf

 Wired

 subnet 172.16.0.0 netmask 255.240.0.0
 {
option subnet-mask 255.240.0.0;
option routers 172.16.10.1;
range 172.16.10.12 and some fixed address;
 }

 wireless

 subnet 192.168.0.0 netmask 255.255.0.0
 {
   option routers 192.168.5.1;
 }

 After boot, the wireless interface is not up and i need to manulaly bring
 it up with ifconifg ral0 192.168.5.1. AFter issues this command, the
 status of wireless interface is no network.

 Below is the ifconfig -a | less : rl1(Wired internal interfac) is not
 connected


 rl1: status: no carrier
 inet 172.16.10.1 netmask 0xfff0 broadcast 172.31.255.255

 ral0:
 UP, Broadcast, RUNNING SIMPLEX,MULTICAST
 groups: wlan
 meida IEEE 802.11 autoselect (DS1)
 status no network
 ieee802.11: nwid myname (100dBm)
 inet 192.168.5.1 netmask 0xff00 broadcast 192.168.5.255

 Routing Tables:

 Internet
 Destination GatewayFlagsRefs   Use   MtuInterface
 default 219.93.218.177  UGS 13 2142 tun0
 127/8127.0.0.1UGRS   0  0   33224 lo0
 127.0.0.1   127.0.0.1   UH   2   0   33224lo0
 155.207.113.207  219.93.218.177   UGHD   0   1682 - L tun0
 172.116/12 link#2   UC0 0-   rl1
 192.168.1/24   link#1   UC1   0  rl0
 192.168.1.1  H.AUHLc 0   0  lo0
 192.168.1.2   127.0.0.1   UGHS   0  0   lo0
 219.93.218.177   60.48.180.172  UH2  0  1492  tun0
 224/4   127.0.0.1   URS   0 0 33224 lo0

 Dmesg if as follow:

 ral0 at pci0 dev 15 function 0 Ralink Rt2561S rev 0x00: irq 10, address
 H.A ral0: MAC/BBP RT 2561C, RF Rt 2527

 Why function is 0  ?

 NAT rules:

 priv_add=192.168.0.0/16
 priv_adds=172.16.0.0/12

 nat on {ext_if} inet from $priv_add or $priv_adds to any -  {$ext_if}

 rl0 is promisc mode when i do rootkit hunter scan.
 etherip.allow=1;
 ip.redirect=0;
 ip forward = 1
 esp.enable = 1
 ah.enable=1

 Cannot ping openbsd to rl1(Wired Internal interface)

 If you need any more information, please let me know.

 I'm one of the developer of rootkit hunter.
 A billion thnaks for oyur help.








-- 
Linux