Re: rc.local mystery executables
2014/08/30 12:20 Eric Furman ericfur...@fastmail.net:
> grc.*** (because I don't want any more google weight given to this website) and the person who runs it, whose name shall not be mentioned other than his initials are SG, is a complete fraud.

The first two paragraphs didn't seem too bad. But DoG? Brute force doesn't have to be blind. I think I agree with you.

> On Fri, Aug 29, 2014, at 08:37 PM, Scott Bonds wrote:
>> On Tue, Aug 19, 2014 at 03:24:08AM -0400, Todd Zimmermann wrote:
>>> Just off the top of my head a few links:
>>> www.team-cymru.org
>>> https://www.dshield.org
>>> http://emergingthreats.net/
>>> https://www.grc.***/dns/dns.htm
>>>
>>> I stumbled upon malheur awhile back. No idea what to do with it, but it compiles easy on obsd. Since you found the malware files it might help.
>>> http://www.mlsec.org/malheur/
>>
>> Thanks, I'll check these out.
Re: rc.local mystery executables
On Tue, Aug 19, 2014 at 03:24:08AM -0400, Todd Zimmermann wrote:
> Just off the top of my head a few links:
> www.team-cymru.org
> https://www.dshield.org
> http://emergingthreats.net/
> https://www.grc.com/dns/dns.htm
>
> I stumbled upon malheur awhile back. No idea what to do with it, but it compiles easy on obsd. Since you found the malware files it might help.
> http://www.mlsec.org/malheur/

Thanks, I'll check these out.
Re: rc.local mystery executables
grc.*** (because I don't want any more google weight given to this website) and the person who runs it, whose name shall not be mentioned other than his initials are SG, is a complete fraud.

On Fri, Aug 29, 2014, at 08:37 PM, Scott Bonds wrote:
> On Tue, Aug 19, 2014 at 03:24:08AM -0400, Todd Zimmermann wrote:
>> Just off the top of my head a few links:
>> www.team-cymru.org
>> https://www.dshield.org
>> http://emergingthreats.net/
>> https://www.grc.***/dns/dns.htm
>>
>> I stumbled upon malheur awhile back. No idea what to do with it, but it compiles easy on obsd. Since you found the malware files it might help.
>> http://www.mlsec.org/malheur/
>
> Thanks, I'll check these out.
Re: rc.local mystery executables
* Scott Bonds sc...@ggr.com [2014-08-19 02:28]:
> The funny thing is that I have a book on Snort on my reading list. Time to read it.

or you use the time for something useful instead. did I say snake oil? ewps.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
Re: rc.local mystery executables
>> OpenBSD has always rocked for providing very current versions of snort. barnyard2 compiles cleanly on obsd.
>
> The funny thing is that I have a book on Snort on my reading list. Time to read it. I'll checkout barnyard2 as well

There is a learning curve for sure. It's not something that most can set up in a day or longer (I certainly didn't). It does give you a view from Layer 7 down, which is really what is needed anymore.

Just to clarify, barnyard2 handles the unified2 output from snort. Compile it and check out the barnyard2.conf it generates and it will lead you to various utilities. You really don't need it right away when you're getting started. A lot of these things require the patience to tune them or they will drive ya nuts with alerts ;)

Just off the top of my head a few links:
www.team-cymru.org
https://www.dshield.org
http://emergingthreats.net/
https://www.grc.com/dns/dns.htm

Working on cleaning up DNS via unbound/dnscrypt-proxy can help too.

> If anyone reading this knows where I can read up on (those specific) exploits, please let me know, perhaps I can figure out where my vulnerability is/was if I know more about how they work.

I stumbled upon malheur awhile back. No idea what to do with it, but it compiles easy on obsd. Since you found the malware files it might help.
http://www.mlsec.org/malheur/
Re: rc.local mystery executables
On 2014-08-15, Scott Bonds sc...@ggr.com wrote:
> I thought I was being reasonably careful: ssh disabled for root, key-only login on my admin account, following stable, etc...then again, I'm running owncloud and a bunch of other (no doubt less secure) software.
>
> Perhaps I should separate the router and 'everything else' roles, so that the router only has builtin OpenBSD software on it, no packages. Then again, whatever the exploit, they could probably still use it on the newly separated 'everything else' box. Anyway, I clearly have a lot to learn about security.

Web application security is often not that great, and popular programs are subject to a lot of investigation (phpmyadmin, owncloud, wordpress, joomla, piwik, ...) - looking through 404s in error_log on pretty much any internet-facing web server will identify some of these.

To reduce risk of web applications that you run which shouldn't be accessible to the public, you can do things like use your packet filter or http daemon's access controls to prevent unauthorised users from being able to access the code at all. Or make it unroutable; only access over VPN or SSH tunnel.

Other generally useful things to consider: reject (and ideally log and investigate) unexpected *outgoing* connections. Check web server logs for unusual entries. And as you have suggested, isolating services reduces the scope of a breach.

> On Thu, Aug 14, 2014 at 09:23:54PM -0400, Ted Unangst wrote:
>> Bad news: yeah. They appear to have screwed up their rootkit by installing the i386 edition, ...

>> dsfrefr: ELF 32-bit LSB executable, Intel 80386, version 1, statically linked, stripped

That isn't even for OpenBSD, file(1) would say "for OpenBSD". That's only one of the executables though; perhaps the others might be for a range of OS..

So they clearly had root and access outside of any chroot jail (if your httpd and/or php-fpm was using one) but don't seem to have done much in the way of targeted probing.

Web server isn't necessarily the infection route but I'd think it was high probability; if you're lucky you might still have the evidence of the infection route in web server access logs.
Re: rc.local mystery executables
On Fri, Aug 15, 2014 at 5:53 PM, Josh Grosse j...@jggimi.homeip.net wrote:
> On 2014-08-15 10:39, Scott Bonds wrote:
>> ...I'm running owncloud and a bunch of other (no doubt less secure) software
>
> On June 29, there was a 5.5-stable update to www/owncloud to release 6.0.4 to fix a security issue.

Changing/modifying /etc requires root privileges. Here we don't have only buggy software, but some other serious issue. Owncloud should run with web server privileges.

--
Cris, member of G.U.F.I
Italian FreeBSD User Group
http://www.gufi.org/
Re: rc.local mystery executables
On 16-08-14 08:22, Joel Rees wrote:
> On Fri, Aug 15, 2014 at 11:39 PM, Scott Bonds sc...@ggr.com wrote:
>> [...]
>> Perhaps I should separate the router and 'everything else' roles, so that the router only has builtin OpenBSD software on it, no packages.
>
> Strongly encourage you to get a separate box to run the router and firewall on. (Ted, if you read this, do you run firewall on Beagle Boards?)
>
>> Then again, whatever the exploit, they could probably still use it on the newly separated 'everything else' box. Anyway, I clearly have a lot to learn about security.
>
> Actually, many of the exploits will hit high enough speed bumps getting through the router/firewall, if you set it up right, that the exploit would not succeed in dropping actual rootkit. Not to say you don't need something to watch for rootkits, as well, but combining functions makes for a weaker system.

You might want to run a SIEM solution such as ossim with local ossec agents. Works fine. Overkill? Might be, but it is nice to see what is happening, and you can run automated vulnerability scans on your own network to see where leaks or misconfigurations might be.

Erik Jan
Re: rc.local mystery executables
On Sat, Aug 16, 2014 at 02:34:21AM -0400, Todd Zimmermann wrote:
> Lots of good stuff in base and the ports collection. mtree can be extended to check file integrity for anything you've modified and other local stuff (something I need to do).

thanks, mtree is neat, glad to know about it

security(8) uses it too and on that note, I realized I hadn't received my daily security(8) email in a while, I broke my root=scott alias when fiddling with smtpd configuration and forgot to fix it, otherwise I would have likely noticed the breach sooner...live and learn

> OpenBSD has always rocked for providing very current versions of snort. barnyard2 compiles cleanly on obsd.

The funny thing is that I have a book on Snort on my reading list. Time to read it. I'll checkout barnyard2 as well.

> IIRC swatch can email you on log events. i.e. I know I haven't logged onto the server for 2 weeks, why was there an unsuccessful (or yikes successful) su/sudo attempt at 0237 when I was sleeping.
>
> Got sagan-1.0.0RC4 set up earlier and was greeted with this alert:
>
> [**] [1001:1] sagan_blacklist: Address found in blacklist [**]
> [Classification: Blacklist] [Priority: 1]
> 2014-08-15 22:58:01 61.174.51.214:1514 - 127.0.0.1:1514 daemon warning
> Message: Aug 15 22:57:55.617311 rule 7/(match) block in on rl0: 61.174.51.214.6000 xxx.xxx.xxx.xxx.22: S 1496842240:1496842240(0) win 16384 [tos 0x20]
>
> And snort (timestamps are messed up):
>
> 04/21-15:21:46.67 [**] [1:2100528:6] snort GPL SCAN loopback traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 127.0.0.1:53 - 172.xxx.xxx.xxx:31105
> 12/30-19:03:17.65 [**] [1:2100528:6] snort GPL SCAN loopback traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 127.0.0.1:53 - 172.xxx.xxx.xxx:3117
>
> So you're not alone. Good Luck

Thank you. I'll checkout swatch and sagan too.

Also, another emailer suggested I submit the files to virustotal.com.
I did and all of them were recognized as malware, all but one had been uploaded to them before.

If anyone reading this knows where I can read up on (those specific) exploits, please let me know, perhaps I can figure out where my vulnerability is/was if I know more about how they work.
Re: rc.local mystery executables
On Sat, Aug 16, 2014 at 1:52 AM, Scott Bonds sc...@ggr.com wrote:
> On Fri, Aug 15, 2014 at 10:50:55AM -0500, Adam Thompson wrote:
>> While a long way from perfect, tools such as chkrootkit and rkhunter might shed some light on your situation. As Giancarlo said, check every machine that's closely interconnected, not just the one compromised server you've noticed. I haven't used them under OpenBSD, so not sure how effective they'll be (both projects claim to support OpenBSD), but they're probably more appropriate than clamscan(1) which looks for mostly MS Windows-based viruses, not rootkits.
>
> Thank you for the suggestion. I just ran both chkrootkit and rkhunter. chkrootkit didn't find any matches. rkhunter had a couple warnings but to my eye they check out, i.e. warning that pkg_info is a perl script. That said, I'm going to make chkrootkit and rkhunter a regular part of my maintenance regime, perhaps add them as daily cron jobs.

Both give warnings that look like false positives, but are really asking you, "Is this something you intended, or would have intended had you known the package did it this way?" (The warning on pkg_info is one such.) It takes a while to learn to weed through them. (I'm still not very used to it.)

Speaking of which, is tripwire still considered useful, if set up right?

--
Joel Rees
Be careful where you see conspiracy. Look first in your own heart.
Re: rc.local mystery executables
On Fri, Aug 15, 2014 at 11:39 PM, Scott Bonds sc...@ggr.com wrote:
> [...]
> Perhaps I should separate the router and 'everything else' roles, so that the router only has builtin OpenBSD software on it, no packages.

Strongly encourage you to get a separate box to run the router and firewall on. (Ted, if you read this, do you run firewall on Beagle Boards?)

> Then again, whatever the exploit, they could probably still use it on the newly separated 'everything else' box. Anyway, I clearly have a lot to learn about security.

Actually, many of the exploits will hit high enough speed bumps getting through the router/firewall, if you set it up right, that the exploit would not succeed in dropping actual rootkit. Not to say you don't need something to watch for rootkits, as well, but combining functions makes for a weaker system.

--
Joel Rees
Be careful where you see conspiracy. Look first in your own heart.
Re: rc.local mystery executables
Yeah it sucks, the miscreants run 24/7 365. My guess is home systems are targeted a lot because there's only an 'IT Dept' of one.

Lots of good stuff in base and the ports collection. mtree can be extended to check file integrity for anything you've modified and other local stuff (something I need to do).

OpenBSD has always rocked for providing very current versions of snort. barnyard2 compiles cleanly on obsd.

IIRC swatch can email you on log events. i.e. I know I haven't logged onto the server for 2 weeks, why was there an unsuccessful (or yikes successful) su/sudo attempt at 0237 when I was sleeping.

Got sagan-1.0.0RC4 set up earlier and was greeted with this alert:

[**] [1001:1] sagan_blacklist: Address found in blacklist [**]
[Classification: Blacklist] [Priority: 1]
2014-08-15 22:58:01 61.174.51.214:1514 - 127.0.0.1:1514 daemon warning
Message: Aug 15 22:57:55.617311 rule 7/(match) block in on rl0: 61.174.51.214.6000 xxx.xxx.xxx.xxx.22: S 1496842240:1496842240(0) win 16384 [tos 0x20]

And snort (timestamps are messed up):

04/21-15:21:46.67 [**] [1:2100528:6] snort GPL SCAN loopback traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 127.0.0.1:53 - 172.xxx.xxx.xxx:31105
12/30-19:03:17.65 [**] [1:2100528:6] snort GPL SCAN loopback traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 127.0.0.1:53 - 172.xxx.xxx.xxx:3117

So you're not alone. Good Luck

On Thu, Aug 14, 2014 at 8:54 PM, Scott Bonds sc...@ggr.com wrote:
> I run an OpenBSD 5.5-stable amd64 server at home. Email, web, etc. Today I was doing some maintenance and I found my way to /etc/rc.local. When I opened it I saw this:
>
> $ cat rc.local
> # $OpenBSD: rc.local,v 1.44 2011/04/22 06:08:14 ajacoutot Exp $
>
> # Site-specific startup actions, daemons, and other things which
> # can be done AFTER your system goes into securemode. For actions
> # which should be done BEFORE your system has gone into securemode
> # please see /etc/rc.securelevel.
>
> cd /etc;./sfewfesfs
> cd /etc;./gfhjrtfyhuf
> cd /etc;./rewgtf3er4t
> cd /etc;./sdmfdsfhjfe
> cd /etc;./gfhddsfew
> cd /etc;./ferwfrre
> cd /etc;./dsfrefr
>
> I don't remember adding those lines to my rc.local file.
>
> $ cd /etc
> $ ls -al ./sfewfesfs
> -rwsrwsrwt 1 root wheel 694680 Apr 4 07:47 /etc/sfewfesfs
> $ file dsfrefr
> dsfrefr: ELF 32-bit LSB executable, Intel 80386, version 1, statically linked, stripped
>
> Seems odd to have a bunch of randomly named executables running at boot. And that they are compiled for 386 (I'm running amd64), and that they have suid set, and to root.
>
> $ clamscan *
> dsfrefr: OK
> ferwfrre: OK
> gfhddsfew: OK
> gfhjrtfyhuf: OK
> rc.local: OK
> rewgtf3er4t: OK
> sdmfdsfhjfe: OK
> sfewfesfs: OK
>
> Scanned directories: 0
> Scanned files: 8
> Infected files: 0
> Data scanned: 3.21 MB
> Data read: 3.20 MB (ratio 1.00:1)
> Time: 10.842 sec (0 m 10 s)
>
> Hmm, ok let's run one.
>
> $ ./dsfrefr
> ./dsfrefr[1]: syntax error: `(' unexpected
>
> That's all any of them say when run.
>
> So...have I been p0wned or does anyone know what innocent thing might be happening here? Please CC sc...@ggr.com on any replies, as I'm not subscribed to updates from the list.
Re: rc.local mystery executables
On Sat, Aug 16, 2014 at 15:22, Joel Rees wrote:
> On Fri, Aug 15, 2014 at 11:39 PM, Scott Bonds sc...@ggr.com wrote:
>> [...]
>> Perhaps I should separate the router and 'everything else' roles, so that the router only has builtin OpenBSD software on it, no packages.
>
> Strongly encourage you to get a separate box to run the router and firewall on. (Ted, if you read this, do you run firewall on Beagle Boards?)

No, I don't think they're usable for that purpose. Only one ethernet, and not very reliable. At least for the Black boards, there's no USB yet, and even on the others, I don't think I'd ever use USB ethernet for something like a firewall that I expect to just work.
Re: rc.local mystery executables
Ok, thanks for confirming (and Chris and Adam). And while I have you here, thank you for all of your contributions to OpenBSD, it's amazing to me the scope and quality of what y'all have built.

I thought I was being reasonably careful: ssh disabled for root, key-only login on my admin account, following stable, etc...then again, I'm running owncloud and a bunch of other (no doubt less secure) software.

Perhaps I should separate the router and 'everything else' roles, so that the router only has builtin OpenBSD software on it, no packages. Then again, whatever the exploit, they could probably still use it on the newly separated 'everything else' box. Anyway, I clearly have a lot to learn about security.

On Thu, Aug 14, 2014 at 09:23:54PM -0400, Ted Unangst wrote:
> On Thu, Aug 14, 2014 at 17:54, Scott Bonds wrote:
>> So...have I been p0wned or does anyone know what innocent thing might be happening here? Please CC sc...@ggr.com on any replies, as I'm not subscribed to updates from the list.
>
> Bad news: yeah. They appear to have screwed up their rootkit by installing the i386 edition, but those files should not be there. I'd reinstall after giving some consideration to how this may have happened (and changing all your passwords, rotating ssh keys, etc.).
Re: rc.local mystery executables
On 15-08-2014 11:39, Scott Bonds wrote:
> I thought I was being reasonably careful: ssh disabled for root, key-only login on my admin account, following stable, etc...then again, I'm running owncloud and a bunch of other (no doubt less secure) software.
>
> Perhaps I should separate the router and 'everything else' roles, so that the router only has builtin OpenBSD software on it, no packages. Then again, whatever the exploit, they could probably still use it on the newly separated 'everything else' box. Anyway, I clearly have a lot to learn about security.

Don't forget to check your own machine, not just your OpenBSD server. It's more often than not the point of origin of the attack. If your machine is compromised, reinstalling your server won't do anything, since they'll reinfect it again.

Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
Re: rc.local mystery executables
On Fri, Aug 15, 2014 at 11:42:32AM -0300, Giancarlo Razzolini wrote:
> Don't forget to check your own machine, not just your OpenBSD server. It's more often than not the point of origin of the attack. If your machine is compromised, reinstalling your server won't do anything, since they'll reinfect it again.

I'm running OpenBSD 5.5-stable on my laptop as well. My laptop isn't running any public services AFAIK...I've configured the ones I'm running on it (like unbound) to only respond to local requests. Then again, I haven't tested those ports from another machine to verify that I locked them down the way I think I have, and now that I think about it, that would be a good idea--I'll add that to my todo list.

If my laptop config IS properly locked down, it would need to be a trojan horse or some kind of Firefox or email based vector, I suppose. Let's see... well, my laptop rc.local doesn't have any mystery files, at least.
Re: rc.local mystery executables
On 14-08-15 10:01 AM, Scott Bonds wrote:
> I'm running OpenBSD 5.5-stable on my laptop as well. My laptop isn't running any public services AFAIK...I've configured the ones I'm running on it (like unbound) to only respond to local requests. Then again, I haven't tested those ports from another machine to verify that I locked them down the way I think I have, and now that I think about it, that would be a good idea--I'll add that to my todo list.
>
> If my laptop config IS properly locked down, it would need to be trojan horse or some kind of Firefox or email based vector, I suppose. Let's see... well, my laptop rc.local doesn't have any mystery files, at least.

While a long way from perfect, tools such as chkrootkit and rkhunter might shed some light on your situation. As Giancarlo said, check every machine that's closely interconnected, not just the one compromised server you've noticed. I haven't used them under OpenBSD, so not sure how effective they'll be (both projects claim to support OpenBSD), but they're probably more appropriate than clamscan(1) which looks for mostly MS Windows-based viruses, not rootkits.

--
-Adam Thompson
athom...@athompso.net
Re: rc.local mystery executables
On 2014-08-15 10:39, Scott Bonds wrote:
> ...I'm running owncloud and a bunch of other (no doubt less secure) software

On June 29, there was a 5.5-stable update to www/owncloud to release 6.0.4 to fix a security issue. If you are looking for possible attack surfaces, this may have been one, or may still be one.

http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/www/owncloud/Makefile
Re: rc.local mystery executables
> On June 29, there was a 5.5-stable update to www/owncloud to release 6.0.4 to fix a security issue.

The developers' announcement, from the webpage for this thingie (I don't know what the hell this software is doing):
-- Yeah, you were screwed!
Re: rc.local mystery executables
On Fri, Aug 15, 2014 at 10:50:55AM -0500, Adam Thompson wrote:
> While a long way from perfect, tools such as chkrootkit and rkhunter might shed some light on your situation. As Giancarlo said, check every machine that's closely interconnected, not just the one compromised server you've noticed. I haven't used them under OpenBSD, so not sure how effective they'll be (both projects claim to support OpenBSD), but they're probably more appropriate than clamscan(1) which looks for mostly MS Windows-based viruses, not rootkits.

Thank you for the suggestion. I just ran both chkrootkit and rkhunter. chkrootkit didn't find any matches. rkhunter had a couple warnings but to my eye they check out, i.e. warning that pkg_info is a perl script. That said, I'm going to make chkrootkit and rkhunter a regular part of my maintenance regime, perhaps add them as daily cron jobs.
Re: [Bulk] Re: rc.local mystery executables
previously on this list Scott Bonds contributed:
> I'm running OpenBSD 5.5-stable on my laptop as well. My laptop isn't running any public services AFAIK...I've configured the ones I'm running on it (like unbound) to only respond to local requests. Then again, I haven't tested those ports from another machine to verify that I locked them down the way I think I have, and now that I think about it, that would be a good idea--I'll add that to my todo list.
>
> If my laptop config IS properly locked down, it would need to be trojan horse or some kind of Firefox

Is your firefox/email client 6 months old or are you using the updated mtier packages?

--
___
'Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface' (Doug McIlroy)
In Other Words - Don't design like polkit or systemd
___
Re: rc.local mystery executables
On 2014-08-15 12:38, Mihai Popescu wrote:
>> On June 29, there was a 5.5-stable update to www/owncloud to release 6.0.4 to fix a security issue.
>
> The developers' announcement, from the webpage for this thingie (I don't know what the hell this software is doing):
> -- Yeah, you were screwed!

There are a number of security issues that have been fixed in that release -- if I read their web page correctly -- including one which that project perceives to be a high-risk issue:
https://owncloud.org/security/advisory/?id=oc-sa-2014-018

There's also a big one, that earlier this month that project decided *not to fix*. I don't know anything about OwnCloud either, but this sort of issue is one that should probably be addressed.
https://senderek.ie/archive/2014/owncloud_unencrypted_private_key_exposure.php

An attacker, who is able to read the PHP session files by exploiting another web application that is running on the ownCloud server, will be able to gather the unencrypted private key of every ownCloud user. All encrypted files that are stored in a user's home directory can be decrypted with this RSA private key, stored in the PHP session files in plain text. If the user's encrypted files are synced to other devices or shared with other servers - for hosting or backup - an attacker will be able to decrypt all user data that is being intercepted, even if the attacker has no longer access to the server's file system.
Re: rc.local mystery executables
Before I blocked all of China, I saw something very similar on an ssh honeypot I run. Every few hours or so, I'd get the following:
http://sprunge.us/OGfE

Seemed totally automated.

J. Stuart McMurray

On Fri, Aug 15, 2014 at 1:51 PM, Josh Grosse j...@jggimi.homeip.net wrote:
> On 2014-08-15 12:38, Mihai Popescu wrote:
>>> On June 29, there was a 5.5-stable update to www/owncloud to release 6.0.4 to fix a security issue.
>>
>> The developers' announcement, from the webpage for this thingie (I don't know what the hell this software is doing):
>> -- Yeah, you were screwed!
>
> There are a number of security issues that have been fixed in that release -- if I read their web page correctly -- including one which that project perceives to be a high-risk issue:
> https://owncloud.org/security/advisory/?id=oc-sa-2014-018
>
> There's also a big one, that earlier this month that project decided *not to fix*. I don't know anything about OwnCloud either, but this sort of issue is one that should probably be addressed.
> https://senderek.ie/archive/2014/owncloud_unencrypted_private_key_exposure.php
>
> An attacker, who is able to read the PHP session files by exploiting another web application that is running on the ownCloud server, will be able to gather the unencrypted private key of every ownCloud user. All encrypted files that are stored in a user's home directory can be decrypted with this RSA private key, stored in the PHP session files in plain text. If the user's encrypted files are synced to other devices or shared with other servers - for hosting or backup - an attacker will be able to decrypt all user data that is being intercepted, even if the attacker has no longer access to the server's file system.
rc.local mystery executables
I run an OpenBSD 5.5-stable amd64 server at home. Email, web, etc. Today I was doing some maintenance and I found my way to /etc/rc.local. When I opened it I saw this:

$ cat rc.local
# $OpenBSD: rc.local,v 1.44 2011/04/22 06:08:14 ajacoutot Exp $

# Site-specific startup actions, daemons, and other things which
# can be done AFTER your system goes into securemode. For actions
# which should be done BEFORE your system has gone into securemode
# please see /etc/rc.securelevel.

cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sdmfdsfhjfe
cd /etc;./gfhddsfew
cd /etc;./ferwfrre
cd /etc;./dsfrefr

I don't remember adding those lines to my rc.local file.

$ cd /etc
$ ls -al ./sfewfesfs
-rwsrwsrwt 1 root wheel 694680 Apr 4 07:47 /etc/sfewfesfs
$ file dsfrefr
dsfrefr: ELF 32-bit LSB executable, Intel 80386, version 1, statically linked, stripped

Seems odd to have a bunch of randomly named executables running at boot. And that they are compiled for 386 (I'm running amd64), and that they have suid set, and to root.

$ clamscan *
dsfrefr: OK
ferwfrre: OK
gfhddsfew: OK
gfhjrtfyhuf: OK
rc.local: OK
rewgtf3er4t: OK
sdmfdsfhjfe: OK
sfewfesfs: OK

Scanned directories: 0
Scanned files: 8
Infected files: 0
Data scanned: 3.21 MB
Data read: 3.20 MB (ratio 1.00:1)
Time: 10.842 sec (0 m 10 s)

Hmm, ok let's run one.

$ ./dsfrefr
./dsfrefr[1]: syntax error: `(' unexpected

That's all any of them say when run.

So...have I been p0wned or does anyone know what innocent thing might be happening here? Please CC sc...@ggr.com on any replies, as I'm not subscribed to updates from the list.
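The three signs in this post (rc.local lines that run random-named binaries out of /etc, setuid-root files sitting in /etc, and 32-bit i386 ELF files on an amd64 host) can be checked mechanically. The POSIX sh audit below is an added example, not code from the thread or from OpenBSD; it builds a constructed sample directory with fake ELF headers so it runs offline, and the sample file names, the `demo` argument and the `uname -m` mapping in `host_arch` are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits for the three signs in the
# original post: (1) rc.local lines that run a binary out of /etc,
# (2) setuid/setgid files in /etc, (3) ELF binaries whose class/machine
# disagree with the host (the post found i386 32-bit files on amd64).
# build_sample constructs a fake directory so the checks can be exercised
# offline; the file names and the "demo" argument are this example's own.

# (1) Flag lines of the form "cd /etc;./name". "|| :" keeps a clean rc.local
# (no match, grep exit 1) from aborting a caller that runs under set -e.
suspicious_rc_lines() {
    grep -nE '(^|;)[[:space:]]*cd[[:space:]]+/etc[[:space:]]*;[[:space:]]*\./' "$1" || :
}

# (2) Regular files with the setuid (4000) or setgid (2000) bit, one level deep.
setuid_files() {
    find "$1" -maxdepth 1 -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# (3) Read the ELF header: EI_CLASS at offset 4, e_machine (16-bit,
# little-endian as on i386/x86-64) at offset 18. od(1) is POSIX.
elf_arch() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    if [ "$magic" != "7f454c46" ]; then
        echo not-elf
        return 0
    fi
    class=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' \n')
    lo=$(od -An -tu1 -j18 -N1 "$1" | tr -d ' \n')
    hi=$(od -An -tu1 -j19 -N1 "$1" | tr -d ' \n')
    machine=$((lo + 256 * hi))
    case "$class/$machine" in
        1/3)  echo i386-32 ;;      # ELFCLASS32 + EM_386
        2/62) echo x86_64-64 ;;    # ELFCLASS64 + EM_X86_64
        *)    echo "other-$class/$machine" ;;
    esac
}

# Tag that elf_arch prints for a binary native to this host.
host_arch() {
    case "$(uname -m)" in
        x86_64|amd64)        echo x86_64-64 ;;
        i386|i486|i586|i686) echo i386-32 ;;
        *)                   echo unknown ;;
    esac
}

# ELF files in directory $1 whose tag differs from $2 (default: this host).
foreign_elf_files() {
    want=${2:-$(host_arch)}
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        a=$(elf_arch "$f")
        [ "$a" = not-elf ] && continue
        [ "$a" = "$want" ] || echo "$f $a"
    done
}

# Constructed sample: an rc.local like the posted one, a 20-byte i386 ELF
# header with the setuid bit, and a 20-byte x86-64 header without it.
build_sample() {
    d=$(mktemp -d)
    printf '%s\n' \
        '# Site-specific startup actions, daemons, and other things which' \
        'cd /etc;./sfewfesfs' \
        'cd /etc;./dsfrefr' \
        '/usr/local/sbin/legit-daemon -d' > "$d/rc.local"
    # \177ELF, class 1 (32-bit), LE, version 1, pad, e_type 2, e_machine 3
    printf '\177ELF\001\001\001\000\000\000\000\000\000\000\000\000\002\000\003\000' > "$d/dsfrefr"
    chmod 4755 "$d/dsfrefr"
    # class 2 (64-bit), e_machine 62 (0x3e, octal 076)
    printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000\002\000\076\000' > "$d/native"
    chmod 755 "$d/native"
    echo "$d"
}

# "sh audit.sh demo" runs the checks against the sample; point the three
# functions at /etc/rc.local and /etc to audit a real host.
if [ "${1:-}" = demo ]; then
    s=$(build_sample)
    suspicious_rc_lines "$s/rc.local"
    setuid_files "$s"
    foreign_elf_files "$s"
    rm -r "$s"
fi
```

On a real host the same checks are what security(8) and an mtree baseline would have surfaced daily, had the root mail alias been working.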
Re: rc.local mystery executables
Scott Bonds [sc...@ggr.com] wrote:
> I run an OpenBSD 5.5-stable amd64 server at home. Email, web, etc. Today
...
> $ file dsfrefr
> dsfrefr: ELF 32-bit LSB executable, Intel 80386, version
...
> So...have I been p0wned or does anyone know what innocent thing might be happening here? Please CC sc...@ggr.com on any replies, as I'm not subscribed to updates from the list.

Yeah, you are compromised.
Re: rc.local mystery executables
On 14-08-14 07:54 PM, Scott Bonds wrote:
> So...have I been p0wned or does anyone know what innocent thing might be happening here?

I think you already know the answer, unless you've done something very, very strange back in April. However, it could be said that the 3rd party here isn't terribly competent, mixing arches and leaving traces behind. The most innocent thing I can think of is that someone is playing a prank on you...

--
-Adam Thompson
athom...@athompso.net
Re: rc.local mystery executables
On Thu, Aug 14, 2014 at 17:54, Scott Bonds wrote:
> So...have I been p0wned or does anyone know what innocent thing might be happening here? Please CC sc...@ggr.com on any replies, as I'm not subscribed to updates from the list.

Bad news: yeah. They appear to have screwed up their rootkit by installing the i386 edition, but those files should not be there. I'd reinstall after giving some consideration to how this may have happened (and changing all your passwords, rotating ssh keys, etc.).