OpenBSD machine was hacked


OpenBSD machine was hacked

peterwkc
Dear All,

Recently, I realized that my OpenBSD firewall router was not usable
anymore due to pf rules having been changed by using the carp and pfsync mechanism.

Here is my proof.

I tried to reinstall the whole machine and plugged the modem LAN cable
into the NIC. All my written pf rules were flushed and changed. This happened
even without an internet connection (no IP address assigned).

I suspect this was done by my ISP. I believe my OpenBSD machine was
located in the same subnet as their machine.

I even tried to disable the carp protocol, but my pf rules still got flushed
out.
How can this happen?
How to prevent it?
How can my ISP synchronize its pf rules to my machine without an IP assigned?
I suspect they achieved it at Layer 2 by using MAC spoofing / MAC targeting of my
machine.
net.inet.carp.allow=0

Please help. Very urgent.

--
Linux


Re: OpenBSD machine was hacked

peterwkc
The changes were not made to the /etc/pf.conf file; they are at runtime.

I issued the pfctl -sr command, which reflects this.


On Tue, Jul 28, 2015 at 5:35 PM, Stefan Wollny <[hidden email]> wrote:

> Hi,
>
> I can't tell you anything about what might have happened as you didn't provide
> enough information and I am not educated to give any hints. But to prevent
> any changes you might consider using "chflags" after you have set up your
> pf.conf:
>
> $ sudo chflags schg /etc/pf.conf
>
> Keep in mind that changes thereafter are only possible if you reboot into
> insecure mode. man 1 chflags is your friend.
>
> If this doesn't help it is beyond my knowledge.
>
> Good luck!
> STEFAN
>
--
Linux


Re: OpenBSD machine was hacked

Giancarlo Razzolini-3
In reply to this post by peterwkc
On 28-07-2015 06:17, Wong Peter wrote:

You use a very controversial subject in order to draw attention in the
hope that someone will help you. And not only can't you manage to give a
shred of evidence to support your claim, you can't even manage to
provide enough information for some good soul on this list to help you.
Come back when you have sorted this out.

Cheers,
Giancarlo Razzolini


Re: OpenBSD machine was hacked

Peter Nicolai Mathias Hansteen
In reply to this post by peterwkc
On 07/28/15 11:17, Wong Peter wrote:

> Recently, I realized that my OpenBSD firewall router was not
> usable anymore due to pf rules having been changed by using the carp and pfsync
> mechanism.

It would be a lot easier to offer assistance if you offer some facts
(including config files and the output of various commands you should
find obvious, and data from relevant log files would be nice), along
with the reasoning behind that conjecture.

I have several plausible scenarios in mind that could be good fits for
your very vaguely described symptoms, but there's no way anybody can
help you without some actual information on the configuration and
problem at hand.
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


Re: OpenBSD machine was hacked

peterwkc
In reply to this post by Giancarlo Razzolini-3
What information do you all require?

--
Linux


Re: OpenBSD machine was hacked

Daniel Boulet
There are all sorts of information that you could provide:

- why do you believe that your machine was hacked? You seem to think that someone at your ISP did whatever was done. Why do you believe that to be true? Why would someone at your ISP want to do this? Why would someone at your ISP be better able to do this than some random bad person out on the Internet?

- you say that whatever happened was done by your ISP even though you had no Internet connection. Why do you believe that this is even possible? Why do you believe that you had no Internet connection? If you had no Internet connection, how is it that someone at your ISP would have been able to access the machine? Where is the machine actually located?

- you say that your pf rules were flushed. Why do you believe that they were ever loaded in the first place? Can you demonstrate that the rules were in place at one point in time and that they are no longer in place later? Have you tried rebooting the machine and then immediately checking to see if the rules are there or not?

- you say that you suspect that your ISP used some sort of “Layer 2 by using mac spoofing/mac target” technique. Please say more about “some sort of” - what sort of? Why do you believe that this technique, whatever it is, might work? Can you even provide a basic explanation of how this technique, whatever it is, might have been used to hack your machine, or is this just a theory with no evidence to support it?

There are lots of other questions you could answer. For example, what messages appear in your log files that support your theory? Even a list of the evidence that you see that supports your theory might help. It almost sounds like you are saying that you cannot figure out how whatever happened occurred, so it must have been someone at your ISP. That is a pretty big leap to make without some evidence that actually points at your ISP.

-Danny



Re: OpenBSD machine was hacked

Joel Rees-2
In reply to this post by peterwkc
One question at a time.

On Tue, Jul 28, 2015 at 6:17 PM, Wong Peter <[hidden email]> wrote:
> Dear All,
>
> Recently, I realized that my OpenBSD firewall router was not usable
> anymore

What symptoms?

> due to pf rules having been changed

Can you show the configuration, the rules before the undesired
changes, and the rules after the changes?

> by using the carp and pfsync mechanism.

Have you checked for unauthorized logins, rootkits, and such things?

> Here is my proof.

Without the log messages that should be generated when you went
through this, it's hard to analyze this.

> I tried to reinstall the whole machine and plugged the modem LAN cable
> into the NIC. All my written pf rules were flushed and changed. This happened
> even without an internet connection (no IP address assigned).

Can you provide copies of your logs when you did this?

If not, can you do it again, keeping logs this time?

> I suspect this was done by my ISP. I believe my OpenBSD machine was
> located in the same subnet as their machine.

Check your DHCP client, as well. Both the configuration and the logs.

> I even tried to disable the carp protocol, but my pf rules still got flushed
> out.

Again, can you show before and after?

> How can this happen?

How can what happen?

> How to prevent it?

It's hard to prevent things you don't understand.

And it's hard to give advice when it seems like the advice won't be
understood. (Pardon me for being blunt.)

> How can my ISP synchronize its pf rules to my machine without an IP assigned?

Why ask this question before you know what really happened?

> I suspect they achieved it at Layer 2 by using MAC spoofing / MAC targeting of my
> machine.
> net.inet.carp.allow=0

Suspicion is free, but it doesn't help without understanding.

> Please help. Very urgent.

Get answers to the first questions first.

The other questions don't make sense without answers to the first questions.

If it's urgent, that's all the more reason to start with questions you
can understand.

(This is what everyone else is saying.)

--
Joel Rees

Be careful when you look at conspiracy.
Arm yourself with knowledge of yourself, as well:
http://reiisi.blogspot.jp/2011/10/conspiracy-theories.html


Re: OpenBSD machine was hacked

peterwkc
In reply to this post by Daniel Boulet
Q: Why do you believe that your machine was hacked?
A: My pf rules were flushed. This can be proven using pfctl -sr. The whole
firewall was not usable anymore. No NAT nor packet filtering.

Q: You say that whatever happened was done by your ISP even though you had
no Internet connection. Why do you believe that to be true?
A: Our ISP has implemented monitoring like the NSA or British GCHQ. Moreover,
hacking OpenBSD is not that easy. First-hop hacking is much easier than
for anyone else.

Q: Why do you believe that you had no Internet connection?
A: No response when pinging the DNS server, and no IP address assigned to the pppoe0
interface.

Q: If you had no Internet connection, how is it that someone at your ISP
would have been able to access the machine?
A: I have no idea. Thus, I asked it here.

Q: Where is the machine actually located?
A: This is a home-use firewall router sitting behind a modem.

Where can I find log files showing pf rules being flushed out using carp or
pfsync?

I understand you all want to help me and you all require information.
I tried to pack the whole OS into a zip file and copy it to a portable hard
disk, but it failed.
It says no such file or directory.
cp /home/user/bsd.tar.gz /mnt/obsd/

What is wrong with it?

--
Linux


Re: OpenBSD machine was hacked

Martin Brandenburg
On Wed, 29 Jul 2015, Wong Peter wrote:

I see no evidence that your ISP hacked your machine. As you say, hacking
OpenBSD is not easy. Further, it is difficult to imagine what motive
somebody might have in hacking into your machine and turning your
Internet connection and NAT off.

One plausible scenario is that your firewall rules are not set up
correctly to begin with, and the machine rebooted due to a power
interruption, and the firewall rules never got put back in. There are
many other plausible scenarios that somebody with more time could think
of.

Is your computer set up to restore the connection and firewall on boot?
Have you tested that?

As far as intrusion goes, the best place to look would be
/var/log/authlog, which will record logins. However, I think what I've
outlined above will be a more fruitful approach.

Further, your entire OS image is far too large to send here, and very few
people here will have the patience to wade through it searching for your
problem.

If cp says "no such file or directory" then either the source file path
is wrong or the destination directory does not exist. To be very blunt,
the fact that you did not know this makes me suspect that you have
misconfigured your system in some way. Describe how you configured it,
and somebody may be able to help you.

-- Martin


Re: OpenBSD machine was hacked

Peter J. Philipp-3
In reply to this post by peterwkc
On 07/29/15 03:33, Wong Peter wrote:
> Q: Why do you believe that your machine was hacked?
> A: My pf rules were flushed. This can be proven using pfctl -sr. The whole
> firewall was not usable anymore. No NAT nor packet filtering.

Hi Peter,

Can you let us know the version and architecture of OpenBSD you were
running, and any ports you might have installed? What sort of programs
were facing the network, i.e. what netstat -na would tell.

Also, I gather you used ssh to access the machine. Do you use a strong
password? Does your ISP know your password? If they installed a snooping
mechanism they don't know your password per se, only if you've given it
to them.

You seem to have some trouble mounting a drive, indicating that you're
new to OpenBSD. I don't want to call you a newbie but this is likely a
newbie mistake. In regards to mounting the external hard drive, use mount
to mount the drive first; it doesn't automatically get auto-mounted.

Right now I see a lot of guessing on what's going on and little fact.
Help us with the facts so that _perhaps_ we can see an avenue of attack.

Regards,

-peter philipp


Re: OpenBSD machine was hacked

Stuart Henderson
In reply to this post by peterwkc
On 2015-07-29, Wong Peter <[hidden email]> wrote:
> Where can I find log files showing pf rules being flushed out using carp or
> pfsync?

pfsync can only sync firewall state tables (pfctl -ss).

carp can't change anything to do with PF settings - not rules, not states.

There is no mechanism to sync or flush rules without logging in to the
machine.

If there's an error in your pf.conf file, default rules will be used
instead. Run "pfctl -nf /etc/pf.conf" and check for error messages.

What are the actual rules that were installed? Show "pfctl -sr" output.
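Stuart's two points (pfsync moves states, not rules; a pf.conf that fails to parse leaves default rules loaded) and the repeated requests for before/after rule listings translate into a handful of checks. The script below is an added example, not code from the thread or from OpenBSD: it snapshots `pfctl -sr` output so a later change can be diffed, and runs `pfctl -nf` on /etc/pf.conf; the snapshot directory and file naming are assumptions.

```sh
#!/bin/sh
# pf_audit.sh: added example for this thread, not code from the list or from
# OpenBSD. It collects the "before and after" evidence the replies ask for:
# save the loaded pf ruleset, diff it against the previous snapshot, and
# check that /etc/pf.conf parses, since a parse error makes rc fall back to
# default rules at boot, which looks just like "my rules were flushed".
#
# Usage:  sh pf_audit.sh /var/db/pf-snapshots   (snapshot dir is an assumption)
# With no arguments the file only defines functions, so it can be sourced.

PFCONF=${PFCONF:-/etc/pf.conf}

# check_pfconf FILE: parse FILE without loading it (pfctl -nf).
# Returns pfctl's exit status; parse errors are printed to stderr.
check_pfconf() {
    pfctl -nf "$1"
}

# loaded_rules: print the ruleset currently loaded in the kernel.
loaded_rules() {
    pfctl -sr
}

# snapshot_rules DIR: save the loaded ruleset to DIR as rules.NNNNN.TIMESTAMP.
# The sequence number keeps snapshots sortable by name; prints the new path.
snapshot_rules() {
    dir=$1
    mkdir -p "$dir"
    n=$(ls -1 "$dir"/rules.* 2>/dev/null | wc -l)
    file=$(printf '%s/rules.%05d.%s' "$dir" "$((n + 1))" "$(date +%Y%m%d-%H%M%S)")
    loaded_rules > "$file"
    printf '%s\n' "$file"
}

# latest_snapshot DIR: path of the newest snapshot in DIR, or nothing.
latest_snapshot() {
    ls -1 "$1"/rules.* 2>/dev/null | sort | tail -n 1
}

# compare_rules OLD NEW: 0 if the rulesets are identical, 1 if they differ
# (unified diff printed), 2 if either snapshot is missing.
compare_rules() {
    [ -f "$1" ] && [ -f "$2" ] || return 2
    if diff -u "$1" "$2"; then
        return 0
    fi
    return 1
}

# rule_count FILE: number of rules in a snapshot. Zero means pf is not
# filtering anything at all, the symptom described in the thread.
rule_count() {
    grep -c '[^[:space:]]' "$1" || true
}

main() {
    snapdir=$1
    prev=$(latest_snapshot "$snapdir")
    cur=$(snapshot_rules "$snapdir")
    echo "loaded rules: $(rule_count "$cur") (saved to $cur)"

    if check_pfconf "$PFCONF"; then
        echo "$PFCONF parses cleanly"
    else
        echo "$PFCONF has errors: rc loads default rules at boot until this is fixed"
    fi

    if [ -n "$prev" ]; then
        if compare_rules "$prev" "$cur"; then
            echo "ruleset unchanged since $prev"
        else
            echo "ruleset CHANGED since $prev (diff above); review /var/log/authlog"
        fi
    fi
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it once after loading the rules you expect and again when the firewall misbehaves; the diff, together with the parse check, separates a pf.conf typo from an actual change on the box.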