hacked for the second time

20 messages

hacked for the second time

Cord
Hi,
I have a strong suspicion that my OpenBSD box has been hacked for the second time in a few weeks. The first time was some weeks ago: I had some suspicions, and after a few checks I found that someone had connected to my VPS via ssh on a non-standard port using my ssh key. The connection came from a Tor exit node. There were 2 connections, and they had been up for 5 days. Now I have some other new suspicions, because some private emails seem to be known by others. I have also found other open sessions on the web GUI of my email provider, but I am absolutely sure I have always logged out.
I am using just chrome+unveil and I haven't used any other script or opened PDFs (maybe I have opened 1 or 2 PDFs from inside Chrome). I have used epiphany *only* to open the webmail, because Chrome crashes. My email provider supports HTML (obviously), but generally photos are not loaded. Of course I have pf enabled and few services.
I also use a VPN and I visit very few websites with Chrome, maybe 20 or 25 websites just to read news. Sometimes I search for things about OpenBSD.
Could anyone help me?
Cord.




Re: hacked for the second time

Raul Miller
If someone is using your ssh key and you do not want that to happen,
please replace your keys.

Thanks,

--
Raul

On Wed, Apr 3, 2019 at 2:58 PM Cord <[hidden email]> wrote:



Re: hacked for the second time

Anders Andersson
In reply to this post by Cord
On Wed, Apr 3, 2019 at 8:58 PM Cord <[hidden email]> wrote:


Sounds to me like you're letting someone else mess with your hardware
since you mention a VPS. I don't see how you could trust that in the
first place. They have complete access to every machine.


Re: hacked for the second time

Zeb Packard
In reply to this post by Cord
If you've got money go here:  https://www.openbsd.org/support.html

If you don't have money go ask here: http://daemonforums.org/

Generally, MSP, ISP and IT requests don't go on this list. You've posted no
evidence - a big no-no. You need a high level of forensic verification
before you bring this problem to the list.

Good luck,

Zeb

On Wed, Apr 3, 2019 at 11:59 AM Cord <[hidden email]> wrote:


Re: hacked for the second time

R0me0 ***
You can block connections from Tor; the ssh keys must be replaced, and of
course, are you using a passphrase for them?

Regards,


On Wed, Apr 3, 2019 at 16:12, Zeb Packard <[hidden email]>
wrote:


Re: hacked for the second time

Mark Leonard
This seems relevant:
https://blog.netspi.com/stealing-unencrypted-ssh-agent-keys-from-memory/



On Wed, Apr 3, 2019 at 2:33 PM R0me0 *** <[hidden email]> wrote:


Re: hacked for the second time

Tor Houghton
In reply to this post by Cord
Hi,

Difficult to make any recommendations based on this information, but once
you've recovered, enforce ssh key-based logins only.

Given that your client might be compromised, you probably want to look into
that as well.

To limit the possibilities that someone gets access to your
ssh private key's keyphrase, store it off-client -- for example using your
mobile phone (e.g. Kryptonite -- https://krypt.co; do read caveat regarding
Android crypto).

Good luck.

On Wed, Apr 03, 2019 at 06:56:39PM +0000, Cord wrote:


Re: hacked for the second time

Cord
Hi, my English seems very bad, because my problem is not how to secure the ssh key. My problem is how not to be hacked.
I talked about the ssh key stealing to show signs that my PC had been compromised.
I can for sure secure my ssh key, but how do I secure the PC?
If I have a rootkit that steals the ssh key, the problem is the rootkit. You know, a keylogger that steals passwords? Or cookie stealing?



Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, April 4, 2019 10:19 AM, Tor Houghton <[hidden email]> wrote:




Re: hacked for the second time

Flipchan
In reply to this post by Cord
Set up snort or verbose logging to find out what's wrong

On April 3, 2019 8:56:39 PM GMT+02:00, Cord <[hidden email]> wrote:


--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: hacked for the second time

Gminfly
In reply to this post by Cord
Seeing that OpenBSD comes secure out of the Box the most likely
thing is that you yourself compromised your System through 3rd
party software. If it even is the case. I think the best course of
action would be to go for a forensic approach. Google how to log ssh
traffic and where to find the logs. Then confirm your remote access
actually happens. If so you should determine what software exposed
you. VPN, Some Web Service, Your own stupidity? If you really use
ssh keys instead of password login then someone had to be able
to access those, usually outside of transfer. So most likely your
work device is compromised and your OpenBSD server is just a
casualty.

> On 4 Apr 2019, at 11:57, Cord <[hidden email]> wrote:


Re: hacked for the second time

Peter Nicolai Mathias Hansteen
In reply to this post by Cord
On Wed, Apr 03, 2019 at 06:56:39PM +0000, Cord wrote:
> I have some heavy suspect that my openbsd box was been hacked for the second time in few weeks. The first time was been some weeks ago, I have got some suspects and after few checks I have found that someone was been connected to my vps via ssh on a non-standard port using my ssh key. The connection came from a tor exit node. There were been 2 connections and up since 5 days. Now I have some other new suspects because some private email seems knew from others. Also I have found other open sessions on the web gui of my email provider, but I am abolutely sure I have done the logout always.

If you see ssh sessions that shouldn't be there, kill those sessions.

Then before they log in again, do whatever changes are required such as generating
new keys, changing your password or similar, and of course clean up your sshd config.

From your (not very precise) description it could even be that a separate set of
binaries has been installed in addition to the system sshd. Look for those too.

Basically, do not trust your system as it is. Wipe, reinstall and rebuild should be an option.

For the webmail access, do change your password and if they support it, look into
any multi-factor authentication options.

Moving forward, learn how to read and interpret logs and for that matter packet captures.

The information you have offered up does not give any indication how the suspected
attackers got hold of enough information to get access (if indeed it is what happened).

That information could possibly be found in your logs, but in my experience it is far
more likely that somebody with access to the system made some stupid mistake such
as clicking a link in a mailed webpage, speaking their password out loud within
hearing distance of somebody with enough context information to be able to use it,
or something else equally cringeworthy. Then your logs would only show a successful
login, perhaps from somewhere unexpected, as the start of the compromise.

I hope some of this stream of semi-random items is of some use.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
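Two of the checks Peter describes (is someone logging in to the VPS with the authorised key from somewhere you never log in from, and is anything besides the system sshd listening), as an added example that is not part of the thread and not Peter's or Cord's own commands. It runs on constructed sample data: the authlog lines, addresses (documentation ranges), fingerprints and the netstat snapshot are all made up for the example. On a real box you would feed it /var/log/authlog and the output of `netstat -an -f inet`.

```shell
#!/bin/sh
# Added example, not from the thread. Two triage checks for Cord's situation:
#   1. which accepted ssh logins need explaining (wrong key, wrong source,
#      or not a key login at all), and
#   2. which TCP listeners are not on the allowlist (a second sshd bound to
#      a port you never configured would show up here).
# Every input below is constructed sample data.

# Assumed: the fingerprint of the one key you actually authorise.
GOOD_FP='SHA256:GoodKeyFingerprintXXXXXXXXXXXXXXXXXXXXXXXXXX'

# Constructed /var/log/authlog excerpt in OpenSSH's "Accepted ..." format.
AUTHLOG='Apr  1 03:12:45 vps sshd[8811]: Accepted publickey for cord from 198.51.100.7 port 41722 ssh2: ED25519 '"$GOOD_FP"'
Apr  1 22:40:02 vps sshd[9102]: Accepted publickey for cord from 203.0.113.9 port 55021 ssh2: ED25519 '"$GOOD_FP"'
Apr  2 04:01:17 vps sshd[9177]: Accepted password for root from 192.0.2.44 port 60002 ssh2
Apr  2 09:15:33 vps sshd[9233]: Accepted publickey for cord from 198.51.100.7 port 41800 ssh2: ED25519 SHA256:OtherKeyNeverAuthorisedYYYYYYYYYYYYYYYYYYYY
Apr  2 11:22:10 vps sshd[9412]: Accepted publickey for cord from 192.0.2.200 port 43210 ssh2: ED25519 '"$GOOD_FP"'
Apr  2 11:25:44 vps sshd[9420]: Failed publickey for cord from 192.0.2.200 port 43300 ssh2: ED25519 SHA256:OtherKeyNeverAuthorisedYYYYYYYYYYYYYYYYYYYY'

# Constructed `netstat -an -f inet` snapshot: sshd on 2222, an openvpn UDP
# socket, and an extra TCP listener on 4444 that nobody configured.
NETSTAT='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  *.2222                 *.*                    LISTEN
tcp          0      0  203.0.113.10.2222      198.51.100.7.41722     ESTABLISHED
tcp          0      0  *.4444                 *.*                    LISTEN
udp          0      0  *.1194                 *.*'

# suspicious_logins ALLOWED_PREFIXES EXPECTED_FP < authlog
#   ALLOWED_PREFIXES: space-separated address prefixes you log in from
#   (crude string-prefix match, good enough for a handful of home/office
#   networks). EXPECTED_FP: the only key fingerprint that should appear.
#   Prints one line per accepted login that used password auth, an unknown
#   key, or the right key from an unexpected source.
suspicious_logins() {
    awk -v allowed="$1" -v fp="$2" '
        BEGIN { n = split(allowed, pref, " ") }
        /sshd\[[0-9]+\]: Accepted / {
            method = $7; user = $9; src = $11; key = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^SHA256:/) key = $i
            ok = 0
            for (i = 1; i <= n; i++) if (index(src, pref[i]) == 1) ok = 1
            reason = ""
            if (method != "publickey") reason = "non-key auth (" method ")"
            else if (key != fp)        reason = "unknown key " key
            else if (!ok)              reason = "unexpected source"
            if (reason != "") print $1, $2, $3, user, "from", src ":", reason
        }'
}

# unexpected_listeners ALLOWED_PORTS < netstat_output
#   Prints "proto local-address" for every TCP socket in LISTEN state whose
#   port is not in the space-separated allowlist.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            m = split($4, a, "."); port = a[m]
            if (!(port in ok)) print $1, $4
        }'
}

echo '== accepted logins that need explaining =='
printf '%s\n' "$AUTHLOG" | suspicious_logins "198.51.100. 203.0.113." "$GOOD_FP"
echo '== TCP listeners not on the allowlist =='
printf '%s\n' "$NETSTAT" | unexpected_listeners "2222"
```

The third report is the one Cord describes: the authorised key, used from an address he never logs in from. That is direct evidence the private key exists somewhere else, and because the log lives on the VPS a rootkit on the desktop cannot scrub it. Whether the source is a Tor exit is a separate lookup against the exit-node list the Tor project publishes; on OpenBSD the usual follow-up is to load that list into a pf table and block it, as R0me0 suggested.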


Re: hacked for the second time

Cord
In reply to this post by Gminfly



Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, April 4, 2019 12:27 PM, Normen Wohner <[hidden email]> wrote:

> Seeing that OpenBSD comes secure out of the Box the most likely
> thing is that you yourself compromised your System through 3rd
> party software. If it even is the case. I think the best course of
> action would be to go for a forensic approach. Google how to log ssh
> traffic and where to find the logs. Then confirm your remote access
> actually happens. If so you should determine what software exposed
> you. VPN, Some Web Service, Your own stupidity? If you really use
> ssh keys instead of password login then someone had to be able
> to access those, usually outside of transfer. So most likely your
> work device is compromised and your OpenBSD server is just a
> casualty.
>

Maybe my description is not very clear.
I'll try to explain again.
I installed an OpenBSD desktop 2 months ago. With this I used Firefox (and epiphany for the webmail) and I opened some (1 or 2) PDFs from a command shell. After the installation I always used a VPN from a very secure VPN provider; I think it is impossible that this provider tried to hack its clients. I use a VPN to browse the internet because I often use untrusted wifis.
At this point, after 1 month, I started to suspect a break-in because private messages seemed to be known by others. I started to search for a rootkit and I found signs of hacking in the ssh connections of my VPS. I mean, a Tor exit node was connected to the VPS's ssh with my ssh key. So, because my key had been exfiltrated, my desktop had been hacked. But I repeat, the problem is not the server (VPS). The problem is the desktop and how the key was exfiltrated.
Then I deleted everything (also the VPS), reinstalled OpenBSD on my desktop, changed VPN provider and started to use chrome+unveil. Again, private messages seem to be known by others... I searched again and found webmail sessions open, but I am sure I logged out every time. If the webmail session is open and you have the session cookie, you can browse my email. So this is another sign of a rootkit or something. Then I wrote to misc.

Now the answer to your email.
I think the only way they could have broken in is through the browser, Chrome. As I said, I haven't used scripts to connect to the internet (based for example on curl) and I haven't opened PDFs outside the browser (in this second installation of the desktop). I started to use unveil 1 or 2 days after the install. As I said, I use epiphany to connect to the webmail and only to the webmail. About forensics, I asked on this mailing list how to use pkg_check from a live environment on the infected system, but nobody answered.
https://marc.info/?l=openbsd-misc&m=155404594328762&w=2

Another way could be an OpenBSD mirror compromise.. I don't think so, but I don't know.
Cord



Re: hacked for the second time

Kevin Chadwick-4
In reply to this post by Cord
On 4/4/19 10:57 AM, Cord wrote:

The latest chrome (available with current) just had 30 security fixes, however
pledge could possibly still protect your ssh key. More likely the html/js email
is the vector. You could run email as another user, or use plain text only.

OpenBSD puts the odds in your favour more than anything else, but it is not
infallible.

If you can't evaluate the risks yourself, I would suggest you do the work to run
current and upgrade from snapshots regularly.


Re: hacked for the second time

Peter J. Philipp-3
In reply to this post by Cord
On Thu, Apr 04, 2019 at 11:42:15AM +0000, Cord wrote:

Hi,

You could try a few things after changing your SSH keys.

1. store SSH keys somewhere else than $HOME/.ssh, I do this
2. run chrome or firefox as another user so that someone who breaks out of the
webbrowser can't get to the ssh keys (I used to do this but it had problems
with pasting, so I gave up).
3. keyphrasing your keys is important I think.

It's helpful to be paranoid about these things.  Also what sort of threat is
against you?  There are said to be 4 categories of threats...
government, corporate, hacker, script kiddie.  Do you have enemies anywhere?
I know from snowden that the NSA has a "I hunt sysadmins" program, I don't
think I can do much about that though, they are said to have QUANTUM computers.
Are you a sysadmin and thus a target of government hacking?

Regards,
-peter


Re: hacked for the second time

Cord
In reply to this post by Peter Nicolai Mathias Hansteen



‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, April 4, 2019 1:41 PM, Peter N. M. Hansteen <[hidden email]> wrote:

> On Wed, Apr 03, 2019 at 06:56:39PM +0000, Cord wrote:
>

Please read my last email to misc, I tried to explain again.


> If you see ssh sessions that shouldn't be there, kill those sessions.

Honestly this is not the problem.

>
> Then before they log in again, do whatever changes are required such as generating
> new keys, changing your password or similar, and of course clean up your sshd config.
>
> From your (not very precise) description it could even be that a separate set of
> binaries have been installed in addition to the system sshd. Look for those too.
>
> Basically, do not trust your system as it is. Wipe, reinstall and rebuild should be an option.
>

"Second time" in my title means:
Install OpenBSD desktop the first time --> ssh key stolen --> hacked --> wipe and reinstall
Install OpenBSD desktop the second time --> webmail session open that is not mine --> maybe hacked --> wipe and reinstall
So you are saying I must wipe and reinstall once a month till the end of my life?


> For the webmail access, do change your password and if they support it, look into
> any multi-factor authentication options.
>

I don't know if this is useful. I mean, if the hacker has the session cookie, he can probably browse my email without any authentication.

> Moving forward, learn how to read and interpret logs and for that matter packet captures.
>

OK, but a kernel rootkit doesn't leave traces.

> The information you have offered up does not give any indication how the suspected
> attackers got hold of enough information to get access (if indeed it is what happened).
>



> That information could possibly be found in your logs, but in my experience it is far
> more likely that somebody with access to the system made some stupid mistake such
> as clicking a link in a mailed webpage, speaking their password out loud within
> hearing distance of somebody with enough context information to be able to use it,
> or something else equally cringeworthy. Then your logs would only show a successful
> login, perhaps from somewhere unexpected, as the start of the compromise.
>

My OpenBSD desktop has no TCP services active; I have some UDP listening, that is openvpn and chrome. But I have pf enabled.
If you want I can paste my pf.conf. But it's a few lines, and the last is "block drop log all".

> I hope some of this stream of semi-random items is of some use.
>

thank you

> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: hacked for the second time

Solene Rapenne
In reply to this post by Cord
On Thu, Apr 04, 2019 at 11:42:15AM +0000, Cord wrote:

>
>
>
> Sent with ProtonMail Secure Email.
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Thursday, April 4, 2019 12:27 PM, Normen Wohner <[hidden email]> wrote:
>
> > Seeing that OpenBSD comes secure out of the Box the most likely
> > thing is that you yourself compromised your System through 3rd
> > party software. If it even is the case. I think the best course of
> > action would be to go for a forensic approach. Google how to log ssh
> > traffic and where to find the logs. Then confirm your remote access
> > actually happens. If so you should determine what software exposed
> > you. VPN, Some Web Service, Your own stupidity? If you really use
> > ssh keys instead of password login then someone had to be able
> > to access those, usually outside of transfer. So most likely your
> > work device is compromised and your OpenBSD server is just a
> > casualty.
> >
>
> Maybe my description is not very clear.
> I try to explain again.

Hi, I don't understand the whole story.

> internet because I often use untrusted wifis. At this point, after 1
> month I have started to suspect a break-in because private messages
> seem to be known to others.

What are "private messages", mails? Who are the "others"? What makes you
think the "others" know your messages?

> I started to search for a rootkit and I found
> signs of hacking in the ssh connections of my vps. I mean, a tor exit node
> was connected to the ssh of the vps with my ssh key.

How did you figure this out? Could you paste the commands you used to
find that someone connected to the VPS with your SSH key, and how you
figured out it was using a tor node?

> Then, because my key was
> exfiltrated, my desktop was hacked

What makes you think your desktop has been hacked?
Do you run sshd on it, allowing the ssh key which is said to be stolen?

> But I repeat, the
> problem is not the server (vps). The problem is the desktop and how
> the key was exfiltrated. Then I deleted everything (also the vps)
> and I reinstalled openbsd on my desktop, I changed vpn provider and I
> started to use chrome+unveil; again private messages seem known to
> others... I searched again and I found a webmail session opened but I am
> sure I have logged out every time.

On which computer did you find the webmail session opened, on your desktop?
That would be a really weird hack, to use your webmail locally with a
tab opened on display :1


Re: hacked for the second time

Cord
In reply to this post by Kevin Chadwick-4
On Thursday, April 4, 2019 1:58 PM, Kevin Chadwick <[hidden email]> wrote:

> On 4/4/19 10:57 AM, Cord wrote:
>
> > Hi, my English seems very bad, because my problem is not how to make the ssh key secure. My problem is how not to be hacked.
> > I have talked about the ssh key stealing to show signs that my pc was compromised.
> > I can for sure make my ssh key secure, but how to make the pc secure?
> > If I have a rootkit that steals the ssh key, the problem is the rootkit. You know keyloggers that steal passwords? Or cookie stealing?
>
> The latest chrome (available with current) just had 30 security fixes, however
> pledge could possibly still protect your ssh key. More likely the html/js email
> is the vector. You could run email as another user, or use plain text only.
>

OK, this is what I am looking for, security problems on chrome.
I don't use current.
One question:
if the hacker has a 0day on chrome, could unveil and pledge help me?
If he has my ssh key and has used it, he must know my passphrase; does this mean he has root? As I see, ssh-agent runs as my user..
To browse the mail I use the epiphany browser... and as far as I know it doesn't have pledge and unveil and is probably very buggy.
My email provider uses encryption from the client-side perspective (like Mega cloud), so it doesn't support plain text, because it makes use of heavy js to encrypt the email on the server. So it works only with epiphany; chrome crashes.
Just to say that I don't use chrome+pledge+unveil with mail.


> OpenBSD puts the odds in your favour more than anything else, but it is not
> infallible.
>

of course


Re: hacked for the second time

Cord
In reply to this post by Solene Rapenne

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, April 4, 2019 2:23 PM, Solene Rapenne <[hidden email]> wrote:

> On Thu, Apr 04, 2019 at 11:42:15AM +0000, Cord wrote:
>
> > Sent with ProtonMail Secure Email.
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > On Thursday, April 4, 2019 12:27 PM, Normen Wohner [hidden email] wrote:
> >
> >


> > I started to search for a rootkit and I found
> > signs of hacking in the ssh connections of my vps. I mean, a tor exit node
> > was connected to the ssh of the vps with my ssh key.
>
> How did you figure this out? Could you paste the commands you used to
> find that someone connected to the VPS with your SSH key, and how you
> figured out it was using a tor node?
>

netstat -naf inet
whois ip
grep ip /var/log/authlog


> > Then, because my key was
> > exfiltrated, my desktop was hacked
>
> What makes you think your desktop has been hacked?
> Do you run sshd on it, allowing the ssh key which is said to be stolen?
>

Sorry, but what does the following mean for you:
> > because my key was
> > exfiltrated, my desktop was hacked


> > But I repeat, the
> > problem is not the server (vps). The problem is the desktop and how
> > the key was exfiltrated. Then I deleted everything (also the vps)
> > and I reinstalled openbsd on my desktop, I changed vpn provider and I
> > started to use chrome+unveil; again private messages seem known to
> > others... I searched again and I found a webmail session opened but I am
> > sure I have logged out every time.
>
> On which computer did you find the webmail session opened, on your desktop?
> That would be a really weird hack, to use your webmail locally with a
> tab opened on display :1

oh you want a tutorial, this is very good:
https://www.tech-recipes.com/rx/22511/gmail-check-recent-logins-and-sign-out-of-all-sessions/
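The three commands in the post above (netstat for the live sessions, whois on the address, grep on authlog) are the manual version of the check. The script below is an added example, not something posted in this thread: it walks an authlog once, pulls out every sshd "Accepted" line, checks the source address against a Tor exit list, and compares the fingerprint of the key that was accepted against the fingerprints of the keys the owner actually put in authorized_keys. That last comparison is the point the whole thread turns on: a login with a fingerprint you recognise, from an address that is not yours, means your private key (or a forwarded agent) was used by someone else, while a fingerprint you do not recognise means authorized_keys itself was edited. All the data in the block (log lines, exit list, fingerprints, the "usual" address) is constructed for the demonstration; in real use the exit list comes from https://check.torproject.org/torbulkexitlist and the fingerprints from `ssh-keygen -lf` on the server's authorized_keys. It also assumes the log is intact, which an attacker with root can of course change.

```python
"""Triage sshd 'Accepted' logins in an OpenBSD /var/log/authlog.

Added example, not code posted in this thread.  Every piece of data below
is constructed for the demonstration: the log lines, the Tor exit list,
the key fingerprints and the 'usual' source address.  For real use, feed
it the actual authlog, the current exit list from
https://check.torproject.org/torbulkexitlist (one address per line) and
the fingerprints printed by `ssh-keygen -lf ~/.ssh/authorized_keys` on
the server.
"""
import re
from collections import Counter, namedtuple

# Constructed sample lines in OpenBSD syslog format; not from a real system.
SAMPLE_AUTHLOG = """\
Mar 29 22:14:07 vps sshd[48122]: Accepted publickey for cord from 203.0.113.7 port 50122 ssh2: ED25519 SHA256:9xw3eJHgT5KQe7Q0G4c4k8a2h1YJxj6t3wE8t0fZpXo
Mar 30 03:41:55 vps sshd[60417]: Accepted publickey for cord from 198.51.100.23 port 41022 ssh2: ED25519 SHA256:9xw3eJHgT5KQe7Q0G4c4k8a2h1YJxj6t3wE8t0fZpXo
Mar 30 03:42:10 vps sshd[60421]: Failed password for root from 198.51.100.99 port 51000 ssh2
Mar 30 09:02:31 vps sshd[33210]: Accepted publickey for cord from 198.51.100.23 port 41180 ssh2: ED25519 SHA256:9xw3eJHgT5KQe7Q0G4c4k8a2h1YJxj6t3wE8t0fZpXo
Mar 31 18:05:12 vps sshd[11001]: Accepted publickey for cord from 203.0.113.7 port 50390 ssh2: RSA SHA256:QmFkS2V5RmluZ2VycHJpbnRGb3JEZW1vT25seUFBQUF
"""

# Constructed stand-in for the Tor bulk exit list (one address per line).
TOR_EXITS_TEXT = """\
# constructed, not a real exit list
198.51.100.23
192.0.2.200
"""

# Fingerprints of the keys you actually put in authorized_keys (constructed).
KNOWN_KEY_FPS = {"SHA256:9xw3eJHgT5KQe7Q0G4c4k8a2h1YJxj6t3wE8t0fZpXo"}

# Addresses you normally log in from (constructed).
USUAL_SOURCES = {"203.0.113.7"}

# sshd's success line; key type and fingerprint are only present for
# publickey logins, hence the optional trailing group.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?$"
)

Login = namedtuple("Login", "ts user ip port method keytype fp")


def parse_accepted(authlog_text):
    """One Login per 'Accepted ...' line; failed attempts and other noise are skipped."""
    logins = []
    for line in authlog_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            logins.append(Login(m["ts"], m["user"], m["ip"], int(m["port"]),
                                m["method"], m["keytype"], m["fp"]))
    return logins


def load_exit_list(text):
    """Parse a torbulkexitlist-style file into a set of addresses."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def logins_per_source(logins):
    """How many accepted sessions each address opened (the '2 connections' view)."""
    return Counter(lg.ip for lg in logins)


def triage(logins, tor_exits, known_fps, usual_sources):
    """Return [(login, [reasons])]; an empty reason list means nothing stood out."""
    report = []
    for lg in logins:
        reasons = []
        foreign = lg.ip not in usual_sources
        if lg.ip in tor_exits:
            reasons.append("source address is in the Tor exit list")
        elif foreign:
            reasons.append("source address is not one you usually log in from")
        if lg.method == "publickey":
            if lg.fp not in known_fps:
                # A key you never authorized got in: look for lines appended to
                # authorized_keys, not for a stolen private key.
                reasons.append("accepted key is not in your fingerprint set: check authorized_keys for additions")
            elif foreign:
                # Your own key used from somewhere that is not you: the private
                # key, or a forwarded agent, has been used by someone else.
                reasons.append("accepted key is one you authorized: the private key may have been copied")
        report.append((lg, reasons))
    return report


if __name__ == "__main__":
    found = parse_accepted(SAMPLE_AUTHLOG)
    for lg, reasons in triage(found, load_exit_list(TOR_EXITS_TEXT), KNOWN_KEY_FPS, USUAL_SOURCES):
        flag = "SUSPECT" if reasons else "ok     "
        print(f"{flag} {lg.ts} {lg.user}@{lg.ip}:{lg.port} {lg.keytype or lg.method} {lg.fp or ''}")
        for r in reasons:
            print("        -", r)
    print("sessions per source:", dict(logins_per_source(found)))
```

Run it against a copy of the real authlog (replace SAMPLE_AUTHLOG with the file contents) and a freshly downloaded exit list; the whois step from the post is deliberately left out so the script runs offline, and the exit list lookup replaces it for the one question that matters here, namely whether the source was a Tor exit.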


Re: hacked for the second time

Luca Cappelletti
In reply to this post by Cord
try to start over and then
security/aide

take the db offline and check against that db again every time, and then

use another OS to check that db (i.e. FreeBSD on a RaspberryPi, if you
have one; ask a friend to download for you the img off your daily "garden")

LC
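The workflow Luca describes, shown as an added example that is not part of the thread and is not aide itself (aide records many more attributes and has its own database and config format): hash the file tree, keep the database off the machine, later hash the tree again and diff the two databases. The reason for doing the second pass from a different, trusted OS is the point raised earlier in the thread: a kernel rootkit on the suspect system can lie to any userland hashing tool running on it, but not to a tool reading the disk from another system. The demo() function builds a constructed two-file "/usr/sbin", baselines it, then trojans one binary, drops a new file and sets a setuid bit, and reports the difference.

```python
"""Minimal offline file-integrity baseline in the spirit of security/aide.

Added example, not the thread's code and not aide itself.  The tree in
demo() is constructed in a temporary directory for the demonstration.
"""
import hashlib
import json
import os
import stat


def _sha256_file(path, bufsize=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(bufsize), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Return {relative_path: attributes} for regular files and symlinks under root.

    Symlinks are recorded by their target and not followed, so a binary
    replaced by a link to something else shows up as a change."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        filenames.sort()
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            entry = {"mode": oct(stat.S_IMODE(st.st_mode)), "uid": st.st_uid, "gid": st.st_gid}
            if stat.S_ISLNK(st.st_mode):
                entry["symlink"] = os.readlink(full)
            elif stat.S_ISREG(st.st_mode):
                entry["size"] = st.st_size
                entry["sha256"] = _sha256_file(full)
            else:
                continue  # sockets, fifos, devices: out of scope here
            db[os.path.relpath(full, root)] = entry
    return db


def save_baseline(db, path):
    """Write the database; the file belongs on removable media, not on the box."""
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(old, new):
    """Diff two baselines: sorted lists of added, removed and changed paths."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: baseline a fake /usr/sbin, tamper with it, re-check."""
    import tempfile
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as offline:
        sbin = os.path.join(root, "usr", "sbin")
        os.makedirs(sbin)
        for name, body in (("sshd", b"ELF sshd build 1"), ("pfctl", b"ELF pfctl")):
            with open(os.path.join(sbin, name), "wb") as f:
                f.write(body)
        dbfile = os.path.join(offline, "baseline.json")   # 'offline' stands in for a USB stick
        save_baseline(build_baseline(root), dbfile)
        # Tampering: trojaned sshd, a new hidden binary, setuid bit on pfctl.
        with open(os.path.join(sbin, "sshd"), "wb") as f:
            f.write(b"ELF sshd build 1 + keylogger")
        with open(os.path.join(sbin, ".bd"), "wb") as f:
            f.write(b"ELF bd")
        os.chmod(os.path.join(sbin, "pfctl"), 0o4755)
        return compare(load_baseline(dbfile), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

For a real system, run build_baseline over the mounted root of the suspect disk from the trusted machine, and compare against a database written right after the clean install; anything in "changed" under /bsd, /sbin, /usr/sbin or /usr/libexec that a known update does not account for is what the earlier reply meant by "look for those too".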



Re: hacked for the second time

bofh-6
In reply to this post by Cord
On Thu, Apr 4, 2019 at 8:16 PM Cord <[hidden email]> wrote:

>
> "Second time" of my title means:
> Install first time openbsd desktop --> ssh key stealing --> hacked -->
> wipe and reinstall
> Install second time openbsd desktop --> not my webmail session opened -->
> maybe hacked --> wipe and reinstall


I don't understand where your ssh private key is stored.  I also don't
know where your webmail is running. On your desktop (attached to the physical
keyboard) or the remote OpenBSD desktop?

You may have logged out but did the site set a cookie maintaining your id
and perhaps a new session?

> Then you are saying I must wipe and reinstall once a month till the end of
> my life?


No.  You need to figure out how your private key was stolen.  If that's the
case - you have not shown that.

What you are saying isn't very clear. I understand there's a language
barrier and probably some differences in understanding of networking and
remote access.

I would start any investigation at the system where you are doing the
typing.  That's the weakest point usually.