On 07/29/15 03:33, Wong Peter wrote:
> Q: why do you believe that your machine was hacked?
> A: My pf rules were flushed. This can be proven using pfctl -sr. The whole
> firewall was not usable anymore. NO NAT nor packet filtering.

Hi Peter,

Can you let us know the version and architecture of OpenBSD you were
running, and any ports you might have installed.  What sort of programs
were facing the network, i.e. what netstat -na would tell you.

Also I gather you used ssh to access the machine.  Do you use a strong
password?  Does your ISP know your password?  If they installed a snooping
mechanism they don't know your password per se, only if you've given it
to them.

You seem to have some trouble mounting a drive, indicating that you're
new to OpenBSD.  I don't want to call you a newbie but this is likely a
newbie mistake.  In regards to mounting the external hard drive, use mount
to mount the drive first; it doesn't get auto-mounted.

Right now I see a lot of guessing on what's going on and few facts.
Help us with the facts so that _perhaps_ we can see an avenue of attack.

Regards,

-peter philipp

> Q: You say that whatever happened was done by your ISP even though you had
> no Internet connection. Why do you believe that to be true?
> A: Our ISP had implemented monitoring like the NSA or British GCHQ. Moreover,
> hacking OpenBSD is not that easy. First hop hacking is much easier
> than anyone.
>
> Q: Why do you believe that you had no Internet connection?
> A: No response when pinging the DNS server and no IP address assigned to the
> pppoe0 interface.
>
> Q: If you had no Internet connection, how is it that someone at your ISP
> would have been able to access the machine?
> A: I had no idea. Thus, I asked it here.
>
> Q: Where is the machine actually located?
> A: This is a home-use firewall router sitting behind a modem.
>
> Where can I find log files regarding pf rules being flushed out using carp or
> pfsync?
>
> I understand you all want to help me and you all require information.
> I tried to extract the whole OS into a zip file and copy it to a portable hard
> disk but it failed.
> It says no such file or directory.
> cp /home/user/bsd.tar.gz /mnt/obsd/
>
> What is wrong with it?
>
> On Wed, Jul 29, 2015 at 8:26 AM, Daniel Boulet <da...@matilda.com> wrote:
>
>> There is all sorts of information that you could provide:
>>
>> - why do you believe that your machine was hacked? You seem to think that
>> someone at your ISP did whatever was done. Why do you believe that to be
>> true? Why would someone at your ISP want to do this? Why would someone at
>> your ISP be better able to do this than some random bad person out on the
>> Internet?
>>
>> - you say that whatever happened was done by your ISP even though you had
>> no Internet connection. Why do you believe that this is even possible? Why
>> do you believe that you had no Internet connection? If you had no Internet
>> connection, how is it that someone at your ISP would have been able to
>> access the machine? Where is the machine actually located?
>>
>> - you say that your pf rules were flushed. Why do you believe that they
>> were ever loaded in the first place? Can you demonstrate that the rules
>> were in place at one point in time and that they are no longer in place
>> later? Have you tried rebooting the machine and then immediately checking
>> to see if the rules are there or not?
>>
>> - you say that you suspect that your ISP used some sort of “Layer 2 by
>> using mac spoofing/mac target” technique. Please say more about “some sort
>> of” - what sort of? Why do you believe that this technique, whatever it is,
>> might work? Can you even provide a basic explanation of how this technique,
>> whatever it is, might have been used to hack your machine, or is this just a
>> theory with no evidence to support it?
>>
>> There are lots of other questions you could answer. For example, what
>> messages appear in your log files that support your theory? Even a list of
>> the evidence that you see that supports your theory might help. It almost
>> sounds like you are saying that you cannot figure out how whatever happened
>> occurred so it must have been someone at your ISP. That is a pretty big
>> leap to make without some evidence that actually points at your ISP.
>>
>> -Danny
>>
>>> On Jul 28, 2015, at 18:00 , Wong Peter <peterap...@gmail.com> wrote:
>>>
>>> What information you all require?
>>>
>>> On Tue, Jul 28, 2015 at 10:28 PM, Giancarlo Razzolini <
>> grazzol...@gmail.com>
>>> wrote:
>>>
>>>> Em 28-07-2015 06:17, Wong Peter escreveu:
>>>>> Dear All,
>>>>>
>>>>> Recently, I realized that my openbsd firewall router was not usable
>>>>> anymore because the pf rules had been changed using the carp and pfsync
>>>>> mechanism.
>>>>>
>>>>> Here is my proof.
>>>>>
>>>>> I tried to reinstall the whole machine and plugged the modem LAN cable
>>>>> into the NIC card. All my written pf rules were flushed and changed. This
>>>>> happens even without an internet connection (no IP address assigned).
>>>>>
>>>>> I suspect this was done by my ISP. I believe my openbsd machine was
>>>>> located on the same subnet as their machine.
>>>>>
>>>>> I even tried to disable the carp protocol but my pf rules still get
>>>>> flushed out.
>>>>> How can this happen?
>>>>> How to prevent it?
>>>>> How can my ISP synchronize its pf rules to my machine without an IP
>>>>> assigned?
>>>>> I suspect they achieved it at Layer 2 by using mac spoofing/mac targeting
>>>>> of my machine.
>>>>> net.inet.carp.allow=0
>>>>>
>>>>> Please help. Very urgent.
>>>>>
>>>> You use a very controversial subject in order to draw attention in the
>>>> hope that someone will help you. And not only can't you manage to give a
>>>> shred of evidence to support your claim, you can't even manage to
>>>> provide enough information for some good soul on this list to help you.
>>>> Come back when you have sorted this out.
>>>>
>>>> Cheers,
>>>> Giancarlo Razzolini
>>>>
>>>
>>>
>>> --
>>> Linux
>>>
>>
>
> --
> Linux
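
Danny's question above (can you show the rules were loaded at one point and gone later, ideally right after a reboot) and the request for facts rather than guesses can be answered with a small audit script. The following is an added example written for this thread, not code from any of the posters: it snapshots the loaded pf ruleset and status with pfctl(8) on OpenBSD (run as root), and compares two saved dumps, flagging the "everything gone" state that a flush leaves behind. The hypothetical directory /var/pfaudit and the sample rule lines used for testing are constructed for illustration.

```sh
#!/bin/sh
# Added example for this thread, not code from any poster: record the loaded pf
# ruleset at a known time and compare it with a later dump, so that "the rules
# were loaded and are now gone" is backed by files rather than memory.
# Assumes an OpenBSD host where pfctl(8) is available and run as root; the
# comparison functions work on any saved text dump of `pfctl -sr`.

# pf_snapshot DIR: save the current rules (pfctl -sr) and pf status (pfctl -si,
# which includes how long pf has been enabled) into timestamped files under DIR.
# Prints the path of the rules file so it can be kept as the baseline.
pf_snapshot() {
    dir=$1
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dir"
    pfctl -sr > "$dir/rules-$stamp.txt"
    pfctl -si > "$dir/status-$stamp.txt"
    printf '%s\n' "$dir/rules-$stamp.txt"
}

# pf_rule_count FILE: number of rule lines in a dump, ignoring blank lines and
# comments. A dump taken after the rules were flushed has a count of 0.
pf_rule_count() {
    count=$(grep -c -v -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$1" || true)
    printf '%s\n' "${count:-0}"
}

# pf_rules_same BASELINE CURRENT: succeed when the two dumps contain the same
# rules (whitespace differences ignored); on a mismatch print the diff and fail.
pf_rules_same() {
    if diff -b "$1" "$2" >/dev/null; then
        return 0
    fi
    echo "pf ruleset changed between $1 and $2:"
    diff -b "$1" "$2" || true
    return 1
}

# pf_looks_flushed BASELINE CURRENT: succeed when the baseline held rules and
# the current dump holds none, the symptom reported in this thread.
pf_looks_flushed() {
    base=$(pf_rule_count "$1")
    cur=$(pf_rule_count "$2")
    [ "$base" -gt 0 ] && [ "$cur" -eq 0 ]
}

# Usage on the firewall itself (requires pfctl; /var/pfaudit is a hypothetical path):
#   sh pfaudit.sh snapshot /var/pfaudit
#   sh pfaudit.sh compare /var/pfaudit/rules-A.txt /var/pfaudit/rules-B.txt
case "${1:-}" in
    snapshot) pf_snapshot "$2" ;;
    compare)
        if pf_looks_flushed "$2" "$3"; then
            echo "ruleset appears to have been flushed"
        fi
        pf_rules_same "$2" "$3"
        ;;
esac
```

Take one snapshot immediately after `pfctl -f /etc/pf.conf` (or right after a reboot), another when the firewall seems to stop working, and send the two dumps plus the status files to the list; the "Status: Enabled for ..." line in `pfctl -si` also shows whether pf was disabled or restarted in between, which is more useful than a recollection that the rules "were there".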
