On Thu, Apr 04, 2019 at 11:42:15AM +0000, Cord wrote:
>
> On Thursday, April 4, 2019 12:27 PM, Normen Wohner <nor...@wohner.eu> wrote:
>
> > Seeing that OpenBSD comes secure out of the box, the most likely
> > thing is that you yourself compromised your system through 3rd
> > party software, if it even is the case. I think the best course of
> > action would be to go for a forensic approach. Google how to log ssh
> > traffic and where to find the logs. Then confirm your remote access
> > actually happens. If so, you should determine what software exposed
> > you. VPN, some web service, your own stupidity? If you really use
> > ssh keys instead of password login then someone had to be able
> > to access those, usually outside of transfer. So most likely your
> > work device is compromised and your OpenBSD server is just a
> > casualty.
>
> Maybe my description is not very clear. I will try to explain again.
>
> I installed the OpenBSD desktop 2 months ago. With it I have used Firefox
> (and Epiphany for the webmail) and I have opened some (1 or 2) PDFs from
> a command shell. After the installation I have always used a VPN from a
> very secure VPN provider; I think it is impossible that this provider
> tried to hack its client. I use a VPN to browse the internet because I
> often use untrusted wifis. At this point, after 1 month, I started to
> suspect a break-in because private messages seemed to be known to
> others. I started to search for a rootkit and I found signs of hacking in
> the ssh connections of my VPS. I mean, a Tor exit node was connected to
> the VPS over ssh with my ssh key. Then, because my key had been
> exfiltrated, my desktop had been hacked. But I repeat, the problem is not
> the server (VPS). The problem is the desktop and how the key was
> exfiltrated.
>
> Then I deleted everything (also the VPS) and I reinstalled OpenBSD on my
> desktop, I changed VPN provider and I started to use chrome+unveil;
> again private messages seem to be known to others... I searched again and
> I found a webmail session open, but I am sure I logged out every time. If
> the webmail session is open and you have the session cookie, you can
> browse my email. So this is another sign of a rootkit or something. Then
> I wrote to misc.
>
> Now the answer to your email.
>
> I think the only way they could have broken in is through the browser,
> Chrome. As I said, I haven't used scripts to connect to the internet
> (based for example on curl) and I haven't opened PDFs outside the browser
> (in this second installation of the desktop). I started to use unveil 1
> or 2 days after the install. As I said, I use Epiphany to connect to the
> webmail and only to the webmail. About forensics, I asked on this mailing
> list how to use pkg_check from a live environment on the infected system
> but no one has answered.
> https://marc.info/?l=openbsd-misc&m=155404594328762&w=2
>
> Another way could be a compromised OpenBSD mirror... I don't think so but
> I don't know.
>
> Cord
Hi,

You could try a few things after changing your SSH keys.

1. Store SSH keys somewhere else than $HOME/.ssh. I do this.
2. Run Chrome or Firefox as another user so that someone who breaks out of
   the web browser can't get to the SSH keys (I used to do this but it had
   problems with pasting, so I gave up).
3. Passphrasing your keys is important, I think.

It's helpful to be paranoid about these things. Also, what sort of threat is
against you? There are said to be 4 categories of threats: government,
corporate, hacker, script kiddie. Do you have enemies anywhere? I know from
Snowden that the NSA has an "I hunt sysadmins" program; I don't think I can
do much about that though, they are said to have QUANTUM computers. Are you
a sysadmin and thus a target of government hacking?

Regards,
-peter
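An added example, not from any of the mails above, of the check Normen suggested (confirm from the server's logs that the remote access actually happens) and of what Cord found (his own key used from a Tor exit node): it parses sshd "Accepted" lines in the format written to OpenBSD's /var/log/authlog and reports which source addresses used which key fingerprint. The host name, the addresses, the fingerprint and the "trusted" network are all constructed for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in the format sshd writes to /var/log/authlog on OpenBSD.
# Hypothetical host, documentation-range IPs and a made-up fingerprint.
SAMPLE_AUTHLOG = """\
Apr  4 09:12:01 vps sshd[4211]: Accepted publickey for cord from 203.0.113.7 port 50122 ssh2: ED25519 SHA256:EXAMPLEfingerprintA
Apr  4 11:40:55 vps sshd[4390]: Accepted publickey for cord from 198.51.100.23 port 41234 ssh2: ED25519 SHA256:EXAMPLEfingerprintA
Apr  4 11:41:02 vps sshd[4395]: Failed password for root from 198.51.100.23 port 41250 ssh2
Apr  4 12:03:17 vps sshd[4502]: Accepted publickey for cord from 203.0.113.7 port 50130 ssh2: ED25519 SHA256:EXAMPLEfingerprintA
"""

ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fp>\S+))?$"
)

def parse_accepted(log_text):
    """Return one dict per successful login; failed attempts are ignored."""
    events = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def logins_by_key(log_text):
    """Map each key fingerprint to the set of source addresses that used it."""
    seen = defaultdict(set)
    for ev in parse_accepted(log_text):
        seen[ev["fp"] or "(no fingerprint logged)"].add(ev["ip"])
    return dict(seen)

def unexpected_logins(log_text, trusted_nets):
    """Accepted logins whose source is outside the networks you normally use."""
    nets = [ip_network(n) for n in trusted_nets]
    return [ev for ev in parse_accepted(log_text)
            if not any(ip_address(ev["ip"]) in n for n in nets)]

if __name__ == "__main__":
    # Hypothetical: 203.0.113.0/24 is where the desktop normally connects from.
    for ev in unexpected_logins(SAMPLE_AUTHLOG, ["203.0.113.0/24"]):
        print(f"{ev['ts']} {ev['user']} from {ev['ip']} using {ev['fp']}")
    # The same fingerprint from both a trusted and an untrusted address means the
    # same private key was used from both places, i.e. the key material was copied.
```

Run it against the real authlog (and its rotated copies) with your own trusted networks; a fingerprint you do not recognise at all points to an added key in authorized_keys rather than a copied one.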