Subject: Log files and Zero click exploits

Greetings,
Kindly find below log entries generated from tcpdump of the pflog. This is a fresh install of updated OpenBSD 7.4, with a bare-minimum installation configured for a firewall. There are no x* programs installed.

Feb 11 18:09:41.682345 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0xdd6a56bc
Feb 11 18:09:46.754493 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x963acc89
Feb 11 18:09:51.778525 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x93d9508d
Feb 11 18:09:56.835383 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x112cf65b
Feb 11 18:29:33.657009 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x639ed21a
Feb 11 18:29:33.657454 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0xb2fcd9b8
Feb 11 18:29:33.658140 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x8ae84cca
Feb 11 18:29:33.658808 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0xcbb881b7
Feb 11 18:29:33.659165 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x612a28f8
Feb 11 18:29:33.659416 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x49f595ec

wan-ip is my WAN static IP address.

What does [wg] mean? What does "initiation from 0xdd6a56bc", etc. mean? Does that mean there is a malicious file/app located at those memory addresses in my system trying to initiate a connection to this specific 69.166.225.73.51820 address/port? This IP address is malicious, and there are others as well that we get every single time we connect to the internet. Those malicious IP addresses could also be spoofed. Other log files are not indicating anything.
We always get those attacks every time we connect to the internet, and they usually happen at the initial connections. How do I configure the log files to record all the activities happening on the system, and especially to locate malicious activities/files, including zero-click exploits, etc.?

I created a basic bin malware for testing purposes and copied it to the BSD system using USB. The only activity that was logged under messages was the USB attach/detach. However, the malicious file itself and its execution were not recorded at all in any of the log files. Also, for intrusion detection, I used mtree before and after copying the malware to the system; mtree was able to detect the file and record it under extra:. However, when I deleted the file and covered the tracks using dd if=/dev/zero of=/bin_location bs=1024k count=12, mtree could not detect it. That means that as an IDS, mtree is defenseless against malicious files that delete and cover their tracks.

When examining Citizen Lab's zero-click exploit reports, almost all the malicious directories and files are stored under folders that would not be immutable, such as /usr/ library directories and files. As an example, under OpenBSD, the folders /bin, /sbin, /usr/bin, /usr/sbin, and /etc could be schg immutable; however, if the other folders or files are configured to be schg immutable, the OpenBSD system would break, and when restarted, it would not load. Also, the zero-click exploits for the most part do not attempt to change the files in the mentioned bin/sbin folders; rather, the exploit would copy the malware to a location that is not immutable and use those files for its malicious purposes.
The zero-click exploit attacks for smartphones may be slightly different than for a fixed standalone device system, as smartphones such as iOS, Android, etc. are mobile, so the malware may have to be persistent. However, for a standalone system such as a firewall, since it would be in a fixed location with a static WAN IP address, and especially if the device was under the telecom umbrella of a corrupted adversary, as long as they know what platform you are using, the zero-click exploit could happen almost instantly and does not have to be persistent, as they would get in at every internet connection, then delete, cover tracks, and reinstate the system to an undetectable status at every internet disconnect.

How do I activate the log files to be able to detect such activities? How do I protect OpenBSD from such exploits? What tools could be used in OpenBSD to help detect such malicious intrusions? Any kernel/firewall tweaks to protect against such attacks? The rules "block all, pass out" are insufficient, and you do not have to click on any link for the attack to take place.

Appreciate your kind support.

John

On Sunday, April 30th, 2023 at 5:23 AM, jonathon575 <jonathon...@protonmail.com> wrote:

> Thank you Stuart.
>
> ------- Original Message -------
> On Saturday, April 29th, 2023 at 2:18 PM, jonathon575
> <jonathon...@protonmail.com> wrote:
>
>> Hi,
>>
>> How to sappnd history?
>>
>> Thanks,
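As an added example that is not part of this thread: a small Python parser for the pflog/tcpdump lines quoted above. The [wg] tag is printed by tcpdump's WireGuard dissector, and the 0x... value is the 32-bit sender index that the remote peer placed in its handshake-initiation packet, so the script treats it as a per-handshake protocol field, groups the blocked initiations per source, and reports retry bursts (the 18:29:33 lines arrive milliseconds apart), which is the kind of summary you want before deciding whether a source is a misconfigured WireGuard peer or a scan. The sample input is a constructed subset of the post's own lines, with "wan-ip" kept as written.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample: five of the pflog lines quoted in the post, "wan-ip" kept as written.
SAMPLE_LOG = """\
Feb 11 18:09:41.682345 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0xdd6a56bc
Feb 11 18:09:46.754493 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x963acc89
Feb 11 18:29:33.657009 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x639ed21a
Feb 11 18:29:33.657454 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0xb2fcd9b8
Feb 11 18:29:33.658140 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x8ae84cca
"""
# pf action/interface, the UDP 5-tuple, and tcpdump's [wg] tag with the 32-bit
# sender index that the remote peer put in its WireGuard handshake initiation.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+) rule (?P<rule>\d+)/\(match\) "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"\[wg\] initiation from 0x(?P<idx>[0-9a-f]{8})$"
)

def parse_pflog(text):
    # One dict per [wg] initiation line; lines of any other shape are skipped.
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%b %d %H:%M:%S.%f")  # year not needed
            e["idx"] = int(e["idx"], 16)  # peer-chosen protocol index, not a local memory address
            events.append(e)
    return events

def summarize(events, window_s=1.0):
    """Per (src, sport, dport): hits, distinct sender indexes, max hits in any window_s seconds."""
    flows = defaultdict(list)
    for e in events:
        flows[(e["src"], e["sport"], e["dport"])].append((e["ts"], e["idx"]))
    out = {}
    for flow, hits in flows.items():
        times = sorted(t for t, _ in hits)
        best = start = 0
        for end, t in enumerate(times):  # sliding window: retries arriving within window_s are one burst
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        out[flow] = {"count": len(hits), "distinct_indexes": len({i for _, i in hits}),
                     "max_burst": best}
    return out

print(summarize(parse_pflog(SAMPLE_LOG)))
```

Feed it the output of decoding /var/log/pflog with tcpdump and raise window_s to see how many handshake attempts a source makes per connection session rather than per retry burst.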