Re: OpenBSD machine was hacked

2015-07-28 Thread Wong Peter
Q: Why do you believe that your machine was hacked?
A: My pf rules were flushed. This can be proven using pfctl -sr. The whole
firewall was not usable anymore. No NAT nor packet filtering.

Q: You say that whatever happened was done by your ISP even though you had
no Internet connection. Why do you believe that to be true?
A: Our ISP has implemented monitoring like the NSA or British GCHQ. Moreover,
hacking OpenBSD is not that easy. First-hop hacking is much easier than
for anyone else.

Q: Why do you believe that you had no Internet connection?
A: No response when pinging the DNS server and no IP address assigned to the
pppoe0 interface.

Q: If you had no Internet connection, how is it that someone at your ISP
would have been able to access the machine?
A: I have no idea. That is why I asked it here.

Q: Where is the machine actually located?
A: This is a home-use firewall router sitting behind a modem.

Where can I find log files showing that the pf rules were flushed out using
carp or pfsync?

I understand you all want to help me and you all require information.
I tried to extract the whole OS into a zip file and copy it to a portable hard
disk but it failed.
It says no such file or directory.
cp /home/user/bsd.tar.gz /mnt/obsd/

What is wrong with it?

On Wed, Jul 29, 2015 at 8:26 AM, Daniel Boulet  wrote:

> There is all sorts of information that you could provide:
>
> - why do you believe that your machine was hacked? You seem to think that
> someone at your ISP did whatever was done. Why do you believe that to be
> true? Why would someone at your ISP want to do this? Why would someone at
> you ISP be better able to do this than some random bad person out on the
> Internet?
>
> - you say that whatever happened was done by your ISP even though you had
> no Internet connection. Why do you believe that this is even possible? Why
> do you believe that you had no Internet connection? If you had no Internet
> connection, how is it that someone at your ISP would have been able to
> access the machine? Where is the machine actually located?
>
> - you say that your pf rules were flushed. Why do you believe that they
> were ever loaded in the first place? Can you demonstrate that the rules
> were in place at one point in time and that they are no longer in place
> later? Have you tried rebooting the machine and then immediately checking
> to see if the rules are there or not?
>
> - you say that you suspect that your ISP used some sort of “Layer 2 by
> using mac spoofing/mac target” technique. Please say more about “some
> sort of” - what sort of? Why do you believe that this technique, whatever
> it is, might work? Can you even provide a basic explanation of how this
> technique, whatever it is, might have been used to hack your machine or is
> this just a theory with no evidence to support it.
>
> There are lots of other questions you could answer. For example, what
> messages appear in your log files that support your theory? Even a list of
> the evidence that you see that supports your theory might help. It almost
> sounds like you are saying that you cannot figure out how whatever happened
> occurred so it must have been someone at your ISP. That is a pretty big
> leap to make without some evidence that actually points at your ISP.
>
> -Danny
>
> > On Jul 28, 2015, at 18:00 , Wong Peter  wrote:
> >
> > What information you all require?
> >
> > On Tue, Jul 28, 2015 at 10:28 PM, Giancarlo Razzolini <
> grazzol...@gmail.com>
> > wrote:
> >
> >> On 28-07-2015 06:17, Wong Peter wrote:
> >>> Dear All,
> >>>
> >>> Recently, I realized that my OpenBSD firewall router was not usable
> >>> anymore because the pf rules had been changed using the carp and pfsync
> >>> mechanism.
> >>>
> >>> Here is my proof.
> >>>
> >>> I tried to reinstall the whole machine and plugged the modem LAN cable
> >>> into the NIC card. All my written pf rules were flushed and changed. This
> >>> happened even without an internet connection (no IP address assigned).
> >>>
> >>> I suspect this was done by my ISP. I believe my OpenBSD machine was
> >>> located on the same subnet as their machine.
> >>>
> >>> I even tried to disable the carp protocol but my pf rules still get
> >>> flushed out.
> >>> How can this happen?
> >>> How to prevent it?
> >>> How can my ISP synchronize its pf rules to my machine without an IP
> >>> assigned?
> >>> I suspect they achieved it at Layer 2 by using MAC spoofing/MAC targeting
> >>> of my machine.
> >>> net.inet.carp.allow=0
> >>>
> >>> Please help. Very urgent.
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >> You use a very controversial subject in order to draw attention in the
> >> hope that someone will help you. And not only you can't manage to give a
> >> shred of evidence to support your claim, as you can't even manage to
> >> provide enough information for some good soul on this list to help you.
> >> Come back when you sorted this out.
> >>
> >> Cheers,
> >> Giancarlo Razzolini
> >>
> >
> >
> >
> > --
> > Linux
> >
>
>


--
Linux
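Daniel's quoted question (can you show the rules were loaded at one point and gone later?) is something a small script can answer on any pf host. The following is an added example, not code from this thread or from OpenBSD: a POSIX sh script that records the ruleset pfctl -sr reports right after pf.conf is loaded, and on later runs compares the running ruleset against that baseline, distinguishing "unchanged", "changed" (with a diff) and "empty, looks flushed". It assumes it is run as root (pfctl needs it) and the baseline path /var/db/pf-ruleset.baseline is my own choice; the comparison function itself takes plain text, so it can be exercised without pf.

```shell
#!/bin/sh
# Added example (not from the thread): record the running pf ruleset and
# detect later flushes or changes. Assumes root (pfctl -sr) and a baseline
# path that is my own choice.
BASELINE="${BASELINE:-/var/db/pf-ruleset.baseline}"

# Drop comment and blank lines from a ruleset on stdin so only real rule
# changes count. sed always exits 0, which keeps this safe under set -e.
normalize_rules() {
    sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d'
}

# Compare two rulesets given as text: $1 = baseline, $2 = current.
# Prints a verdict; returns 0 unchanged, 1 changed, 2 current ruleset
# empty (looks flushed), 3 no baseline recorded.
compare_rulesets() {
    base=$(printf '%s\n' "$1" | normalize_rules)
    cur=$(printf '%s\n' "$2" | normalize_rules)
    if [ -z "$base" ]; then
        echo "NO-BASELINE: run '$0 record' right after loading pf.conf"
        return 3
    fi
    if [ -z "$cur" ]; then
        echo "ALERT: running ruleset is empty (flushed?)"
        return 2
    fi
    if [ "$base" = "$cur" ]; then
        echo "OK: running ruleset matches baseline"
        return 0
    fi
    echo "ALERT: running ruleset differs from baseline"
    tb=$(mktemp) && tc=$(mktemp)
    printf '%s\n' "$base" > "$tb"
    printf '%s\n' "$cur" > "$tc"
    diff -u "$tb" "$tc" || true      # diff exits 1 whenever files differ
    rm -f "$tb" "$tc"
    return 1
}

# Snapshot what pf currently has loaded (exactly what pfctl -sr shows).
record_baseline() {
    pfctl -sr | normalize_rules > "$BASELINE"
    echo "baseline written to $BASELINE: $(wc -l < "$BASELINE") rules"
}

# Compare the running rules with the recorded baseline; exit status as above.
check_running() {
    base=$(cat "$BASELINE" 2>/dev/null || true)
    cur=$(pfctl -sr 2>/dev/null || true)
    compare_rulesets "$base" "$cur"
}

case "${1:-}" in
    record) record_baseline ;;
    check)  check_running ;;
    "")     ;;   # no argument: only define the functions
    *)      echo "usage: $0 record|check" >&2; exit 64 ;;
esac
```

Run `record` once immediately after `pfctl -f /etc/pf.conf`, then run `check` from cron or by hand (including straight after a reboot, as Daniel suggests) and keep the output; a series of timestamped "OK" verdicts followed by an "ALERT" is the kind of evidence the thread was asking for, and the diff shows what changed rather than only that something did.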



Re: OpenBSD machine was hacked

2015-07-28 Thread Wong Peter
What information do you all require?

On Tue, Jul 28, 2015 at 10:28 PM, Giancarlo Razzolini 
wrote:

> On 28-07-2015 06:17, Wong Peter wrote:
> > Dear All,
> >
> > Recently, I realized that my OpenBSD firewall router was not usable
> > anymore because the pf rules had been changed using the carp and pfsync
> > mechanism.
> >
> > Here is my proof.
> >
> > I tried to reinstall the whole machine and plugged the modem LAN cable
> > into the NIC card. All my written pf rules were flushed and changed. This
> > happened even without an internet connection (no IP address assigned).
> >
> > I suspect this was done by my ISP. I believe my OpenBSD machine was
> > located on the same subnet as their machine.
> >
> > I even tried to disable the carp protocol but my pf rules still get
> > flushed out.
> > How can this happen?
> > How to prevent it?
> > How can my ISP synchronize its pf rules to my machine without an IP
> > assigned?
> > I suspect they achieved it at Layer 2 by using MAC spoofing/MAC targeting
> > of my machine.
> > net.inet.carp.allow=0
> >
> > Please help. Very urgent.
> >
> >
> >
> >
> >
> >
> You use a very controversial subject in order to draw attention in the
> hope that someone will help you. And not only you can't manage to give a
> shred of evidence to support your claim, as you can't even manage to
> provide enough information for some good soul on this list to help you.
> Come back when you sorted this out.
>
> Cheers,
> Giancarlo Razzolini
>



-- 
Linux



Re: OpenBSD machine was hacked

2015-07-28 Thread Wong Peter
The changes were not made to the /etc/pf.conf file but at runtime.

I issued the pfctl -sr command, which reflects this.


On Tue, Jul 28, 2015 at 5:35 PM, Stefan Wollny  wrote:

> Hi,
>
> I can't tell you anything about what might have happened as you didn't provide
> enough information and I am not educated to give any hints. But to prevent
> any changes you might consider using "chflags" after you have set up your
> pf.conf:
>
> $ sudo chflags schg /etc/pf.conf
>
> Keep in mind that changes thereafter are only possible if you reboot into
> insecure mode. man 1 chflags is your friend.
>
> If this doesn't help it is beyond my knowledge.
>
> Good luck!
> STEFAN
>
>
> *Sent:* Tuesday, 28 July 2015 at 11:17
> *From:* "Wong Peter" 
> *To:* misc@openbsd.org
> *Subject:* OpenBSD machine was hacked
> Dear All,
>
> Recently, I realized that my OpenBSD firewall router was not usable
> anymore because the pf rules had been changed using the carp and pfsync
> mechanism.
>
> Here is my proof.
>
> I tried to reinstall the whole machine and plugged the modem LAN cable
> into the NIC card. All my written pf rules were flushed and changed. This
> happened even without an internet connection (no IP address assigned).
>
> I suspect this was done by my ISP. I believe my OpenBSD machine was
> located on the same subnet as their machine.
>
> I even tried to disable the carp protocol but my pf rules still get
> flushed out.
> How can this happen?
> How to prevent it?
> How can my ISP synchronize its pf rules to my machine without an IP
> assigned?
> I suspect they achieved it at Layer 2 by using MAC spoofing/MAC targeting
> of my machine.
> net.inet.carp.allow=0
>
> Please help. Very urgent.
>
>
>
>
>
>
> --
> Linux
>
>



-- 
Linux



OpenBSD machine was hacked

2015-07-28 Thread Wong Peter
Dear All,

Recently, I realized that my OpenBSD firewall router was not usable
anymore because the pf rules had been changed using the carp and pfsync
mechanism.

Here is my proof.

I tried to reinstall the whole machine and plugged the modem LAN cable
into the NIC card. All my written pf rules were flushed and changed. This
happened even without an internet connection (no IP address assigned).

I suspect this was done by my ISP. I believe my OpenBSD machine was
located on the same subnet as their machine.

I even tried to disable the carp protocol but my pf rules still get
flushed out.
How can this happen?
How to prevent it?
How can my ISP synchronize its pf rules to my machine without an IP
assigned?
I suspect they achieved it at Layer 2 by using MAC spoofing/MAC targeting
of my machine.
net.inet.carp.allow=0

Please help. Very urgent.






-- 
Linux



Re: Cannot run Snort

2015-06-28 Thread Wong Peter
Dear All,

OpenBSD 5.7
Arch: i386
Snort Version:2.9.7.3
Installed from packages
Start by typing snort. Thanks.


On Sat, Jun 27, 2015 at 6:49 PM, Nigel J Taylor  wrote:

> On 06/27/15 09:12, Wong Peter wrote:
> > Dear All,
> >
> > I installed Snort but cannot run it.
> >
> > Error Message: Can't load library liblzma.s0.2.0
> >
> > What needs to be installed? I installed lzlib but it still did not solve it.
> > Which packages need to be installed, or how do I tell snort where to look
> > up the shared library?
> >
> try xz; it should have been installed with snort. The current version does
> include the dependency.
> For 5.7 the dependency is missing.
>
>
> $ pkg_info -Sq snort
>
> snort-2.9.7.3,@daq-2.0.5,@libdnet-1.12p10,@pcre-8.37p0,@xz-5.2.1,c.80.0,crypto.34.0,daq.2.1,dnet.1.0,lzma.2.1,m.9.0,pcap.8.0,pcre.3.0,pthread.19.0,z.5.0
> $ pkg_info -f xz | grep lzma.so
> @lib lib/liblzma.so.2.1
>
> The pkglocatedb package should help to find any missing packages...
>
> $ pkg_locate lzma.so.2
> xz-5.2.1:archivers/xz:/usr/local/lib/liblzma.so.2.1
>
>


-- 
Linux



Cannot run Snort

2015-06-27 Thread Wong Peter
Dear All,

I installed Snort but cannot run it.

Error Message: Can't load library liblzma.s0.2.0

What needs to be installed? I installed lzlib but it still did not solve it.
Which packages need to be installed, or how do I tell snort where to look
up the shared library?

-- 
Linux



Linksys wmp54g v4.1 is not support

2014-03-27 Thread Wong Peter
Dear all,

The Linksys wmp54g v4.1 is not supported on OpenBSD 4.1. Previously, it was
working but it is not working after a few years.

Any reason for this ?

Please help.

Thanks.

-- 
Linux



Netgear WG311T Atheros Chipset Wireless Problem

2014-03-26 Thread Wong Peter
Dear all,

I bought a Netgear WG311T with an Atheros chipset. The OpenBSD kernel (dmesg)
shows this card as ath0.

Therefore, I tried to configure it using /etc/hostname.ath0 with the content
below:
inet 192.168..5.1 255.255.255.0 none media autoselect mediaopt hostap mode
11b chan 6 nwid wsm nwkey ""

This configuration gives me an access point whose LED keeps on blinking,
and a scan from Windows cannot find the particular nwid either.

I believe there are some problems with it.

Please help. Thanks.


-- 
Linux



Openbsd Routing/NAT Internet Issues

2014-03-25 Thread Wong Peter
Hello to all, I tried to set up OpenBSD as a home router but eventually it
failed to function properly.

External Interface (vr0)
192.168.1.2 255.255.255.0 none

Internal Interface (rl0)
172.16.10.1 255.255.255.0 none

Wireless Interface (ath0)
192.168.5.1 255.255.255.0 none

External interface connects to a modem with ip address of 192.168.1.254.

*Routing Table* (route show | more)
Destination Gateway Flags Interface
default 175.13.8.127.254 UGS tun0
175.130.127.254 175.135.116.213 (PPPOE IP address) UH tun0
loopback loopback UGRS lo0
loopback loopback UH lo0
172.16.10/24 link#2 UC rl0
172.16.10.3 inet6 UHLC rl0
192.168.1/24 link#1 UC vr0
192.168.5/24 link#3 UC ath0

My wireless interface light keeps on blinking rather than staying on steadily.

*Packet Filter Rules* (pfctl -sr)
nat on vr0 from !(vr0) to any -> (vr0) round-robin
scrub on vr0 all no-df fragment reassemble
scrub on vr0 all reassemble tcp

block drop in log on vr0 all
pass out quick on ath0/rl0 keep state.

Problem:
I can ping Google DNS (8.8.8.8) from the OpenBSD machine, and browse the internet.
I cannot ping Google DNS (8.8.8.8) from the LAN PC.
I can ping my external modem (192.168.1.254), which returns an echo reply.

I have no idea why pinging the modem gets a reply but pinging the external
network gets no reply.

Please help.

-- 
Linux
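Reading the routing table and the rules in the post together: the default route leaves through tun0 (the PPPoE session), but the only translation rule is `nat on vr0`. A LAN packet for 8.8.8.8 therefore goes out tun0 with its private 172.16.10.x source untouched, and no reply can find its way back, while a ping to 192.168.1.254 is routed out vr0, is translated there, and works. That is consistent with both symptoms reported. Below is an added example, not the poster's pf.conf, written in the `nat on` syntax of the OpenBSD release the subject line names; it assumes the interface roles stated in the post (vr0 to the modem, tun0 for PPPoE, rl0 and ath0 on the LAN side) and shows the posted rule beside the corrected one.

```pf
# Added example, not the poster's pf.conf. Interface roles as in the post:
# vr0 faces the modem, tun0 carries the PPPoE session and the default
# route, rl0 and ath0 are the LAN side.
pppoe_if = "tun0"
modem_if = "vr0"
lan_ifs  = "{ rl0 ath0 }"

scrub in all

# As posted: the only translation rule sits on vr0. A LAN packet for
# 8.8.8.8 follows the default route out tun0 untranslated, so the
# reply never comes back.
#   nat on vr0 from !(vr0) to any -> (vr0) round-robin

# Corrected: translate on the interface the default route actually uses.
# The parentheses track tun0's address, which changes with every PPPoE
# session. A rule on vr0 stays so the LAN can still reach the modem's
# own address (192.168.1.254) without the modem needing a route back.
nat on $pppoe_if from !($pppoe_if) to any -> ($pppoe_if)
nat on $modem_if from !($modem_if) to any -> ($modem_if)

# Block unsolicited inbound traffic on both external interfaces, and
# create state on the way out so replies are accepted through the block.
block in log on $pppoe_if all
block in log on $modem_if all
pass out on { $pppoe_if $modem_if } keep state
pass out quick on $lan_ifs keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then confirm with `pfctl -sr` that a `nat on tun0` line is present. On OpenBSD 4.7 and later the `nat on` form no longer exists; the equivalent is `match out on $pppoe_if from !($pppoe_if) nat-to ($pppoe_if)`.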



Openbsd 4.1 Routing Issues

2014-03-23 Thread Wong Peter
Hello to all, I tried to set up OpenBSD as a home router but eventually it
failed to function properly.

External Interface (vr0)
192.168.1.2 255.255.255.0 none

Internal Interface (rl0)
172.16.10.1 255.255.255.0 none

Wireless Interface (ath0)
192.168.5.1 255.255.255.0 none

*Routing Table* (route show | more)
Destination Gateway Flags Interface
default 175.13.8.127.254 UGS tun0
loopback loopback UGRS lo0
loopback loopback UH lo0
172.16.10/24 link#2 UC rl0
172.16.10.3 inet6 UHLC rl0
175.130.127.254 175.135.116.213 (PPPOE IP address) UH tun0
192.168.1/24 link#1 UC vr0
192.168.5/24 link#3 UC ath0

My wireless interface light keeps on blinking rather than staying on steadily.

*Packet Filter Rules* (pfctl -sr)
nat on vr0 from !(vr0) to any -> (vr0) round-robin
scrub on vr0 all no-df fragment reassemble
scrub on vr0 all reassemble tcp

block drop in log on vr0 all
pass out quick on ath0/rl0 keep state.


Please help me understand why my PC cannot connect to the internet. My PC can
even ping the external interface IP address (192.168.1.2) but it shows no
internet access.

My external interface connects to a modem with the IP address 192.168.1.254.

Please help.

-- 
Linux



OpenBSD Strange Problem

2008-02-27 Thread Wong Peter
Hello all respected network administrators, I have set up an OpenBSD gateway but
the wireless connection (gateway) is not detected by the client, though before
this it was OK. It could be seen in Windows but now it cannot. I don't know what
is wrong with it.
I am sure my configuration is OK because I didn't edit it.
Another problem now is when booting up to the "starting network" step: previously I
did not need to press Ctrl+C to proceed to the DHCP request for rl0, but now I
need that. I also don't know what is wrong.
The third problem is that from OpenBSD I cannot ping the LAN client IP, but the
client can ping OpenBSD.
I tried route add 176.16.10.11 (destination) 176.16.10.1 (gateway), which returned
"file exists". If this route exists, then there should be no problem, but how
come I cannot ping from OpenBSD to the client?

My version of OpenBSD is 4.1

I hope you can help me out, because my hair has dropped until there is no more hair.


If you all need extra information or configuration, please let me know.


A billion thanks for your help

-- 
Linux



OpenBSD 4.1 Strange Problem

2008-02-25 Thread Wong Peter
Hello all respected network administrators, I have set up an OpenBSD gateway but
the wireless connection (gateway) is not detected by the client, though before
this it was OK. It could be seen in Windows but now it cannot. I don't know what
is wrong with it.

I am sure my configuration is OK because I didn't edit it.

Another problem now is when booting up to the "starting network" step: previously I
did not need to press Ctrl+C to proceed to the DHCP request for rl0, but now I
need that. I also don't know what is wrong.

The third problem is that from OpenBSD I cannot ping the LAN client IP, but the
client can ping OpenBSD.

I tried route add 176.16.10.11 (destination) 176.16.10.1 (gateway), which returned
"file exists". If this route exists, then there should be no problem, but how
come I cannot ping from OpenBSD to the client?

I hope you can help me out, because my hair has dropped until there is no more hair.

If you all need extra information or configuration, please let me know.

A billion thanks for your help.

-- 
Linux



Re: OpenBSD 4.1 Stable Strange Problem

2008-02-21 Thread Wong Peter
On 2/21/08, Wong Peter <[EMAIL PROTECTED]> wrote:
>
> Before this, it is not normal to me because it is very fast. Now become
> like this and also the wireless problem.
>
> My wireless card is Linksys Wmp54g.
>
> No, I did not do anything to rc.conf or rc.local.
>
> /etc/hostname.rl1 :
> inet 172.16.10.1 255.240.0.0
>
> /etc/hostname.ral0:
> inet 192.168.5.1 255.255.0.0 NONE media autoselect \ mediaopt hostap mode
> 11g nwid myname nwkey xxx
>
> /etc/hostname.rl0 (External Interface)
> dhcp NONE NONE NONE
>
> /etc/dhcpd.interfaces.
> ral0 rl1
>
> /etc/dhcpd.conf
>
> Wired
>
> subnet 172.16.0.0 netmask 255.240.0.0
> {
>option subnet-mask 255.240.0.0;
>option routers 172.16.10.1;
>range 172.16.10.12 and some fixed address;
> }
>
> wireless
>
> subnet 192.168.0.0 netmask 255.255.0.0
> {
>   option routers 192.168.5.1;
> }
>
> After boot, the wireless interface is not up and I need to manually bring
> it up with ifconfig ral0 192.168.5.1. After issuing this command, the
> status of the wireless interface is "no network".
>
> Below is the ifconfig -a | less output: rl1 (wired internal interface) is not
> connected
>
>
> rl1: status: no carrier
> inet 172.16.10.1 netmask 0xfff0 broadcast 172.31.255.255
>
> ral0:
> 
> groups: wlan
> media IEEE 802.11 autoselect (DS1)
> status no network
> ieee802.11: nwid myname (100dBm)
> inet 192.168.5.1 netmask 0xff00 broadcast 192.168.5.255
>
> Routing Tables:
>
> Internet
> Destination      Gateway          Flags  Refs  Use   Mtu    Interface
> default 219.93.218.177  UGS 13 2142 tun0
> 127/8127.0.0.1UGRS   0  0   33224 lo0
> 127.0.0.1   127.0.0.1   UH   2   0   33224lo0
> 155.207.113.207  219.93.218.177   UGHD   0   1682 - L tun0
> 172.116/12 link#2   UC0 0-   rl1
> 192.168.1/24   link#1   UC1   0  rl0
> 192.168.1.1  H.AUHLc 0   0  lo0
> 192.168.1.2   127.0.0.1   UGHS   0  0   lo0
> 219.93.218.177   60.48.180.172  UH2  0  1492  tun0
> 224/4   127.0.0.1   URS   0 0 33224 lo0
>
> Dmesg is as follows:
>
> ral0 at pci0 dev 15 function 0 "Ralink Rt2561S" rev 0x00: irq 10, address
> H.A ral0: MAC/BBP RT 2561C, RF Rt 2527
>
> Why is function 0?
>
> NAT rules:
>
> priv_add="192.168.0.0/16"
> priv_adds="172.16.0.0/12"
>
> nat on {ext_if} inet from $priv_add or $priv_adds to any ->  {$ext_if}
>
> rl0 is in promisc mode when I do a rootkit hunter scan.
> etherip.allow=1;
> ip.redirect=0;
> ip forward = 1
> esp.enable = 1
> ah.enable=1
>
> Cannot ping from OpenBSD to rl1 (wired internal interface)
>
> If you need any more information, please let me know.
>
> I'm one of the developers of rootkit hunter.
> A billion thanks for your help.
>
>
>
>
>



-- 
Linux