Re: Final Solution to Chinese Break in

2014-10-06 Thread Konstantin Olchanski
On Mon, Oct 06, 2014 at 02:06:04PM -0400, Larry Linder wrote:
 
 My suggestion is to unplug China from the Internet and a number of other 
 countries until they get their house in order.
 

Congratulations on reinventing the evil bit (RFC 3514). (Your E == IP is 
from China).

It is a common misconception that the bad guys are localized in China and a 
few other countries.

In reality, the bad guys are as globalized as anybody else and if you unplug 
China,
the same bad guys would show up with IP addresses in Africa, Europe, US, etc. 
(Take a look at
the going street prices of blocks of clean IP addresses).

-- 
Konstantin Olchanski
Data Acquisition Systems: The Bytes Must Flow!
Email: olchansk-at-triumf-dot-ca
Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada


Re: Final Solution to Chinese Break in

2014-10-06 Thread Konstantin Olchanski
On Sat, Oct 04, 2014 at 06:12:13PM -0400, Paul Robert Marino wrote:

One other problem is the FBI can only investigate criminals operating
within the United States ...


That's the 1990s FBI. Today, everybody is looking for Bin Laden.

... they really can't do anything if the criminal
is operating out of another country due to their mandated scope of
enforcement.

That's right, that's why hackers operate out of Russia - no risk
of extradition to the US. (just in case you thought it was the balmy climate
or the good cooking).

-- 
Konstantin Olchanski
Data Acquisition Systems: The Bytes Must Flow!
Email: olchansk-at-triumf-dot-ca
Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada


Re: Final Solution to Chinese Break in

2014-10-05 Thread jdow
If credit card fraud was involved you might check with the Secret Service. At 
least in the mid 80s credit card fraud was investigated by the Secret Service. 
I've no freaking idea why; but, during an investigation about some online 
stalking featuring me as one of the victims credit card fraud was involved. I 
was interviewed about it by a Secret Service agent and an FBI agent 
concurrently. Both were just a touch out of their depth. Sigi Kluger was 
ultimately prosecuted for the CC fraud, not the stalking, not the death threats, 
not the bodily harm (chop me up and feed me to his dog) but CC fraud that was 
small amounts over a full year. VERY few women stayed with McGraw-Hill's BIX 
or Byte Information eXchange through that year. I was too damn stubborn to be 
run out. But - damn - CC fraud was the Secret Service's domain? Washington DC 
was hopelessly screwed up even then.


{^_^}   Joanne

On 2014-10-04 21:26, Paul Robert Marino wrote:

you may be right, Interpol's economic crimes division might be the
right way to go; I've never considered that before.


On Sat, Oct 4, 2014 at 8:56 PM, Nico Kadel-Garcia nka...@gmail.com wrote:

On Sat, Oct 4, 2014 at 9:26 PM, Bill Maidment b...@maidment.me wrote:

There used to be an organisation called Interpol to deal with international 
crime. I haven't heard anything recent about them; do they still exist?

Regards
Bill Maidment


Interpol still exists, they've a web site at
https://www.interpol.int/. Since we've gone way off this mailing
list's announced purpose, I'll stop here.




Re: Final Solution to Chinese Break in

2014-10-05 Thread James Rogers
If your loss is less than $50K, the FBI is unlikely to help you unless your
case can be included in another investigation. You should still report it.
Or you'll never know. According to requirements put in place by our current
administration, if you call the FBI on the phone, someone will take your
report regardless of loss. So, if you call the FBI, they may not be able to
do anything for you, but they should take your statement and give you a
case number. This is a change from previous years. Let us all know if this
is not the case. This is my understanding of the laws and procedures as they
exist. They're still unlikely to do anything for you unless you can
demonstrate damages in excess of $50k.

Report your attack to your local police department. Do not call 911 unless
you are currently under physical threat. Call your local police department
directly, they are who you pay taxes to. If possible, go to your local PD
in person and don't leave until you have a copy of the report you filed.
Bring print-outs of your pertinent logs.

Bring all logs you can w/o compromising information that is private to
your users.
Your local PD will file the report and if they can help you they will.

If you want to know how to get your federal and local law involved, that's
how. I won't speak to efficacy, or willingness to act, that's up to the
LEOs in question, the case at hand, and how low all taxpayers set the
bar. But if you can bring any amount of information regarding crimes
against your company to any LEO, that's likely a good thing.

At least then, it's on the books and statistics will be updated. If you
don't report it... you aren't even statistics.

If you don't report your loss and the attacks, I guarantee you that nothing
will happen.

--J


Re: Final Solution to Chinese Break in

2014-10-05 Thread James Rogers
And yes, some of mine have had their physical safety threatened by griefers
and extortionists (we'll swat you if you don't pay constitutes a physical
threat) online. They reported it to local and national law-enforcement.
It's been ugly. But if no one reports these asshats, nothing _CAN_ be done.

Feel free to report the IPs of anyone involved in your attacks. We can all
ban them.




Re: Final Solution to Chinese Break in

2014-10-05 Thread James Rogers
Interpol is not so much an org as an agreement between LEOs in different
countries. Not an LEO so much as a way of sharing information.

The FBI, according to presentations they've given, is very interested in
crimes in all countries even if they cannot pursue or prosecute. And are
more than willing to interdict criminals in any country that allows their
shoes on the ground.

--James

On Sat, Oct 4, 2014 at 9:26 PM, Bill Maidment b...@maidment.me wrote:

 There used to be an organisation called Interpol to deal with
 international crime. I haven't heard anything recent about them; do they
 still exist?

 Regards
 Bill Maidment





Re: Final Solution to Chinese Break in

2014-10-05 Thread James Rogers
FBI Contact US page:

http://www.fbi.gov/contact-us

And hey, give us IPs for your attackers so that we can block them at our
routers.






Re: Final Solution to Chinese Break in

2014-10-05 Thread James Rogers
I don't block China and NK, but for the most part, my decision is automatic
when I see IPs out of those countries. I kill OUTPUT and INPUT. It might
not solve your problem, but it can't hurt. I kill OUTPUT and INPUT on every
IP I can with the assumption that if people really have problems I'll
notice, and if users have problems, I'll be called. If you see issues from
an IP, you don't want to talk to it anymore, ever.

On Sun, Oct 5, 2014 at 6:32 AM, James Rogers wa...@preternatural.net
wrote:

 I also highly recommend running a whois on the IPs used in the attacks,
 and then creating DROP rules for the entire ASN for your attackers if you
 don't have any legit reason for talking to that range.

 I keep whole /8's and /16's in my iptables DROP list. If you can limit the
 people you want to talk to, then only talk to those IPs. A small positive
 list is often more useful than sections of the rest of the world.


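The whois-then-DROP procedure James describes above, as an added example that is not part of the original thread: a POSIX shell script that pulls the route prefixes out of a whois answer and emits the matching INPUT and OUTPUT DROP rules for review before anything is loaded. The `whois_lookup` wrapper and the whois text it returns are constructed stand-ins (documentation prefixes, a private-use ASN) so the script runs offline; in real use the wrapper body is the actual `whois` binary.

```shell
#!/bin/sh
# Added example, not from the thread: whois answer for an attacking IP ->
# iptables INPUT/OUTPUT DROP rules, printed for review (APPLY=1 loads them).
# whois_lookup is a hypothetical offline stand-in; swap in the real whois binary.

# Constructed sample whois output in RIPE/APNIC style, using documentation prefixes.
SAMPLE_WHOIS='inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-NET
country:        ZZ
route:          203.0.113.0/24
origin:         AS64496
descr:          constructed example route object'

whois_lookup() {
    # Production: whois "$1"   (needs network access)
    printf '%s\n' "$SAMPLE_WHOIS"
}

# Pull every prefix out of whois text on stdin. Handles RIPE/APNIC "route:"
# objects and ARIN "CIDR:" lines, which may list several prefixes per line.
extract_prefixes() {
    awk 'tolower($1) == "route:" || tolower($1) == "cidr:" {
            for (i = 2; i <= NF; i++) {
                gsub(",", "", $i)
                if ($i ~ /^[0-9.]+\/[0-9]+$/) print $i
            }
         }' | sort -u
}

# Origin ASN of the first route object, for building an ASN-wide list later.
extract_asn() {
    awk 'tolower($1) == "origin:" { print toupper($2); exit }'
}

# Rules for one prefix, both directions as the post describes: never accept
# from it (INPUT, match source) and never talk to it (OUTPUT, match destination).
drop_rules_for() {
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
    printf 'iptables -I OUTPUT -d %s -j DROP\n' "$1"
}

# Attacking IP in, rule list out. Prints the commands unless APPLY=1,
# so what a whois-derived block actually covers is visible before loading.
block_source() {
    whois_lookup "$1" | extract_prefixes | while read -r prefix; do
        if [ "${APPLY:-0}" = "1" ]; then
            drop_rules_for "$prefix" | sh
        else
            drop_rules_for "$prefix"
        fi
    done
}

# Command-line use: ./block.sh 203.0.113.7
if [ $# -gt 0 ]; then
    block_source "$1"
fi
```

A whois answer for one address only yields that address's route object; to cover every prefix an ASN announces, query an IRR such as RADB with `-i origin ASnnnn` and feed its answer through extract_prefixes. Dropping a whole /8 or /16, as the post describes, also cuts off everyone else in that range, so review the emitted list before setting APPLY=1.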






Re: Final Solution to Chinese Break in

2014-10-05 Thread Paul Robert Marino
That is because the Secret Service is part of the Treasury Department, oddly enough. Even though they are most known for protecting the president, they are actually a law enforcement agency.

-- Sent from my HP Pre3

On Oct 5, 2014 2:54 AM, jdow j...@earthlink.net wrote:
 If credit card fraud was involved you might check with the Secret Service. At
least in the mid 80s credit card fraud was investigated by the Secret Service. 


Re: Final Solution to Chinese Break in

2014-10-05 Thread Paul Robert Marino
Well it looks like in 2003 it was transferred to the new at that time DHS. It originally was not a waste of money because the FBI didn't exist yet so it was vital at the time. Can it be consolidated now? Yes; but that doesn't mean a new conglomerate agency would do a good job.

All things said and done, outside of the protection of the president and other dignitaries the Secret Service has a long history of being very good and efficient at their originally mandated job even in the internet age, which is really to deal with finance related crimes, originally meaning preventing the circulation of fake currency.

I think a new agency needs to be developed with a strict mandate of international internet crimes; however I don't trust modern politicians to do a great job of designing it to work in our best interests. Honestly I don't think they know enough about the subject to even know if they are or are not doing the right thing.

-- Sent from my HP Pre3

On Oct 5, 2014 2:04 PM, Jason Bronner jason.bron...@gmail.com wrote:
 It's under DHS now and has been under DHS for quite a while. Initially that's who is tasked with investigating counterfeiting US currency and is why they were a division of the Treasury Dept. Had a nice chat with one of their reps when I was still in management and someone shot a fake 100 through my safe and I filled out the paperwork on it at the bank.

 On Sun, Oct 5, 2014 at 11:54 AM, jdow j...@earthlink.net wrote:
  Like I say, our government is totally disorganized and overbloated. Law enforcement should be part of DoJ not Treasury. But, we gotta waste money somehow so we get a mishmash of a hodgepodge. Nuff said - except to note that I wanted a chance to live enough that I illegally carried a .38 special for most of that year and slept with it under the pillow. Surrender is for victims. I gave up being a victim and liked the feeling.

{o.o}

 




Re: Final Solution to Chinese Break in

2014-10-04 Thread Paul Robert Marino
One other problem is the FBI can only investigate criminals operating within the United States; they really can't do anything if the criminal is operating out of another country due to their mandated scope of enforcement. In fact internet crimes are really difficult for any law enforcement because they are usually international and therefore exceed their jurisdiction. The laws that limit jurisdiction are meant to protect our rights and prevent any one law enforcement agency from having enough power to threaten the government; however this makes it nearly impossible for any one of them to truly investigate internet crimes. What is needed is a new agency whose jurisdiction is international internet crimes; however that also presents its own risks because if you think the NSA is bad about respecting our rights just wait to see what an international agency tasked with tracking internet crimes would do.

-- Sent from my HP Pre3

On Oct 3, 2014 12:30 AM, Nico Kadel-Garcia nka...@gmail.com wrote:
On Thu, Oct 2, 2014 at 4:02 PM, Larry Linder
larry.lin...@micro-controls.com wrote:
 On May 22 our server was broken into by some one in China.   How it happened
 is that we had had a hole in our firewall so employees could access our
 server from the field.   This had worked pretty well - until the AT Motorola
 modem died and they installed two new ones and left the port to the ssh open.

*Ouch*. Dude, you've my sympathies. This sort of thing is precisely
why I argue with people about the concept of "we have a firewall, so
we don't need to be so rigorous about our internal network security".
And oh, yes, the old standby "who would want to hack us?"

 The people who did this job had more than a working knowledge of networks,
 Linux and file systems.   We were wondering how they could create a
 directory at the end of the file system; it was a puzzle.   They had root privilege, ssh,
 and with access to bash they were in.

And the kernel. Don't forget that with that level of access, they can
manipulate the modules in your kernel.

 How did they cover their tracks so well?  "messages" was there but filled
 with nonsense and file in /var/log that tells you who and what was sent was
 touched was now missing.   "security" was there and you could see the

And since they owned root, they could replace core system libraries,
even corrupting compilers. *nothing* rebuilt on that host can be
trusted.

 repeated access attempts to break in again.  "cron" was changed so daily
 backups were done after they downloaded all new files.   "crontab -e" no
 longer worked.
 We made a copy of the OS onto an old disk and removed the disk from the system.
 There were so many changes to the OS and files in /etc that we did not even
 try to repair it.   There were 1000's of differences between the new install and
 the copy of the old system.

 I personally think the bash problem is overblown because they have to get
 through modem, firewall, ssh before they can use "bash".

That is *one* instance, and not really relevant to the circumstances
you described. In fact, many systems expose SSH to the Internet at
large for "git" repository access, and for telecommuting access to
firewalls and routers. The big problem with "shellshock" was that
attempts to restrict the available commands for such access, for
example inside "ForceCommands" controlled SSH "authorized_keys" files,
could now be broken out of and allow full local shell access. Once you
have *that* on a critical server, your hard crunchy outer shell is
cracked open and your soft chewy underbelly exposed.

 One question remains and that is what code and script did they use to run the
 system??

Gods only know. There are so *many* rootkits in the wild, and so much
theft of private SSH keys and brute force attacks or theft of
passwords, it's hard to know how they got in.

 If anyone wants details and IP's I will send it to them on an individual
 basis.

 We contacted the FBI and after a telephone interview,  they were sort of
 interested but I think the problem is so big they don't have time to work
 little stuff.

My personal experience with the FBI and computer crime is that they
are simply not competent. They accept information eagerly and do
nothing at all helpful with it. They have a very poor track record of
getting crackers to turn each other in and abusing the resulting
immunity from prosecution, and not actually investigating or
prosecuting more than the tiniest fraction of crimes reported.

 This is a little disjointed because it happened over a long time.

 Larry Linder

As I mentioned, you have my sympathies. It's a good reminder to keep
your internal systems updated against known attack vectors.

RE: Final Solution to Chinese Break in

2014-10-04 Thread Bill Maidment
There used to be an organisation called Interpol to deal with international 
crime. I haven't heard anything recent about them; do they still exist?

Regards
Bill Maidment
 
 
-Original message-
 From:Paul Robert Marino prmari...@gmail.com
 Sent: Sunday 5th October 2014 9:14
 To: Nico Kadel-Garcia nka...@gmail.com; Larry Linder 
 larry.lin...@micro-controls.com
 Cc: SCIENTIFIC-LINUX-USERS@FNAL.GOV scientific-linux-users@fnal.gov
 Subject: Re: Final Solution to Chinese Break in
 
 
 One other problem is the FBI can only investigate criminals operating within 
 the United States; they really can't do anything if the criminal is operating 
 out of another country due to their mandated scope of enforcement. 
 In fact internet crimes are really difficult for any law enforcement because 
 they are usually international and therefore exceed their jurisdiction. The 
 laws that limit jurisdiction are meant to protect our rights and prevent any 
 one law enforcement agency from having enough power to threaten the 
 government; however this makes it nearly impossible for any one of them to 
 truly investigate internet crimes. What is needed is a new agency whose 
 jurisdiction is international internet crimes; however that also presents its 
 own risks because if you think the NSA is bad about respecting our rights 
 just wait to see what an international agency tasked with tracking internet 
 crimes would do.
 
 -- Sent from my HP Pre3


Re: Final Solution to Chinese Break in

2014-10-03 Thread Nico Kadel-Garcia
On Fri, Oct 3, 2014 at 1:44 AM, Brad Cable b...@bcable.net wrote:
 Does git-shell use bash at all for its execution?  Shouldn't git-shell fix
 most of these issues?

I'm not sure git-shell wouldn't fix this issue, but introduce a raft
of configuration issues. I was referring to the commonplace use of the
SSH 'ForceCommands' option to restrict operations by a shared service
account, such as the SSH credentials used for
'g...@github.com:/username/reponame access, and even Github reported
vulnerability to this problem for some accounts. The use of
'git-shell' for such shared service accounts is an intriguing
approach I've not personally tried: thinking about it, it *sounds*
like it might work well.  I'm quite curious how Github and Bitbucket
and git.centos.org do it. Github, at least, did report partial
vulnerability, which they've addressed.

It wouldn't do bupkiss for most svn+ssh or rsync over SSH backup setups.


Re: Final Solution to Chinese Break in

2014-10-03 Thread Steven Haigh
On 3/10/2014 10:27 PM, Nico Kadel-Garcia wrote:
 It wouldn't do bupkiss for most svn+ssh or rsync over SSH backup setups.

rsync actually has an 'rrsync' utility in /usr/share/doc/rsync-x/support/

It is preferred to use this as the ForceCommand section of ssh config.
This prevents getting a full shell and (should) resolve this issue.

-- 
Steven Haigh

Email: net...@crc.id.au
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897




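An added example (not code from this thread, nor from rsync, git or OpenSSH) of the second layer behind a ForceCommand/command="..." restriction of the kind discussed above. The reason the restriction alone failed under shellshock: sshd runs a forced command as `$SHELL -c '<forced command>'` with the client's requested command exported in SSH_ORIGINAL_COMMAND, so when $SHELL was an unpatched bash (CVE-2014-6271) a client request of the form `() { :;}; /bin/sh` was imported as a function definition and its tail executed before the forced command was ever looked at. Patching bash and giving the service account a login shell that is not bash (git-shell, which answers the question about it above, or sh on systems where sh is not bash; on CentOS it is) closes that hole. The wrapper below is what a forced command should then look like: it parses SSH_ORIGINAL_COMMAND itself, allows only the git transport verbs against repositories confined under a directory, and execs an exact argv rather than handing the string back to any shell. REPO_ROOT, the wrapper name and the tainted-variable logging are assumptions for the example.

```python
"""Forced-command wrapper for a shared SSH service account (added example).

Assumes a hypothetical layout where bare repositories live under REPO_ROOT
and this script is installed as the command="..." of the account's
authorized_keys entries.
"""
import os
import re
import shlex
import sys

REPO_ROOT = "/srv/git"          # hypothetical location of the bare repositories
GIT_COMMANDS = {"git-upload-pack", "git-receive-pack", "git-upload-archive"}

# Unpatched bash imported any environment value starting with "() {" as a
# function definition (CVE-2014-6271); this is what a probe looks like.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")


def tainted_environment(env):
    """Names of environment variables whose values look like shellshock payloads.

    If bash was involved before this wrapper ran, the damage is already done;
    logging the names still tells you who is probing the service account.
    """
    return sorted(name for name, value in env.items() if SHELLSHOCK_RE.match(value))


def resolve_repo(arg, repo_root=REPO_ROOT):
    """Map a client-supplied repository argument to a path under repo_root.

    Returns None unless the argument is a plain relative path ending in .git
    that is unchanged by normalisation (so no "..", "a/..", "//", trailing "/")
    and stays inside repo_root.
    """
    rel = arg.lstrip("/")
    if not rel.endswith(".git"):
        return None
    if rel.startswith("..") or rel != os.path.normpath(rel):
        return None
    full = os.path.normpath(os.path.join(repo_root, rel))
    if os.path.commonpath([repo_root, full]) != repo_root:
        return None
    return full


def decide(original_command, repo_root=REPO_ROOT):
    """Return (argv, reason): argv is the exact vector to exec, or None if refused."""
    if not original_command:
        return None, "interactive shell requested"
    try:
        words = shlex.split(original_command)
    except ValueError as exc:            # unbalanced quotes
        return None, "unparseable command: %s" % exc
    # git speaks "git-upload-pack '<path>'": exactly one verb and one argument.
    # Anything else, including "cmd '<path>'; id" (three words), is refused.
    if len(words) != 2 or words[0] not in GIT_COMMANDS:
        return None, "not an allowed git command: %r" % (original_command,)
    repo = resolve_repo(words[1], repo_root)
    if repo is None:
        return None, "repository path rejected: %r" % (words[1],)
    return [words[0], repo], "ok"


def main():
    for name in tainted_environment(os.environ):
        sys.stderr.write("refusing: shellshock-style value in %s\n" % name)
        sys.exit(1)
    argv, reason = decide(os.environ.get("SSH_ORIGINAL_COMMAND", ""))
    if argv is None:
        sys.stderr.write("refusing: %s\n" % reason)
        sys.exit(1)
    os.execvp(argv[0], argv)             # exec directly: no shell re-parses the string


if __name__ == "__main__":
    main()
```

The matching authorized_keys line would be `command="/usr/local/bin/git-wrapper",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA...` (path is an assumption); `getent passwd git` should show a non-bash login shell. For rsync-over-SSH backups the rrsync script Steven mentions plays the same role, e.g. `command="/path/to/rrsync -ro /srv/backup"`, and the same caveat applies: it only helps once the login shell doing the `-c` step is not a vulnerable bash.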

Re: Final Solution to Chinese Break in

2014-10-02 Thread Konstantin Olchanski
On Thu, Oct 02, 2014 at 04:02:56PM -0400, Larry Linder wrote:
 on May 22 Our server was broken into by some one in China. ...

By this you mean that you saw IP addresses assigned to an ISP in China,
the actual attackers could have been anywhere in the world, right?

-- 
Konstantin Olchanski
Data Acquisition Systems: The Bytes Must Flow!
Email: olchansk-at-triumf-dot-ca
Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada


Re: Final Solution to Chinese Break in

2014-10-02 Thread Nico Kadel-Garcia
On Thu, Oct 2, 2014 at 4:02 PM, Larry Linder
larry.lin...@micro-controls.com wrote:
 on May 22 Our server was broken into by someone in China.   How it happened
 is that we had had a hole in our firewall so employees could access our
 server from the field.   This had worked pretty well - until the AT&T Motorola
 modem died and they installed two new ones and left the port to the ssh open.

*Ouch*. Dude, you've my sympathies. This sort of thing is precisely
why I argue with people about the concept of "we have a firewall, so
we don't need to be so rigorous about our internal network security."
And oh, yes, the old standby "who would want to hack us?"

 The people who did this job had more than a working knowledge of networks,
 Linux and file systems.   We were wondering how they could create a
 directory at the end of the file system; it was a puzzle.   They had root
 privilege, ssh, and with access to bash they were in.

And the kernel. Don't forget that with that level of access, they can
manipulate the modules in your kernel.

 How did they cover their tracks so well?  messages was there but filled
 with nonsense, and the file in /var/log that tells you who and what was sent
 had been touched and was now missing.   security was there and you could see the

And since they owned root, they could replace core system libraries,
even corrupting compilers. *nothing* rebuilt on that host can be
trusted.

 repeated access attempts to break in again.  cron was changed so daily
 backups were done after they downloaded all new files.   crontab -e no
 longer worked.
 We made a copy of the OS onto old disk and removed disk from the system.
 There were so many changes to the OS and files in /etc that we did not even
 try to repair it.   There were 1000's of differences between new install and
 copy of old system.

 I personally think the bash problem is overblown because they have to get
 through modem, firewall, ssh before they can use bash.

That is *one* instance, and not really relevant to the circumstances
you described. In fact, many systems expose SSH to the Internet at
large for git repository access, and for telecommuting access to
firewalls and routers. The big problem with shellshock was that
attempts to restrict the available commands for such access, for
example inside ForceCommand-controlled SSH authorized_keys files,
could now be broken out of and allow full local shell access. Once you
have *that* on a critical server, your hard crunchy outer shell is
cracked open and your soft chewy underbelly exposed.

 One question remains and that is what code and script did they use to run the
 system??

Gods only know. There are so *many* rootkits in the wild, and so much
theft of private SSH keys and brute force attacks or theft of
passwords, it's hard to know how they got in.

 If anyone wants details and IP's I will send it to them on an individual
 basis.

 We contacted the FBI and after a telephone interview,  they were sort of
 interested but I think the problem is so big they don't have time to work
 little stuff.

My personal experience with the FBI and computer crime is that they
are simply not competent. They accept information eagerly and do
nothing at all helpful with it. They have a very poor track record of
getting crackers to turn each other in and abusing the resulting
immunity from prosecution, and not actually investigating or
prosecuting more than the tiniest fraction of crimes reported.

 This is a little disjointed because it happened over a long time.

 Larry Linder

As I mention, you have my sympathies. It's a good reminder to keep
your internal systems updated from known attack vectors.