Visit Our UNIX and Linux User Community


What kind of hacking is going on here??


 
Thread Tools Search this Thread
Special Forums Cybersecurity What kind of hacking is going on here??
# 1  
Old 04-16-2011
Question What kind of hacking is going on here??

Connecting to the Internet with OpenVPN, the connection fails. Rerunning openvpn works second time round but the install is hacked at that point (e.g., a rogue 'java-security' update tries to install itself on 'yum update', yum however spots this and rejects the download, other basic things start to fail).

If I however open only a https udp port prior to bringing the network interface up and starting openvpn then all is fine.

Anyone any idea what is going on here?


Smilie

Last edited by Scott; 04-16-2011 at 07:49 PM..
# 2  
Old 04-17-2011
You really have not given us enough information to determine what is happening. However I would check for DNS spoofing and Man In the Middle attacks for starters.

What message is yum displaying when it rejects the download?
# 3  
Old 04-18-2011
OK, I've just watched Moxie Marlinspike from 2009:

thoughtcrime.org/software/sslstrip

It was a clean offline install of SL6, as soon as ifup exited the connect script attempted to connect openvpn. I didn't copy the ...messages output unfortunately. Second attempt it connected. Immediately followed with yum update, yum didn't attempt to synchronize with the repos, just went straight to a download of a file named 'java-security...' which was 70% complete when it started (leaving me sitting their wondering what was happening). Yum finished the download and immediately reported something hadn't checked (in future I will religiously log all these errors!), it made a second attempt which started from 0%, didn't take as long as the first attempt, which yum again rejected, yum did this approx. 4 times in total. The second time I ran yum update it behaved normally, as you would expect.

I've had continuous instances of the hacks Moxie describes for over a year now, so I think more or less certainly this is a MITM type hack. I've also had a SSL certificate error from one site (a Verizon cert. I think, the site was the local Police authority crime report form), and that is with the current install. However though with this current install none of the usual hacks have repeated (i.e., since tightening up the connect script). I am at this point anyway not sure what to do! Should I go mobile wireless!?

The main question I have at the moment is where could the data possibly be intercepted? A clean install, in a room with the door bolted behind me. This is a normal household Internet connection, I'm not using wifi (ethernet to the router), though I have a wifi router (could this have been compromised, and if so would it result in this problem?), which is connected to the Internet through a cable provider (Virgin cable). I can inspect the telecoms cable OK to the point it is in the ground.

The website this brought down btw was libraryweb.info (Library Web (UK)), I'm not a Unix admin. so this is all new territory.

---------- Post updated 18-04-11 at 11:08 AM ---------- Previous update was 17-04-11 at 08:42 PM ----------

Regarding the Police website and the rejected certificate. I was testing Konqueror 4.4.3, the same webpage however works fine with Firefox 3.6.3 (the cert. is accepted as valid).

I am though in Konqueror able to open the secure login page on the verisign website validated with a VeriSign certificate. So Konqueror is rejecting the VeriSign cert. on the Police website, but not on the actual verisign website itself.

Note if I accept the rejected certificate, when the page loads it is very sluggish, I find myself typing a few words before they actually appear in the text box (i.e., the display of the text being typed takes a second or two to catch up - this does not happen on any other web page). Also when I submit the page, it briefly (for a half second) reloads and redisplays itself positioned at the top of the page (not at the bottom where the submit button is), before displaying the acknowledgment of receipt page.

Also, I accepted the rejected cert., and submitted a crime report, and I'm confirming this now, but at this point it doesn't look as though the Police actually received the crime report setnt through to them (i.e., it didn't arrive).

merseyside.police.uk/index.aspx?articleid=2812 (page reporting the rejected cert.)
merseyside.police.uk/index.aspx?articleid=1646 (the linking page)

Screenshots of the certificate and chain attached.

Slackware 13 VirtualBox VM (default network interface, not a bridge) with SL6 host (OpenVPN connection to the Internet).

Is it a case of MITM passing most traffic through but listening for crime reports sent using the Police website?
What kind of hacking is going on here??-rejected_cert_1png
What kind of hacking is going on here??-rejected_cert_2png
What kind of hacking is going on here??-rejected_cert_3png
What kind of hacking is going on here??-rejected_cert_4png
What kind of hacking is going on here??-rejected_cert_5png


Last edited by GSO; 04-18-2011 at 08:42 AM..
# 4  
Old 04-18-2011
Quick update, the crime report I made on the webpage that Konqueror rejected the certificate did in fact arrive, the usual within 2 hours reply not being met in this case (I'm not sure exactly why!).

An additional thought returned to mind, konqueror didn't reject the certificate every time I went to the page for some odd reason, the cert. was initially rejected, but then I found I could access the page without the cert. error for a while, however the cert. error returned after maybe half a dozen accesses to the page. One other point, I'm using a more or less bare metal install (or the best a non-engineer can do at least - no more than twm etc.). (I also run home CCTV, though usually set my desktop up as a kiosk type login anyway.)

I've now changed VPN passwords using a mobile Internet connection, and servers while at it. Konqueror is still rejecting the page though. Checked one other site I know to be verified by VeriSign also and konqueror had no difficulty with it.

To conclude I am without a doubt being hacked badly (I've just tried to create a SL6 VM that was hacked almost immediately), though whether or not the phenomena with konqueror is a hack is still open I think.

If anyone has any tips on dealing with DNS spoofing and MITM attacks, books, webpages, etc., it would be appreciated.

Last edited by GSO; 04-18-2011 at 01:14 PM..

Previous Thread | Next Thread

8 More Discussions You Might Find Interesting

1. Linux

Kind of reverse engineering

Hi everyone, I'm a linux novice , in a training purpose i have to reconstruct under windows an application running under fedora 14, the application communicates with an STB device through RS232 in a first time and then through ethernet for firmware loading purpose. All what i know is how to run... (2 Replies)
Discussion started by: nidal
2 Replies

2. Programming

A different kind of counting in SQL

I am looking to do a count on a database table where some of the elements count double. Say the data is as follows: id value 1 X 2 Y 3 X 4 X 5 Y A regular count (SELECT value, COUNT(*) FROM data GROUP BY value) would yield: X 3 Y 2 However, Y happens to count double so the answer should... (2 Replies)
Discussion started by: figaro
2 Replies

3. Infrastructure Monitoring

sed help,,kind of urgent!!

Hello All, My problem is: I want to replace a line from a file with sed. The first word in that line is always the same in every server. The second line is server model, which of course will vary from platform to platform and I need to leave that word as it is. After the second word, I need to... (3 Replies)
Discussion started by: solaix14
3 Replies

4. Solaris

How to check the kind of file

Hi all, I'm working on Solaris 10 and I have to install some packets in which there are files of different kind. In this situation I need to know a command of UNIX/Solaris to check the kind of file. For example how can I know if the file has ISO or ASCII or BER or HEX format? Thank you... (4 Replies)
Discussion started by: Sunb3
4 Replies

5. Shell Programming and Scripting

Kind of knapsack problem

I need to run as many (thousands) very small cron jobs within a duration of 5 minutes and repeatedly through out the day. This kind of requirement would be up against system resources and limitations such as nproc, maxuprc, numbers of cron jobs allowed in crontab, RSS, SWAP, CPU and others that I... (3 Replies)
Discussion started by: ngungo
3 Replies

6. UNIX for Dummies Questions & Answers

What kind of Linux for the newbies?

I am one of the newbies. I want to load linux on my notebook, however, i am not sure which linux is the most recommend for the newbies. Could you please advise? Thanks you very much for any advise you may give me. Best Regards, SANLEN (2 Replies)
Discussion started by: sanlen
2 Replies

7. UNIX for Dummies Questions & Answers

how to determine which kind of unix is used

how can i determine which type of unix (solaris ,AIX,HP-UX...) is installed on the machine that i am working? (2 Replies)
Discussion started by: gfhgfnhhn
2 Replies

8. UNIX for Dummies Questions & Answers

what kind of UNIX

ok, so i want to figure out what type of UNIX i have and in this book im reading about it, it says that i can figure out what type i have by typing the command uname in the prompt. So i did this and it came up saying Darwin?? is that part of System V UNIX or BSD or do i have LINUX? if anyone can... (2 Replies)
Discussion started by: hiei
2 Replies

Featured Tech Videos