Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Mentioning USB sticks, cameras and other user peripherals may have been a bit of extrapolation/hyperbole on the article author's part. Though, in unSpawn's scenario, if a camera circuit board used the same parts as, say, a counterfeit router circuit board, you could end up with a situation whereby a dormant command in a camera transistor is activated when it plugs into a compromised PC which was activated when a compromised router was activated. If that scans as English, goodo!
I would think that if 5 percent of all chips are not genuine, and even if all were compromised, there would still be a fair confluence of events to activate them all. Not impossible, I guess, but as unSpawn says, it is more cost/time/etc. effective to lock down the supply chain than to investigate every transistor and chip in existence.
http://forum.qnap.com/viewtopic.php?f=11&t=18863
H_texmex_H: Here's an article about NAS issues with backdoors. Since it mentions flash, the article may be discussing USB hardware. unSpawn covers the topic even better. Your posts elsewhere imply that you may have a better grasp on this topic than most users. Why do you keep insisting backdoor code in firmware makes no sense?
While in China, I had 4 different computers, all running Linux, rendered useless within hours, multiple times. I never run as root except during setup, and never do that while connected. The MBR was altered and the root partitions were corrupted. 3 of these systems were meant to be internet firewalls, the 4th was my ancient HP laptop. Since then, whenever I have some time, I've been trying to learn how they did it.
Interesting article, but it has to do with encryption, and definitely there can be backdoors there.
Look, I'm not saying it's not possible for a USB drive to be carrying malware that can compromise your system, even add a backdoor, that's all possible. But, I don't think it's possible for it to do this on Linux (or at least near impossible). I just don't understand how it could. So you plug in this USB stick and it contains malware, nothing within Linux runs arbitrary code off a USB stick. The only way it could happen is if the mobo were planned ahead of time, or given an update to allow this, to run code off a USB stick if it meets certain criteria. Or there could be a hardware loophole that accidentally loads code from a USB stick that if structured properly could be run by the CPU. But, it's all so ... paranoid, so improbable ... ok, it's possible, but come on, this is probably not it at all, it's probably just some trojans on a USB stick that were designed for Window$.
Goodness, and I thought I was paranoid.
I also wish they would be more clear and specific in these types of articles. I mean they never really mention the details, I wanna know what is going on, exactly ... not just hints at what might be going on. Maybe they don't really know either ...
Last edited by H_TeXMeX_H; 02-10-2010 at 03:20 PM.
Quote:
Originally Posted by yonnieboy
http://forum.qnap.com/viewtopic.php?f=11&t=18863
While in China, I had 4 different computers, all running Linux, rendered useless within hours, multiple times. I never run as root except during setup, and never do that while connected. The MBR was altered and the root partitions were corrupted. 3 of these systems were meant to be internet firewalls, the 4th was my ancient HP laptop. Since then, whenever I have some time, I've been trying to learn how they did it.
Is there something special about the fact that you were in China? I mean, give some context to this example. Were your systems sitting out where strangers could access them? Were they being run by others? IOW, did you and only you have control of the hardware? Did they have trivial passwords? Did they all have the same password? Did you put the same passwords back on them when you rebuilt them? Did they have ports open unrelated to their task as firewalls? IOW, how were these machines vulnerable to these exploits? If Linux were as vulnerable as you're intimating, none of us would have usable machines. And yet, we do.
Well, to answer all the questions. This is really off-topic (backdoor hacks), but since you insist....
It was a start-up American company, I was brought in to oversee facilities and install machines. I brought my own laptop with Mepis on it. I was the only one with access to the computers, only 4 people total (3 chiefs and 1 indian). I setup one network at the new plant-site and one network each at 2 apartments. I bought parts to build 3 computers at a local computer mall. CPU at one store, motherboard & HD at another, chassis at another, etc. I brought a CD with the Linux firewall on it from home. I did not use the same passwords twice, did not have any software on a USB stick (didn't have a USB stick). My Mepis laptop got trashed the 2nd day there within 30 minutes after connecting to the internet, while I was trying to check email (guarddog was on). By trashed I mean it suddenly became non-responsive as in locked-up, I had to cycle power as nothing seemed to be working, and then it wouldn't boot-up anymore. That was when we decided we needed a firewall and off to the store we went.
I've never seen such effective malicious attacks before. Especially the part where they kill the OS apparently just for fun, (this happened multiple times at each location). I use the same software in the US and have never had this problem, not even a hint of malware making it through. Every test I've found and run, reports my firewall as very good. So that's why I think it's a backdoor via the hardware that the cracker was accessing.
Also, the HP laptop was an AMD CPU and the others were Intel on Asus motherboards.
The SMM exploit handily explains what happened.... except the first victim was an AMD and the next victims were not Intel DQ35 boards. And how the exploiter got root access is not understood, I'm thinking he didn't need it.
1 more thing... The city only had one ISP available, the phone company, several million users. The locations were geographically miles apart.
Last edited by yonnieboy; 02-10-2010 at 10:27 PM.
Reason: one more thing...
Nice account of things but since it's completely devoid of technical details it is not worth more than the average campfire story. With all due respect.
Quote:
Originally Posted by yonnieboy
Well, to answer all the questions. This is really off-topic (backdoor hacks), but since you insist....
It was a start-up American company, I was brought in to oversee facilities and install machines. I brought my own laptop with Mepis on it. I was the only one with access to the computers, only 4 people total (3 chiefs and 1 indian). I setup one network at the new plant-site and one network each at 2 apartments. I bought parts to build 3 computers at a local computer mall. CPU at one store, motherboard & HD at another, chassis at another, etc. I brought a CD with the Linux firewall on it from home. I did not use the same passwords twice, did not have any software on a USB stick (didn't have a USB stick). My Mepis laptop got trashed the 2nd day there within 30 minutes after connecting to the internet, while I was trying to check email (guarddog was on). By trashed I mean it suddenly became non-responsive as in locked-up, I had to cycle power as nothing seemed to be working, and then it wouldn't boot-up anymore. That was when we decided we needed a firewall and off to the store we went.
Did you rule out hardware failure, rather than instead assume it is some elaborate "backdoor" scheme from the start ?
I know anything made in China, especially electronics, has about 1000 % higher chance of failure than electronics produced in more serious countries (heck even the US). That doesn't mean there's any trojan or backdoor or anything, it just means sweatshop labor does not produce good quality products.
Unless you can prove that there exists something on one of the pieces of hardware that can cause this, this is 99 % likely to be hardware failure. Or do you have other info that makes you believe it to be a more sinister cause ?
This thread now enters a phase that can easily result in a stalemate. To avoid this I would like to point out the Linux Security forum deals with facts, not fiction. In practice this means that in this thread I would rather not read any more unsubstantiated claims. To keep things constructive, if anyone wants to continue discussing things, fine, but please back it up and preferably in a way that is not easily dismissible.
unSpawn : Thanks, it is a campfire story in the sense of what can one do when they get ambushed. I had very limited resources, and I'm not a network security guru. The point of my experience (the story) is that it glaringly exhibits that there are more exploits out there than just the SMM one referred to earlier that are not common knowledge.
The second time and thereafter, I observed the MBR was much larger and the root partitions were full. Also, the first piece of hardware that died was my Linksys wireless notebook adapter, it didn't work properly again after the first attack.
That is why I'm asking questions. I want to know more about alternative hardware/firmware routes (backdoor hacks) and possible ways to close them. I want to get or help develop a kit! A kit of minimum tools one should have and how to use it in just such a situation as what happened to me.
If I had the resources, I'd be willing to go back just to be able to gather helpful data.
H_texmex_H : I thought I had mentioned earlier that I had tested the crap out of the afflicted PCs and found nothing. I found a memory tester and ran it, I ran a hard disk bad block checking routine, found nothing. I used a PC exerciser to test for CPU and general hardware failures, found nothing. I kept the PCs running offline for 3 days, just to see if they were crashing due to faulty power supplies. And this was on 3 PCs. The new PCs had no issues, the owners gave me two days and then told me to stop and get on with the main other job, they refused to believe their Windows PCs were compromised, so I continued with the firewall project on my own time at night. After having no success at keeping these PCs functional once connected to the internet, I gave up. I did not have adequate knowledge of what was happening nor adequate resources to fight it. I wasted at least 100 hours, testing, re-installing software, an exercise in futility. If I go back, I want to take with me a better set of tools and some training in how to use them.
I had no problems with connecting the Linux PCs to the ISP, it was just as easy as anywhere else on the planet. Browsing with Firefox or SeaMonkey was just as easy, email worked just like always. But.... anywhere between 30 minutes to 12 hours while being connected, the firewalls would crash. The first firewall PC lasted about 12 hours, long enough to build/install the other 2, then all hell broke loose.
The experience left me a believer in backdoor exploits. I couldn't enlist the ISP to help me as I couldn't get someone on the phone to speak English well enough to get the issue across. They kept insisting I needed to use Windows, Linux won't work, a firewall wasn't necessary, their ISP had no viruses, trojans or hackers. (Their ISP was perfect and they live in a perfect MS world.) (Sounded just like my local ISP.)
Interesting side note: none of the locals I met while there buy official copies of Windows, it's all pirated. I picked up a new Thinkpad for one of the owners and the store clerk gave me a funny look when I asked for a new package of XP. The translator said they don't stock it, nobody ever buys it and then picked up a list of key codes to use and handed it to me.
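The altered-MBR observation and the wish for a minimal kit above point at one concrete defensive check that costs nothing: record a fingerprint of the disk's boot sector after a clean install and compare it on every later boot. This is an added example, not code from the thread or from any of its participants; the sector it works on is a constructed sample, and on a real machine read_mbr would be pointed at the block device (as root).

```python
import hashlib
import struct

MBR_SIZE = 512                 # the MBR is the first sector of the disk
PART_TABLE_OFFSET = 446        # boot code occupies bytes 0..445
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510..511 of a valid MBR

def read_mbr(path: str) -> bytes:
    """Read the first 512 bytes of a block device or disk image (e.g. /dev/sda, needs root)."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)

def parse_mbr(sector: bytes) -> dict:
    """Parse the four 16-byte primary partition entries and check the boot signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        # entry layout: status, CHS start(3), type, CHS end(3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFFSET + 16 * i)
        if ptype != 0:  # type 0 means the slot is unused
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return {"partitions": parts, "signature_ok": sector[510:512] == BOOT_SIGNATURE}

def fingerprint(sector: bytes) -> str:
    """SHA-256 of the whole sector; store this (offline) as the baseline after a clean install."""
    return hashlib.sha256(sector).hexdigest()

def verify(sector: bytes, baseline: str) -> list:
    """Return a list of findings; an empty list means the MBR is unchanged."""
    findings = []
    if not parse_mbr(sector)["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if fingerprint(sector) != baseline:
        findings.append("MBR differs from baseline")
    return findings

def build_sample_mbr() -> bytes:
    """Constructed test sector: stub boot code plus one bootable Linux (0x83) partition."""
    boot_code = b"\xEB\x3C\x90" + bytes(PART_TABLE_OFFSET - 3)
    entry = struct.pack("<B3sB3sII", 0x80, bytes(3), 0x83, bytes(3), 2048, 1_000_000)
    return boot_code + entry + bytes(16 * 3) + BOOT_SIGNATURE

if __name__ == "__main__":
    clean = build_sample_mbr()        # in practice: read_mbr("/dev/sda") on the known-good system
    baseline = fingerprint(clean)
    tampered = b"\x90" + clean[1:]    # one patched byte in the boot code
    print(verify(clean, baseline), verify(tampered, baseline))
```

Keep the baseline on separate media (a write-protected CD or USB stick) rather than on the disk being checked, since a bootkit that rewrites the MBR can also rewrite a file sitting next to it.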
Quote:
Originally Posted by yonnieboy
there are more exploits out there (..) that are not common knowledge.
With all due respect but what you've done amounts to playing a game of "pin the tail": trying to match up snippets of disparate information blindfolded and glue them into a point of view you think applies to your past incidents. But you're not at fault there: it's human nature. So while it is true that there are and always will be vulnerabilities and exploits out there that are not common knowledge, as far as I can see that does not apply here. I'll try to outline why not but I'll try and keep it short because I see you're actually on a quest:
Quote:
Originally Posted by yonnieboy
I want to know more about alternative hardware/firmware routes (backdoor hacks) and possible ways to close them. I want to get or help develop a kit! A kit of minimum tools one should have and how to use it in just such a situation as what happened to me.
On the memory side of things, while theoretical and lab application of ring-0 exploits through SMM was proven [1,2] before Blue Pill, even Blue-pill itself requires at least one simple condition to be met: matching HW to work on. BIOSes are designed by different vendors so there is no mono-culture (I mean in ways similar to how malware spreads on say ClippyOS). (As an aside BIOS level attacks aren't exactly new and BIOS bugs not even rare.)
Next to that for rootkittage in general there are additional and obvious requirements:
2. a way into the system. And I don't mean silicon. Just your average vuln to exploit: recon -> noise -> auditing -> log watching.
3. access to the root account. Same as #2: detectable.
4. knowledge of the HW and your toolkit.
5. a worthy target. Simply said the targets value would really have to justify putting in that amount of effort.
Concluding from a theoretical and risk management point of view, chances you'd have been hit by a SMM-type of exploit are about zero and chances you'd have been hit by a silicon type of exploit are infinitesimal (ranging into the ludicrously). Wrt your quest for toolage, and as far as I understand things (which undoubtedly needs improvement), where SMM should work no AV will help detect things, nor would booting any OS, nor booting a Live CD but maybe you get some consolation from SMM Rootkit limitations and how to defeat it (and maybe from this if you have one and know how to work it).