LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 04-18-2019, 08:51 PM   #1
Frickymind
LQ Newbie
 
Registered: Apr 2019
Posts: 7

Rep: Reputation: Disabled
Question Sudo and veracrypt calling IP addresses on password entry


Parrot GNU/Linux 4.6
Veracrypt 1.23

I've discovered something very weird and concerning.

I'm running Parrot OS 4.6. It's a new install I've only had up for a couple of days. I've installed Veracrypt 1.23 from an old archive I downloaded last year. I've also installed Opensnitch.

I went to open a veracrypt volume and after I entered the volume password opensnitch popped up a dialogue window announcing :

sudo -S-p /usr/bin/veracrypt --core-service

sudo is connecting to 139.99.96.146 on udp port 53 .
Source IP 192.1##.### (mine obviously)
Destination IP 139.99.96.146 User ID 0 (root) Process ID 2847.


A bit shocked, I blocked the connection. So then the administrator privileges required box opens and I enter my password.

The Veracrypt box pops up saying please wait and the progress bar bounces back and forward for ages. Finally, a message pops up saying:

" Bad file descriptor VeraCrypt::CoreService::StartElevated:157".


Ok. Weird. So I turn off my wifi connection, repeat the process exactly and the process goes completely normally and the volume opens.

I check the statistics of opensnitch and discover that two processes - exim4 and sudo were trying to connect to two IPs :

139.99.96.146:53

>>
Source: whois.arin.net
IP Address: 139.99.96.146
Name: VPS-SGP
Handle: NET-139-99-96-0-1
Registration Date: 1/12/18
Range: 139.99.96.0-139.99.99.255
Org: OVH Singapore PTE. LTD
Org Handle: OSPL-8
Address: 135 Cecil Street #10-01 Myp Plaza
City: SINGAPORE
State/Province:
Postal Code: 069536

>>



and



37.59.40.15:53


>>
Source: whois.ripe.net
IP Address: 37.59.40.15

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '37.59.0.0 - 37.59.63.255'

% Abuse contact for '37.59.0.0 - 37.59.63.255' is 'abuse@ovh.net'

inetnum: 37.59.0.0 - 37.59.63.255
netname: OVH
descr: OVH SAS
descr: Dedicated servers
descr: http://www.ovh.com
country: FR
admin-c: OK217-RIPE
tech-c: OTC2-RIPE
status: ASSIGNED PA
mnt-by: OVH-MNT
created: 2012-02-15T15:09:01Z
last-modified: 2012-02-15T15:09:01Z
source: RIPE # Filtered

role: OVH Technical Contact
address: OVH SAS
address: 2 rue Kellermann
address: 59100 Roubaix
address: France
admin-c: OK217-RIPE
tech-c: GM84-RIPE
tech-c: SL10162-RIPE
nic-hdl: OTC2-RIPE
abuse-mailbox: abuse@ovh.net
mnt-by: OVH-MNT
created: 2004-01-28T17:42:29Z
last-modified: 2014-09-05T10:47:15Z
source: RIPE # Filtered

person: Octave Klaba
address: OVH SAS
address: 2 rue Kellermann
address: 59100 Roubaix
address: France
phone: +33 9 74 53 13 23
nic-hdl: OK217-RIPE
mnt-by: OVH-MNT
created: 1970-01-01T00:00:00Z
last-modified: 2017-10-30T21:44:51Z
source: RIPE # Filtered

% Information related to '37.59.0.0/16AS16276'

route: 37.59.0.0/16
descr: OVH ISP
descr: Paris, France
origin: AS16276
mnt-by: OVH-MNT
created: 2012-01-25T17:04:21Z
last-modified: 2012-01-25T17:04:21Z
source: RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.93.2 (ANGUS)
>>



These IPs also seem to link to PARROT SEC on some whois checks. The clock applet tries to connect to 139.99.96.146:53 on login.

Later I tried to run $ sudo caja from the terminal and the cursor flashed for ages before returning "sudo: unable to resolve host parrot: Temporary failure in name resolution" and then asking me for the password.

I have run the same veracrypt install in an ubuntu virtual machine and opensnitch does not log anything weird.

I have run Zulucrypt in Parrot and there was no message from opensnitch.

Anyone have a clue what is going on?



*Additionally, I have run RootKitHunter and got some warnings :

03:38:46] /usr/bin/lwp-request [ Warning ]

03:38:51] Info: Found file '/bin/egrep': it is whitelisted for the 'script replacement' check.

[03:38:51] Info: Found file '/bin/fgrep': it is whitelisted for the 'script replacement' check.

03:38:54] Info: Found file '/bin/which': it is whitelisted for the 'script replacement' check.

[03:41:57] Warning: The following suspicious (large) shared memory segments have been found:
[03:41:57] Process: /usr/bin/mate-panel PID: 1348 Owner: o1o Size: 128MB (configured size allowed: 1.0MB)
[03:41:57] Process: /usr/bin/caja PID: 1382 Owner: o1o Size: 4.0MB (configured size allowed: 1.0MB)
[03:41:57] Process: /usr/bin/caja PID: 1382 Owner: o1o Size: 128MB (configured size allowed: 1.0MB)
[03:41:57] Process: /usr/lib/firefox/firefox PID: 2002 Owner: o1o Size: 3.9MB (configured size allowed: 1.0MB)
[03:41:57] Process: /usr/lib/firefox/firefox PID: 2002 Owner: o1o Size: 3.9MB (configured size allowed: 1.0MB)
[03:41:57] Process: /usr/lib/firefox/firefox PID: 2002 Owner: o1o Size: 2.0MB (configured size allowed: 1.0MB)
[03:41:57] Process: /usr/lib/firefox/firefox PID: 2002 Owner: o1o Size: 2.0MB (configured size allowed: 1.0MB)
[03:41:57] Process: /usr/lib/x86_64-linux-gnu/polkit-mate/polkit-mate-authentication-agent-1 PID: 1488 Owner: o1o Size: 4.0MB (configured size allowed: 1.0MB)
[03:41:57] Process: /usr/bin/pluma PID: 27296 Owner: o1o Size: 16MB (configured size allowed: 1.0MB)
[03:41:58] Process: /usr/bin/caja PID: 26638 Owner: root Size: 16MB (configured size allowed: 1.0MB)
[03:41:58] Process: /usr/bin/caja PID: 26638 Owner: root Size: 64MB (configured size allowed: 1.0MB)



[03:42:56] Checking /dev for suspicious file types [ Warning ]
[03:42:56] Warning: Suspicious file types found in /dev:
[03:42:56] /dev/shm/mono.1125: data
[03:42:56] Checking for hidden files and directories [ Warning ]
[03:42:56] Warning: Hidden directory found: /etc/.java


I don't know how to proceed from here.

Any help would be much appreciated.

Many thanks.
F
 
Old 04-19-2019, 05:19 PM   #2
Frickymind
LQ Newbie
 
Registered: Apr 2019
Posts: 7

Original Poster
Rep: Reputation: Disabled
GIF

Here's a gif of the process if anyone is interested:

https://giphy.com/gifs/Wm8SaXQYZkuLjEJW6v
 
Old 04-19-2019, 05:29 PM   #3
hydrurga
LQ Guru
 
Registered: Nov 2008
Location: Pictland
Distribution: Linux Mint 19.1 MATE
Posts: 7,906
Blog Entries: 5

Rep: Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821
Port 53 is for DNS requests.

Check the contents of /etc/resolv.conf for the ParrotDNS/OpenNIC nameservers.
 
Old 04-19-2019, 07:19 PM   #4
Frickymind
LQ Newbie
 
Registered: Apr 2019
Posts: 7

Original Poster
Rep: Reputation: Disabled
Thanks for the reply.

Resolv.conf contains:

# ParrotDNS/OpenNIC
nameserver 139.99.96.146
nameserver 37.59.40.15
nameserver 185.121.177.177

# Round Robin
options rotate

So they're the Parrot OS namservers. But why are sudo and exim 4 calling these servers when I'm entering my password for certain commands and for opening veracrypt volumes? Why does the opening of the veracrypt volume go swiftly when the networking is disabled? Why doesn't this happen on Ubuntu or Mint in the same context?
 
Old 04-19-2019, 08:30 PM   #5
hydrurga
LQ Guru
 
Registered: Nov 2008
Location: Pictland
Distribution: Linux Mint 19.1 MATE
Posts: 7,906
Blog Entries: 5

Rep: Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821
As this appears to be Parrot-specific, if you don't get any answers here, perhaps you could ask on the Parrot forum (https://community.parrotsec.org/)?
 
Old 04-19-2019, 08:41 PM   #6
hydrurga
LQ Guru
 
Registered: Nov 2008
Location: Pictland
Distribution: Linux Mint 19.1 MATE
Posts: 7,906
Blog Entries: 5

Rep: Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821
A wee bit of Googling unearthed this: https://sourceforge.net/p/veracrypt/...read/f8dbb975/

What might be happening is that VeraCrypt searches for localhost, but Parrot's DNS protection kicks in and contacts their OpenNIC server.

Over to you to contact Parrot OS and also do some more Googling to determine how to prevent that "protection" kicking in for references to localhost.
 
Old 04-19-2019, 08:49 PM   #7
Frickymind
LQ Newbie
 
Registered: Apr 2019
Posts: 7

Original Poster
Rep: Reputation: Disabled
Thanks. Yeah, I've already seen that. But does that explain why other sudo operations, such as sudo caja would trigger the same behaviour?
 
Old 04-19-2019, 09:02 PM   #8
hydrurga
LQ Guru
 
Registered: Nov 2008
Location: Pictland
Distribution: Linux Mint 19.1 MATE
Posts: 7,906
Blog Entries: 5

Rep: Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821
Localhost is your local machine. It's not particularly surprising that a file manager will refer to it.
 
Old 04-20-2019, 02:53 AM   #9
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 11,490
Blog Entries: 8

Rep: Reputation: 3016Reputation: 3016Reputation: 3016Reputation: 3016Reputation: 3016Reputation: 3016Reputation: 3016Reputation: 3016Reputation: 3016Reputation: 3016Reputation: 3016
139.99.96.146 is parrotsec.
for me, this is just another proof that parrotsec isn't a very good distro at all.
(i have ranted about this before)
 
Old 04-21-2019, 06:31 PM   #10
Frickymind
LQ Newbie
 
Registered: Apr 2019
Posts: 7

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by ondoho View Post
139.99.96.146 is parrotsec.
for me, this is just another proof that parrotsec isn't a very good distro at all.
(i have ranted about this before)
Yeah,I'm in two minds about it. The website is very persuasive, but lacking much detailed information, a few important links are even empty. I gave them the benefit of the doubt and thought maybe it was a temporary lapse, but having used it for a bit I'm not sure if it has many advantages. From your understanding does it have any extra security measures which are missing from Ubuntu or Linux Mint apart from firejail being installed by default?

What Secure OS would you recommend for daily use? Qubes is a bit extreme for me.

Cheers

Last edited by Frickymind; 04-21-2019 at 06:32 PM.
 
Old 04-21-2019, 06:32 PM   #11
Frickymind
LQ Newbie
 
Registered: Apr 2019
Posts: 7

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by hydrurga View Post
Localhost is your local machine. It's not particularly surprising that a file manager will refer to it.
Ok, that makes sense. Thanks for the help.
 
Old 04-22-2019, 12:40 AM   #12
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 11,490
Blog Entries: 8

Rep: Reputation: 3016Reputation: 3016Reputation: 3016Reputation: 3016Reputation: 3016Reputation: 3016Reputation: 3016Reputation: 3016Reputation: 3016Reputation: 3016Reputation: 3016
Quote:
Originally Posted by Frickymind View Post
What Secure OS would you recommend for daily use?
open a can of worms.
first you need to define "Secure" (with a capital S), and your specific requirements.
Many people said it before me, I'll say it again: security (without a capital S) is how you use your machine, not something you install.
Granted, that's not the whole answer, but IMO any (GNU/Linux) OS can be secure, and none is if you don't use it that way.
 
Old 04-23-2019, 08:40 AM   #13
Frickymind
LQ Newbie
 
Registered: Apr 2019
Posts: 7

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by ondoho View Post
open a can of worms.
first you need to define "Secure" (with a capital S), and your specific requirements.
Many people said it before me, I'll say it again: security (without a capital S) is how you use your machine, not something you install.
Granted, that's not the whole answer, but IMO any (GNU/Linux) OS can be secure, and none is if you don't use it that way.
Yeah, I understand that it's probably a dumb question. I suppose I'm looking for a debian distro that has had some extra work put into making it secure for simpletons like me. Something with firejail, dns encryption, firewall enabled by default. Although i'm sure there are other factors I'm not aware of.

Let's make it easier. You don't think Parrot is a good distro at all. What would be 3 distros you would recommend as "good" ?
 
Old 04-23-2019, 10:55 AM   #14
Jan K.
LQ Newbie
 
Registered: Apr 2019
Location: Esbjerg
Posts: 6

Rep: Reputation: 2
Have you checked Distrowatch?

Top three should be "good" though some may prefer number 163...
 
Old 04-25-2019, 04:29 PM   #15
hydrurga
LQ Guru
 
Registered: Nov 2008
Location: Pictland
Distribution: Linux Mint 19.1 MATE
Posts: 7,906
Blog Entries: 5

Rep: Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821Reputation: 2821
Quote:
Originally Posted by Jan K. View Post
Have you checked Distrowatch?

Top three should be "good" though some may prefer number 163...
Probably the most ephemeral post I've seen on here due to the constant changes in the DistroWatch rankings.

For those looking in from 2029 (or even next week), the top 3 referred to are MX Linux, Manjaro and Mint. Number 163 is CRUX. As far as I am aware though, none of these have the extra protections by default that the OP is seeking (although these wouldn't be difficult to add in or configure, I imagine), while Manjaro is not a Debian-based distro, which was also one of the OP's wishes.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: How To Encrypt An USB Drive With VeraCrypt (Compatible With Windows, macOS and Linux) LXer Syndicated Linux News 0 10-19-2018 10:21 PM
LXer: The Ultimate Sudo FAQ To Sudo Or Not To Sudo? LXer Syndicated Linux News 13 04-13-2013 01:36 AM
[SOLVED] sudo password different from non-sudo password edrom Linux - Newbie 2 04-20-2012 03:00 PM
[SOLVED] sudo for a single command with no password entry tara Linux - General 3 04-21-2010 02:58 AM
odd recursion: calling "by hand" vs calling by cronscript... prx Programming 4 02-12-2005 04:59 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 11:04 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration