From silvio.cretti at create-net.org Tue Jun 2 12:38:58 2015
From: silvio.cretti at create-net.org (Silvio Cretti)
Date: Tue, 2 Jun 2015 12:38:58 +0200
Subject: [Fiware-lab-recovery-tf] Fwd: Serious security issue!!

Please check the images. This could be disruptive!!
I will come back in the office tomorrow.
Silvio

Dear all,
I am still out of office but given the urgency of the topic I prefer to inform you asap.
Please read carefully the attached email and, given the topic, keep it confidential.
Then probably it is better to have a telco tomorrow in order to be aligned on how to proceed. My idea is to have it late in the morning. I will send you an invitation this evening.
I must thank Bernd and the Fraunhofer team for all their work and support.
Best regards
Silvio

>
> Dear Node Owners,
>
> We have been identifying a severe security issue and want to inform you about this and about suggested countermeasures.
>
> We noticed malicious traffic originating from a number of instances at the Berlin node.
> We found that the at least two baseline images and the Orion Broker image have been infected by a root kit.
> Since baseline images are affected it is reasonable to assume that also other, potentially all FIWARE images are affected too.
> We checked that the images have not been modified since uploaded to the Berlin node.
>
> The root kit becomes active upon instantiation of an infected image and hides itself as SSH establishing connections to some well-known and already blacklisted remote C&C servers through source port 22 on IPv4 and IPv6.
>
> The root kit daemon hides itself as an SSH daemon and is only active for a few seconds, then terminating and restarting itself under a different PID.
> We could not identify the process for this reason so far.
>
> As an immediate action we suggest the following:
> Block any outgoing connection set-up attempt on tcp source port 22. SSHD is usually only listening on this port.
> Disable user/password log-ins on any images and instances. We suggest to have a look on guestfish (http://libguestfs.org/guestfish.1.html) to modify images without instantiating.
> Blacklist the following IP addresses:
> 130.195.145.80
> 198.154.62.59
> 59.63.192.199
> 58.186.224.247
> 42.115.184.191
> 218.87.109.62
> 103.6.157.105
> None of these measures is sufficient to feel safe. They are suggested as an immediate reaction.
> Please also verify the list above - we have been working under some pressure and mistakes might have happened.
>
> Best Regards, Bernd
>
> ============
> Bernd Bochow

From fernando.lopezaguilar at telefonica.com Tue Jun 2 14:37:12 2015
From: fernando.lopezaguilar at telefonica.com (FERNANDO LOPEZ AGUILAR)
Date: Tue, 2 Jun 2015 12:37:12 +0000
Subject: [Fiware-lab-recovery-tf] Fwd: Serious security issue!!

Dear all,

One of our activities in this sprint related to the Glancesync is the modification of the images in order to disable the authentication of the ssh using user/password.

We also analyse the possibility to check the security issue that you mention.

BR,
Fernando

From: Silvio Cretti
Date: Tuesday 2 June 2015 12:38
To: "fiware-lab-recovery-tf at lists.fiware.org"
Subject: [Fiware-lab-recovery-tf] Fwd: Serious security issue!!

Please check the images. This could be disruptive!!
I will come back in the office tomorrow.
Silvio

Dear all,
I am still out of office but given the urgency of the topic I prefer to inform you asap.
Please read carefully the attached email and, given the topic, keep it confidential.
Then probably it is better to have a telco tomorrow in order to be aligned on how to proceed. My idea is to have it late in the morning. I will send you an invitation this evening.
I must thank Bernd and the Fraunhofer team for all their work and support.
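The advisory's first countermeasure targets connection set-up from TCP source port 22, which has to be told apart from an ordinary sshd answering an inbound login. The following is an added example, not part of the original messages: it labels tcpdump text output by who opened each conversation. The function names are hypothetical, and the capture lines and addresses are constructed from documentation ranges.

```python
import re
from collections import defaultdict

# Source port as tcpdump prints it: numeric with -nn, service name without.
SSH_PORTS = {"22", "ssh"}

# Matches the one-line tcpdump format used in this thread, IPv4 ("IP") or IPv6 ("IP6").
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP6? (?P<src>\S+)\.(?P<sport>\w+) > "
    r"(?P<dst>\S+)\.(?P<dport>\w+): Flags \[(?P<flags>[^\]]+)\]"
)

# pcap-filter expression for the same test at capture time:
# SYN set and ACK clear, sent from source port 22.
SYN_ONLY_FILTER = "tcp src port 22 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn"

# Constructed sample capture (not taken from the thread).
SAMPLE = """\
10:00:00.000001 IP 192.0.2.10.22 > 203.0.113.5.40001: Flags [S], seq 100, win 14600, length 0
10:00:00.000002 IP 192.0.2.11.22 > 198.51.100.7.51000: Flags [S.], seq 200, ack 301, win 14480, length 0
10:00:00.000003 IP 192.0.2.11.22 > 198.51.100.7.51000: Flags [P.], seq 1:41, ack 22, win 227, length 40
10:00:00.000004 IP 192.0.2.12.ssh > 198.51.100.9.52000: Flags [.], ack 99, win 247, length 0
10:00:00.000005 IP6 2001:db8::10.22 > 2001:db8:ffff::5.40002: Flags [S], seq 300, win 28800, length 0
10:00:00.000006 IP 192.0.2.10.43210 > 203.0.113.5.22: Flags [S], seq 400, win 14600, length 0
"""


def trace_conversations(lines):
    """Label every conversation sent from source port 22 by who opened it.

    Returns {(local, remote, remote_port): label} where label is
      "initiated" - the local host sent a bare SYN from port 22
      "inbound"   - the local host sent SYN+ACK, i.e. sshd answered a client
      "unknown"   - only mid-stream packets were captured, no handshake seen
    """
    convs = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["sport"] not in SSH_PORTS:
            continue  # unparsable line, or traffic not sent from port 22
        key = (m["src"], m["dst"], m["dport"])
        flags = m["flags"]
        if "S" in flags:
            # "." is tcpdump's ACK marker: [S] opens a connection, [S.] answers one.
            convs[key] = "inbound" if "." in flags else "initiated"
        else:
            # Keep a handshake label if one was already seen for this conversation.
            convs.setdefault(key, "unknown")
    return convs


def instances_opening_connections(lines):
    """Map each local address that opened a connection from port 22 to its peers."""
    peers = defaultdict(set)
    for (src, dst, _dport), label in trace_conversations(lines).items():
        if label == "initiated":
            peers[src].add(dst)
    return {src: sorted(dsts) for src, dsts in peers.items()}


if __name__ == "__main__":
    for key, label in trace_conversations(SAMPLE.splitlines()).items():
        print(label, *key)
    print(instances_opening_connections(SAMPLE.splitlines()))
```

Conversations labelled "unknown" need a longer capture that includes the handshake before they can be attributed to either side.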
From juanjose.hierro at telefonica.com Wed Jun 3 08:00:26 2015
From: juanjose.hierro at telefonica.com (Juanjo Hierro)
Date: Wed, 3 Jun 2015 08:00:26 +0200
Subject: [Fiware-lab-recovery-tf] FI-health tool not working
Message-ID: <556E97FA.7060002@telefonica.com>

Folks,

The FI-health tool, whose last release was recently announced by Fernando on Basecamp, is not working.

I hope this doesn't mean that the FIWARE Lab is not working (at least I can connect to the portal, I haven't made further tests).

Just let you know since we have sold users this is a tool they should use to check availability of the nodes.

Best regards,

-- Juanjo

______________________________________________________

Coordinator and Chief Architect, FIWARE platform
CTO Industrial IoT, Telefónica

email: juanjose.hierro at telefonica.com
twitter: @JuanjoHierro

You can follow FIWARE at:
  website: http://www.fiware.org
  twitter: @FIWARE
  facebook: http://www.facebook.com/pages/FI-WARE/251366491587242
  linkedIn: http://www.linkedin.com/groups/FIWARE-4239932

From silvio.cretti at create-net.org Wed Jun 3 08:30:18 2015
From: silvio.cretti at create-net.org (Silvio Cretti)
Date: Wed, 3 Jun 2015 08:30:18 +0200
Subject: [Fiware-lab-recovery-tf] Fwd: [Xifi-WP5] Serious security issue!!
References: <48d9c3241d4747c4a4cd6ee80f4590c5@SRV-MAIL-001.zhaw.ch> <0C04C33AD646DA489C2BDCFE1C5E5A12516214D5@DIRAC.fokus.fraunhofer.de> <601a22bb22b841b9bddf244f66de9080@SRV-MAIL-001.zhaw.ch> <098753CA80BAB341B9BC035FDF3356DE01186083@IR-lan-dc01.lanfeust.local>

FYI.
Unfortunately (this is not by any means good for FIWARE Lab!) after this meeting we have to inform the users. I do not think it is possible to keep it hidden, but let's see what are the results of the meeting.
If someone of you wants to attend (I know Fernando will attend), he is welcome.
I will keep you informed.
silvio

---------- Forwarded message ----------
From: Silvio Cretti
Date: Tue, Jun 2, 2015 at 7:14 PM
Subject: Re: [Xifi-WP5] Serious security issue!!
To: "Bochow, Bernd"
Cc: Sergio MORANT, Sean Murphy <sean at gopaddy.ch>, "Wandekoken Grazioli Bruno Gaetano (gaea)", "Günther, Thomas", "wp5 at fi-xifi.eu" <wp5 at fi-xifi.eu>, federico facca, "Bohnert Thomas Michael (bohe)", "Mamudi Valon (mamu)"

Dear all,
in order to discuss countermeasures to this security issue, I propose a telco *tomorrow Wednesday June 3rd at 12.00.*
Here the minutes:
https://docs.google.com/document/d/1DvM-c3kwDIMimGzUr3OrcNsQEVT-UiIK5_3sjaXgTew/edit?usp=sharing
I think the presence of one representative for each infrastructure is needed but at least we need Bernd/Thomas and someone from Telefonica in the telco.
Please Bernd/Thomas and Fernando, let me know if you can attend.
Best regards,
silvio

On Tue, Jun 2, 2015 at 5:13 PM, Bochow, Bernd <bernd.bochow at fokus.fraunhofer.de> wrote:

> Dear All,
>
> We found that the remote Ps most likely also drive port 22 scan and brute force username/password attacks in parallel.
> We are checking that currently.
> It might be necessary to distinguish between incoming and outgoing traffic on port 22 and to trace conversations.
>
> It would be interesting to know if there are instances from images that are _not_ subject to that observations (i.e. that are seemingly not infected).
>
> Best Regards, Bernd
>
> ============
> Bernd Bochow
> Next Generation Network Infrastructures
> Fraunhofer Institute for Open Communication Systems (FOKUS)
> Kaiserin-Augusta-Allee 31, D-10589 Berlin
> e-mail: bernd.bochow at fokus.fraunhofer.de, bernd.bochow at ieee.org
> phone: +49 30 3463-7238
> fax: +49 30 3463-997238
>
> From: Sergio MORANT
> Date: Tuesday 2 June 2015 16:41
> To: Sean Murphy, "Wandekoken Grazioli Bruno Gaetano (gaea)"
> Cc: Günther, Thomas, Silvio Cretti <silvio.cretti at create-net.org>, "wp5 at fi-xifi.eu", federico facca, "Bohnert Thomas Michael (bohe)", "Mamudi Valon (mamu)"
> Subject: RE: [Xifi-WP5] Serious security issue!!
>
> Hi,
>
> I guess we should focus on outgoing connections only. In order to do so, we should focus for connections initiated from the instance (TCP flag SYN active) on the outgoing connection. Otherwise you will see also all the traffic coming from standard connections:
>
> tcpdump -i "eth2" -nn src port 22 and net 195.220.224.0/24 and 'tcp[tcpflags] & (tcp-syn) != 0'
>
> ….
>
> 14:20:11.456540 IP 195.220.224.8.22 > 221.235.189.245.38345: Flags [S.], seq 2944249903, ack 3486249040, win 14480, options [mss 1460,sackOK,TS val 1048107519 ecr 6706653,nop,wscale 7], length 0
>
> ……
>
> Then we can verify the destination IP location (China in most of the cases) using Whois IP tools
>
> So we can conclude that this is not an authorized traffic.
>
> For the moment we have detected several instances that behaves like described above, all coming from the baseline images described by Bernd
>
> Best regards
>
> Sergio
>
> *From:* Sean Murphy [mailto:sean at gopaddy.ch]
> *Sent:* Tuesday 2 June 2015 15:58
> *To:* Wandekoken Grazioli Bruno Gaetano (gaea)
> *Cc:* Günther, Thomas; Silvio Cretti; wp5 at fi-xifi.eu; federico facca; Bohnert Thomas Michael (bohe); Mamudi Valon (mamu)
> *Subject:* Re: [Xifi-WP5] Serious security issue!!
>
> So basically, the conclusion here is that it looks like many of our VMs are compromised.
>
> We need to get this addressed quickly.
>
> BR,
> Seán.
>
> On Tue, Jun 2, 2015 at 3:48 PM, Wandekoken Grazioli Bruno Gaetano (gaea) <gaea at zhaw.ch> wrote:
>
> Hi all,
>
> We were investigating a bit further and we found more ip addresses with similar network traffic.
>
> root@node-1:~# tcpdump -i eth2 src port 22 | grep ".ssh >"
> tcpdump: WARNING: eth2: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
> 15:38:51.189616 IP 160.85.2.93.ssh > 43.229.52.168.55147: Flags [P.], seq 1247424601:1247424985, ack 2671240100, win 195, options [nop,nop,TS val 386932715 ecr 41149876], length 384
> 15:38:51.195624 IP 160.85.2.37.ssh > 43.229.52.168.53511: Flags [.], ack 3466107547, win 247, options [nop,nop,TS val 325114782 ecr 41149879], length 0
> 15:38:51.196912 IP 160.85.2.37.ssh > 43.229.52.168.41633: Flags [S.], seq 1831469583, ack 2348125009, win 28960, options [mss 1460,sackOK,TS val 325114783 ecr 41149879,nop,wscale 7], length 0
> 15:38:51.197389 IP 160.85.2.36.ssh > 43.229.52.168.54271: Flags [P.], seq 2541947209:2541947277, ack 2982814501, win 247, options [nop,nop,TS val 1961950142 ecr 41149878], length 68
> 15:38:51.198344 IP 160.85.2.37.ssh > 43.229.52.168.53511: Flags [F.], seq 0, ack 2, win 247, options [nop,nop,TS val 325114783 ecr 41149879], length 0
> 15:38:51.215429 IP 160.85.2.75.ssh > 43.229.52.168.37072: Flags [.], ack 3873844386, win 247, options [nop,nop,TS val 1789122307 ecr 41149884], length 0
> 15:38:51.228006 IP 160.85.2.93.ssh > 43.229.52.168.55147: Flags [.], ack 649, win 206, options [nop,nop,TS val 386932725 ecr 41149876], length 0
> 15:38:51.230332 IP 160.85.2.58.ssh > 117.122.200.147.20303: Flags [.], ack 1234683561, win 237, length 0
> 15:38:51.247801 IP 160.85.2.38.ssh > 43.229.52.168.40257: Flags [.], ack 2046073395, win 247, options [nop,nop,TS val 1792228242 ecr 41149892], length 0
> 15:38:51.254064 IP 160.85.2.38.ssh > 43.229.52.168.40257: Flags [P.], seq 0:848, ack 1, win 247, options [nop,nop,TS val 1792228243 ecr 41149892], length 848
> 15:38:51.255200 IP 160.85.2.31.ssh > 43.229.52.168.37915: Flags [.], ack 1726673222, win 247, options [nop,nop,TS val 1791902812 ecr 41149892], length 0
> 15:38:51.255891 IP 160.85.2.23.ssh > host98-229-dynamic.18-87-r.retail.telecomitalia.it.47653: Flags [P.], seq 1702351463:1702351531, ack 640722127, win 243, options [nop,nop,TS val 1769119395 ecr 29439026], length 68
> 15:38:51.261504 IP 160.85.2.31.ssh > 43.229.52.168.37915: Flags [P.], seq 0:848, ack 1, win 247, options [nop,nop,TS val 1791902814 ecr 41149892], length 848
> 15:38:51.274487 IP 160.85.2.53.ssh > 43.229.52.168.54116: Flags [.], ack 3479704829, win 134, options [nop,nop,TS val 1765793620 ecr 41149888], length 0
> 15:38:51.354746 IP 160.85.2.23.ssh > 43.229.52.168.52891: Flags [.], ack 3679730051, win 247, options [nop,nop,TS val 1769119420 ecr 41149909], length 0
> 15:38:51.369265 IP 160.85.2.37.ssh > 43.229.52.168.41633: Flags [.], ack 16, win 227, options [nop,nop,TS val 325114826 ecr 41149923], length 0
> 15:38:51.375708 IP 160.85.2.23.ssh > host98-229-dynamic.18-87-r.retail.telecomitalia.it.47653: Flags [.], ack 85, win 243, options [nop,nop,TS val 1769119425 ecr 29439196], length 0
> 15:38:51.819626 IP 160.85.2.93.ssh > 43.229.52.168.55147: Flags [.], ack 989, win 216, options [nop,nop,TS val 386932872 ecr 41150032], length 0
> 15:38:51.819717 IP 160.85.2.93.ssh > 43.229.52.168.55147: Flags [P.], seq 1232:1284, ack 989, win 216, options [nop,nop,TS val 386932872 ecr 41150032], length 52
>
> Best,
> Bruno.
> ------------------------------
>
> *From:* Sean Murphy [sean at gopaddy.ch]
> *Sent:* Tuesday, June 02, 2015 3:27 PM
> *To:* Günther, Thomas
> *Cc:* Silvio Cretti; wp5 at fi-xifi.eu; federico facca; Bohnert Thomas Michael (bohe); Mamudi Valon (mamu)
> *Subject:* Re: [Xifi-WP5] Serious security issue!!
>
> Hi all,
>
> V good info.
>
> As you can see we already deactivated the is_public parameter, that the images are not available for the users anymore.
>
> Good approach - we will do the same.
>
> Please let us know if you're experiencing similar network traffic.
>
> We have observed similar network traffic - here's a couple of lines
>
> 14:46:45.922628 IP 160.85.2.38.ssh > 43.229.52.137.57495: Flags [.], ack 137, win 247, options [nop,nop,TS val 1791446910 ecr 40368731], length 0
> 14:46:45.923968 IP 160.85.2.38.ssh > 43.229.52.137.57495: Flags [F.], seq 136, ack 138, win 247, options [nop,nop,TS val 1791446911 ecr 40368731], length 0
> 14:46:46.041869 IP 160.85.2.30.ssh > 43.229.52.137.55576: Flags [.], ack 1240, win 247, options [nop,nop,TS val 1812202096 ecr 40368761], length 0
>
> We're working on getting more although now that we've installed the firewall rules, it seems the VMs may have stopped trying to connect to the remote servers.
>
> BR,
> Seán.
>
> Regards,
>
> Thomas
>
> *From:* Sean Murphy [mailto:sean at gopaddy.ch]
> *Sent:* Tuesday, 2 June 2015 13:28
> *To:* Silvio Cretti
> *Cc:* wp5 at fi-xifi.eu; federico facca; Thomas Michael Bohnert; Mamudi Valon (mamu)
> *Subject:* Re: [Xifi-WP5] Serious security issue!!
>
> Hi all,
>
> > Disable user/password log-ins on any images and instances. We suggest to have a look on guestfish
>
> We asked for this to be done on Apr 1 and followed up a few more times as it was obvious that the VMs would be compromised. We gave a list of images that we found which do not have password authentication disabled.
>
> > (http://libguestfs.org/guestfish.1.html) to modify images without instantiating.
>
> Has anyone done this - I guess it would be good to share specific instructions on how to do this for each image instead of having everyone figure it out independently.
>
> > Blacklist the following IP addresses:
> > 130.195.145.80
> > 198.154.62.59
> > 59.63.192.199
> > 58.186.224.247
> > 42.115.184.191
> > 218.87.109.62
> > 103.6.157.105
> > None of these measures is sufficient to feel safe.
> > They are suggested as an immediate reaction.
> > Please also verify the list above - we have been working under some pressure and mistakes might have happened.
>
> @Bernd - some more qs:
> - can you tell us where you got the above list of IP addr's (for our info)?
> - can you tell us precisely which images have been compromised?
>
> Obviously, this is a serious issue and we need to:
> - get these images removed from our systems asap
> - kill any VMs which boot off these images (which presumably needs user interaction).
>
> BR,
> Seán.
>
> > Best Regards, Bernd
> >
> > ============
> > Bernd Bochow

From thierry.nagellen at orange.com Wed Jun 3 09:42:05 2015
From: thierry.nagellen at orange.com (thierry.nagellen at orange.com)
Date: Wed, 3 Jun 2015 07:42:05 +0000
Subject: [Fiware-lab-recovery-tf] Fwd: [Xifi-WP5] Serious security issue!!
References: <48d9c3241d4747c4a4cd6ee80f4590c5@SRV-MAIL-001.zhaw.ch> <0C04C33AD646DA489C2BDCFE1C5E5A12516214D5@DIRAC.fokus.fraunhofer.de> <601a22bb22b841b9bddf244f66de9080@SRV-MAIL-001.zhaw.ch> <098753CA80BAB341B9BC035FDF3356DE01186083@IR-lan-dc01.lanfeust.local>
Message-ID: <10452_1433317326_556EAFCE_10452_463_1_976A65C5A08ADF49B9A8523F7F81925CC71147@OPEXCLILM43.corporate.adroot.infra.ftgroup>

Hi Silvio

Is it possible to prepare an IP table for GE owners to limit the access on some IP address and to update GE images and maybe blueprints to improve the situation at least in a first step?

BR
Thierry

From silvio.cretti at create-net.org Wed Jun 3 09:58:49 2015
From: silvio.cretti at create-net.org (Silvio Cretti)
Date: Wed, 3 Jun 2015 09:58:49 +0200
Subject: [Fiware-lab-recovery-tf] Fwd: [Xifi-WP5] Serious security issue!!
In-Reply-To: <10452_1433317326_556EAFCE_10452_463_1_976A65C5A08ADF49B9A8523F7F81925CC71147@OPEXCLILM43.corporate.adroot.infra.ftgroup>
References: <48d9c3241d4747c4a4cd6ee80f4590c5@SRV-MAIL-001.zhaw.ch> <0C04C33AD646DA489C2BDCFE1C5E5A12516214D5@DIRAC.fokus.fraunhofer.de> <601a22bb22b841b9bddf244f66de9080@SRV-MAIL-001.zhaw.ch> <098753CA80BAB341B9BC035FDF3356DE01186083@IR-lan-dc01.lanfeust.local> <10452_1433317326_556EAFCE_10452_463_1_976A65C5A08ADF49B9A8523F7F81925CC71147@OPEXCLILM43.corporate.adroot.infra.ftgroup>
Message-ID:

Hi Thierry,
yes we could do something.
But the biggest problem now is that we have distributed images that, when instantiated, create corrupted VM and now we have to handle the fact that there are hundreds of VMs running in FIWARE Lab with this potential problem.
Best regards
silvio

On Wed, Jun 3, 2015 at 9:42 AM, wrote:

> Hi Silvio
>
> Is it possible to prepare an IP table for GE owners to limit the access on some IP address and to update GE images and maybe blueprints to improve the situation at least in a first step?
>
> BR
>
> Thierry
>
> *From:* fiware-lab-recovery-tf-bounces at lists.fiware.org [mailto:fiware-lab-recovery-tf-bounces at lists.fiware.org] *On behalf of* Silvio Cretti
> *Sent:* Wednesday 3 June 2015 08:30
> *To:* fiware-lab-recovery-tf at lists.fiware.org
> *Subject:* [Fiware-lab-recovery-tf] Fwd: [Xifi-WP5] Serious security issue!!
>
> FYI.
>
> Unfortunately (this is not by any means good for FIWARE Lab!) after this meeting we have to inform the users. I do not think it is possible to keep it hidden, but let's see what are the results of the meeting.
>
> If someone of you wants to attend (I know Fernando will attend), he is welcome.
>
> I will keep you informed.
>
> silvio
>
> ---------- Forwarded message ----------
> From: *Silvio Cretti*
> Date: Tue, Jun 2, 2015 at 7:14 PM
> Subject: Re: [Xifi-WP5] Serious security issue!!
> To: "Bochow, Bernd"
> Cc: Sergio MORANT, Sean Murphy <sean at gopaddy.ch>, "Wandekoken Grazioli Bruno Gaetano (gaea)", "Günther, Thomas", "wp5 at fi-xifi.eu", federico facca, "Bohnert Thomas Michael (bohe)", "Mamudi Valon (mamu)" <mamu at zhaw.ch>
>
> Dear all,
>
> in order to discuss countermeasures to this security issue, I propose a telco *tomorrow Wednesday June 3rd at 12.00.*
>
> Here the minutes:
>
> https://docs.google.com/document/d/1DvM-c3kwDIMimGzUr3OrcNsQEVT-UiIK5_3sjaXgTew/edit?usp=sharing
>
> I think the presence of one representative for each infrastructure is needed but at least we need Bernd/Thomas and someone from Telefonica in the telco.
>
> Please Bernd/Thomas and Fernando, let me know if you can attend.
>
> Best regards,
>
> silvio
>
> On Tue, Jun 2, 2015 at 5:13 PM, Bochow, Bernd <bernd.bochow at fokus.fraunhofer.de> wrote:
>
> Dear All,
>
> We found that the remote Ps most likely also drive port 22 scan and brute force username/password attacks in parallel.
>
> We are checking that currently.
>
> It might be necessary to distinguish between incoming and outgoing traffic on port 22 and to trace conversations.
>
> It would be interesting to know if there are instances from images that are _*not*_ subject to that observations (i.e. that are seemingly not infected).
>
> Best Regards, Bernd
>
> ============
> Bernd Bochow
> Next Generation Network Infrastructures
> Fraunhofer Institute for Open Communication Systems (FOKUS)
> Kaiserin-Augusta-Allee 31, D-10589 Berlin
> e-mail: bernd.bochow at fokus.fraunhofer.de, bernd.bochow at ieee.org
> phone: +49 30 3463-7238
> fax: +49 30 3463-997238
>
> *From:* Sergio MORANT
> *Date:* Tuesday 2 June 2015 16:41
> *To:* Sean Murphy, "Wandekoken Grazioli Bruno Gaetano (gaea)"
> *Cc:* Günther, Thomas, Silvio Cretti, "wp5 at fi-xifi.eu", federico facca, "Bohnert Thomas Michael (bohe)", "Mamudi Valon (mamu)"
> *Subject:* RE: [Xifi-WP5] Serious security issue!!
>
> Hi,
>
> I guess we should focus on outgoing connections only. In order to do so, we should focus for connections initiated from the instance (TCP flag SYN active) on the outgoing connection. Otherwise you will see also all the traffic coming from standard connections:
>
> tcpdump -i "eth2" -nn src port 22 and net 195.220.224.0/24 and 'tcp[tcpflags] & (tcp-syn) != 0'
>
> ...
>
> 14:20:11.456540 IP 195.220.224.8.22 > 221.235.189.245.38345: Flags [S.], seq 2944249903, ack 3486249040, win 14480, options [mss 1460,sackOK,TS val 1048107519 ecr 6706653,nop,wscale 7], length 0
>
> ...
>
> Then we can verify the destination IP location (China in most of the cases) using Whois IP tools
>
> So we can conclude that this is not an authorized traffic.
>
> For the moment we have detected several instances that behave like described above, all coming from the baseline images described by Bernd
>
> Best regards
>
> Sergio
>
> *From:* Sean Murphy [mailto:sean at gopaddy.ch]
> *Sent:* Tuesday 2 June 2015 15:58
> *To:* Wandekoken Grazioli Bruno Gaetano (gaea)
> *Cc:* Günther, Thomas; Silvio Cretti; wp5 at fi-xifi.eu; federico facca; Bohnert Thomas Michael (bohe); Mamudi Valon (mamu)
> *Subject:* Re: [Xifi-WP5] Serious security issue!!
>
> So basically, the conclusion here is that it looks like many of our VMs are compromised.
>
> We need to get this addressed quickly.
>
> BR,
>
> Seán.
>
> On Tue, Jun 2, 2015 at 3:48 PM, Wandekoken Grazioli Bruno Gaetano (gaea) <gaea at zhaw.ch> wrote:
>
> Hi all,
>
> We were investigating a bit further and we found more ip addresses with similar network traffic.
>
> root@node-1:~# tcpdump -i eth2 src port 22 | grep ".ssh >"
> tcpdump: WARNING: eth2: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
> 15:38:51.189616 IP 160.85.2.93.ssh > 43.229.52.168.55147: Flags [P.], seq 1247424601:1247424985, ack 2671240100, win 195, options [nop,nop,TS val 386932715 ecr 41149876], length 384
> 15:38:51.195624 IP 160.85.2.37.ssh > 43.229.52.168.53511: Flags [.], ack 3466107547, win 247, options [nop,nop,TS val 325114782 ecr 41149879], length 0
> 15:38:51.196912 IP 160.85.2.37.ssh > 43.229.52.168.41633: Flags [S.], seq 1831469583, ack 2348125009, win 28960, options [mss 1460,sackOK,TS val 325114783 ecr 41149879,nop,wscale 7], length 0
> 15:38:51.197389 IP 160.85.2.36.ssh > 43.229.52.168.54271: Flags [P.], seq 2541947209:2541947277, ack 2982814501, win 247, options [nop,nop,TS val 1961950142 ecr 41149878], length 68
> 15:38:51.198344 IP 160.85.2.37.ssh > 43.229.52.168.53511: Flags [F.], seq 0, ack 2, win 247, options [nop,nop,TS val 325114783 ecr 41149879], length 0
> 15:38:51.215429 IP 160.85.2.75.ssh > 43.229.52.168.37072: Flags [.], ack 3873844386, win 247, options [nop,nop,TS val 1789122307 ecr 41149884], length 0
> 15:38:51.228006 IP 160.85.2.93.ssh > 43.229.52.168.55147: Flags [.], ack 649, win 206, options [nop,nop,TS val 386932725 ecr 41149876], length 0
> 15:38:51.230332 IP 160.85.2.58.ssh > 117.122.200.147.20303: Flags [.], ack 1234683561, win 237, length 0
> 15:38:51.247801 IP 160.85.2.38.ssh > 43.229.52.168.40257: Flags [.], ack 2046073395, win 247, options [nop,nop,TS val 1792228242 ecr 41149892], length 0
> 15:38:51.254064 IP 160.85.2.38.ssh > 43.229.52.168.40257: Flags [P.], seq 0:848, ack 1, win 247, options [nop,nop,TS val 1792228243 ecr 41149892], length 848
> 15:38:51.255200 IP 160.85.2.31.ssh > 43.229.52.168.37915: Flags [.], ack 1726673222, win 247, options [nop,nop,TS val 1791902812 ecr 41149892], length 0
> 15:38:51.255891 IP 160.85.2.23.ssh > host98-229-dynamic.18-87-r.retail.telecomitalia.it.47653: Flags [P.], seq 1702351463:1702351531, ack 640722127, win 243, options [nop,nop,TS val 1769119395 ecr 29439026], length 68
> 15:38:51.261504 IP 160.85.2.31.ssh > 43.229.52.168.37915: Flags [P.], seq 0:848, ack 1, win 247, options [nop,nop,TS val 1791902814 ecr 41149892], length 848
> 15:38:51.274487 IP 160.85.2.53.ssh > 43.229.52.168.54116: Flags [.], ack 3479704829, win 134, options [nop,nop,TS val 1765793620 ecr 41149888], length 0
> 15:38:51.354746 IP 160.85.2.23.ssh > 43.229.52.168.52891: Flags [.], ack 3679730051, win 247, options [nop,nop,TS val 1769119420 ecr 41149909], length 0
> 15:38:51.369265 IP 160.85.2.37.ssh > 43.229.52.168.41633: Flags [.], ack 16, win 227, options [nop,nop,TS val 325114826 ecr 41149923], length 0
> 15:38:51.375708 IP 160.85.2.23.ssh > host98-229-dynamic.18-87-r.retail.telecomitalia.it.47653: Flags [.], ack 85, win 243, options [nop,nop,TS val 1769119425 ecr 29439196], length 0
> 15:38:51.819626 IP 160.85.2.93.ssh > 43.229.52.168.55147: Flags [.], ack 989, win 216, options [nop,nop,TS val 386932872 ecr 41150032], length 0
> 15:38:51.819717 IP 160.85.2.93.ssh > 43.229.52.168.55147: Flags [P.], seq 1232:1284, ack 989, win 216, options [nop,nop,TS val 386932872 ecr 41150032], length 52
>
> Best,
> Bruno.
> ------------------------------
>
> *From:* Sean Murphy [sean at gopaddy.ch]
> *Sent:* Tuesday, June 02, 2015 3:27 PM
> *To:* Günther, Thomas
> *Cc:* Silvio Cretti; wp5 at fi-xifi.eu; federico facca; Bohnert Thomas Michael (bohe); Mamudi Valon (mamu)
> *Subject:* Re: [Xifi-WP5] Serious security issue!!
>
> Hi all,
>
> V good info.
>
> As you can see we already deactivated the is_public parameter, that the images are not available for the users anymore.
>
> Good approach - we will do the same.
>
> Please let us know if you're experiencing similar network traffic.
>
> We have observed similar network traffic - here's a couple of lines
>
> 14:46:45.922628 IP 160.85.2.38.ssh > 43.229.52.137.57495: Flags [.], ack 137, win 247, options [nop,nop,TS val 1791446910 ecr 40368731], length 0
> 14:46:45.923968 IP 160.85.2.38.ssh > 43.229.52.137.57495: Flags [F.], seq 136, ack 138, win 247, options [nop,nop,TS val 1791446911 ecr 40368731], length 0
> 14:46:46.041869 IP 160.85.2.30.ssh > 43.229.52.137.55576: Flags [.], ack 1240, win 247, options [nop,nop,TS val 1812202096 ecr 40368761], length 0
>
> We're working on getting more although now that we've installed the firewall rules, it seems the VMs may have stopped trying to connect to the remote servers.
>
> BR,
>
> Seán.
>
> Regards,
>
> Thomas
>
> *From:* Sean Murphy [mailto:sean at gopaddy.ch]
> *Sent:* Tuesday, 2 June 2015 13:28
> *To:* Silvio Cretti
> *Cc:* wp5 at fi-xifi.eu; federico facca; Thomas Michael Bohnert; Mamudi Valon (mamu)
> *Subject:* Re: [Xifi-WP5] Serious security issue!!
>
> Hi all,
>
> > Disable user/password log-ins on any images and instances. We suggest to have a look on guestfish
>
> We asked for this to be done on Apr 1 and followed up a few more times as it was obvious that the VMs would be compromised. We gave a list of images that we found which do not have password authentication disabled.
>
> (http://libguestfs.org/guestfish.1.html) to modify images without instantiating.
>
> Has anyone done this - I guess it would be good to share specific instructions on how to do this for each image instead of having everyone figure it out independently.
>
> > Blacklist the following IP addresses:
> > 130.195.145.80
> > 198.154.62.59
> > 59.63.192.199
> > 58.186.224.247
> > 42.115.184.191
> > 218.87.109.62
> > 103.6.157.105
> > None of these measures is sufficient to feel safe. They are suggested as an immediate reaction.
> > Please also verify the list above - we have been working under some pressure and mistakes might have happened.
>
> @Bernd - some more qs:
>
> - can you tell us where you got the above list of IP addr's (for our info)?
> - can you tell us precisely which images have been compromised?
>
> Obviously, this is a serious issue and we need to:
>
> - get these images removed from our systems asap
> - kill any VMs which boot off these images (which presumably needs user interaction).
>
> BR,
>
> Seán.
>
> > Best Regards, Bernd
> >
> > ============
> > Bernd Bochow

From silvio.cretti at create-net.org Wed Jun 3 12:57:07 2015
From: silvio.cretti at create-net.org (Silvio Cretti)
Date: Wed, 3 Jun 2015 12:57:07 +0200
Subject: [Fiware-lab-recovery-tf] Fwd: [Xifi-WP5] Serious security issue!!
In-Reply-To:
References: <48d9c3241d4747c4a4cd6ee80f4590c5@SRV-MAIL-001.zhaw.ch> <0C04C33AD646DA489C2BDCFE1C5E5A12516214D5@DIRAC.fokus.fraunhofer.de> <601a22bb22b841b9bddf244f66de9080@SRV-MAIL-001.zhaw.ch> <098753CA80BAB341B9BC035FDF3356DE01186083@IR-lan-dc01.lanfeust.local> <10452_1433317326_556EAFCE_10452_463_1_976A65C5A08ADF49B9A8523F7F81925CC71147@OPEXCLILM43.corporate.adroot.infra.ftgroup>
Message-ID:

We have just ended the telco on this issue and luckily things are not so bad: after a further investigation Berlin node came out with the result that currently the images are not corrupted.
Nevertheless we are (all the lab is) under massive security attack and we need to set up some countermeasures asap.
The idea is to set up a check/action list for tackling the security problems and for verifying if an image/VM is corrupted or not. Moreover creating a "security task force" would be important.
One of the most important actions to do asap is to disable username/passwd access. This will be done by TID in the new images that will be deployed soon.
You can find the detailed minutes here: https://docs.google.com/document/d/1DvM-c3kwDIMimGzUr3OrcNsQEVT-UiIK5_3sjaXgTew/edit?usp=sharing In any case the important thing is that we do not have a trojan horse in our images and it is not needed to inform users about a security risk/attach. Best regards silvio On Wed, Jun 3, 2015 at 9:58 AM, Silvio Cretti wrote: > Hi Thierry, > yes we could do something. > But the biggest problem now is that we have distributed images that, when > instantiated, create corrupted VM and now we have to handle the fact that > there are hundreds of VMs running in FIWARE Lab with this potential problem. > Best regards > silvio > > > On Wed, Jun 3, 2015 at 9:42 AM, wrote: > >> Hi Silvio >> >> >> >> Is it possible to prepare an IP table for GE owners to limit the access >> on some IP address and to update GE images and maybe blueprints to improve >> the situation at least in a first step? >> >> >> >> BR >> >> Thierry >> >> >> >> *De :* fiware-lab-recovery-tf-bounces at lists.fiware.org [mailto: >> fiware-lab-recovery-tf-bounces at lists.fiware.org] *De la part de* Silvio >> Cretti >> *Envoy? :* mercredi 3 juin 2015 08:30 >> *? :* fiware-lab-recovery-tf at lists.fiware.org >> *Objet :* [Fiware-lab-recovery-tf] Fwd: [Xifi-WP5] Serious security >> issue!! >> >> >> >> FYI. >> >> Unfortunately (this is not by any means good for FIWARE Lab!) after this >> meeting we have to inform the users. I do not think it is possible to keep >> it hidden, but let's see what are the results of the meeting. >> >> If someone of you wants to attend (I know Fernando will attend), he is >> welcome. >> >> I will keep you informed. >> >> silvio >> >> ---------- Forwarded message ---------- >> From: *Silvio Cretti* >> Date: Tue, Jun 2, 2015 at 7:14 PM >> Subject: Re: [Xifi-WP5] Serious security issue!! 
>> To: "Bochow, Bernd" >> Cc: Sergio MORANT , Sean Murphy < >> sean at gopaddy.ch>, "Wandekoken Grazioli Bruno Gaetano (gaea)" < >> gaea at zhaw.ch>, "G?nther, Thomas" , " >> wp5 at fi-xifi.eu" , federico facca < >> federico.facca at create-net.org>, "Bohnert Thomas Michael (bohe)" < >> bohe at zhaw.ch>, "Mamudi Valon (mamu)" >> >> Dear all, >> >> in order to discuss countermeasures to this security issue, I propose a >> telco *tomorrow Wednesday June 3rd at 12.00.* >> >> Here the minutes: >> >> >> https://docs.google.com/document/d/1DvM-c3kwDIMimGzUr3OrcNsQEVT-UiIK5_3sjaXgTew/edit?usp=sharing >> >> >> >> I think the presence of one representative for each infrastructure is >> needed but at least we need Bernd/Thomas and someone from Telefonica in the >> telco. >> >> Please Bernd/Thomas and Fernando, let me know if you can attend. >> >> Best regards, >> >> silvio >> >> >> >> >> >> On Tue, Jun 2, 2015 at 5:13 PM, Bochow, Bernd < >> bernd.bochow at fokus.fraunhofer.de> wrote: >> >> Dear All, >> >> >> >> We found that the remote Ps most likely also drive port 22 scan and brute >> force username/password attacks in parallel. >> >> We are checking that currently. >> >> It might be necessary to distinguish between incoming and outgoing >> traffic on port 22 and to trace conversations. >> >> >> >> It would be interesting to know if there are instances from images that >> are _*not*_ subject to that observations (i.e. that are seemingly not >> infected). 
>> >> >> >> Best Regards, Bernd >> >> >> >> ============ >> Bernd Bochow >> Next Generation Network Infrastructures >> >> Fraunhofer Institute for Open Communication Systems (FOKUS) >> >> Kaiserin-Augusta-Allee 31, D-10589 Berlin >> e-mail: bernd.bochow at fokus.fraunhofer.de, bernd.bochow at ieee.org >> phone: +49 30 3463-7238 >> fax: +49 30 3463-997238 >> >> >> >> *From: *Sergio MORANT >> *Date: *Tuesday 2 June 2015 16:41 >> *To: *Sean Murphy , "Wandekoken Grazioli Bruno Gaetano >> (gaea)" >> *Cc: *G?nther, Thomas , Silvio >> Cretti , "wp5 at fi-xifi.eu" , >> federico facca , "Bohnert Thomas Michael >> (bohe)" , "Mamudi Valon (mamu)" >> *Subject: *RE: [Xifi-WP5] Serious security issue!! >> >> >> >> Hi, >> >> I guess we should focus on outgoing connections only. In order to do so, >> we should focus for connections initiated from the instance (TCP flag SYN >> active) on the outgoing connection. Otherwise you will see also all the >> traffic coming from standard connections: >> >> >> >> tcpdump -i "eth2" -nn src port 22 and net 195.220.224.0/24 and >> 'tcp[tcpflags] & (tcp-syn) != 0' >> >> ?. >> >> 14:20:11.456540 IP 195.220.224.8.22 > 221.235.189.245.38345: Flags [S.], >> seq 2944249903, ack 3486249040, win 14480, options [mss 1460,sackOK,TS val >> 1048107519 ecr 6706653,nop,wscale 7], length 0 >> >> ?? >> >> >> >> Then we can verify the destination IP location (China in most of the >> cases) using Whois IP tools >> >> >> >> >> >> So we can conclude that this is not an authorized traffic. >> >> >> >> For the moment we have detected several instances that behaves like >> described above, all coming from the baseline images described by Bernd >> >> >> >> Best regards >> >> Sergio >> >> >> >> *De :* Sean Murphy [mailto:sean at gopaddy.ch ] >> *Envoy? :* mardi 2 juin 2015 15:58 >> *? 
:* Wandekoken Grazioli Bruno Gaetano (gaea) >> *Cc :* G?nther, Thomas; Silvio Cretti; wp5 at fi-xifi.eu; federico facca; >> Bohnert Thomas Michael (bohe); Mamudi Valon (mamu) >> *Objet :* Re: [Xifi-WP5] Serious security issue!! >> >> >> >> So basically, the conclusion here is that it looks like many of our VMs >> are compromised. >> >> >> >> We need to get this addressed quickly. >> >> >> >> BR, >> >> Se?n. >> >> >> >> >> >> On Tue, Jun 2, 2015 at 3:48 PM, Wandekoken Grazioli Bruno Gaetano (gaea) < >> gaea at zhaw.ch> wrote: >> >> Hi all, >> >> We were investigating a bit further and we found more ip adresses with >> similar network traffic. >> >> root at node-1:~# tcpdump -i eth2 src port 22 | grep ".ssh >" >> tcpdump: WARNING: eth2: no IPv4 address assigned >> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode >> >> listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes >> 15:38:51.189616 IP 160.85.2.93.ssh > 43.229.52.168.55147: Flags [P.], seq >> 1247424601:1247424985, ack 2671240100, win 195, options [nop,nop,TS val >> 386932715 ecr 41149876], length 384 >> 15:38:51.195624 IP 160.85.2.37.ssh > 43.229.52.168.53511: Flags [.], ack >> 3466107547, win 247, options [nop,nop,TS val 325114782 ecr 41149879], >> length 0 >> 15:38:51.196912 IP 160.85.2.37.ssh > 43.229.52.168.41633: Flags [S.], seq >> 1831469583, ack 2348125009, win 28960, options [mss 1460,sackOK,TS val >> 325114783 ecr 41149879,nop,wscale 7], length 0 >> 15:38:51.197389 IP 160.85.2.36.ssh > 43.229.52.168.54271: Flags [P.], seq >> 2541947209:2541947277, ack 2982814501, win 247, options [nop,nop,TS val >> 1961950142 ecr 41149878], length 68 >> 15:38:51.198344 IP 160.85.2.37.ssh > 43.229.52.168.53511: Flags [F.], seq >> 0, ack 2, win 247, options [nop,nop,TS val 325114783 ecr 41149879], length 0 >> 15:38:51.215429 IP 160.85.2.75.ssh > 43.229.52.168.37072: Flags [.], ack >> 3873844386, win 247, options [nop,nop,TS val 1789122307 ecr 41149884], >> length 0 >> 
15:38:51.228006 IP 160.85.2.93.ssh > 43.229.52.168.55147: Flags [.], ack >> 649, win 206, options [nop,nop,TS val 386932725 ecr 41149876], length 0 >> 15:38:51.230332 IP 160.85.2.58.ssh > 117.122.200.147.20303: Flags [.], >> ack 1234683561, win 237, length 0 >> 15:38:51.247801 IP 160.85.2.38.ssh > 43.229.52.168.40257: Flags [.], ack >> 2046073395, win 247, options [nop,nop,TS val 1792228242 ecr 41149892], >> length 0 >> 15:38:51.254064 IP 160.85.2.38.ssh > 43.229.52.168.40257: Flags [P.], seq >> 0:848, ack 1, win 247, options [nop,nop,TS val 1792228243 ecr 41149892], >> length 848 >> 15:38:51.255200 IP 160.85.2.31.ssh > 43.229.52.168.37915: Flags [.], ack >> 1726673222, win 247, options [nop,nop,TS val 1791902812 ecr 41149892], >> length 0 >> 15:38:51.255891 IP 160.85.2.23.ssh > >> host98-229-dynamic.18-87-r.retail.telecomitalia.it.47653: Flags [P.], seq >> 1702351463:1702351531, ack 640722127, win 243, options [nop,nop,TS val >> 1769119395 ecr 29439026], length 68 >> 15:38:51.261504 IP 160.85.2.31.ssh > 43.229.52.168.37915: Flags [P.], seq >> 0:848, ack 1, win 247, options [nop,nop,TS val 1791902814 ecr 41149892], >> length 848 >> 15:38:51.274487 IP 160.85.2.53.ssh > 43.229.52.168.54116: Flags [.], ack >> 3479704829, win 134, options [nop,nop,TS val 1765793620 ecr 41149888], >> length 0 >> 15:38:51.354746 IP 160.85.2.23.ssh > 43.229.52.168.52891: Flags [.], ack >> 3679730051, win 247, options [nop,nop,TS val 1769119420 ecr 41149909], >> length 0 >> 15:38:51.369265 IP 160.85.2.37.ssh > 43.229.52.168.41633: Flags [.], ack >> 16, win 227, options [nop,nop,TS val 325114826 ecr 41149923], length 0 >> 15:38:51.375708 IP 160.85.2.23.ssh > >> host98-229-dynamic.18-87-r.retail.telecomitalia.it.47653: Flags [.], ack >> 85, win 243, options [nop,nop,TS val 1769119425 ecr 29439196], length 0 >> 15:38:51.819626 IP 160.85.2.93.ssh > 43.229.52.168.55147: Flags [.], ack >> 989, win 216, options [nop,nop,TS val 386932872 ecr 41150032], length 0 >> 15:38:51.819717 IP 
160.85.2.93.ssh > 43.229.52.168.55147: Flags [P.], seq >> 1232:1284, ack 989, win 216, options [nop,nop,TS val 386932872 ecr >> 41150032], length 52 >> >> >> Best, >> Bruno. >> ------------------------------ >> >> *From:* Sean Murphy [sean at gopaddy.ch] >> *Sent:* Tuesday, June 02, 2015 3:27 PM >> *To:* G?nther, Thomas >> *Cc:* Silvio Cretti; wp5 at fi-xifi.eu; federico facca; Bohnert Thomas >> Michael (bohe); Mamudi Valon (mamu) >> >> *Subject:* Re: [Xifi-WP5] Serious security issue!! >> >> Hi all, >> >> >> >> V good info. >> >> >> >> As you can see we already deactivated the is_public parameter, that the >> images are not available for the users anymore. >> >> >> >> Good approach - we will do the same. >> >> >> >> Please let us know if you?re experiencing similar network traffic. >> >> >> >> We have observed similar network traffic - here's a couple of lines >> >> >> >> 14:46:45.922628 IP 160.85.2.38.ssh > 43.229.52.137.57495: Flags [.], ack >> 137, win 247, options [nop,nop,TS val 1791446910 ecr 40368731], length 0 >> >> 14:46:45.923968 IP 160.85.2.38.ssh > 43.229.52.137.57495: Flags [F.], seq >> 136, ack 138, win 247, options [nop,nop,TS val 1791446911 ecr 40368731], >> length 0 >> >> 14:46:46.041869 IP 160.85.2.30.ssh > 43.229.52.137.55576: Flags [.], ack >> 1240, win 247, options [nop,nop,TS val 1812202096 ecr 40368761], length 0 >> >> >> >> We're working on getting more although now that we've installed the >> firewall >> >> rules, it seems the VMs may have stopped trying to connect to the remote >> >> servers. >> >> >> >> BR, >> >> Se?n. >> >> >> >> >> >> Regards, >> >> >> >> Thomas >> >> >> >> *Von:* Sean Murphy [mailto:sean at gopaddy.ch] >> *Gesendet:* Dienstag, 2. Juni 2015 13:28 >> *An:* Silvio Cretti >> *Cc:* wp5 at fi-xifi.eu; federico facca; Thomas Michael Bohnert; Mamudi >> Valon (mamu) >> *Betreff:* Re: [Xifi-WP5] Serious security issue!! >> >> >> >> Hi all, >> >> > Disable user/password log-ins on any images and instances. 
We suggest >> to have a look on guestfish >> >> We asked for this to be done on Apr 1 and followed up a few more times >> >> as it was obvious that the VMs would be compromised. We gave a list of >> >> images that we found which do not have password authentication disabled. >> >> (http://libguestfs.org/guestfish.1.html) to modify images without >> instantiating. >> >> Has anyone done this - I guess it would be good to share specific >> instructions on >> >> how to do this for each image instead of having everyone figure it out >> independently. >> >> > Blacklist the following IP addresses: >> > 130.195.145.80 >> > 198.154.62.59 >> > 59.63.192.199 >> > 58.186.224.247 >> > 42.115.184.191 >> > 218.87.109.62 >> > 103.6.157.105 >> > None of these measures is sufficient to feel safe. They are suggested >> as an immediate reaction. >> > Please also verify the list above - we have been working under some >> pressure and mistakes might have happened. >> >> @Bernd - some more qs: >> >> - can you tell us where you got the above list of IP addr's (for our >> info)? >> >> - can you tell us precisely which images have been compromised? >> >> >> >> Obviously, this is a serious issue and we need to: >> >> - get these images removed from our systems asap >> >> - kill any VMs which boot off these images (which presumably needs user >> interaction). >> >> >> >> BR, >> >> Se?n. >> >> > Best Regards, Bernd >> > >> > ============ >> > Bernd Bochow >> >> >> >> >> >> >> >> >> >> >> >> _________________________________________________________________________________________________________________________ >> >> Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc >> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler >> a l'expediteur et le detruire ainsi que les pieces jointes. 
Les messages electroniques etant susceptibles d'alteration, >> Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. >> >> This message and its attachments may contain confidential or privileged information that may be protected by law; >> they should not be distributed, used or copied without authorisation. >> If you have received this email in error, please notify the sender and delete this message and its attachments. >> As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. >> Thank you. >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.jpg Type: image/jpeg Size: 17894 bytes Desc: not available URL: From fernando.lopezaguilar at telefonica.com Wed Jun 3 14:28:10 2015 From: fernando.lopezaguilar at telefonica.com (FERNANDO LOPEZ AGUILAR) Date: Wed, 3 Jun 2015 12:28:10 +0000 Subject: [Fiware-lab-recovery-tf] FI-health tool not working In-Reply-To: <556E97FA.7060002@telefonica.com> References: <556E97FA.7060002@telefonica.com> Message-ID: Dear Juanjo, The FI-health tool is working. Maybe it was some temporal connectivity problem or other problem that we have to check but the application is Running without problems. Fernando El 03/06/15 08:00, "Juanjo Hierro" escribi?: >Folks, > > The FI-health tool, whose last release was recently announced by >Fernando on Basecamp, is not working. > > I hope this doesn't mean that the FIWARE Lab is not working (at least >I can connnect to the portal, I haven't made further tests). Just let >you know since we have sold users this is a tool they should use to >check availability of the nodes. 
> > Best regards, > >-- Juanjo > >______________________________________________________ > >Coordinator and Chief Architect, FIWARE platform >CTO Industrial IoT, Telef?nica > >email: juanjose.hierro at telefonica.com >twitter: @JuanjoHierro > >You can follow FIWARE at: > website: http://www.fiware.org > twitter: @FIWARE > facebook: http://www.facebook.com/pages/FI-WARE/251366491587242 > linkedIn: http://www.linkedin.com/groups/FIWARE-4239932 > > >________________________________ > >Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, >puede contener informaci?n privilegiada o confidencial y es para uso >exclusivo de la persona o entidad de destino. Si no es usted. el >destinatario indicado, queda notificado de que la lectura, utilizaci?n, >divulgaci?n y/o copia sin autorizaci?n puede estar prohibida en virtud de >la legislaci?n vigente. Si ha recibido este mensaje por error, le rogamos >que nos lo comunique inmediatamente por esta misma v?a y proceda a su >destrucci?n. > >The information contained in this transmission is privileged and >confidential information intended only for the use of the individual or >entity named above. If the reader of this message is not the intended >recipient, you are hereby notified that any dissemination, distribution >or copying of this communication is strictly prohibited. If you have >received this transmission in error, do not read it. Please immediately >reply to the sender that you have received this communication in error >and then delete it. > >Esta mensagem e seus anexos se dirigem exclusivamente ao seu >destinat?rio, pode conter informa??o privilegiada ou confidencial e ? >para uso exclusivo da pessoa ou entidade de destino. Se n?o ? vossa >senhoria o destinat?rio indicado, fica notificado de que a leitura, >utiliza??o, divulga??o e/ou c?pia sem autoriza??o pode estar proibida em >virtude da legisla??o vigente. 
From silvio.cretti at create-net.org Thu Jun 4 15:31:56 2015
From: silvio.cretti at create-net.org (Silvio Cretti)
Date: Thu, 4 Jun 2015 15:31:56 +0200
Subject: [Fiware-lab-recovery-tf] Status of infograph for the FIWARE Lab nodes
In-Reply-To:
References: <555B64C0.4040000@telefonica.com> <555C6E72.7080006@telefonica.com> <555F3A69.9090605@telefonica.com> <057EAF32-9B4D-449D-BD3C-99F4F8C075F7@create-net.org>
Message-ID:

Dear all,
we really want to put into production the new infographic before the XIFI review (next week). So please let us know your decision on this.
Best regards,
silvio

On Tue, May 26, 2015 at 5:00 PM, Silvio Cretti wrote:

> Hi all,
> we implemented something that could fit with solution 3: if a node doesn't send data, then it is grayed and a tool tip is shown providing the timestamp of the last update.
> Please have a look here:
> http://infographic.lab.fi-ware.eu//
> Please let us know if it is ok and if it could be moved in production.
> Best regards,
> silvio
>
> On Mon, May 25, 2015 at 2:45 PM, Federico Michele Facca <federico.facca at create-net.org> wrote:
>
>> dear stefano and juanjo,
>> attilio already fixed the APIs, he is now updating the graphics. when ready on the demo url, he will inform you.
>>
>> best,
>> federico
>>
>> On Fri, May 22, 2015 at 6:39 PM, stefano de panfilis <stefano.depanfilis at eng.it> wrote:
>>
>>> dear federico and juanjo,
>>>
>>> i also prefer option 3, but avoiding to be too punishing/negative, the sentence should be something like:
>>>
>>> "last updated at hh:mm:ss on dd/mm"
>>>
>>> ciao,
>>> stefano
>>>
>>> 2015-05-22 16:24 GMT+02:00 Federico Michele Facca <federico.facca at create-net.org>:
>>>
>>>> > On 22/May/2015, at 16:17, Juanjo Hierro <juanjose.hierro at telefonica.com> wrote:
>>>> >
>>>> > Did you announce the availability of the infographic recently on Basecamp? Just to be on sync.
>>>>
>>>> not really, i can do in the weekend, unless you prefer to do it!
>>>>
>>>> >
>>>> > To answer your question: I believe that when a node doesn't provide data, at least the node should be listed with either:
>>>> > - showing a message ("unable to gather data"); or
>>>> > - showing the last gathered data (this would require marking the message with some special color or note)
>>>> > - showing a message ("unable to gather data (latest gathered data from /