Please check the images. This could be disruptive!! I will come back to the office tomorrow.

Silvio

Dear all,

I am still out of office, but given the urgency of the topic I prefer to inform you asap. Please read the attached email carefully and, given the topic, keep it confidential. Then it is probably better to have a telco tomorrow in order to be aligned on how to proceed. My idea is to have it late in the morning. I will send you an invitation this evening.

I must thank Bernd and the Fraunhofer team for all their work and support.

Best regards
Silvio

>
> Dear Node Owners,
>
> We have identified a severe security issue and want to inform you about this and about suggested countermeasures.
>
> We noticed malicious traffic originating from a number of instances at the Berlin node.
> We found that at least two baseline images and the Orion Broker image have been infected by a root kit.
> Since baseline images are affected, it is reasonable to assume that other, potentially all, FIWARE images are affected too.
> We checked that the images have not been modified since they were uploaded to the Berlin node.
>
> The root kit becomes active upon instantiation of an infected image and hides itself as SSH, establishing connections to some well-known and already blacklisted remote C&C servers through source port 22 on IPv4 and IPv6.
>
> The root kit daemon hides itself as an SSH daemon and is only active for a few seconds, then terminates and restarts itself under a different PID.
> We could not identify the process for this reason so far.
>
> As an immediate action we suggest the following:
> Block any outgoing connection set-up attempt on tcp source port 22. SSHD is usually only listening on this port.
> Disable user/password log-ins on any images and instances. We suggest having a look at guestfish (http://libguestfs.org/guestfish.1.html) to modify images without instantiating them.
> Blacklist the following IP addresses:
> 130.195.145.80
> 198.154.62.59
> 59.63.192.199
> 58.186.224.247
> 42.115.184.191
> 218.87.109.62
> 103.6.157.105
> None of these measures is sufficient to feel safe. They are suggested as an immediate reaction.
> Please also verify the list above - we have been working under some pressure and mistakes might have happened.
>
> Best Regards,
> Bernd
>
> ============
> Bernd Bochow

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.fiware.org/private/fiware-lab-recovery-tf/attachments/20150602/9415994c/attachment.html>
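The countermeasures quoted above (block connection set-up from source port 22, blacklist the listed C&C addresses) translate into a few firewall rules, and the same indicators can be checked on a running instance by reading the kernel's socket table. The script below is an added example written for this archive page; it is not code from the task force, Fraunhofer or the FIWARE project. It parses the `/proc/net/tcp` and `/proc/net/tcp6` format over constructed sample lines (the sample addresses 10.0.2.5, 192.168.1.10, 203.0.113.7 and 2001:db8::/32 are made up for the example; only the blacklist comes from Bernd's mail) and flags sockets that match the mail's description. One caveat the snapshot cannot resolve on its own: an ESTABLISHED socket with local port 22 and an ephemeral remote port looks the same whether it is an inbound SSH session or an outbound rootkit connection, so the heuristic only flags sockets in SYN_SENT (by definition outbound) or talking to a privileged remote port; the firewall rule, by contrast, uses the SYN flag to tell initiation from sshd's replies.

```python
import os
import socket
import struct

# Addresses from Bernd's list in the thread above.
BLACKLIST = {
    "130.195.145.80", "198.154.62.59", "59.63.192.199", "58.186.224.247",
    "42.115.184.191", "218.87.109.62", "103.6.157.105",
}

# Socket states as printed in the "st" column of /proc/net/tcp{,6}.
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "0A": "LISTEN"}


def decode_addr(field):
    """Turn a /proc/net/tcp{,6} 'HEXADDR:HEXPORT' field into (ip, port).

    The kernel prints each 32-bit word of the address in host byte order, so
    on little-endian hosts (x86) the bytes inside every word appear reversed;
    IPv6 addresses are four such words."""
    addr_hex, port_hex = field.split(":")
    words = [addr_hex[i:i + 8] for i in range(0, len(addr_hex), 8)]
    raw = b"".join(struct.pack("<I", int(w, 16)) for w in words)
    family = socket.AF_INET if len(raw) == 4 else socket.AF_INET6
    return socket.inet_ntop(family, raw), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the text of /proc/net/tcp or /proc/net/tcp6 into socket records."""
    conns = []
    for line in text.splitlines()[1:]:          # first line is the column header
        parts = line.split()
        if len(parts) < 10:
            continue
        conns.append({
            "local": decode_addr(parts[1]),
            "remote": decode_addr(parts[2]),
            "state": TCP_STATES.get(parts[3], parts[3]),
            "inode": parts[9],                  # links the socket to /proc/<pid>/fd
        })
    return conns


def suspicious(conn):
    """Reasons a socket matches the indicators from the mail (empty = clean)."""
    (_, lport), (rip, rport), state = conn["local"], conn["remote"], conn["state"]
    reasons = []
    if state == "LISTEN":
        return reasons                          # sshd's own listener is expected
    if rip in BLACKLIST:
        reasons.append("remote %s is on the C&C blacklist" % rip)
    if lport == 22 and state == "SYN_SENT":
        reasons.append("outbound connection attempt from source port 22")
    elif lport == 22 and 0 < rport < 1024:
        # Inbound SSH clients use ephemeral source ports; a privileged remote
        # port is far more likely to be a service the rootkit is calling.
        reasons.append("source port 22 talking to privileged remote port %d" % rport)
    return reasons


def scan(text):
    """Return [(conn, reasons)] for every flagged socket in a /proc/net/tcp dump."""
    hits = []
    for conn in parse_proc_net_tcp(text):
        reasons = suspicious(conn)
        if reasons:
            hits.append((conn, reasons))
    return hits


def pid_for_inode(inode, proc="/proc"):
    """Live use only: map a socket inode to the PID holding it by walking
    /proc/<pid>/fd. The mail notes the daemon re-execs under a new PID every
    few seconds, so take the snapshot and the lookup back to back."""
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == "socket:[%s]" % inode:
                    return int(pid)
        except OSError:
            continue                            # process vanished or not ours
    return None


def firewall_rules(blacklist=BLACKLIST):
    """iptables/ip6tables commands for the mail's two network countermeasures.
    '--syn' matches only connection initiation (SYN without ACK), so sshd's
    replies to inbound clients, which also carry source port 22, still pass."""
    rules = ["iptables -I OUTPUT -p tcp --sport 22 --syn -j DROP",
             "ip6tables -I OUTPUT -p tcp --sport 22 --syn -j DROP"]
    for ip in sorted(blacklist):
        rules.append("iptables -I OUTPUT -d %s -j DROP" % ip)
        rules.append("iptables -I INPUT -s %s -j DROP" % ip)
    return rules


# Constructed sample dumps (not captured from a real node): a listening sshd,
# a legitimate inbound session, a SYN to a blacklisted C&C from source port
# 22, an established session from port 22 to an unknown host's port 80, and an
# IPv6 session from port 22 to port 443.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0502000A:0016 0A01A8C0:D431 01 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 20 4 30 10 -1
   2: 0502000A:0016 3B3E9AC6:01BB 02 00000001:00000000 01:00000014 00000001     0        0 10003 1 0000000000000000 20 4 0 10 -1
   3: 0502000A:0016 077100CB:0050 01 00000000:00000000 00:00000000 00000000     0        0 10004 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: B80D0120000000000000000010000000:0016 B80D0120000000000000000001000000:01BB 01 00000000:00000000 00:00000000 00000000     0        0 10005 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    for dump in (SAMPLE_TCP, SAMPLE_TCP6):
        for conn, reasons in scan(dump):
            print("%s:%d -> %s:%d [%s] inode %s: %s" % (
                conn["local"] + conn["remote"] + (conn["state"], conn["inode"], "; ".join(reasons))))
    print("\n".join(firewall_rules()))
```

On a live instance replace the constructed dumps with `open("/proc/net/tcp").read()` and `open("/proc/net/tcp6").read()` and pass each hit's inode to `pid_for_inode` as root. The password-login change (`PasswordAuthentication no` in sshd_config) is not generated here; the mail points at guestfish for applying it to images without booting them.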