[Fiware-lab-recovery-tf] Fwd: Serious security issue!!

FERNANDO LOPEZ AGUILAR fernando.lopezaguilar at telefonica.com
Tue Jun 2 14:37:12 CEST 2015


Dear all,

One of our activities in this sprint related to the Glancesync is the modification of the images in order to disable SSH authentication using user/password. We are also analysing the possibility of checking the security issue that you mention.

BR, Fernando

From: Silvio Cretti <silvio.cretti at create-net.org>
Date: Tuesday 2 June 2015 12:38
To: "fiware-lab-recovery-tf at lists.fiware.org" <fiware-lab-recovery-tf at lists.fiware.org>
Subject: [Fiware-lab-recovery-tf] Fwd: Serious security issue!!


Please check the images.
This could be disruptive!!
I will come back in the office tomorrow.
  Silvio

Dear all,
I am still out of office but given the urgency of the topic I prefer to inform you asap.
Please read carefully the attached email and, given the topic, keep it confidential.
Then probably it is better to have a telco tomorrow in order to be aligned on how to proceed. My idea is to have it late in the morning. I will send you an invitation this evening.
I must thank Bernd and the Fraunhofer team for all their work and support.
Best regards
  Silvio

>
> Dear Node Owners,
>
> We have identified a severe security issue and want to inform you about it and about suggested countermeasures.
>
> We noticed malicious traffic originating from a number of instances at the Berlin node.
> We found that at least two baseline images and the Orion Broker image have been infected by a root kit.
> Since baseline images are affected it is reasonable to assume that also other, potentially all FIWARE images are affected too.
> We checked that the images have not been modified since uploaded to the Berlin node.
>
> The root kit becomes active upon instantiation of an infected image and disguises itself as SSH, establishing connections to some well-known and already blacklisted remote C&C servers from source port 22 on IPv4 and IPv6.
>
> The root kit daemon disguises itself as an SSH daemon and is only active for a few seconds, then terminates and restarts itself under a different PID.
> We could not identify the process for this reason so far.
>
> As an immediate action we suggest the following:
> Block any outgoing connection set-up attempt from TCP source port 22. SSHD is usually only listening on this port.
> Disable user/password log-ins on any images and instances. We suggest having a look at guestfish (http://libguestfs.org/guestfish.1.html) to modify images without instantiating them.
> Blacklist the following IP addresses:
> 130.195.145.80
> 198.154.62.59
> 59.63.192.199
> 58.186.224.247
> 42.115.184.191
> 218.87.109.62
> 103.6.157.105
> None of these measures is sufficient to feel safe. They are suggested as an immediate reaction.
> Please also verify the list above - we have been working under some pressure and mistakes might have happened.
>
> Best Regards, Bernd
>
> ============
> Bernd Bochow
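The three "immediate actions" in the forwarded message, turned into reviewable commands. This is an added example and is not part of the thread or of any FIWARE tool; it assumes iptables/ip6tables with the conntrack match on the node hosts, libguestfs-tools (virt-cat, virt-customize) for the offline image edit, and an IMAGE environment variable (a name chosen for this example) pointing at the image to fix. The rootkit described above initiates connections from source port 22; a genuine sshd only answers on that port, so blocking NEW outbound packets with source port 22 leaves legitimate SSH sessions (ESTABLISHED) untouched. The sshd_config rewrite goes a little beyond the message: it also turns off challenge-response and empty-password logins, rewrites directives inside Match blocks, and inserts missing directives before any Match block, because sshd uses the first value it sees for a keyword.

```shell
#!/bin/sh
# Added example, not part of the FIWARE thread or of any FIWARE tool.
# It turns the quoted "immediate actions" into reviewable commands:
#  1. sanity-check the C&C address list (the sender asked for it to be verified),
#  2. print iptables/ip6tables rules that stop NEW outbound connections whose
#     source port is 22 and that drop traffic to/from the listed addresses,
#  3. rewrite an sshd_config so password logins are off, and apply that to a
#     disk image offline with libguestfs tools (virt-cat / virt-customize).
# Nothing here touches a live firewall; rules are printed for review. The
# image step only runs when IMAGE=/path/to/image.qcow2 is set (assumed name).
set -eu

# Addresses exactly as listed in the quoted message.
CNC_IPS="130.195.145.80 198.154.62.59 59.63.192.199 58.186.224.247 42.115.184.191 218.87.109.62 103.6.157.105"

# 1. Dotted-quad check: four decimal octets, each 0-255, nothing else.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ ${#_o} -le 3 ] && [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# 2a. A real sshd only answers on port 22, so its packets are in the reply
#     direction (ESTABLISHED) and still pass. A process that *initiates*
#     connections from source port 22, as described in the thread, produces
#     NEW packets in OUTPUT: log them, then drop them. IPv4 and IPv6 alike.
emit_sport22_rules() {
    for t in iptables ip6tables; do
        echo "$t -I OUTPUT 1 -p tcp --sport 22 -m conntrack --ctstate NEW -j DROP"
        echo "$t -I OUTPUT 1 -p tcp --sport 22 -m conntrack --ctstate NEW -j LOG --log-prefix 'sport22-out: '"
    done
}

# 2b. Drop traffic to and from the listed C&C addresses (all IPv4).
emit_blacklist_rules() {
    for ip in $CNC_IPS; do
        echo "iptables -I OUTPUT 1 -d $ip -j DROP"
        echo "iptables -I INPUT 1 -s $ip -j DROP"
    done
}

# 3a. Rewrite sshd_config (stdin -> stdout) so password logins are off.
#     sshd uses the FIRST value it sees for a keyword, so existing directives
#     (even commented-out defaults) are rewritten in place and missing ones are
#     inserted before any Match block; a line appended at the end would only
#     apply inside the last Match block.
harden_sshd_config() {
    awk '
    BEGIN {
        n = split("PasswordAuthentication ChallengeResponseAuthentication PermitEmptyPasswords", keys, " ")
        for (i = 1; i <= n; i++) want[tolower(keys[i])] = keys[i]
    }
    function insert_missing(  i) {
        for (i = 1; i <= n; i++) if (!seen[tolower(keys[i])]) print keys[i] " no"
        inserted = 1
    }
    {
        line = $0; sub(/^[ \t]*#?[ \t]*/, "", line); split(line, f, /[ \t]+/)
        k = tolower(f[1])
        if (k in want) { if (!inserted) seen[k] = 1; print want[k] " no"; next }
        if (k == "match" && !inserted) insert_missing()
        print
    }
    END { if (!inserted) insert_missing() }'
}

# 3b. Apply 3a to a disk image without booting it (needs libguestfs-tools).
fix_image() {
    image=$1
    tmp=$(mktemp)
    virt-cat -a "$image" /etc/ssh/sshd_config | harden_sshd_config > "$tmp"
    virt-customize -a "$image" --upload "$tmp:/etc/ssh/sshd_config" \
        --chmod 0644:/etc/ssh/sshd_config
    rm -f "$tmp"
}

# Constructed sample config, including a Match block that re-enables passwords.
SAMPLE_CONFIG='# sshd_config (constructed sample)
Port 22
#PasswordAuthentication yes
UsePAM yes
Match User backup
    PasswordAuthentication yes'

for ip in $CNC_IPS; do
    valid_ipv4 "$ip" || { echo "bad address in list: $ip" >&2; exit 1; }
done
emit_sport22_rules
emit_blacklist_rules
printf '%s\n' "$SAMPLE_CONFIG" | harden_sshd_config
if [ -n "${IMAGE:-}" ]; then fix_image "$IMAGE"; fi
```

Run it once to read the generated rules, then pipe the two emit_ functions into the shell on each node host; the blacklist rules only cover the addresses in the message, so extend CNC_IPS if the list changes. The firewall rules treat the symptom: as the message itself says, they are a stop-gap until the infected images are replaced and running instances rebuilt from clean ones.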

________________________________

The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.