FYI. Unfortunately (this is not by any means good for FIWARE Lab!) after this meeting we have to inform the users. I do not think it is possible to keep it hidden, but let's see what the results of the meeting are. If any of you wants to attend (I know Fernando will attend), he is welcome. I will keep you informed.

silvio

---------- Forwarded message ----------
From: Silvio Cretti <silvio.cretti at create-net.org>
Date: Tue, Jun 2, 2015 at 7:14 PM
Subject: Re: [Xifi-WP5] Serious security issue!!
To: "Bochow, Bernd" <bernd.bochow at fokus.fraunhofer.de>
Cc: Sergio MORANT <smorant at images-et-reseaux.com>, Sean Murphy <sean at gopaddy.ch>, "Wandekoken Grazioli Bruno Gaetano (gaea)" <gaea at zhaw.ch>, "Günther, Thomas" <thomas.guenther at fokus.fraunhofer.de>, "wp5 at fi-xifi.eu" <wp5 at fi-xifi.eu>, federico facca <federico.facca at create-net.org>, "Bohnert Thomas Michael (bohe)" <bohe at zhaw.ch>, "Mamudi Valon (mamu)" <mamu at zhaw.ch>

Dear all,

in order to discuss countermeasures to this security issue, I propose a telco *tomorrow Wednesday June 3rd at 12.00.*

Here are the minutes: https://docs.google.com/document/d/1DvM-c3kwDIMimGzUr3OrcNsQEVT-UiIK5_3sjaXgTew/edit?usp=sharing

I think the presence of one representative for each infrastructure is needed, but at least we need Bernd/Thomas and someone from Telefonica in the telco.

Please Bernd/Thomas and Fernando, let me know if you can attend.

Best regards,
silvio

On Tue, Jun 2, 2015 at 5:13 PM, Bochow, Bernd <bernd.bochow at fokus.fraunhofer.de> wrote:
> Dear All,
>
> We found that the remote IPs most likely also drive port 22 scan and
> brute force username/password attacks in parallel.
> We are checking that currently.
> It might be necessary to distinguish between incoming and outgoing traffic
> on port 22 and to trace conversations.
>
> It would be interesting to know if there are instances from images that
> are _not_ subject to those observations (i.e. that are seemingly not
> infected).
>
> Best Regards, Bernd
>
> ============
> Bernd Bochow
> Next Generation Network Infrastructures
> Fraunhofer Institute for Open Communication Systems (FOKUS)
> Kaiserin-Augusta-Allee 31, D-10589 Berlin
> e-mail: bernd.bochow at fokus.fraunhofer.de, bernd.bochow at ieee.org
> phone: +49 30 3463-7238
> fax: +49 30 3463-997238
>
> From: Sergio MORANT <smorant at images-et-reseaux.com>
> Date: Tuesday 2 June 2015 16:41
> To: Sean Murphy <sean at gopaddy.ch>, "Wandekoken Grazioli Bruno Gaetano (gaea)" <gaea at zhaw.ch>
> Cc: Günther, Thomas <thomas.guenther at fokus.fraunhofer.de>, Silvio Cretti <silvio.cretti at create-net.org>, "wp5 at fi-xifi.eu" <wp5 at fi-xifi.eu>, federico facca <federico.facca at create-net.org>, "Bohnert Thomas Michael (bohe)" <bohe at zhaw.ch>, "Mamudi Valon (mamu)" <mamu at zhaw.ch>
> Subject: RE: [Xifi-WP5] Serious security issue!!
>
> Hi,
>
> I guess we should focus on outgoing connections only. In order to do so,
> we should focus on connections initiated from the instance (TCP flag SYN
> active) on the outgoing connection. Otherwise you will also see all the
> traffic coming from standard connections:
>
> tcpdump -i "eth2" -nn src port 22 and net 195.220.224.0/24 and 'tcp[tcpflags] & (tcp-syn) != 0'
>
> ….
>
> 14:20:11.456540 IP 195.220.224.8.22 > 221.235.189.245.38345: Flags [S.], seq 2944249903, ack 3486249040, win 14480, options [mss 1460,sackOK,TS val 1048107519 ecr 6706653,nop,wscale 7], length 0
>
> ……
>
> Then we can verify the destination IP location (China in most of the
> cases) using Whois IP tools
>
> So we can conclude that this is not authorized traffic.
>
> For the moment we have detected several instances that behave as
> described above, all coming from the baseline images described by Bernd
>
> Best regards
> Sergio
>
> *From:* Sean Murphy [mailto:sean at gopaddy.ch <sean at gopaddy.ch>]
> *Sent:* Tuesday 2 June 2015 15:58
> *To:* Wandekoken Grazioli Bruno Gaetano (gaea)
> *Cc:* Günther, Thomas; Silvio Cretti; wp5 at fi-xifi.eu; federico facca; Bohnert Thomas Michael (bohe); Mamudi Valon (mamu)
> *Subject:* Re: [Xifi-WP5] Serious security issue!!
>
> So basically, the conclusion here is that it looks like many of our VMs
> are compromised.
>
> We need to get this addressed quickly.
>
> BR,
> Seán.
>
> On Tue, Jun 2, 2015 at 3:48 PM, Wandekoken Grazioli Bruno Gaetano (gaea) <gaea at zhaw.ch> wrote:
>
> Hi all,
>
> We were investigating a bit further and we found more IP addresses with
> similar network traffic.
>
> root at node-1:~# tcpdump -i eth2 src port 22 | grep ".ssh >"
> tcpdump: WARNING: eth2: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
> 15:38:51.189616 IP 160.85.2.93.ssh > 43.229.52.168.55147: Flags [P.], seq 1247424601:1247424985, ack 2671240100, win 195, options [nop,nop,TS val 386932715 ecr 41149876], length 384
> 15:38:51.195624 IP 160.85.2.37.ssh > 43.229.52.168.53511: Flags [.], ack 3466107547, win 247, options [nop,nop,TS val 325114782 ecr 41149879], length 0
> 15:38:51.196912 IP 160.85.2.37.ssh > 43.229.52.168.41633: Flags [S.], seq 1831469583, ack 2348125009, win 28960, options [mss 1460,sackOK,TS val 325114783 ecr 41149879,nop,wscale 7], length 0
> 15:38:51.197389 IP 160.85.2.36.ssh > 43.229.52.168.54271: Flags [P.], seq 2541947209:2541947277, ack 2982814501, win 247, options [nop,nop,TS val 1961950142 ecr 41149878], length 68
> 15:38:51.198344 IP 160.85.2.37.ssh > 43.229.52.168.53511: Flags [F.], seq 0, ack 2, win 247, options [nop,nop,TS val 325114783 ecr 41149879], length 0
> 15:38:51.215429 IP 160.85.2.75.ssh > 43.229.52.168.37072: Flags [.], ack 3873844386, win 247, options [nop,nop,TS val 1789122307 ecr 41149884], length 0
> 15:38:51.228006 IP 160.85.2.93.ssh > 43.229.52.168.55147: Flags [.], ack 649, win 206, options [nop,nop,TS val 386932725 ecr 41149876], length 0
> 15:38:51.230332 IP 160.85.2.58.ssh > 117.122.200.147.20303: Flags [.], ack 1234683561, win 237, length 0
> 15:38:51.247801 IP 160.85.2.38.ssh > 43.229.52.168.40257: Flags [.], ack 2046073395, win 247, options [nop,nop,TS val 1792228242 ecr 41149892], length 0
> 15:38:51.254064 IP 160.85.2.38.ssh > 43.229.52.168.40257: Flags [P.], seq 0:848, ack 1, win 247, options [nop,nop,TS val 1792228243 ecr 41149892], length 848
> 15:38:51.255200 IP 160.85.2.31.ssh > 43.229.52.168.37915: Flags [.], ack 1726673222, win 247, options [nop,nop,TS val 1791902812 ecr 41149892], length 0
> 15:38:51.255891 IP 160.85.2.23.ssh > host98-229-dynamic.18-87-r.retail.telecomitalia.it.47653: Flags [P.], seq 1702351463:1702351531, ack 640722127, win 243, options [nop,nop,TS val 1769119395 ecr 29439026], length 68
> 15:38:51.261504 IP 160.85.2.31.ssh > 43.229.52.168.37915: Flags [P.], seq 0:848, ack 1, win 247, options [nop,nop,TS val 1791902814 ecr 41149892], length 848
> 15:38:51.274487 IP 160.85.2.53.ssh > 43.229.52.168.54116: Flags [.], ack 3479704829, win 134, options [nop,nop,TS val 1765793620 ecr 41149888], length 0
> 15:38:51.354746 IP 160.85.2.23.ssh > 43.229.52.168.52891: Flags [.], ack 3679730051, win 247, options [nop,nop,TS val 1769119420 ecr 41149909], length 0
> 15:38:51.369265 IP 160.85.2.37.ssh > 43.229.52.168.41633: Flags [.], ack 16, win 227, options [nop,nop,TS val 325114826 ecr 41149923], length 0
> 15:38:51.375708 IP 160.85.2.23.ssh > host98-229-dynamic.18-87-r.retail.telecomitalia.it.47653: Flags [.], ack 85, win 243, options [nop,nop,TS val 1769119425 ecr 29439196], length 0
> 15:38:51.819626 IP 160.85.2.93.ssh > 43.229.52.168.55147: Flags [.], ack 989, win 216, options [nop,nop,TS val 386932872 ecr 41150032], length 0
> 15:38:51.819717 IP 160.85.2.93.ssh > 43.229.52.168.55147: Flags [P.], seq 1232:1284, ack 989, win 216, options [nop,nop,TS val 386932872 ecr 41150032], length 52
>
> Best,
> Bruno.
> ------------------------------
>
> *From:* Sean Murphy [sean at gopaddy.ch]
> *Sent:* Tuesday, June 02, 2015 3:27 PM
> *To:* Günther, Thomas
> *Cc:* Silvio Cretti; wp5 at fi-xifi.eu; federico facca; Bohnert Thomas Michael (bohe); Mamudi Valon (mamu)
> *Subject:* Re: [Xifi-WP5] Serious security issue!!
>
> Hi all,
>
> V good info.
>
> > As you can see we already deactivated the is_public parameter, so that the
> > images are not available for the users anymore.
>
> Good approach - we will do the same.
>
> > Please let us know if you're experiencing similar network traffic.
>
> We have observed similar network traffic - here's a couple of lines
>
> 14:46:45.922628 IP 160.85.2.38.ssh > 43.229.52.137.57495: Flags [.], ack 137, win 247, options [nop,nop,TS val 1791446910 ecr 40368731], length 0
> 14:46:45.923968 IP 160.85.2.38.ssh > 43.229.52.137.57495: Flags [F.], seq 136, ack 138, win 247, options [nop,nop,TS val 1791446911 ecr 40368731], length 0
> 14:46:46.041869 IP 160.85.2.30.ssh > 43.229.52.137.55576: Flags [.], ack 1240, win 247, options [nop,nop,TS val 1812202096 ecr 40368761], length 0
>
> We're working on getting more although now that we've installed the firewall
> rules, it seems the VMs may have stopped trying to connect to the remote
> servers.
>
> BR,
> Seán.
>
> > Regards,
> >
> > Thomas
> >
> > *From:* Sean Murphy [mailto:sean at gopaddy.ch]
> > *Sent:* Tuesday, 2 June 2015 13:28
> > *To:* Silvio Cretti
> > *Cc:* wp5 at fi-xifi.eu; federico facca; Thomas Michael Bohnert; Mamudi Valon (mamu)
> > *Subject:* Re: [Xifi-WP5] Serious security issue!!
> >
> > Hi all,
> >
> > > Disable user/password log-ins on any images and instances. We suggest
> > > to have a look on guestfish
> >
> > We asked for this to be done on Apr 1 and followed up a few more times
> > as it was obvious that the VMs would be compromised. We gave a list of
> > images that we found which do not have password authentication disabled.
> >
> > > (http://libguestfs.org/guestfish.1.html) to modify images without
> > > instantiating.
> >
> > Has anyone done this - I guess it would be good to share specific instructions on
> > how to do this for each image instead of having everyone figure it out
> > independently.
> >
> > > Blacklist the following IP addresses:
> > > 130.195.145.80
> > > 198.154.62.59
> > > 59.63.192.199
> > > 58.186.224.247
> > > 42.115.184.191
> > > 218.87.109.62
> > > 103.6.157.105
> > >
> > > None of these measures is sufficient to feel safe. They are suggested as
> > > an immediate reaction.
> > >
> > > Please also verify the list above - we have been working under some
> > > pressure and mistakes might have happened.
> >
> > @Bernd - some more qs:
> >
> > - can you tell us where you got the above list of IP addr's (for our info)?
> >
> > - can you tell us precisely which images have been compromised?
> >
> > Obviously, this is a serious issue and we need to:
> >
> > - get these images removed from our systems asap
> >
> > - kill any VMs which boot off these images (which presumably needs user
> > interaction).
> >
> > BR,
> > Seán.
> >
> > > Best Regards, Bernd
> > >
> > > ============
> > > Bernd Bochow

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.fiware.org/private/fiware-lab-recovery-tf/attachments/20150603/ea6989f0/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 17894 bytes
Desc: not available
URL: <https://lists.fiware.org/private/fiware-lab-recovery-tf/attachments/20150603/ea6989f0/attachment.jpg>
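Two points in the thread call for the same tool: Bernd's remark that incoming and outgoing port-22 traffic must be told apart and conversations traced, and Sergio's SYN-based tcpdump filter. The subtlety is that a SYN-ACK (`[S.]`) leaving source port 22 is the instance answering an inbound connection (a scan or brute-force login), while an instance that connects out to a remote SSH server shows up as a bare SYN (`[S]`) from an ephemeral port toward remote port 22. The script below is an added example and not code from the XIFI/FIWARE thread: it parses saved tcpdump text lines of the shape shown in the thread, reconstructs each SSH conversation from its handshake packet, labels it inbound or outbound relative to an assumed local instance range (`LOCAL_NETS`, a placeholder), attaches later data/ACK/FIN packets to the conversation they belong to, and counts conversations per remote peer. The sample lines are constructed with documentation addresses, not taken from the captures above.

```python
"""Classify SSH conversations in saved tcpdump text as inbound or outbound.

Added example; not code from the thread. Assumption: instance addresses live
in LOCAL_NETS, and the capture was taken for both directions (e.g. "port 22"
rather than "src port 22"), so the initiating SYN is present.
"""
import ipaddress
import re

# Assumption: the tenant's instance range (placeholder, replace with the real subnets).
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# One tcpdump text line: timestamp, "IP", src.port > dst.port: Flags [..], ..., length N
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:.*length (?P<len>\d+))?"
)


def split_endpoint(endpoint):
    """'160.85.2.93.ssh' -> ('160.85.2.93', 'ssh'); also works for hostnames."""
    host, port = endpoint.rsplit(".", 1)
    return host, port


def is_ssh_port(port):
    # tcpdump prints the service name unless run with -nn, which prints 22.
    return port in ("22", "ssh")


def is_local(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # a resolved hostname is never one of our instances
        return False
    return any(addr in net for net in LOCAL_NETS)


def classify(flags, src_host, src_port, dst_host, dst_port):
    """From a handshake packet, decide who opened the SSH conversation.

    [S] is sent by the initiator, [S.] by the responder. Returns
    (direction, initiator, responder) or None for non-handshake packets.
    """
    if flags == "S":
        initiator, responder = (src_host, src_port), (dst_host, dst_port)
    elif flags == "S.":
        initiator, responder = (dst_host, dst_port), (src_host, src_port)
    else:
        return None
    if not is_ssh_port(responder[1]):
        return None  # some other service
    if is_local(initiator[0]) and not is_local(responder[0]):
        return "outbound", initiator, responder  # instance -> remote SSH server
    if is_local(responder[0]) and not is_local(initiator[0]):
        return "inbound", initiator, responder   # remote -> instance SSH server
    return None


def analyze(lines):
    """Group packets into conversations keyed by (init_host, init_port, resp_host, resp_port).

    Returns (conversations, unattributed); unattributed holds data packets whose
    handshake was not in the capture, so their direction cannot be proven.
    """
    conversations, unattributed = {}, []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        src_host, src_port = split_endpoint(m["src"])
        dst_host, dst_port = split_endpoint(m["dst"])
        length = int(m["len"] or 0)
        verdict = classify(m["flags"], src_host, src_port, dst_host, dst_port)
        if verdict is not None:
            direction, initiator, responder = verdict
            conv = conversations.setdefault(
                initiator + responder, {"direction": direction, "packets": 0, "bytes": 0})
        else:
            # Data/ACK/FIN packet: attach to a known conversation in either direction.
            fwd = (src_host, src_port, dst_host, dst_port)
            rev = (dst_host, dst_port, src_host, src_port)
            conv = conversations.get(fwd) or conversations.get(rev)
            if conv is None:
                unattributed.append(raw.strip())
                continue
        conv["packets"] += 1
        conv["bytes"] += length
    return conversations, unattributed


def peers_by_direction(conversations):
    """Count conversations per remote peer, split by who initiated them."""
    peers = {"outbound": {}, "inbound": {}}
    for (init_host, _, resp_host, _), conv in conversations.items():
        remote = resp_host if conv["direction"] == "outbound" else init_host
        bucket = peers[conv["direction"]]
        bucket[remote] = bucket.get(remote, 0) + 1
    return peers


# Constructed sample in tcpdump's text format (documentation addresses only).
SAMPLE_LINES = [
    "12:00:01.000100 IP 192.0.2.10.44321 > 203.0.113.7.22: Flags [S], seq 1, win 29200, length 0",
    "12:00:01.000200 IP 203.0.113.7.22 > 192.0.2.10.44321: Flags [S.], seq 2, ack 2, win 28960, length 0",
    "12:00:01.000300 IP 192.0.2.10.44321 > 203.0.113.7.22: Flags [P.], seq 1:41, ack 1, win 229, length 40",
    "12:00:02.000100 IP 198.51.100.5.55147 > 192.0.2.11.ssh: Flags [S], seq 9, win 14600, length 0",
    "12:00:02.000200 IP 192.0.2.11.ssh > 198.51.100.5.55147: Flags [S.], seq 3, ack 10, win 14480, length 0",
    "12:00:02.000300 IP 192.0.2.11.ssh > 198.51.100.5.55147: Flags [P.], seq 1:385, ack 1, win 195, length 384",
    "12:00:03.000100 IP 192.0.2.12.ssh > 198.51.100.5.38345: Flags [S.], seq 4, ack 5, win 14480, length 0",
    "12:00:04.000100 IP 192.0.2.13.ssh > 203.0.113.9.40257: Flags [.], ack 1, win 247, length 0",
]

if __name__ == "__main__":
    convs, leftover = analyze(SAMPLE_LINES)
    for key, conv in convs.items():
        print(conv["direction"], key, conv["packets"], "packets", conv["bytes"], "bytes")
    print("peers:", peers_by_direction(convs))
    print("packets without a seen handshake:", len(leftover))
```

On the constructed sample the first conversation is the only outbound one (the instance itself sent the `[S]` to a remote port 22), the two `[S.]` packets from local port `ssh` are inbound logins answered by the instance, and the lone `[.]` packet is reported as unattributed because no handshake for it was captured. Captures made with `src port 22` alone never contain the instance's own outgoing `[S]`, so a capture of both directions is what makes the outbound case detectable.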