Hi Silvio,

Is it possible to prepare an IP table for GE owners to limit access to some IP addresses, and to update the GE images and maybe the blueprints to improve the situation, at least as a first step?

BR
Thierry

From: fiware-lab-recovery-tf-bounces at lists.fiware.org on behalf of Silvio Cretti
Sent: Wednesday 3 June 2015 08:30
To: fiware-lab-recovery-tf at lists.fiware.org
Subject: [Fiware-lab-recovery-tf] Fwd: [Xifi-WP5] Serious security issue!!

FYI. Unfortunately (this is not by any means good for FIWARE Lab!) after this meeting we have to inform the users. I do not think it is possible to keep it hidden, but let's see what the results of the meeting are.

If any of you wants to attend (I know Fernando will attend), he is welcome. I will keep you informed.

silvio

---------- Forwarded message ----------
From: Silvio Cretti <silvio.cretti at create-net.org>
Date: Tue, Jun 2, 2015 at 7:14 PM
Subject: Re: [Xifi-WP5] Serious security issue!!
To: "Bochow, Bernd" <bernd.bochow at fokus.fraunhofer.de>
Cc: Sergio MORANT <smorant at images-et-reseaux.com>, Sean Murphy <sean at gopaddy.ch>, "Wandekoken Grazioli Bruno Gaetano (gaea)" <gaea at zhaw.ch>, "Günther, Thomas" <thomas.guenther at fokus.fraunhofer.de>, wp5 at fi-xifi.eu, federico facca <federico.facca at create-net.org>, "Bohnert Thomas Michael (bohe)" <bohe at zhaw.ch>, "Mamudi Valon (mamu)" <mamu at zhaw.ch>

Dear all,

in order to discuss countermeasures to this security issue, I propose a telco tomorrow, Wednesday June 3rd at 12.00.
Here are the minutes: https://docs.google.com/document/d/1DvM-c3kwDIMimGzUr3OrcNsQEVT-UiIK5_3sjaXgTew/edit?usp=sharing

I think the presence of one representative for each infrastructure is needed, but at least we need Bernd/Thomas and someone from Telefonica in the telco. Please, Bernd/Thomas and Fernando, let me know if you can attend.

Best regards,
silvio

On Tue, Jun 2, 2015 at 5:13 PM, Bochow, Bernd <bernd.bochow at fokus.fraunhofer.de> wrote:

Dear All,

We found that the remote IPs most likely also drive port 22 scans and brute-force username/password attacks in parallel. We are checking that currently. It might be necessary to distinguish between incoming and outgoing traffic on port 22 and to trace conversations.

It would be interesting to know if there are instances from images that are _not_ subject to those observations (i.e. that are seemingly not infected).

Best Regards,
Bernd

============
Bernd Bochow
Next Generation Network Infrastructures
Fraunhofer Institute for Open Communication Systems (FOKUS)
Kaiserin-Augusta-Allee 31, D-10589 Berlin
e-mail: bernd.bochow at fokus.fraunhofer.de, bernd.bochow at ieee.org
phone: +49 30 3463-7238
fax: +49 30 3463-997238

From: Sergio MORANT <smorant at images-et-reseaux.com>
Date: Tuesday 2 June 2015 16:41
To: Sean Murphy <sean at gopaddy.ch>, "Wandekoken Grazioli Bruno Gaetano (gaea)" <gaea at zhaw.ch>
Cc: "Günther, Thomas" <thomas.guenther at fokus.fraunhofer.de>, Silvio Cretti <silvio.cretti at create-net.org>, wp5 at fi-xifi.eu, federico facca <federico.facca at create-net.org>, "Bohnert Thomas Michael (bohe)" <bohe at zhaw.ch>, "Mamudi Valon (mamu)" <mamu at zhaw.ch>
Subject: RE: [Xifi-WP5] Serious security issue!!

Hi,

I guess we should focus on outgoing connections only. In order to do so, we should focus on connections initiated from the instance (TCP SYN flag set) on the outgoing connection. Otherwise you will also see all the traffic coming from standard connections:

tcpdump -i "eth2" -nn src port 22 and net 195.220.224.0/24 and 'tcp[tcpflags] & (tcp-syn) != 0'
….
14:20:11.456540 IP 195.220.224.8.22 > 221.235.189.245.38345: Flags [S.], seq 2944249903, ack 3486249040, win 14480, options [mss 1460,sackOK,TS val 1048107519 ecr 6706653,nop,wscale 7], length 0
……

Then we can verify the destination IP location (China in most of the cases) using whois IP tools:

[inline image: image001.jpg]

So we can conclude that this is not authorized traffic. For the moment we have detected several instances that behave as described above, all coming from the baseline images described by Bernd.

Best regards
Sergio

From: Sean Murphy <sean at gopaddy.ch>
Sent: Tuesday 2 June 2015 15:58
To: Wandekoken Grazioli Bruno Gaetano (gaea)
Cc: Günther, Thomas; Silvio Cretti; wp5 at fi-xifi.eu; federico facca; Bohnert Thomas Michael (bohe); Mamudi Valon (mamu)
Subject: Re: [Xifi-WP5] Serious security issue!!

So basically, the conclusion here is that it looks like many of our VMs are compromised. We need to get this addressed quickly.

BR,
Seán.

On Tue, Jun 2, 2015 at 3:48 PM, Wandekoken Grazioli Bruno Gaetano (gaea) <gaea at zhaw.ch> wrote:

Hi all,

We were investigating a bit further and we found more IP addresses with similar network traffic.
root at node-1:~# tcpdump -i eth2 src port 22 | grep ".ssh >"
tcpdump: WARNING: eth2: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
15:38:51.189616 IP 160.85.2.93.ssh > 43.229.52.168.55147: Flags [P.], seq 1247424601:1247424985, ack 2671240100, win 195, options [nop,nop,TS val 386932715 ecr 41149876], length 384
15:38:51.195624 IP 160.85.2.37.ssh > 43.229.52.168.53511: Flags [.], ack 3466107547, win 247, options [nop,nop,TS val 325114782 ecr 41149879], length 0
15:38:51.196912 IP 160.85.2.37.ssh > 43.229.52.168.41633: Flags [S.], seq 1831469583, ack 2348125009, win 28960, options [mss 1460,sackOK,TS val 325114783 ecr 41149879,nop,wscale 7], length 0
15:38:51.197389 IP 160.85.2.36.ssh > 43.229.52.168.54271: Flags [P.], seq 2541947209:2541947277, ack 2982814501, win 247, options [nop,nop,TS val 1961950142 ecr 41149878], length 68
15:38:51.198344 IP 160.85.2.37.ssh > 43.229.52.168.53511: Flags [F.], seq 0, ack 2, win 247, options [nop,nop,TS val 325114783 ecr 41149879], length 0
15:38:51.215429 IP 160.85.2.75.ssh > 43.229.52.168.37072: Flags [.], ack 3873844386, win 247, options [nop,nop,TS val 1789122307 ecr 41149884], length 0
15:38:51.228006 IP 160.85.2.93.ssh > 43.229.52.168.55147: Flags [.], ack 649, win 206, options [nop,nop,TS val 386932725 ecr 41149876], length 0
15:38:51.230332 IP 160.85.2.58.ssh > 117.122.200.147.20303: Flags [.], ack 1234683561, win 237, length 0
15:38:51.247801 IP 160.85.2.38.ssh > 43.229.52.168.40257: Flags [.], ack 2046073395, win 247, options [nop,nop,TS val 1792228242 ecr 41149892], length 0
15:38:51.254064 IP 160.85.2.38.ssh > 43.229.52.168.40257: Flags [P.], seq 0:848, ack 1, win 247, options [nop,nop,TS val 1792228243 ecr 41149892], length 848
15:38:51.255200 IP 160.85.2.31.ssh > 43.229.52.168.37915: Flags [.], ack 1726673222, win 247, options [nop,nop,TS val 1791902812 ecr 41149892], length 0
15:38:51.255891 IP 160.85.2.23.ssh > host98-229-dynamic.18-87-r.retail.telecomitalia.it.47653: Flags [P.], seq 1702351463:1702351531, ack 640722127, win 243, options [nop,nop,TS val 1769119395 ecr 29439026], length 68
15:38:51.261504 IP 160.85.2.31.ssh > 43.229.52.168.37915: Flags [P.], seq 0:848, ack 1, win 247, options [nop,nop,TS val 1791902814 ecr 41149892], length 848
15:38:51.274487 IP 160.85.2.53.ssh > 43.229.52.168.54116: Flags [.], ack 3479704829, win 134, options [nop,nop,TS val 1765793620 ecr 41149888], length 0
15:38:51.354746 IP 160.85.2.23.ssh > 43.229.52.168.52891: Flags [.], ack 3679730051, win 247, options [nop,nop,TS val 1769119420 ecr 41149909], length 0
15:38:51.369265 IP 160.85.2.37.ssh > 43.229.52.168.41633: Flags [.], ack 16, win 227, options [nop,nop,TS val 325114826 ecr 41149923], length 0
15:38:51.375708 IP 160.85.2.23.ssh > host98-229-dynamic.18-87-r.retail.telecomitalia.it.47653: Flags [.], ack 85, win 243, options [nop,nop,TS val 1769119425 ecr 29439196], length 0
15:38:51.819626 IP 160.85.2.93.ssh > 43.229.52.168.55147: Flags [.], ack 989, win 216, options [nop,nop,TS val 386932872 ecr 41150032], length 0
15:38:51.819717 IP 160.85.2.93.ssh > 43.229.52.168.55147: Flags [P.], seq 1232:1284, ack 989, win 216, options [nop,nop,TS val 386932872 ecr 41150032], length 52

Best,
Bruno.

________________________________
From: Sean Murphy <sean at gopaddy.ch>
Sent: Tuesday, June 02, 2015 3:27 PM
To: Günther, Thomas
Cc: Silvio Cretti; wp5 at fi-xifi.eu; federico facca; Bohnert Thomas Michael (bohe); Mamudi Valon (mamu)
Subject: Re: [Xifi-WP5] Serious security issue!!

Hi all,

V good info.

> As you can see, we already deactivated the is_public parameter, so that the images are not available to the users anymore.

Good approach - we will do the same.

> Please let us know if you're experiencing similar network traffic.
We have observed similar network traffic - here's a couple of lines:

14:46:45.922628 IP 160.85.2.38.ssh > 43.229.52.137.57495: Flags [.], ack 137, win 247, options [nop,nop,TS val 1791446910 ecr 40368731], length 0
14:46:45.923968 IP 160.85.2.38.ssh > 43.229.52.137.57495: Flags [F.], seq 136, ack 138, win 247, options [nop,nop,TS val 1791446911 ecr 40368731], length 0
14:46:46.041869 IP 160.85.2.30.ssh > 43.229.52.137.55576: Flags [.], ack 1240, win 247, options [nop,nop,TS val 1812202096 ecr 40368761], length 0

We're working on getting more, although now that we've installed the firewall rules it seems the VMs may have stopped trying to connect to the remote servers.

BR,
Seán.

> Regards,
> Thomas

From: Sean Murphy <sean at gopaddy.ch>
Sent: Tuesday, 2 June 2015 13:28
To: Silvio Cretti
Cc: wp5 at fi-xifi.eu; federico facca; Thomas Michael Bohnert; Mamudi Valon (mamu)
Subject: Re: [Xifi-WP5] Serious security issue!!

Hi all,

> Disable user/password log-ins on any images and instances. We suggest having a look at guestfish
> (http://libguestfs.org/guestfish.1.html) to modify images without instantiating.

We asked for this to be done on Apr 1 and followed up a few more times, as it was obvious that the VMs would be compromised. We gave a list of images that we found which do not have password authentication disabled.

Has anyone done this? I guess it would be good to share specific instructions on how to do this for each image instead of having everyone figure it out independently.

> Blacklist the following IP addresses:
> 130.195.145.80
> 198.154.62.59
> 59.63.192.199
> 58.186.224.247
> 42.115.184.191
> 218.87.109.62
> 103.6.157.105
>
> None of these measures is sufficient to feel safe. They are suggested as an immediate reaction.
> Please also verify the list above - we have been working under some pressure and mistakes might have happened.

@Bernd - some more qs:
- can you tell us where you got the above list of IP addrs (for our info)?
- can you tell us precisely which images have been compromised?

Obviously, this is a serious issue and we need to:
- get these images removed from our systems asap
- kill any VMs which boot off these images (which presumably needs user interaction).

BR,
Seán.

> Best Regards,
> Bernd
>
> ============
> Bernd Bochow
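Bernd's suggestion above, to distinguish incoming from outgoing traffic on port 22 and trace the conversations, is the crux of telling a VM that is being brute-forced from a VM that is doing the brute-forcing, and the captures posted in the thread are best read with the TCP handshake in mind: a packet leaving a VM with source port 22 and Flags [S.] is the SYN-ACK its sshd sends back to a remote client, so a filter on src port 22 plus the SYN bit shows connections made to the VM, whereas a VM that is itself scanning others shows up as SYN-only packets from an ephemeral port on the VM to remote port 22. The script below is an added example and is not code from the thread or from the FIWARE/XIFI projects. It parses tcpdump -nn output, keeps only the two handshake packet types, and reports per local host which remote hosts it opened SSH connections to and which remote hosts connected in. The sample capture is constructed with RFC 5737 documentation addresses (198.51.100.0/24 standing in for the cloud's public range) and is not traffic from the incident; the threshold of three distinct outbound targets is an arbitrary choice.

```python
"""Classify SSH handshakes from tcpdump output: which local hosts are being
connected to on port 22 (brute-force targets) and which are themselves
opening SSH connections to remote hosts (scanner behaviour).

Added example, not code from the thread. Assumes tcpdump -nn output;
the port name "ssh" is accepted as well, hostnames in place of addresses are not.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# "<timestamp> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+|ssh) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+|ssh): Flags \[(?P<flags>[^\]]*)\]"
)

SSH_PORT = 22


def _port(text):
    return SSH_PORT if text == "ssh" else int(text)


def classify_ssh_flows(lines, local_net):
    """Return {local_host: {"outbound": set(remote), "inbound": set(remote)}}.

    Only the two handshake packets say who initiated a connection, so
    everything else (data, bare ACK, FIN) is ignored:
      Flags [S]  from a local host to remote port 22  -> local host initiated (outbound)
      Flags [S.] from local port 22 to a remote host  -> remote host initiated (inbound)
    """
    net = ip_network(local_net)
    report = defaultdict(lambda: {"outbound": set(), "inbound": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner, warning or otherwise not a packet line
        src, dst = ip_address(m["src"]), ip_address(m["dst"])
        if src not in net:
            continue  # behaviour is attributed to our own hosts only
        sport, dport, flags = _port(m["sport"]), _port(m["dport"]), m["flags"]
        if flags == "S" and dport == SSH_PORT:
            report[str(src)]["outbound"].add(str(dst))
        elif flags == "S." and sport == SSH_PORT:
            report[str(src)]["inbound"].add(str(dst))
    return dict(report)


def suspected_scanners(report, min_targets=3):
    """Local hosts that opened SSH connections to at least min_targets distinct
    remote hosts. A server has little reason to do that; a VM running a
    brute-forcer does it continuously. The threshold is an arbitrary choice."""
    return sorted(h for h, r in report.items() if len(r["outbound"]) >= min_targets)


# Constructed sample in tcpdump -nn format using RFC 5737 documentation
# addresses; 198.51.100.0/24 stands in for the cloud's public range.
SAMPLE_CAPTURE = """\
15:38:51.189616 IP 198.51.100.93.22 > 203.0.113.168.55147: Flags [P.], seq 1:385, ack 1, win 195, length 384
15:38:51.196912 IP 198.51.100.37.22 > 203.0.113.168.41633: Flags [S.], seq 1831469583, ack 2348125009, win 28960, length 0
15:38:51.230332 IP 198.51.100.58.22 > 203.0.113.147.20303: Flags [.], ack 1234683561, win 237, length 0
15:38:52.000100 IP 198.51.100.58.41002 > 203.0.113.21.22: Flags [S], seq 100, win 29200, length 0
15:38:52.000300 IP 198.51.100.58.41003 > 203.0.113.22.22: Flags [S], seq 101, win 29200, length 0
15:38:52.000500 IP 198.51.100.58.41004 > 203.0.113.23.22: Flags [S], seq 102, win 29200, length 0
15:38:52.100000 IP 203.0.113.9.50000 > 198.51.100.58.22: Flags [S], seq 5, win 29200, length 0
15:38:52.100200 IP 198.51.100.58.22 > 203.0.113.9.50000: Flags [S.], seq 7, ack 6, win 28960, length 0
""".splitlines()

LOCAL_NET = "198.51.100.0/24"

if __name__ == "__main__":
    report = classify_ssh_flows(SAMPLE_CAPTURE, LOCAL_NET)
    for host in sorted(report):
        print(host, "inbound from", sorted(report[host]["inbound"]),
              "outbound to", sorted(report[host]["outbound"]))
    print("suspected scanners:", suspected_scanners(report))
```

On a real infrastructure node the input would come from something like `tcpdump -i eth2 -nn 'tcp port 22 and tcp[tcpflags] & tcp-syn != 0'`, which captures exactly the SYN and SYN-ACK packets the classifier uses and nothing else, with the infrastructure's public range passed as local_net. In the constructed sample, 198.51.100.37 only appears answering an inbound client, while 198.51.100.58 both accepts an inbound client and opens connections to three remote hosts on port 22, so it is the one reported; data-only lines such as the first one carry no information about who initiated the session and are dropped.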