‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, April 4, 2019 1:41 PM, Peter N. M. Hansteen <[email protected]> wrote:
> On Wed, Apr 03, 2019 at 06:56:39PM +0000, Cord wrote:
>
Please read my last email to misc, I tried to explain again.
> If you see ssh sessions that shouldn't be there, kill those sessions.
Honestly this is not the problem.
>
> Then before they log in again, do whatever changes are required such as generating
> new keys, changing your password or similar, and of course clean up your sshd config.
>
> From your (not very precise) description it could even be that a separate set of
> binaries have been installed in addition to the system sshd. Look for those too.
>
> Basically, do not trust your system as it is. Wipe, reinstall and rebuild
> should be an option.
>
"Second time" in my title means:
Install OpenBSD desktop the first time --> ssh key stealing --> hacked --> wipe and reinstall
Install OpenBSD desktop the second time --> a webmail session opened that was not mine --> maybe hacked --> wipe and reinstall
Then you are saying I must wipe and reinstall once a month till the end of my life?
> For the webmail access, do change your password and if they support it, look into
> any multi-factor authentication options.
>
I don't know if this is useful. I mean, if the hacker has the session cookie he can
probably browse my email without any authentication.
> Moving forward, learn how to read and interpret logs and for that matter
> packet captures.
>
OK, but a kernel rootkit doesn't leave traces.
> The information you have offered up does not give any indication how the suspected
> attackers got hold of enough information to get access (if indeed it is what happened).
>
> That information could possibly be found in your logs, but in my experience it is far
> more likely that somebody with access to the system made some stupid mistake such
> as clicking a link in a mailed webpage, speaking their password out loud within
> hearing distance of somebody with enough context information to be able to use it,
> or something else equally cringeworthy. Then your logs would only show a successful
> login, perhaps from somewhere unexpected, as the start of the compromise.
>
My OpenBSD desktop has no TCP services active; I have some UDP listeners, which are
openvpn and chrome. But I have pf enabled.
If you want I can paste my pf.conf. But it's a few lines, and the last is "block
drop log all".
> I hope some of this stream of semi-random items is of some use.
>
Thank you.
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.