--- Begin Message ---
Package: Debian lxde CD 1, Tor
Version: 8.8.0, 0.2.5.14-1-i386
Kernel: 3.16.0-4-686-pae#1 SMP Debian 3.16.43-2
Let me start with apologizing for my sloppiness about the rules for bug
reporting.
I'm in lousy shape, my nerves are wrecked and I'm certified ill with
burn-out-syndrome.
I'm writing this mail in the hope to contribute to the enhancement of Linux.
Also sorry for writing so much, I wanted to give all info that might be useful.
I guess the abstract of the whole thing is, that my router seems compromised
and seemingly compromises my Debian 8 installation.
I get to see a lot of bad tcp in Wireshark, and then the PC makes connections
on its own.
The text is basically three blocks. My first observations, written out of
memory, right after it happened.
The second a more systematic attempt to observe what is going on.
I enumerated all IPs to which or from which suspicious connections are made at
the end.
After a third fresh re-install, I really don't want to stuff even more text in
this mail. So I'll sum it up in just a few lines here.
The first thing I did was apt-get upgrade. Lots of bad tcp. It does the DHCP
stuff on its own afterwards, ifdown fails with "interface not configured"
though ifconfig shows it with ip4 and ip6 addresses and I can use the internet.
Besides that, nothing suspicious. No connections, nothing.
Until I install tor. Now it starts to connect on its own. To different IPs. One
indeed a tor server, one the MIT - 128.31.0.39 port 9101.
The most peculiar thing:
After I block everything in iptables, it sends out DNS requests for the IPs I
blocked as suspicious. But backwards. Like 30.178.168.192 instead of
192.168.178.30.
Nonetheless, the router resolves them to the same host names that I see when
doing iptables -L. Saw that for the first time yesterday.
I seriously believe that the router somehow compromises the debian
installation.
Original text:
I think I probably have a bug in my debian 8 installation.
Prologue:
My Windows laptop is infected with malware. That I know for sure.
My router seems compromised too. I'm pretty sure about that by now.
So I installed debian 8.8.0 on a PC.
Aware of the compromised router, I set the input chain of iptables to "allow
established" and drop everything else.
I set the output chain to block the multicast packets to 224.0.0.0/24, that it
starts sending as soon as a network device is connected, but allow all else.
I can't block the DNS server, so the frequent DNS requests it sends go out.
The forward chain as well as all ip6tables chains get default policy drop.
Yesterday (4th of June) I connect the computer to the router and download some
packages with apt-get. Then do an apt-get upgrade.
I block source and destination port 80 in input and output chain to not get
accidentally compromised through some manipulated website and surf a bit.
After next restart I notice that ifconfig displays the eth0 interface, without
it being in /etc/network/interfaces. Since it does this also right after fresh
installation, I assume this is normal.
After plugging the network cable in, eth0 now has an IP6 address. It also does
this right after installation, so I assume this is normal too.
Still it is odd. I would prefer my interfaces only having an IP when I say so
in /etc/network/interfaces. And preferably only an IP6 address if I configure it
for that.
I think here is where the strange part starts:
I start a Wireshark capture and seemingly my computer is merrily chatting with
104.131.11.214's port 8080. Using IP4 addresses. Despite ifconfig displaying
only an IP6 address for the interface. And me never having done an ifup or the
interface being in /etc/network/interfaces.
It could be that the connection (which is also in the iptables logs) is from
tor, which is one of the packages I installed yesterday.
But the behavior of the network interface being up and configured without an
entry in the interfaces file seems to me like either the system's not caring
about the interfaces file, or the compromised router managed to compromise the
debian installation despite all precautions.
A third option would be, that the installation CD got compromised at download
already.
For further testing, I dropped everything but destination/source port 53 and
443 in output/input chains of iptables.
When I then start Wireshark and plug the cable in, I get a number of packets
with target IP 239.255.255.250 from the router.
After a short time Wireshark reports that the interface has been closed and
stops capture.
After putting an entry for eth0 in /etc/network/interfaces and an ifup the
internet seems to work normal.
Somewhere in the depths of the packets with destination 239.255.255.250 it says
something about UPnP.
If I recall it right, UPnP is the service of a router to allow programs on
computers connected to it to open their own ports. As I perceive this as a
security risk, I usually disable it when available. The FritzBox I actually
use doesn't seem to have UPnP at all.
So I get an even stronger impression that the router compromised the PC and
after the blocking started to send the packages because it lost contact to its
counterpart.
Maybe I'm wrong and this is all normal, but if not, I assume that there must be
a bug that has been exploited.
Unfortunately I can't give you more info on what happened.
I only used apt-get to install some packages. Used Iceweasel to download
Firefox (https), downloaded NoScript for Firefox first thing and made sure I
only connect to https.
...for completeness, I did some more testing.
Freshly installed system. First download Wireshark. Then followed the
procedure: restart without network cable, start Wireshark, plug in network
cable, observe, ifup, observe, apt-get install, ifdown, plug out network cable,
restart...
The first few packages, everything seems normal. Two or three multicast
packages from the router after I plug the network cable in. Then silence.
The dhcp stuff after ifup, then silence.
Color coding of all packages during apt-get install is green background and
looks nice.
With the 5th package I start getting loads of bad tcp. Re-transmission,
suspected fast re-transmission and ack dup. The last from my computer outbound.
After the next restart, things still appear normal at first, so I download the
next package. Tor.
Again a lot of bad tcp.
For the first time Wireshark pops up a window "interface is closed, stop
capture" after ifdown. Never did that before. Also did not do it again.
I have a break for about 20min, during which the router's power cable is
plugged out for 5-10 min.
After restart and plugging the cable in, for the first time I see a number of
ARP requests "Who has 192.168.178.30", the IP usually assigned to the PC. Again
it looks like it lost something. Didn't do that before. The requests come with
approximately a bit more than 1 per second and continue till I do ifup.
I do the ifup, and instantly receive two packages, tagged ACK, from servers in
the i-net. Source port 9000 and 9001. Sure no rest of an old connection.
Then some bad tcp.
After a while the computer sends a SYN to 217.79.179.177:9001, a connection is
made.
After a while some more bad tcp and now it sends a SYN to one of the IPs the
first two packets came from and connects with it.
I eventually do an ifdown, but keep Wireshark open and wait. And promptly I see
a new DHCP negotiation and the connection starts again. Without me doing
anything to it.
Well, another restart, cable in and waiting some time before starting
Wireshark. And of course there is a connection already and my computer merrily
exchanging packets.
Since the last package I installed was tor, I can of course not safely say
that this isn't just tor. But I think it isn't supposed to connect on its own
like that?
Made another try with a freshly installed system. Installed Wireshark from the
packages that were in /var/cache/apt/archives after the last install.
Wireshark on, cable in, ifup, apt-get update - lots of bad tcp.
Restart computer, Wireshark on, cable in, waiting and it does the DHCP stuff.
No ifup from my side. Ifdown fails - interface not configured. At least no
actual connections as it seems. But I think it isn't supposed to do that?
I test the connection with apt-get upgrade - works fine. Just a lot of bad tcp
again.
I guess it's vain to write more. I believe my router might be compromised. And
it seems like it compromises the Debian PC.
I can't say if it gives me a compromised package (would have to be Wireshark I
guess), or if it's the bad tcp stuff that lets it get in. But unless the CD I
install from is compromised already, I guess it exploits a bug.
I can't test if the phenomena occur only for http connections. The CD doesn't
contain a browser and apt-transport-https failed to work. Certificate doesn't
match host. No idea if this is a problem with the certificates of mirrors or if
my router screwed it up.
Sorry for packing so much in one mail. I'm not used to making bug reports.
I hope if you can't help me, you can at least tell me what is going on on my
computer and with my router.
Thanks in advance for your efforts
Kind regards
Frank Papst
Appendix:
Imho suspicious connections to and from:
104.131.11.214:8080
51.254.35.151:9000
89.163.247.115:9001
95.169.188.103:443
217.79.179.177:9001
91.250.84.156:9001
85.229.84.141:443
46.101.104.245:
128.31.0.39:9101 (the one after the nine is not a typo)
--- End Message ---
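The reversed-octet DNS queries described in the report are the shape a reverse (PTR) lookup takes: `iptables -L` without `-n` resolves every address in its rules to a hostname by querying `<octets reversed>.in-addr.arpa`. As an added example that is not part of the report, the following Python maps such query names back to their forward addresses and checks them against the addresses listed in the appendix; the blocklist and the sample query names are constructed here for illustration.

```python
import ipaddress
import re
from typing import Dict, Iterable, Optional

# Addresses taken from the report's appendix plus the PC's own LAN address.
# Constructed blocklist for this example, standing in for the iptables rules.
BLOCKED = {"104.131.11.214", "217.79.179.177", "128.31.0.39", "192.168.178.30"}

# A PTR query name is the four octets in reverse order under in-addr.arpa.
PTR_RE = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.I
)


def ptr_name(ip: str) -> str:
    """Name a resolver queries for a reverse lookup of an IPv4 address,
    e.g. 192.168.178.30 -> 30.178.168.192.in-addr.arpa (the "backwards" form)."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def ptr_to_ip(qname: str) -> Optional[str]:
    """Map a PTR query name back to the forward address; None if not a valid PTR name."""
    m = PTR_RE.match(qname.strip())
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(m.groups()))))
    except ipaddress.AddressValueError:  # e.g. an octet above 255
        return None


def match_ptr_queries(qnames: Iterable[str], blocked: set) -> Dict[str, str]:
    """Return {query_name: forward_ip} for the PTR queries that correspond to a
    blocked address. These are the lookups `iptables -L` (without -n) triggers
    while rendering its rule list with hostnames."""
    hits = {}
    for q in qnames:
        ip = ptr_to_ip(q)
        if ip is not None and ip in blocked:
            hits[q] = ip
    return hits


# Constructed sample of DNS query names as Wireshark's Info column would show them.
SAMPLE_QUERIES = [
    "30.178.168.192.in-addr.arpa",  # reverse of 192.168.178.30
    "39.0.31.128.in-addr.arpa",     # reverse of 128.31.0.39
    "deb.debian.org",               # ordinary forward query
    "8.8.8.8.in-addr.arpa",         # PTR query for an address not in the list
    "999.1.1.1.in-addr.arpa",       # malformed, octet out of range
]

if __name__ == "__main__":
    for q, ip in match_ptr_queries(SAMPLE_QUERIES, BLOCKED).items():
        print(f"{q} is the reverse lookup of blocked address {ip}")
```

Listing the rules with `iptables -n -L` prints addresses numerically and so does not trigger these lookups at all.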