# gentoo glsa i got owned

## niceflower

I have seen 2 or so vulnerabilities since 2017 in x11-libs and QEMU. I was using those and my Gentoo got infected with a trojan and rootkit. I was using custom-built grsec hardened-sources and only went surfing in QEMU. How did they get in?

I was also running wineserver with open ports; I am not familiar with Wine exploits.

I do not think it is possible to go online 100% secure.

grsec complained about a deny on a preloader (Wine related); it kept spamming the log. Later on all my logs were gone, how weird is that.

Then on reboot I noticed a sneaky logo in the top-left corner.

On the second reboot the logo was gone.

chkrootkit complained about a trojan installed; false positive?

With no network services running, netstat always showed only the Wine port 30300 listening.

When I was playing a Windows game in Wine the mouse got taken over; later on I had a cryptlock screen and could do nothing.

I do NOT want to state that the attacker, whoever it was, had physical contact with the server, and I am not 100% sure they used the exploit in Gentoo x11-libs and QEMU, or even Wine.

I had iptables and grsec running, following the Gentoo handbook.

The system got smashed to an unbootable kernel panic.

----------

## axl

Let's think about this a bit. 

You say you ran iptables. What does that mean? 

For instance, you say you ran another OS to browse the net using QEMU. Did you isolate that guest OS from the host OS using iptables? Because if you didn't, then break that guest and then ssh to the host.

What kind of game releases did you play on Wine, and using what user? Was it root?

----------
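A concrete version of the host/guest isolation axl is asking about, added here as an example and not part of the thread or of any Gentoo script: host-side iptables rules for a QEMU guest attached to a tap interface. The interface names (tap0, eth0), the guest subnet (192.168.100.0/24) and the chain name GUEST_IN are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): host-side iptables rules that keep a
# QEMU guest on a tap interface away from the host's own services while
# still letting it reach the internet through NAT.
# Assumptions: guest on tap0, host uplink eth0, guest subnet 192.168.100.0/24.

# Print the rules for the given interfaces/subnet. Printing first (instead of
# executing directly) lets you review them or diff them against a running box.
guest_isolation_rules() {
    tap="$1"; uplink="$2"; net="$3"
    cat <<EOF
# default-deny forwarding, then only what the guest actually needs
iptables -P FORWARD DROP
sysctl -q -w net.ipv4.ip_forward=1
# everything the guest sends *to the host itself* is logged and dropped:
# ssh, X11, wineserver, anything else listening on the host is unreachable
iptables -N GUEST_IN 2>/dev/null || iptables -F GUEST_IN
iptables -A GUEST_IN -m limit --limit 5/min -j LOG --log-prefix "guest->host: "
iptables -A GUEST_IN -j DROP
iptables -I INPUT -i $tap -j GUEST_IN
# guest -> internet via the uplink, and only replies back in
iptables -A FORWARD -i $tap -o $uplink -s $net -j ACCEPT
iptables -A FORWARD -i $uplink -o $tap -d $net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# guest may not reach any other interface (LAN, other guests) at all
iptables -A FORWARD -i $tap -j DROP
iptables -t nat -A POSTROUTING -s $net -o $uplink -j MASQUERADE
EOF
}

# Usage:  sh guest-isolate.sh show   # print the rules
#         sh guest-isolate.sh apply  # run them (needs root)
case "${1:-}" in
    show)  guest_isolation_rules tap0 eth0 192.168.100.0/24 ;;
    apply) guest_isolation_rules tap0 eth0 192.168.100.0/24 | sh -e ;;
esac
```

If the host also serves DHCP or DNS to the guest (dnsmasq bound to tap0), add explicit ACCEPT lines for udp/67 and udp+tcp/53 to GUEST_IN before the DROP. Note that these rules see nothing when the guest uses QEMU's default user-mode (slirp) networking: slirp makes connections from the qemu process itself and lets the guest reach host services at 10.0.2.2, so for that mode the isolation has to come from `-netdev user,...,restrict=on` or from switching to a tap as above.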

## niceflower

 *axl wrote:*   

> Let's think about this a bit. 
> 
> You say you ran iptables. What does that mean? 
> 
> For instance, you say you ran another OS to browse the net using QEMU. Did you isolate that guest OS from the host OS using iptables? Because if you didn't, then break that guest and then ssh to the host.
> ...

 

I used this iptables script: https://forums.gentoo.org/viewtopic-p-7578926.html#7578926

With some additional ports open to play Counter-Strike: GO (Steam) + Second Life, and in Wine I was playing Aion Online and WildStar Online. I was playing these games on a custom hardened-sources kernel with Xorg and Xfce, running as user.

I was running the latest Xubuntu ISO at that time in the QEMU guest, with Gentoo ~amd64 as the host.

In the Xubuntu guest I had ufw with default deny in, allow out; I could not ping outside from Xubuntu.

The Xubuntu guest however did connect to cheesy websites, but I thought nothing can migrate to the Gentoo host?

What do you mean by isolating the guest from the host with iptables?

----------

## axl

I'm not sure that it did. Seems a very complicated setup.

----------

## niceflower

I have no clue how they got in. I noticed grsec complaining about some Wine module preloaders being denied; then netstat showed me the wineserver kept listening outside non-stop.

The attacker must have found an exploit to load that rootkit.

That is why I suspect x11-libs, QEMU, Wine.

----------

## Zucca

If you boot from some live ISO, do you still have the strange logo there? Try to boot from an ISO that has chkrootkit. Then test:

- Is your system infected right after boot? (networking disconnected)
- Does the system get infected some time after? (again without networking)
- Lastly, if chkrootkit didn't detect anything, run it after networking has been on for a while.

Remember chkrootkit can give you false positives, but also false negatives.

Also, if you cannot paste logs or take screenshots, then take a camera/phone and simply take a picture. I'd be most interested in the logo you see when booting.

When using Wine... To make it as safe as possible, it should be run inside a container/chroot with the least privileges possible.

----------

## niceflower

Hey Zucca, I did not run in a chroot. The system got smashed, but I still have the disk so I can boot it.

On the Gentoo live DVD offline, chkrootkit gives no "possibly bad" report.

After some network connectivity chkrootkit gives "possible trojan installed".

However this is with the hard disk unplugged.

The boot-up logo was missing after the second reboot.

I cannot use the hacked host at the moment; it is so horribly broken that it will not boot, and the log files are all missing.

How do I prevent this type of attack next time?

Is it that easy to hijack a session on the Gentoo live DVD? Because installing Xfce on Gentoo from the live DVD takes about 5 hours. So if I boot the DVD to install and get infected, then there is no point in installing?

----------

## ct85711

Generally, a VM is an isolated system, so if a guest system was compromised, it shouldn't affect the host system. The other way does not follow: if your host is compromised, the guest system can also be compromised easily enough. If a guest system is able to compromise a host system, that is a critical issue.

Assuming you are booting the live CD on your host system (meaning qemu/vmware/virtualbox/etc. is not used) and it is getting infected, it strongly points to an issue with your network and firewall. A live CD usually just runs off the CD (you don't need to install), and it shouldn't need to use the HD. You can easily unmount the HD partitions if they are mounted while running on a CD (this means the umount command, not physically unplugging the HD).

From the live CD, you can always mount the HD and repair the system (i.e. following the applicable steps in the installation guide to chroot into your partition)... Note: that is for later; first you need to figure out where the attack is coming in and fix that. Then you can possibly try saving some important files and/or repairing the partition.

----------

## Zucca

 *niceflower wrote:*   

> How do i prevent this type of attack next time?

As the attack seems to come from the network (or the worm/rootkit is being activated from outside), you should check all the networking equipment you have for known vulnerabilities.

Have you seen any suspicious activity in the logs? Like someone logging in via ssh? Or even telnet?

If you can, paste the output of "netstat -tupla". Best if you can run that before networking is turned on and after, when chkrootkit thinks it detected something fishy.

----------
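The before/after comparison Zucca asks for, as an added example that is not part of the thread: instead of trusting the `netstat` binary on a machine that may carry a rootkit, read the socket tables straight out of /proc/net, snapshot them once with networking down and once after it has been up for a while, and diff the two. The /proc/net trees used below are constructed sample data (an ssh listener, one established connection, a DHCP client socket, and a TCP listener on 30300 that appears only in the "after" snapshot), not a capture from anyone's system.

```shell
#!/bin/sh
# Added example (not from the thread): list listening sockets by reading
# /proc/net directly, so the answer does not depend on a netstat binary
# that a rootkit may have replaced; take one snapshot with networking
# down and one after it has been up a while, and diff them.
# The /proc/net trees below are constructed sample data, not a real capture.
export LC_ALL=C   # stable sort order for sort/comm

# "proto port" for every listening socket in one /proc/net/{tcp,udp}-style
# file. Column 2 is local_address as HEXADDR:HEXPORT, column 4 the state:
# 0A = TCP LISTEN, 07 = bound (unconnected) UDP socket.
listeners_from_proc() {
    proto="$1"; file="$2"
    tail -n +2 "$file" | while read -r _sl laddr _raddr st _rest; do
        case "$proto:$st" in
            tcp:0A|udp:07) ;;
            *) continue ;;
        esac
        printf '%s %d\n' "$proto" "$((0x${laddr##*:}))"
    done
}

# All four families from a directory laid out like /proc/net (the default).
snapshot_listeners() {
    dir="${1:-/proc/net}"
    for f in tcp tcp6 udp udp6; do
        [ -r "$dir/$f" ] && listeners_from_proc "${f%6}" "$dir/$f"
    done | sort -u
}

# Lines present in the second snapshot but not in the first.
new_listeners() {
    comm -13 "$1" "$2"
}

# --- constructed sample: fake /proc/net trees before/after networking ---
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
mkdir -p "$tmp/before" "$tmp/after"
hdr='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode'
tcp_ssh='   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 100 0 0 10 0'
tcp_est='   1: 0100007F:8A2B 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 1002 1 0 20 4 30 10 -1'
udp_dhcp='   0: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1003 2 0 0'
printf '%s\n%s\n%s\n' "$hdr" "$tcp_ssh" "$tcp_est" > "$tmp/before/tcp"
printf '%s\n%s\n'     "$hdr" "$udp_dhcp"           > "$tmp/before/udp"
cp "$tmp/before/tcp" "$tmp/after/tcp"
cp "$tmp/before/udp" "$tmp/after/udp"
# after the network came up an extra TCP listener appeared on 30300 (0x765C)
printf '   2: 00000000:765C 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1004 1 0 100 0 0 10 0\n' >> "$tmp/after/tcp"

snapshot_listeners "$tmp/before" > "$tmp/before.txt"
snapshot_listeners "$tmp/after"  > "$tmp/after.txt"
new_listeners "$tmp/before.txt" "$tmp/after.txt"   # prints: tcp 30300
```

On a live system run `snapshot_listeners > before.txt` with the cable unplugged and again after the network has been up, then `new_listeners before.txt after.txt`. On a trusted box `ss -tulpn` gives the same list with process names. The caveat that matters for this thread: a kernel-level rootkit can hide sockets from /proc/net just as easily as from netstat, so the snapshot worth believing is the one taken from known-good live media, cross-checked with a port scan of the suspect machine from a second computer.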

## niceflower

Ok,

In the post above you can see the exact same firewall script I am using, with some additional ports to play online games.

I tested the firewall; all ICMP is blocked, I cannot ping my own router.

In sysctl.conf I do:

icmp broadcast = 0

Allow all Redirect = 0

Allow all Secure Redirect = 1

Changed ssh port

Made static ARP

But what worries me is: how do I make sure I am not running heavy GUI apps as root?

When I exit Xfce, Xorg says you are not running as root.

So, I unplug the hard disk, flash the UEFI BIOS, boot the Gentoo Linux live DVD, run the iptables script from the link above, change /etc/sysctl, change ssh_conf, then do nothing. Can it be hijacked that easily?

@Zucca I thought about a worm but I do not know much about that.

There are no log files to check; after a few hours they were gone.

netstat -an shows on the live DVD:

68udp tcp listening

netstat -tupn shows nothing, but netstat can possibly be manipulated.

----------

## ct85711

Some stuff is expected to run as root, so you should be mostly fine. The main thing Zucca means is that you are not starting Firefox as root (as an example).

Now if you really want to play mean with the worm, you can always have syslog write a secondary/backup log in a different location (say /root/logs/* as an example), so even if the worm deletes the main logs in the usual location it is unlikely to remove the logs in a non-standard location.

Side note: I forgot to mention, but you do not have to use Gentoo's live CD; you can use any other Linux live CD.

----------
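One way to set up the secondary log ct85711 describes, added here as an example and not taken from the thread or from Gentoo's shipped configuration: a syslog-ng fragment that writes every message to a second directory and also ships it to another machine. It assumes Gentoo's stock syslog-ng.conf, where the local source is named `src`; the backup path and the collector address 192.0.2.10 are placeholders.

```conf
# Added example (not from the thread): /etc/syslog-ng/syslog-ng.conf fragment
# that keeps a second copy of everything out of the usual /var/log/messages
# and a third copy off the box. Assumes the stock Gentoo config, where the
# local source is "source src { system(); internal(); };"; the path and the
# 192.0.2.10 collector are placeholders.

destination d_backup {
    file("/var/log/backup/messages"
         create_dirs(yes) dir_perm(0700) perm(0600));
};

# Off-box copy: an attacker who gets root can truncate or delete local files,
# but cannot reach back into lines another machine has already received.
destination d_remote {
    network("192.0.2.10" transport("tcp") port(514));
};

log { source(src); destination(d_backup); destination(d_remote); };
```

A hidden directory only slows an attacker down, so after the first restart mark the backup file append-only with `chattr +a /var/log/backup/messages`; syslog-ng opens log files for append, so the attribute does not get in its way, while deleting or truncating the file then requires CAP_LINUX_IMMUTABLE and an extra `chattr -a` first, which is one more thing that shows up in the off-box copy. The remote copy is the one that actually survives the "all my logs were gone" case in this thread.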

## niceflower

OK, that is a good tip about making backup logs; however, how do I stop this attack from happening?

Can the sketchy hard disk still be trusted after a disk wipe to reinstall, or do I need to buy a new one?

If it was a worm, how can i stop it?

----------

## Zucca

 *niceflower wrote:*   

> Netstat -an
> 
> Shows on the live dvd:
> 
> 68udp tcp listening
> ...

 

You forgot the -l switch, which specifically makes netstat list open (listening) ports.

----------

## niceflower

I guess what I have learned is that the best way to stay secure is to go offline.

----------

## ct85711

 *Quote:*   

> OK, that is a good tip about making backup logs; however, how do I stop this attack from happening?
> 
> Can the sketchy hard disk still be trusted after a disk wipe to reinstall, or do I need to buy a new one?
> 
> If it was a worm, how can i stop it?

 

OK, as far as the first question, it depends on how the attacker got in. If the attacker is exploiting an open port, we can easily adjust the firewall to restrict that port. Likewise, if the attacker managed to get in through a user account, we can change the password for those accounts, stop them from being logged into remotely, and such.

As far as wiping the drive, yes, after you wipe a drive you should be able to consider it safe. I know of few viruses that would stay around after a drive is wiped, and those are rather rare.

Now on wiping, you have a couple of choices on what level of wiping you want to do. You can always just do a simple reformat, which I believe just wipes the partition table and puts in a new blank one, effectively un-referencing everything that was on the drive (though not necessarily removing it). This would be the fastest and easiest to do, allowing you to get on with rebuilding your system faster.

Otherwise you can get into low-level formatting/wiping, i.e. writing the entire drive with garbage/zeros. This is much more intensive on the drive and much safer. However, it can take quite a bit of time to write the entire drive (depending on the size of the drive). This can be repeated as many times as you wish, depending on how securely you want the drive wiped (effectively multiplying the time by the number of cycles).

I would only consider replacing with a new drive if the drive is rather old or it is starting to fail. For example, I have one drive that is over 10 years old and still running fine (no dead sectors found yet); that drive I'd consider going ahead and possibly replacing before it fails.

Note: doing a low-level format (filling with garbage/zeros) can identify bad sectors, and/or possibly push the drive over the line to start failing. Any drive can start failing over time; low-level formatting does it because you are writing so much to the drive that it can cause something to degrade enough to fail. That would have happened either way, just possibly later in time.

----------
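A script for the wipe ct85711 describes, added here as an example and not part of the thread: a guard that refuses to touch a device that still has something mounted, one full overwrite for a spinning disk, and, for an SSD, a discard of the whole device with ATA Secure Erase as the fallback, because an overwrite does not reliably reach the remapped and spare flash cells that wear-levelling hides from the host. Device names are assumptions; the mounts table the self-check uses is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread): wipe a whole disk before a reinstall,
# with a guard that refuses to touch a device that still has anything
# mounted. Device names are assumptions; the mounts table used by the
# self-check is constructed sample data.

# 0 if the given mounts table has a mount on $dev or on one of its
# partitions (/dev/sda1, /dev/nvme0n1p2, ...). $2 defaults to /proc/mounts.
dev_has_mounts() {
    dev="$1"; table="${2:-/proc/mounts}"
    grep -Eq "^${dev}(p?[0-9]+)? " "$table"
}

# Spinning disk: one full overwrite is all software recovery needs to beat;
# extra passes only cost time.
wipe_overwrite() {
    dd if=/dev/zero of="$1" bs=4M conv=fsync status=progress
}

# SSD: overwriting does not reach remapped/spare flash, so ask the drive to
# discard everything (TRIM) and fall back to ATA Secure Erase. A drive that
# reports "frozen" in 'hdparm -I' must be suspended/resumed or hot-plugged
# before the security commands are accepted.
wipe_ssd() {
    blkdiscard "$1" && return 0
    hdparm --user-master u --security-set-pass NULL "$1" &&
    hdparm --user-master u --security-erase NULL "$1"
}

wipe_disk() {   # wipe_disk /dev/sdX ssd|hdd
    if dev_has_mounts "$1"; then
        echo "refusing: $1 or a partition on it is mounted" >&2
        return 1
    fi
    case "$2" in
        ssd) wipe_ssd "$1" ;;
        hdd) wipe_overwrite "$1" ;;
        *)   echo "usage: wipe_disk /dev/sdX ssd|hdd" >&2; return 2 ;;
    esac && sgdisk --zap-all "$1"   # then drop any leftover GPT/MBR structures
}

# Self-check of the guard against a constructed mounts table.
selfcheck_dev_has_mounts() {
    t=$(mktemp)
    printf '/dev/sda1 / ext4 rw 0 0\n/dev/nvme0n1p2 /home ext4 rw 0 0\nproc /proc proc rw 0 0\n' > "$t"
    ok=0
    dev_has_mounts /dev/sda "$t" && dev_has_mounts /dev/nvme0n1 "$t" &&
        ! dev_has_mounts /dev/sdb "$t" && ok=1
    rm -f "$t"
    [ "$ok" -eq 1 ]
}

# Usage (as root, from live media, with the target disk NOT mounted):
#   sh wipe.sh check              # run the self-check of the guard
#   sh wipe.sh wipe /dev/sdb hdd  # overwrite a spinning disk
#   sh wipe.sh wipe /dev/sdb ssd  # discard / secure-erase an SSD
case "${1:-}" in
    check) selfcheck_dev_has_mounts && echo "guard ok" ;;
    wipe)  wipe_disk "$2" "$3" ;;
esac
```

The guard only looks for the raw device and its partitions in the mounts table, so a filesystem mounted through LVM or LUKS (`/dev/mapper/...`) on top of that disk is not caught; check `lsblk` before running it. None of this touches firmware: if the worry is something living in the drive's controller or in the UEFI image rather than on the platters, a wipe of any depth does not address it, and that is the case where replacing the drive is the only answer.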

## ct85711

 *Quote:*   

> I guess what i have learned is that the best way to stay secure is to go offline

 

Everything is based on the level of risk you are willing to take. Can you handle not having an internet connection? Few people can manage to stay offline and still be productive. So the key is to balance the amount of risk you are willing to take against your productivity. One way we can reduce the risk is by ensuring you have a secure firewall.

----------

## 1clue

Some things should be obvious about VMs but people seem not to understand them, or at least not think about them. I scanned the entire thread but may have missed some points that have already been mentioned.

The virtualization code (hypervisor or otherwise) is software which emulates hardware, sometimes in conjunction with virtualization-aware hardware. It's possible for a bug to exist in that code, and it's possible for that bug to cause a security failure. This type of code is usually heavily audited, so the bug will probably be fixed rapidly once it's known.

Virtualization code often contains code to share data and/or functionality with the host and vice versa, in the name of convenience.

That convenience code is usually associated with some level of risk. For example, a host-only virtual network card might be "opened up" for easy network access between a guest and a host. The lack of firewall rules on the host to prevent unauthorized guest access is an exploitable attack vector which actually has nothing to do with virtualization, other than it being a common configuration with security implications.

A shared disk between the host and guest (e.g. 9p driver or network share) is fine, but any infected file from any VM, when accessed by some other VM or the host, can infect the second system.

Risk is associated with shared functionality in the hardware as well, when that hardware is passed through to the VM. Examples I can think of (but don't know to actually be problematic) might be the CPU serial number, or hardware accelerators which are not designed to be in a virtual environment. I know at one point video cards had some sort of state info that was not flushed when swapping from VM to VM. Again, anything found with respect to this sort of thing will probably be dealt with rapidly, or at least the virtualization software will stop sharing access to that feature by default.

Edit: As an example of hardware functionality being passed through to a VM, let's say you built and configured KVM and QEMU with 'native' emulation. I have an Intel Atom C2758 board. It's an 8-core Atom with built-in QuickAssist technology. QuickAssist is hardware acceleration for encryption and compression. You may be thinking of AES instructions, but it's different. QuickAssist (QAT) is an extra processor that you can assign jobs of work to; fire it off and then go do something else while the accelerator does its thing. You come back for the results when it's done. AES has a dozen instructions or less, and QAT has dozens of encryption modes, lots of instructions. It's much more involved.

Furthermore, QAT is implemented on several processors and on several add-on cards. It seems that none of the implementations is consistent with any other, so you can't just assume that code using QAT designed on one implementation will work on another.

So getting back to virtualization: I have my theoretical KVM/QEMU setup and I use native mode so that QAT is usable by the guests. If there were a bug in my QAT functionality it's very possible that this might go undetected for a while, and as such I may have exposed my host to risk by using this functionality on a guest.

----------

## 1clue

Sorry for spamming the thread.

I just thought of a more tangible example of passed-through functionality being a threat.

Parallels/Mac has a feature where an application being run on a VM has access to the host, and vice versa. You can separately configure whether guests have access to host apps or vice versa.

Probably the most frequent example of this is where a Mac user wants a Windows VM so they can use Microsoft Windows products like Office. When you run in this transparent mode, it's hard to see that you're even in a VM. You don't see a Windows desktop at all, you simply have a Mac with Microsoft Word or Excel running.

So you have this Word document; you got it from your email on the Mac, and you double-click it. Due to the magic spell that is Parallels for Mac, your Mac knows to run Word from your Windows VM. Your Windows VM, due to your convenience settings, has access to the Mac filesystem and writes there. Not really a huge threat so long as your Windows box is the only thing that can open a Word document.

So let's change it up a bit. You have LibreOffice for your Mac, and the malware is a macro virus using Word's macro script, whatever they call it. Your virus is no longer Windows-specific, and LibreOffice understands most of that scripting language. So now, depending on how you open it and on which machine, you could have infected both your host and your guest using the same email attachment.

----------

## Zucca

 *niceflower wrote:*   

> I guess what i have learned is that the best way to stay secure is to go offline

If you could just post the netstat output I asked for, we could start from somewhere.

Use wgetpaste for example to redirect the output to some pastebin.

----------

## Ant P.

The best way to stay secure is to RTFM. Running hardened and every random "security" tweak you find on the internet does not make you invincible; it just means there are fewer things to blame other than yourself.

----------

## niceflower

I took the network offline so I cannot run netstat -tupln.

Question: what would be a safer method to go back online, the hard drive unplugged with the Gentoo live DVD and iptables set,

or installing Gentoo after a disk wipe? I am not sure if I can trust the disk; I might need to buy a new one. I am not sure if dd from urandom, gdisk and cell clearing with hdparm are enough to clear spy software from a solid state drive.

Also, when the live DVD gets attacked then there is no point in even installing Gentoo on a disk.

Now that I think about it, I could install Gentoo on another network, then transfer the disk to my own network.

----------

## Ant P.

If your threat model is so far outside the realm of reality that you're doing 4 disk wipe passes in response to seeing a single line of text on the screen you didn't understand, then just stop using computers entirely. Nothing anyone here can offer is going to satisfy your paranoia, and the last thing we need is another help vampire on the same wavelength as miroR.

----------

## Zucca

 *Ant P. wrote:*   

> ...to seeing a single line of text on the screen you didn't understand...

 Yup. I still haven't seen a single screenshot, pastebin, photo from the display...

It's impossible to help.

At this point I give up. I come back when there's actually some material that I can use to help.

----------

## niceflower

Sorry for not providing information; however, I think I was not attacked, because I made a mistake with grub. I feel so dumb now.

Since I stopped QEMU I have had no problems. Thank you for your post, 1clue.

https://forums.gentoo.org/viewtopic-t-1063208.html

----------

