gentoo glsa i got owned

[niceflower]

Seen 2 or so vulnerabilities since 2017 in X11-libs and Qemu, i was using those and my gentoo got infected with
trojan and rootkit, i was using custom build grsec hardened sources, and only went surfing in Qemu, how they got in?
I was also running wine server with open ports i am not known with wine exploit,
I do not think it is possible to go online 100% secure

grsec complained about deny on preloader (wine related) it kept spamming in log, later on my logs all gone how weird is that,
Then on reboot i noticed a sneaky logo in top left corner
Second reboot the logo was gone.
Chkrootkit complained about trojan installed, false positieve?
Netstat when no netservices running i only saw wine port 30300 always listening.

When i was playing windows game in wine the mouse got taken over, later on i had cryptlock screen could do nothing.

I do NOT want to state that the attacker who ever it was had physical contact to the server, and i am not 100% sure they used the exploit in gentoo x11-libs and Qemu or even Wine.

I had iptables and grsec running following the gentoo handbook
The system got smashed to unbootable kernel panic.

[axl]

Let's think about this a bit.

You say you ran iptables. What does that mean?

For instance, you say, you ran another os to browse the net using qemu. Did you isolate that guest os from the host os using iptables? Because if you didn't, than break that guest and then ssh on the host.

What kind of game releases did you play on wine, and using what user? Was it root?

[niceflower]

[axl]

I'm not sure that it did. Seems a very complicated setup.

[niceflower]

I have no clue how they got in, i noticed grsec complaining about some wine modules preloaders being denied, then netstat showed me the wine server kept listening outisde non stop.
The attacker must had found exploit to load that rootkit.
That is why i suspect x11-libs, qemu wine.

[Zucca]

If you boot from some Live ISO, do you have the strange logo atill there? Try to boot from a ISO that has chkrootkit. Then test:

• Is your system infected right after boot? (networking disconnected)
• Does the system get infected some time after? (again without networking)
• Lastly if chkrootkit didn't detect anything run it after networking has been on for a while.

Remember chkrootkit can give you false positives, but also false negatives too.

Also if you cannot paste logs, or take screenshots, then take some camera/phone and simply take a picture. I'd be most interested on the logo you see when booting.

When using wine... To make it safe as possible, it should be ran inside a container/chroot with the least priviliges possible.
_________________
..: Zucca :..
Gentoo IRC channels reside on Libera.Chat.
--

[niceflower]

Hey zucca, i did not run in chroot, the system got smashed, but i still have the disk so i can boot it.

On the gentoo live dvd offline, chkrootkit gives no possibly bad report.
After some network connectivity chkrootkit gives possible trojan installed.
However this is with the hard disk unplugged.
The boot up logo was missing after second reboot.
I can not use the hacked host at the moment it is so horribly broken that it will not boot, the log files are all missing.

How do i prevent this type of attack next time?
Is it that easy to hijack a session on gentoo live dvd because to install xfce on gentoo in livedvd it takes about 5hours to install? So if i boot dvd to install get infected, then there is no point to install?

[ct85711]

Generally, a vm is an isolated system, so if an guest system was compromised, it shouldn't affect the host system. The other way does not follow, in that if your host is compromised, the guest system can also be compromised easily enough. If an guest system is able to compromise an host system, that is a critical issue.

Assuming you are booting the live cd on my host system (meaning qemu/vmware/virtualbox/etc.. is not used) is getting infected, it strongly points to an issue with your network and firewall. A live cd usually just runs off the cd (you don't need to install), and it shouldn't need to use the hd. You can easily unmount the hd partitions if they are mounted while running on a cd(this means the umount command, not physically unplugging the hd).

From the livecd, you can always mount the hd and repair the system (i.e. following the applicable steps in the installation guide to chroot to your partition)... Note: That is for later, first you need to figure out where the attack is coming in and fix that first. Then you can possible try saving some important files and/or repair the partition.

[Zucca]

[niceflower]

Ok,
In the post above u can see the exact same firewall script i am using with some additional ports to play online games.
I test the firewall all icmp is blocked i can not ping my own router.
In syctl.conf i do:
icmp broadcast = 0
Allow all Redirect = 0
Allow all Secure Redirect = 1

Changed ssh port
Made static arp

But what worries me is, how do i make sure i am not running heavy gui apps as root?
When i exit xfce xorg says you are not running as root.

So, i unplug hard disk, flash the uefi bios, boot gentoo linux live dvd, run the iptables script from above link, change /etc/sysctl, change ssh_conf, then do nothing, can it be hijacked that easy?

@zucca i thought about a worm but i do not know much about that.
There are no log files to check after a few hours they were gone.

Netstat -an
Shows on the live dvd:
68udp tcp listening
Netstat -tupn shows nothing, but netstat can be manipulated possibly.

[ct85711]

Some stuff is expected to run as root, so you should be mostly fine. The main thing that Zucca is meaning is that you are not starting firefox as root (as an example).

Now if you really want to play mean for the worm, you can always have syslog make a secondary/backup log in a different location (say like /root/logs/* as an example) so even if the worm deletes the main logs in the usual location it is unlikely to remove the logs in a non standard location.

Side Note: I forgot to mention, but you do not have to use Gentoo's live cd, you can use any other linux live cd.

[niceflower]

Oke, that is a good tip about making back up logs, however how do i stop this attack from happening?
Can the sketchy hard disk still be trusted after disk wipe to reinstall or do i need to buy a new one?
If it was a worm, how can i stop it?

[Zucca]

[niceflower]

I guess what i have learned is that the best way to stay secure is to go offline

[ct85711]

[ct85711]

[1clue]

Some things that should be obvious about VMs but people seem to not understand, or at least not think about. I scanned the entire thread but may have missed some points that may have already been mentioned.

1. The virtualization code (hypervisor or otherwise) is software which emulates hardware, sometimes in conjunction with virtualization-aware hardware. It's possible for a bug to exist in that code, and it's possible for that bug to cause a security failure. This type of code is usually heavily audited so the code will probably be fixed rapidly once it's known.
   
2. Virtualization code often contains code to share data and/or functionality with the host and vice versa, in the name of convenience.
   
3. That convenience code is usually associated with some level of risk. For example, a host-only virtual network card might be "opened up" for easy network access between a guest and a host. The lack of firewall rules on the host to prevent unauthorized guest access is an exploitable attack vector which actually has nothing at all to do with virtualization, other than it being a common configuration with security implications.
   
4. A shared disk between the host and guest (e.g. 9p driver or network share) is fine, but any infected file from any VM, when accessed by some other VM or the host, can infect the second system.
   
5. Risk is associated with shared functionality in the hardware as well, when that hardware is passed through to the VM. Examples I can think of (but don't know to actually be problematic) might be CPU serial number, or hardware accelerators which are not designed to be in a virtual environment. I know at one point video cards had some sort of state info that was not flushed when swapping from vm to vm. Again, anything found with respect to this sort of thing will probably be dealt with rapidly, or at least the virtualization software will stop sharing access to whatever feature by default.
   

Edit: As an example about hardware functionality being passed through to a VM, let's say you built and configured kvm and qemu with 'native' emulation. I have an Intel Atom C2758 board. It's an 8-core atom with built-in QuickAssist technology. QuickAssist is hardware acceleration for encryption and compression. You may be thinking AES instructions, but it's different. QuickAssist (QAT) is an extra processor that you can assign jobs of work to, fire it off and then go do something else while the accelerator does its thing. You come back for the results when it's done. AES has a dozen instructions or less, and QAT has dozens of encryption modes, lots of instructions. It's much more involved.

Furthermore, QAT is implemented on several processors and on several add-on cards. It seems that none of the implementations is consistent with any other implementation, so you can't just assume that code using QAT designed on one implementation will work on another implementation.

So getting back to virtualization, I have my theoretical KVM/QEMU setup and I use native mode so that QAT is usable by the guests. If there were a bug in my QAT functionality it's very possible that this might go undetected for awhile, and as such I may have exposed my host to risk by using this functionality on a guest.

[1clue]

Sorry for spamming the thread.

I just thought of a more tangible example of passed-through functionality being a threat.

Parallels/Mac has a feature where an application being run on a VM has access to the host, and vice versa. You can separately configure whether guests have access to host apps or vice versa.

Probably the most frequent example of this is where a Mac user wants a Windows VM so they can use Microsoft Windows products like Office. When you run in this transparent mode, it's hard to see that you're even in a VM. You don't see a Windows desktop at all, you simply have a Mac with Microsoft Word or Excel running.

So you have this Word document, you got it from your email on the Mac, and you double-click it. Due to the magic spell that is Parallels Mac, your Mac knows to run Word from your Windows VM. Your Windows VM, due to your convenience settings, has access to the Mac filesystem and writes there. Not really a huge threat so long as your Windows box is the only thing that can open a Word document.

So let's change it up a bit. You have LibreOffice for your Mac, and the malware is a macro virus using Word's macro script, whatever they call it. Your virus is no longer Windows-specific, and LibreOffice understands most of that scripting language. So now, depending on how you open it and on which machines, you could have infected both your host and your guest using the same email attachment.

[Zucca]

[Ant P.]

The best way to stay secure is to RTFM. Running hardened and every random "security" tweak you find on the internet does not make you invincible, it just means there are less things to blame other than yourself.

[niceflower]

I took the network offline so i can not netstat -tupln
Question, what would be a safer method to go back online; hard drive unplugged with live dvd gentoo iptables set
Or install gentoo after disk wipe? I am not sure if i can trust the disk, i might need to buy a new one, not sure if dd urandom, gdisk and cell clearing with hdparm, is enough to clear spy software from solid state drive.
Also when the live dvd gets attacked then there is no point in even installing gentoo on a disk.
Now i think about it, i could install gentoo on another network, then transfer the disk to my own network.

[Ant P.]

If your threat model is so far outside the realm of reality that you're doing 4 disk wipe passes in response to seeing a single line of text on the screen you didn't understand, then just stop using computers entirely. Nothing anyone here can offer is going to satisfy your paranoia, and the last thing we need is another help vampire on the same wavelength as miroR.

[Zucca]

[niceflower]

Sorry for not providing information, however i think i am not attacked, because i made a mistake with grub, i feel so dumb now
Since i stopped qemu i had no problems ty for post 1clue
https://forums.gentoo.org/viewtopic-t-1063208.html