From: Stefan Esser <se@freebsd.org>
To: freebsd-hackers
Subject: Does not appear to be (too) malicious ...
Date: Sun, 28 Nov 2021 10:16:25 +0100
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers
References: <05580cd8-1bbf-8783-b190-40d9cdacade6@m5p.com>
On 28.11.21 at 02:06, Mario Lobo wrote:
> On Sat, Nov 27, 2021, 20:27 George Mitchell wrote:
>
>> On 11/27/21 17:40, Obsto Clades via freebsd-hackers wrote:
>>> I hacked on the FreeBSD source code to produce a version of the OS that
>>> cannot be remotely hacked. Before you tell me that is impossible, I
>>> have an answer to that response on my FAQ page.
>>>
>>> If you are interested in checking out my OS, you can find instructions
>>> on my site's home page: https://obstoclades.tech/
>>>
>>> I invite you to check it out.
>>>
>>
>> Hmm, my mother told me never to click on links in strange emails ...
>> -- George
>>
>
> curl http://obstoclades.tech
> [...]
> Connection denied by Geolocation Setting.
>
> Reason: Blocked country:
>
> The connection was denied because this country is blocked in the
> Geolocation settings.
>
> Please contact your administrator for assistance.
>
> WatchGuard Technologies, Inc.
>
$ fetch --no-verify-peer -v -o /tmp/obstoclades.html https://obstoclades.tech
resolving server address: obstoclades.tech:443
SSL options: 82004854
Verify hostname
TLSv1.3 connection established using TLS_AES_256_GCM_SHA384
Certificate subject: /CN=obstoclades.tech
Certificate issuer: /C=US/O=Let's Encrypt/CN=R3
requesting https://obstoclades.tech/
fetch: https://obstoclades.tech: size of remote file is not known
local size / mtime: 34916 / 1638088913
/tmp/obstoclades.html                                   34 kB  181 kBps    00s

There is actual content in this file, and it does not seem to contain any
malicious parts. It starts with:

    Security is a Joke

And besides the jquery.min.js downloaded from ajax.googleapis.com only the
following short and apparently benign script is downloaded as obstoclades.js:

    /*
     * File: obstoclades.js
     * Copyright (c) 2017 Obsto Clades, LLC
     */
    $(document).ready(function() {
        var $content = $(".content").hide();
        $(".img").on("click", function (e) {
            $(this).parent().parent().toggleClass("expanded");
            var ttt = $(this).parent().children(".tooltiptext");
            if ($(this).parent().parent().hasClass("expanded")) {
                ttt.replaceWith("Click to close");
            } else {
                ttt.replaceWith("Click to open");
            }
            $(this).parent().parent().next().slideToggle();
        });
        var textHeight = $("#left-side-header-text").height();
        $("#old_english_sheepdog").height(textHeight).width(textHeight);
        $("#button").click(function() {
            $("#contactus-form").submit();
        })
    });

He invites people to attack his server using an SSH login with provided
credentials, and offers US$1000 for any successful modification of the test
server. See the following video, which shows that root on the console and
root via su in the SSH session get quite different environments:

https://obstoclades.tech/video/demo-video.mp4

This looks like a setup with lots of restrictions applied, probably noexec
mounts of temporary file systems and the like, possibly jails and/or MAC
restrictions.
He thinks that an embedded system configured that way could not be attacked,
but explains that his concept is limited to e.g. IoT use cases (what he
calls "single-purpose computer system").

Anyway, I could not find any malicious content on the web server. Accessing
with an SSH session (obviously configured to not allow backwards tunneling)
should also not be too dangerous from a dumb terminal (but beware of escape
sequence attacks possible with ANSI terminals, e.g. reprogramming of function
keys with "ESC[code;string;...p").

It looks to me like kind of a honeypot setup gathering attack attempts to
see whether a throw-away system can withstand them. All attack attempts are
logged, either to learn how to perform them, or to actually improve the
security of his protection concept in case of a successful break-in.

Regards, Stefan
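As an added example (not code from the mail, nor from the site it discusses), a small filter for output captured from such an SSH session, which is the usual mitigation for the escape-sequence attacks the mail warns about: plain SGR colour codes are kept, every other ESC is made visible as ^[ so the terminal cannot act on it, and what followed it is reported. The sample input is constructed for the demonstration.

```python
import re

ESC = "\x1b"
# Only plain SGR (colour, bold, reset) is passed through unchanged.
SGR_RE = re.compile(r"\x1b\[[0-9;]*m")
# For the report: up to 24 printable characters following a blocked ESC.
SNIP_RE = re.compile(r"[^\x00-\x1f\x7f]{0,24}")


def sanitize(data):
    """Return (text safe to print, list of blocked sequences).
    Making the ESC byte visible is enough: the terminal then treats the
    rest as ordinary text, so no sequence grammar has to be complete."""
    out, blocked, i = [], [], 0
    while i < len(data):
        ch = data[i]
        if ch == ESC:
            m = SGR_RE.match(data, i)
            if m:                                   # harmless colour code
                out.append(m.group(0))
                i = m.end()
                continue
            blocked.append("^[" + SNIP_RE.match(data, i + 1).group(0))
            out.append("^[")
        elif ch in "\r\n\t" or " " <= ch < "\x7f" or ch >= "\xa0":
            out.append(ch)                          # printable text
        elif ord(ch) < 0x20:
            out.append("^" + chr(ord(ch) + 0x40))   # other C0, e.g. BEL -> ^G
        else:
            out.append("\\x%02x" % ord(ch))         # DEL and C1 (8-bit CSI 0x9b)
        i += 1
    return "".join(out), blocked


# Constructed sample of what an untrusted host could send down the session:
# a colour prompt (kept), an ANSI.SYS-style key redefinition of the kind the
# mail warns about, an OSC window-title change and a raw 8-bit CSI introducer.
SAMPLE = ("\x1b[1;32mroot@test:~#\x1b[0m ls\r\n"
          "\x1b[0;59;\"hello\";13p"
          "\x1b]0;new title\x07"
          "\x9b2Jbin etc usr\r\n")

if __name__ == "__main__":
    clean, report = sanitize(SAMPLE)
    print(clean, *("blocked: " + s for s in report), sep="\n")
```

Piping a session log through sanitize() before viewing it keeps colours readable while leaving nothing a terminal would interpret.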