--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: Mz Debian 8 installation seems to get compromised by my router
- From: frank papst <frank.papst@mail.de>
- Date: Mon, 12 Jun 2017 12:39:21 +0200
- Message-id: <20170612103921.B56F280083@smtp04.mail.de>
Package: Debian lxde CD 1, Tor
Version: 8.8.0, 0.2.5.14-1-i386
Kernel: 3.16.0-4-686-pae#1 SMP Debian 3.16.43-2
Let me start with apologizing for my sloppiness about the rules for bug reporting.
I'm in lousy shape, my nerves are wrecked and I'm certified ill with burn-out-syndrome.
I'm writing this mail in the hope to contribute to the enhancement of Linux.
Also sorry for writing so much, I wanted to give all info that might be useful.
I guess the abstract of the whole thing is, that my router seems compromised and seemingly compromises my Debian 8 installation.
I get a lot of bad tcp to see in Wireshark, and then the PC makes connections on its own.
The text is basically three blocks. My first observations, written out of memory, right after it happened.
The second a more systematic attempt to observe what is going on.
I enumerated all IPs to which or from which suspicious connections are made at the end.
After a third fresh re-install, I really don't want to stuff even more text in this mail. So I'll sum it up in just a few lines here.
The first thing I did was apt-get upgrade. Lots of bad tcp. It does the DHCP stuff on its own afterwards, ifdown fails with "interface not configured" though ifconfig shows it with ip4 and ip6 adresses and I can use the internet.
Besides that, nothing suspicious. No connections, nothing.
Until I install tor. Now it starts to connect on its own. To different IPs. One indeed a tor server, one the MIT - 128.31.0.39 port 9101.
The most peculiar thing:
After I block everything in iptables, it sends out DNS requests for the IPs I blocked as suspicious. But backwards. Like 30.178.168.192 instead of 192.168.178.30.
Nonetheless, the router resolves them to the same host names that I see when doing iptables -L. Saw that for the first time yesterday.
I seriously believe that the router somehow compromises the debian installation.
Original text:
I think I probably have a bug in my debian 8 installation.
Prologue:
My Windows laptop is infected with malware. That I know for sure.
My router seems compromised too. I'm pretty sure about that by now.
So I installed debian 8.8.0 on a PC.
Aware of the compromised router, I set the input chain of iptables to "allow established" and drop everything else.
I set the output chain to block the multicast packets to 224.0.0.0/24, that it starts sending as soon as a network device is connected, but allow all else.
I can't block the DNS server, so the frequent DNS requests it sends go out.
The forward chain as well as all ip6tables chains get default policy drop.
Yesterday (4th of June) I connect the computer to the router and download some packages with apt-get. Then do an apt-get upgrade.
I block source and destination port 80 in input and output chain to not get accidentally compromised through some manipulated website and surf a bit.
After next restart I notice that ifconfig displays the eth0 interface, without it being in /etc/network/interfaces. Since it does this also right after fresh installation, I assume this is normal.
After plugging the network cable in, eth0 now has an IP6 address. Also this it does right after installation too, so I assume this is normal too.
Still it is odd. I would prefer my interfaces only having an IP, when I say so in /etc/network/interfaces. And preferably only an IP6 adress if I configure it for that.
I think here is where the strange part starts:
I start a Wireshark capture and seemingly my computer is merrily chatting with 104.131.11.214's port 8080. Using IP4 addresses. Despite ifconfig displaying only an IP6 address for the interface. And me never having done an ifup or the interface being in /etc/network/interfaces.
It could be that the connection (which is also in the iptables logs) is from tor, which is one of the packages I installed yesterday.
But the behavior of the network interface being up and configured without an entry in the interfaces file, seems to me like either the system's not caring about the interfaces file, or the compromised router managed to compromise the debian installation despite all pre-cautions.
A third option would be, that the installation CD got compromised at download already.
For further testing, I dropped everything but destination/source port 53 and 443 in output/input chains of iptables.
When I then start Wireshark and plug the cable in, I get a number of packets with target IP 239.255.255.250 from the router.
After a short time Wireshark reports, that the interface has been closed and stops capture.
After putting an entry for eth0 in /etc/network/interfaces and an ifup the internet seems to work normal.
Somewhere in the depths of the packets with destination 239.255.255.250 it says something about UPnP.
If I recall it right, UPnP is the service of a router to allow programms on computers connected to it, to open their own ports. As I perceive this as a security risk, I usually disable it, when available. The FritzBox I actually use, doesn't seem to have UPnP at all.
So I get an even stronger impression, that the router compromised the PC and after the blocking, started to send the packages because it lost contact to its counterpart.
Maybe I'm wrong and this is all normal, but if not, I assume that there must be a bug that has been exploited.
Unfortunately I can't give you more info on what happened.
I only used apt-get to install some packages. Used Iceweasel to download Firefox (https), downloaded NoScript for Firefox first thing and made sure I only connect to https.
...for completeness, I did some more testing.
Freshly installed system. First download Wireshark. Then followed the procedure: restart without network cable, start Wireshark, plug in network cable, observe, ifup, observe, apt-get install, ifdown, plug out network cable, restart...
The first few packages, everything seems normal. Two or three multicast packages from the router after I plug the network cable in. Then silence.
The dhcp stuff after ifup, then silence.
Colorcoding of all packages during apt-get install is green background and looks nice.
With the 5th package I start getting loads of bad tcp. Re-transmission, suspected fast re-transmission and ack dup. The last from my computer outbound.
After the next restart, things still appear normal at first, so I download the next package. Tor.
Again a lot of bad tcp.
For the first time Wireshark pops-up a window "interface is closed, stop capture" after ifdown. Never did that before. Also did not do it again
I have a break for about 20min, during which the router's power cable is plugged out for 5-10 min.
After restart and plugging the cable in, for the first time I see a number of ARP requests "Who has 192.168.178.30", the IP usually assigned to the PC. Again it looks like it lost something. Didn't do that before. The requests come with approximately a bit more than 1 per second and continue till I do ifup.
I do the ifup, and instantly receive two packages, tagged ACK, from servers in the i-net. Source port 9000 and 9001. Sure no rest of an old connection.
Then some bad tcp.
After a while the computer sends a SYN to 217.79.179.177:9001, a connection is made.
After a while some more bad tcp and now it sends a SYN to one of the IPs the first two packets came from and connects with it.
I eventually do an ifdown, but keep Wireshark open and wait. And promptly I see a new DHCP negotiation and the connection starts again. Without me doing anything to it.
Well, another restart, cable in and waiting some time before starting Wireshark. And of course there is a connection already and my computer merrily exchanging packets.
Since the last package I installed was tor, I can of course not safely say, that this isn't just tor. But I think it isn't supposed to connect on its own like that?
Made another try with a freshly installed system. Installed Wireshark from the packages that were in /var/cache/apt/archives after the last install.
Wireshark on, cable in, ifup, apt-get update - lots of bad tcp.
Restart computer, Wireshark on, cable in, waiting and it does the DHCP stuff. No ifup from my side. Ifdown fails - interface not configured. At least no actual connections as it seems. But I think it isn't supposed to do that?
I test the connection with apt-get upgrade - works fine. Just a lot of bad tcp again.
I guess it's vain to write more. I believe my router might be compromised. And it seems like it compromises the Debian PC.
I can't say if it gives me a compromised package (would have to be Wireshark I guess), or if it's the bad tcp stuff, that let's it get in. But unless the CD I install from is compromised already, I guess it exploits a bug.
I can't test if the phenomena occur only for http connections. The CD doesn't contain a browser and apt-transport-https failed to work. Certificate doesn't match host. No idea if this is a problem with the certificates of mirrors or if my router screwed it up.
Sorry for packing so much in one mail. I'm not used to make bug reports.
I hope if you can't help me, you can at least tell me what is going on on my computer and with my router.
Thanks in advance for your efforts
Kind regards
Frank Papst
Appendix:
Imho suspicious connections to and from:
104.131.11.214:8080
51.254.35.151:9000
89.163.247.115:9001
95.169.188.103:443
217.79.179.177:9001
91.250.84.156:9001
85.229.84.141:443
46.101.104.245:
128.31.0.39:9101 (the one after the nine is not a typo)
FreeMail powered by mail.de - mehr Sicherheit, Seriosität und Komfort
--- End Message ---