For what it's worth:

Someone broke into the Croquet Collaborative box and created a user (f00bar) for running ircd (Internet Relay Chat).

I'm not aware of any consequences for folks connected to www.croquetcollaborative.org or xrfb.croquetcollaborative.org, but what do I know?

I've seen Croquet be intermittently unresponsive for no apparent reason, and I suspect it might have been due to either this or to attempts at entry such as the one that led to this. For example, either IRC or hammering on a port to break in could have used up all the available bandwidth.

-H

What OS and patch level was it running? I am genuinely concerned to know how this might have happened.

Howard Stearns wrote:
> For what it's worth:
>
> Someone broke into the Croquet Collaborative box and created a user
> (f00bar) for running ircd (Internet Relay Chat).
>
> I'm not aware of any consequences for folks connected to
> www.croquetcollaborative.org or xrfb.croquetcollaborative.org, but
> what do I know?
>
> I've seen Croquet be intermittently unresponsive for no apparent
> reason, and I suspect it might have been due to either this or to
> attempts at entry such as the one that led to this. For example,
> either IRC or hammering on a port to break in could have used up all
> the available bandwidth.
>
> -H

At the time, uname -a produced:
FreeBSD www.croquetcollaborative.org 6.1-RELEASE FreeBSD 6.1-RELEASE #0: Sun May 7 04:42:56 UTC 2006

Call me naive.

I've since run freebsd-update and portsnap. Now uname produces:
FreeBSD www.croquetcollaborative.org 6.1-SECURITY FreeBSD 6.1-SECURITY #0: Wed Feb 14 15:48:51 UTC 2007

As a precaution, I'm also now logging connections to the Croquet dispatcher, even (or especially) if they don't result in a Croquet session. (#futureAcceptConnectionFrom:)

On Mar 10, 2007, at 5:08 PM, David P. Reed wrote:
> What OS and patch level was it running? I am genuinely concerned
> to know how this might have happened.
>
> Howard Stearns wrote:
>> For what it's worth:
>>
>> Someone broke into the Croquet Collaborative box and created a
>> user (f00bar) for running ircd (Internet Relay Chat).
>>
>> I'm not aware of any consequences for folks connected to
>> www.croquetcollaborative.org or xrfb.croquetcollaborative.org, but
>> what do I know?
>>
>> I've seen Croquet be intermittently unresponsive for no apparent
>> reason, and I suspect it might have been due to either this or to
>> attempts at entry such as the one that led to this. For example,
>> either IRC or hammering on a port to break in could have used up
>> all the available bandwidth.
>>
>> -H

Any relation to this: http://lwn.net/Articles/225947/ ? I know OpenBSD is different from FreeBSD, but...

Howard Stearns wrote:
> At the time, uname -a produced:
> FreeBSD www.croquetcollaborative.org 6.1-RELEASE FreeBSD 6.1-RELEASE
> #0: Sun May 7 04:42:56 UTC 2006
>
> Call me naive.
>
> I've since run freebsd-update and portsnap. Now uname produces:
> FreeBSD www.croquetcollaborative.org 6.1-SECURITY FreeBSD
> 6.1-SECURITY #0: Wed Feb 14 15:48:51 UTC 2007
>
> As a precaution, I'm also now logging connections to the Croquet
> dispatcher, even (or especially) if they don't result in a Croquet
> session. (#futureAcceptConnectionFrom:)
>
> On Mar 10, 2007, at 5:08 PM, David P. Reed wrote:
>
>> What OS and patch level was it running? I am genuinely concerned to
>> know how this might have happened.
>>
>> Howard Stearns wrote:
>>> For what it's worth:
>>>
>>> Someone broke into the Croquet Collaborative box and created a user
>>> (f00bar) for running ircd (Internet Relay Chat).
>>>
>>> I'm not aware of any consequences for folks connected to
>>> www.croquetcollaborative.org or xrfb.croquetcollaborative.org, but
>>> what do I know?
>>>
>>> I've seen Croquet be intermittently unresponsive for no apparent
>>> reason, and I suspect it might have been due to either this or to
>>> attempts at entry such as the one that led to this. For example,
>>> either IRC or hammering on a port to break in could have used up all
>>> the available bandwidth.
>>>
>>> -H

I don't think so. "[I]n order to exploit a vulnerable system an attacker needs to be able to inject fragmented IPv6 packets on the target system's local network. This requires direct physical/logical access to the target's local network." Also, it looks like that vulnerability is a little older than my initial installation.

By the way, I want to be clear that this box is running a lot of stuff besides Croquet: apache/php/mySql/wordpress, vnc, ssh, sftp, etc. I don't feel there is any reason to think the penetration had anything to do with Croquet itself. But I think it's fair to share experiences as-is and timely-like with folks who may be using that box via Croquet or xrfb.

Since updating the OS kernel and applications as described, I haven't seen any further entry. And through my monitoring of dispatcher connections, I have seen only one connection that failed to result in a Croquet session. (I have router auto-create turned off, so the dispatcher correctly signaled an error that it could not create a router for the requested island id. The dispatcher then correctly terminated the connection. The "attacker" then gave up. This one failed Croquet connection may well have been a Croquet user doing a perfectly reasonable experiment.)

However, I continue to see examples of odd IP addresses banging away (unsuccessfully) on non-Croquet ports. (mail, vnc, ssh, ...)

David P. Reed wrote:
> Any relation to this: http://lwn.net/Articles/225947/ ? I know
> OpenBSD is different from FreeBSD, but...
>
> Howard Stearns wrote:
>> At the time, uname -a produced:
>> FreeBSD www.croquetcollaborative.org 6.1-RELEASE FreeBSD 6.1-RELEASE
>> #0: Sun May 7 04:42:56 UTC 2006
>>
>> Call me naive.
>>
>> I've since run freebsd-update and portsnap. Now uname produces:
>> FreeBSD www.croquetcollaborative.org 6.1-SECURITY FreeBSD
>> 6.1-SECURITY #0: Wed Feb 14 15:48:51 UTC 2007
>>
>> As a precaution, I'm also now logging connections to the Croquet
>> dispatcher, even (or especially) if they don't result in a Croquet
>> session. (#futureAcceptConnectionFrom:)
>>
>> On Mar 10, 2007, at 5:08 PM, David P. Reed wrote:
>>
>>> What OS and patch level was it running? I am genuinely concerned to
>>> know how this might have happened.
>>>
>>> Howard Stearns wrote:
>>>> For what it's worth:
>>>>
>>>> Someone broke into the Croquet Collaborative box and created a user
>>>> (f00bar) for running ircd (Internet Relay Chat).
>>>>
>>>> I'm not aware of any consequences for folks connected to
>>>> www.croquetcollaborative.org or xrfb.croquetcollaborative.org, but
>>>> what do I know?
>>>>
>>>> I've seen Croquet be intermittently unresponsive for no apparent
>>>> reason, and I suspect it might have been due to either this or to
>>>> attempts at entry such as the one that led to this. For example,
>>>> either IRC or hammering on a port to break in could have used up all
>>>> the available bandwidth.
>>>>
>>>> -H

--
Howard Stearns
University of Wisconsin - Madison
Division of Information Technology
mailto:[hidden email]
jabber:[hidden email]
voice:+1-608-262-3724
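
An added example, not part of any message in this thread and not code from the Croquet project: one way to catch the kind of change reported above (an unexpected local account such as f00bar) is to diff /etc/passwd against a snapshot saved while the host was known to be clean. The account entries, UIDs and shells below are constructed sample data; only the account name comes from the thread.

```python
# Added example: diff a passwd(5) snapshot against a known-good baseline.
# Sample data is constructed; only the account name "f00bar" is from the thread.

# An empty shell field is NOT listed here: passwd(5) treats it as /bin/sh.
NOLOGIN = {"/usr/sbin/nologin", "/sbin/nologin", "/nonexistent"}

def parse_passwd(text):
    """Map account name -> (uid, home, shell) for 7-field passwd(5) lines."""
    accounts = {}
    for raw in text.splitlines():
        fields = raw.strip().split(":")
        if fields[0].startswith("#") or len(fields) != 7 or not fields[2].isdigit():
            continue  # comment, blank or malformed line
        accounts[fields[0]] = (int(fields[2]), fields[5], fields[6])
    return accounts

def audit(baseline_text, current_text):
    """Return sorted (finding, account) pairs describing drift from the baseline."""
    base, cur = parse_passwd(baseline_text), parse_passwd(current_text)
    findings = []
    for name, (uid, home, shell) in cur.items():
        if name not in base:
            findings.append(("new-account", name))
            if shell not in NOLOGIN:
                findings.append(("new-account-can-log-in", name))
        elif base[name] != (uid, home, shell):
            findings.append(("changed", name))
        if uid == 0 and base.get(name, (None,))[0] != 0:
            findings.append(("uid0-not-in-baseline", name))
    findings += [("removed", name) for name in base if name not in cur]
    return sorted(findings)

# Constructed baseline, as if saved while the host was known to be clean.
BASELINE = """\
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
alice:*:1001:1001:Constructed admin:/home/alice:/bin/tcsh
"""

# Constructed later snapshot: www gained a shell and an unknown account appeared.
CURRENT = BASELINE.replace("/nonexistent:/usr/sbin/nologin", "/nonexistent:/bin/sh") \
    + "f00bar:*:1002:1002:constructed entry:/home/f00bar:/bin/sh\n"

if __name__ == "__main__":
    for finding, account in audit(BASELINE, CURRENT):
        print(f"{finding:24} {account}")
```

The baseline is only trustworthy if it is stored off the host; a copy kept on the same box can be edited by whoever created the account.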