security hack? unauthorized gui_rpc attempt seconds after a new installation

Message boards : Questions and problems : security hack? unauthorized gui_rpc attempt seconds after a new installation
Message board moderation

To post messages, you must log in.

AuthorMessage
Profile BeemerBiker
Avatar

Send message
Joined: 27 Jun 08
Posts: 257
United States
Message 84537 - Posted: 24 Jan 2018, 23:54:40 UTC

This seems strange and I was wondering how the person at 2.0.198.94 (French site) could possibly have known I had just installed boinc on a new ubuntu system here in USA.

I did a sudo apt-get install boinc-client on a new ubuntu 17 server system I just put together.
after that install completed I immediately rebooted and then went and checked the boinc.log, maybe 30 seconds elapsed including the normal reboot.

In the log I spotted an attempt to make a gui_rpc connection to my client that was denied by boinc.

The only think I can think of is that the archive is being monitored by someone and they know if an install takes place.

Maybe there is a simple explanation for this, maybe not???
ID: 84537 · Report as offensive     Reply Quote
Profile Ageless
Volunteer moderator
Project administrator
Volunteer tester
Help desk expert
Avatar

Send message
Joined: 29 Aug 05
Posts: 12530
Netherlands
Message 84539 - Posted: 25 Jan 2018, 7:15:27 UTC - in response to Message 84537.  

Could you post the corresponding (part of) the log, please? It's difficult to follow what you say, because as far as I know the gui_rpc don't use IP addresses, but port numbers.
Jord
Please do not private message me for tech support. Use the forums for that. Tech PMs will be ignored.

quote: "Isn't the best defense always a good attack?"
ID: 84539 · Report as offensive     Reply Quote
Richard Haselgrove
Volunteer moderator
Volunteer tester
Help desk expert

Send message
Joined: 5 Oct 06
Posts: 2753
United Kingdom
Message 84541 - Posted: 25 Jan 2018, 9:15:37 UTC

You should also describe how this new computer is connected to the internet. Yes, IP addresses are used for GUI RPCs, just as they are used for RPCs to project servers.

But an incoming call from France? That should be caught and blocked at least twice: once by the NAT translation in your router, and again by the firewall in your operating system.
ID: 84541 · Report as offensive     Reply Quote
Profile BeemerBiker
Avatar

Send message
Joined: 27 Jun 08
Posts: 257
United States
Message 84544 - Posted: 25 Jan 2018, 15:39:28 UTC - in response to Message 84541.  
Last modified: 25 Jan 2018, 15:57:09 UTC

You should also describe how this new computer is connected to the internet. Yes, IP addresses are used for GUI RPCs, just as they are used for RPCs to project servers.

But an incoming call from France? That should be caught and blocked at least twice: once by the NAT translation in your router, and again by the firewall in your operating system.


Yes, you are correct - Firewall at router should have stopped any probing. I have had a discussion with at&t about brute force hacks. Those stop at the router.

Here is a log from my offending "minimal ssh server, ubuntu 17" It shows two more attempts both from a "2" country which is registered with RIPE as I remember.


    boinc.log:24-Jan-2018 19:47:52 [---] GUI RPC request from non-allowed address 2.0.199.23
    boinc.log:24-Jan-2018 21:30:43 [---] GUI RPC request from non-allowed address 2.0.199.157



Note the IP addresses are different from the one I listed. The logs get replaced after a restart of boinc. My other 2 linux systems do not show any RPC requests.
What concerns me is that the "2" address may be from a proxy or some access through an existing system in my home. My other systems in house run win10 with standard windows defender and are call up to date as I am retired and have plenty of time, and interest, in keeping them that way. One of my kids has all MAC and is not into boinc. The other has win7 with security essentials and also does gridcoin and has a wallet like I do.

This is the sequence of events that happened:
1. I installed minimal ssh server naming system "jyslinux3"
2. I went to my tablet that is running win10x64 and boinctasks and added "jyslinux3" to boinctasks
3. I went back to the ubuntu system and did that apt-get install. When it completed I
edited init.d/default/boinc-client and removed the # sign from "# allow_remote_gui_rpc"
and then did a stop and start of boinc
4. I checked the boinc.log at /var/logs and spotted that "2" address. I expected to see only
192.168.whatever from the tablet but even that is a maybe as I usually have to stop and
start boinctasks to fix a connection problem when a system comes back on line.

===========what I have done since then============
1. I added password to gui_rpc_auth.cfg on all 14 systems.
2. On the 3 ubuntu systems I had to add remote_host.cfg. There must be a difference in how boinc handles RPC calls as this table was not need for windows.
3. I am switching to two step authentication for google as well as other services that keep track of my passwords. I ordered a yubico neo security key to simplify the two step.
4. I attempted to change the passwords on my 3 Chinese made Zmodo cameras that are on the internet. They are behind my router but can be accessed by logging into a server that I assume is in China. I was unable to change the password. Any attempt using their Zviewer software resulted in a "blank" field for the new password and the default remained (something illegible, probably Chinese characters). I have not received authorization from them to join their forum nor have I received a response from my request for how to get rid of the default user/password. I have 3 other cameras, Amcrest, but the default user/password was changed long ago.
5. I scanned my win10 tablet but after I while I stopped it and instead will buy or use a 3rd party program in addition to, or maybe replace, defender.

On one occasional I added a port scan program to observer traffic on one of my windows systems. I do not know how to do that on ubuntu. Is there a debug feature I can turn on so my windows system report unauthorized rpc access? I have never seen a message like that from windows so I assume it is disabled.

ID: 84544 · Report as offensive     Reply Quote
Profile Ageless
Volunteer moderator
Project administrator
Volunteer tester
Help desk expert
Avatar

Send message
Joined: 29 Aug 05
Posts: 12530
Netherlands
Message 84545 - Posted: 25 Jan 2018, 17:13:39 UTC - in response to Message 84544.  
Last modified: 25 Jan 2018, 17:14:57 UTC

Did you add grcpool to that BOINC?
Or are remote hosts on your local network allowed to check this host, and do those remote hosts use grcpool?
Jord
Please do not private message me for tech support. Use the forums for that. Tech PMs will be ignored.

quote: "Isn't the best defense always a good attack?"
ID: 84545 · Report as offensive     Reply Quote
Profile BeemerBiker
Avatar

Send message
Joined: 27 Jun 08
Posts: 257
United States
Message 84547 - Posted: 25 Jan 2018, 17:33:29 UTC - in response to Message 84545.  
Last modified: 25 Jan 2018, 17:41:04 UTC

All systems are in my home and are controlled by boinctasks from either my tablet or a desktop.
All systems running boinc use grcpool instead of BAM! That is required in order to mine using the pool.
I have a magnitude of 257 but it appears that I have a couple of weeks to go before I get their "decent balance" and can return to BAM! as my project manager. I look forward to that as I will then have full control of the project. With grcpool I cannot specify which sub-projects to run among other problems.

The desktop runs the grcresearchclient or "wallet" 24x7 and also mines.

I read where GridCoin is wanting to hire consultants. I assume they are paying in more than gridcoins. It is obvious they have problems with their manager and could use some help.

[EDIT] I just added a syslog server so I can observe traffic at my router. The log at the router showed only a few hours of activity, it should have showed days. The syslog server will record traffic I am interested to check for security problems.
ID: 84547 · Report as offensive     Reply Quote
Profile Ageless
Volunteer moderator
Project administrator
Volunteer tester
Help desk expert
Avatar

Send message
Joined: 29 Aug 05
Posts: 12530
Netherlands
Message 84549 - Posted: 25 Jan 2018, 18:56:31 UTC - in response to Message 84547.  

I have the feeling it is to do with the grcpool AM.
Can you enable the gui_rpc_debug flag in cc_config.xml options, please?
Jord
Please do not private message me for tech support. Use the forums for that. Tech PMs will be ignored.

quote: "Isn't the best defense always a good attack?"
ID: 84549 · Report as offensive     Reply Quote
MarkJ
Help desk expert

Send message
Joined: 5 Mar 08
Posts: 191
Australia
Message 84550 - Posted: 25 Jan 2018, 22:49:25 UTC

I have also seen similar logging of gui_rpc_auth attempts. I never run an account manager. I do however use an iptables firewall on all the Linux machines. I don’t assume the router is going to stop any serious attempt.
MarkJ
ID: 84550 · Report as offensive     Reply Quote
bgb

Send message
Joined: 26 Jan 18
Posts: 1
United States
Message 84551 - Posted: 26 Jan 2018, 0:07:46 UTC - in response to Message 84549.  

I have the feeling it is to do with the grcpool AM.
Can you enable the gui_rpc_debug flag in cc_config.xml options, please?


I am the pool admin. If there are any questions or problems, I would be more than happy to assist.

Brian...
ID: 84551 · Report as offensive     Reply Quote
noderaser
Avatar

Send message
Joined: 2 Jan 14
Posts: 276
United States
Message 84553 - Posted: 26 Jan 2018, 3:57:34 UTC - in response to Message 84549.  

I have the feeling it is to do with the grcpool AM.

Every now and then, I'll see them in my log as well, and I've never had anything to do with the crypto mining stuff.
My Detailed BOINC Stats
ID: 84553 · Report as offensive     Reply Quote
Profile Ageless
Volunteer moderator
Project administrator
Volunteer tester
Help desk expert
Avatar

Send message
Joined: 29 Aug 05
Posts: 12530
Netherlands
Message 84554 - Posted: 26 Jan 2018, 6:10:53 UTC

Well, at least that shows I am wrong. on that, but still would like to see a (complete) log with gui_rpc_debug from machine/BOINC startup.
Jord
Please do not private message me for tech support. Use the forums for that. Tech PMs will be ignored.

quote: "Isn't the best defense always a good attack?"
ID: 84554 · Report as offensive     Reply Quote
Profile BeemerBiker
Avatar

Send message
Joined: 27 Jun 08
Posts: 257
United States
Message 84555 - Posted: 26 Jan 2018, 6:20:27 UTC - in response to Message 84549.  
Last modified: 26 Jan 2018, 6:24:42 UTC

I have the feeling it is to do with the grcpool AM.
Can you enable the gui_rpc_debug flag in cc_config.xml options, please?


No need to enable the gui_rpc_debug:

If the remote_hosts.cfg file is created and one attempts to log into that system using BM's "Select Computer" then the warning message shows up:

    jstatesonxps730 1101 1/26/2018 12:03:29 AM GUI RPC request from non-allowed address 192.168.1.220



However, I did go ahead and put that debug flag in to see what happens, but I took it out as fast as I could on account of all the normal traffic showing up in the event file.

===================================BUG REPORT=================
I found a bug when I did the above test: The computer I used when I ran the "Select Computer" BM function popped up a dialog box once ever about 0.5 second when attempting to connect. I had trouble reading it as it lasted only about 0.25 seconds but is was an info message to the effect it was trying to connect to the boinc manager. It appeared and disappeared so fast that I was unable to click on either of the two button widgets in its dialog box. I ended up closing [X} the boinc manager to stop this.

ID: 84555 · Report as offensive     Reply Quote
Profile BeemerBiker
Avatar

Send message
Joined: 27 Jun 08
Posts: 257
United States
Message 84641 - Posted: 3 Feb 2018, 15:51:16 UTC

This is a followup.

Out of curiosity I did a re-install of Ubuntu & Boinc and did not see any unauthorized grc connection. This sort of rules out anyone at the ubuntu repository monitoring downloads of boinc and attempting to connect. Just a stupid thought or guess on my part.

However, quite by chance I noticed that other users have spotted the same problem over at gpugrid and posted about it about middle of january.

In trying to lock down my systems, I started looking at the syslogs from my AT&T Arris BGW210-700 router. That router is practically worthless as far as examining threats. I requested help with the AT&T community but it is obvious I will have to buy a real router if I want to see what the H is going on. If someone here uses AT&T maybe they can recommend a better router, at least one that actually has a manual.
ID: 84641 · Report as offensive     Reply Quote

Message boards : Questions and problems : security hack? unauthorized gui_rpc attempt seconds after a new installation

Copyright © 2018 University of California. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.