More apparent hack attempts on new installs of client

Joseph Stateson
Volunteer tester
Joined: 27 Jun 08
Posts: 641
United States
Message 92225 - Posted: 19 Jul 2019, 8:10:48 UTC
Last modified: 19 Jul 2019, 8:31:37 UTC

Was first noticed and discussed here

I recently converted two Windows systems to Linux and immediately after
sudo apt-get install boinc-client

I went to /var/log/syslog and looked for attempts to RPC in, and sure enough both systems showed GUI RPC requests that were denied. The attempts, like the ones I posted over a year ago, came from 2.x, which is controlled by RIPE. I am in the USA and using whois I see that 2.0.215.127 is in France. Same as before.

Here is part of the log from the most recent new install
syslog:Jul 19 02:15:55 jysdualxeon boinc[7033]: 19-Jul-2019 02:15:55 [---] GUI RPC request from non-allowed address 2.0.214.214
syslog:Jul 19 02:21:00 jysdualxeon boinc[20493]: 19-Jul-2019 02:21:00 [---] Config: GUI RPCs allowed from:
syslog:Jul 19 02:21:56 jysdualxeon boinc[20493]: 19-Jul-2019 02:21:56 [---] GUI RPC request from non-allowed address 2.0.215.127
syslog:Jul 19 02:27:31 jysdualxeon kernel: [    0.304000] NetLabel:  unlabeled traffic allowed by default
syslog:Jul 19 02:27:36 jysdualxeon /usr/lib/gdm3/gdm-x-session[1096]: (==) Max clients allowed: 256, resource mask: 0x1fffff
syslog:Jul 19 02:27:39 jysdualxeon boinc[1211]: 19-Jul-2019 02:27:39 [---] Config: GUI RPCs allowed from:
syslog:Jul 19 02:27:58 jysdualxeon boinc[1211]: 19-Jul-2019 02:27:58 [---] GUI RPC request from non-allowed address 2.0.216.44


I failed to copy the log from the new install of Ubuntu I did 2 days ago. The first reboot erased the log, but I remember the IP addresses also started with 2; I failed to make note of the exact number.

I have never seen any attempts to RPC in after any initial install, and as the log is erased one would never know unless the log was examined immediately after the install.

I got Ubuntu 18.04 from ubuntu.com
I have no idea where "sudo apt-get install boinc-client" came from. If it came from a French repository then I suspect something nefarious.

Maybe there is a valid explanation for this.

[EDIT] Getting more from 2.x
syslog:Jul 19 02:27:58 jysdualxeon boinc[1211]: 19-Jul-2019 02:27:58 [---] GUI RPC request from non-allowed address 2.0.216.44
syslog:Jul 19 02:36:11 jysdualxeon boinc[1211]: dir_open: Could not open directory '/dev/input/mice' from '/var/lib/boinc-client'.
syslog:Jul 19 02:38:43 jysdualxeon boinc[1211]: 19-Jul-2019 02:38:43 [---] GUI RPC request from non-allowed address 2.0.218.45
syslog:Jul 19 02:38:43 jysdualxeon boinc[1211]: 19-Jul-2019 02:38:43 [---] 6 connections rejected in last 10 minutes
syslog:Jul 19 02:50:42 jysdualxeon boinc[1211]: 19-Jul-2019 02:50:42 [---] GUI RPC request from non-allowed address 2.0.220.82
syslog:Jul 19 02:50:42 jysdualxeon boinc[1211]: 19-Jul-2019 02:50:42 [---] 5 connections rejected in last 10 minutes
syslog:Jul 19 03:00:42 jysdualxeon boinc[1211]: 19-Jul-2019 03:00:42 [---] GUI RPC request from non-allowed address 2.0.221.67
syslog:Jul 19 03:00:42 jysdualxeon boinc[1211]: 19-Jul-2019 03:00:42 [---] 4 connections rejected in last 10 minutes
syslog:Jul 19 03:12:42 jysdualxeon boinc[1211]: 19-Jul-2019 03:12:42 [---] GUI RPC request from non-allowed address 2.0.222.179
syslog:Jul 19 03:12:42 jysdualxeon boinc[1211]: 19-Jul-2019 03:12:42 [---] 5 connections rejected in last 10 minutes


[edit again]
Just checked my other Linux box and there are no attempts to log in. Only this new one that I got working just an hour ago and have not rebooted since putting in boinc client.
ID: 92225
Dave
Help desk expert
Joined: 28 Jun 10
Posts: 2518
United Kingdom
Message 92227 - Posted: 19 Jul 2019, 9:39:05 UTC

Just been reading through the previous thread.
Out of interest did you get a better router in the end? I have an Asus DSL-AC56U and get at least a couple of requests a week blocked.
ID: 92227
Joseph Stateson
Volunteer tester
Joined: 27 Jun 08
Posts: 641
United States
Message 92232 - Posted: 19 Jul 2019, 16:28:43 UTC - in response to Message 92227.
Last modified: 19 Jul 2019, 16:43:29 UTC

Just been reading through the previous thread.
Out of interest did you get a better router in the end? I have an Asus DSL-AC56U and get at least a couple of requests a week blocked.


No, same router, and same very poor syslog support. I cannot filter messages to remove "info" messages at the modem and would have to buy a real syslog monitor program in addition to a better modem.

I did buy an edge router and put all of the Chinese-made cameras on its subnet. I suspect they could still "phone home", but any hacking in would have to go through the Blue Iris system that is locked down on that subnet. If they somehow "phone home", all anyone would see are the feral hogs, coyotes, foxes, hawks, skunks and raccoons in the area around my home. If they "phone home" and provide a tunnel back into my subnet, they will be stuck at the Blue Iris system and not have access to anything else.

I just checked all 3 of my Linux boxes and the only one showing any GUI RPC attempts is the new one. In the picture below, rx560 has been running for a month, tb85-nvidia for 3 days now, and the one on the left with the non-allowed requests only 12 or so hours. I did reboot, so those messages occurred in the last hour.

One thing that puzzles me is why the Windows installs generate a key for gui_rpc_auth.cfg but the same is not done on Linux.
I do not run BOINC Manager on these systems and use BoincTasks exclusively from my Windows desktop.
BoincTasks connects as soon as I add its IP address to the remote_hosts.cfg in /etc/boinc_client.

[EDIT] I just brought up syslog on that Linux system using the vi editor (not grep) and even though I rebooted, all the old entries are there. IANE on Linux and assumed they were deleted after every reboot, but no, there must be some aging mechanism before they are deleted. In any event, the other Ubuntu 18.04 systems show no unauthorized access, and I know for a fact that the tb85-nvidia showed non-allowed attempts from 2.x shortly after I set it up.

ID: 92232
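As an added example that is not part of this thread, here is a small Python triage script for the two things discussed above: the "GUI RPC request from non-allowed address" and "connections rejected" lines in syslog from the first post, and the remote_hosts.cfg allowlist mentioned in the third. It parses constructed syslog lines modelled on the ones quoted, separates LAN sources (which would point at a misconfigured remote_hosts.cfg) from Internet sources (unsolicited scanning that the client already rejects), and groups the rejected addresses by /24 so a cluster like 2.0.214-222.x stands out. The hostname and the 192.168.0.0/16 LAN range are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample, modelled on the syslog lines quoted in the thread (hostname is made up).
SAMPLE_SYSLOG = """\
Jul 19 02:15:55 host boinc[7033]: 19-Jul-2019 02:15:55 [---] GUI RPC request from non-allowed address 2.0.214.214
Jul 19 02:21:00 host boinc[20493]: 19-Jul-2019 02:21:00 [---] Config: GUI RPCs allowed from:
Jul 19 02:21:56 host boinc[20493]: 19-Jul-2019 02:21:56 [---] GUI RPC request from non-allowed address 2.0.215.127
Jul 19 02:27:31 host kernel: [    0.304000] NetLabel:  unlabeled traffic allowed by default
Jul 19 02:38:43 host boinc[1211]: 19-Jul-2019 02:38:43 [---] GUI RPC request from non-allowed address 2.0.218.45
Jul 19 02:38:43 host boinc[1211]: 19-Jul-2019 02:38:43 [---] 6 connections rejected in last 10 minutes
Jul 19 02:50:42 host boinc[1211]: 19-Jul-2019 02:50:42 [---] GUI RPC request from non-allowed address 192.168.1.50
"""

# Only lines emitted by the boinc client process are considered; kernel/X lines are ignored.
REJECT_RE = re.compile(r"boinc\[(\d+)\]: .*GUI RPC request from non-allowed address (\S+)")
BURST_RE = re.compile(r"boinc\[\d+\]: .*?(\d+) connections rejected in last (\d+) minutes")
ALLOW_RE = re.compile(r"Config: GUI RPCs allowed from:(.*)$")


def parse_rejections(text):
    """Return (pid, source_ip) for every rejected GUI RPC request line."""
    return [(int(m.group(1)), m.group(2))
            for m in (REJECT_RE.search(l) for l in text.splitlines()) if m]


def allowed_hosts(text):
    """Hosts the client logged as allowed; an empty list means remote_hosts.cfg allows nobody."""
    hosts = []
    for m in (ALLOW_RE.search(l) for l in text.splitlines()):
        if m:
            hosts.extend(m.group(1).split())
    return hosts


def summarize(text, lan=ip_network("192.168.0.0/16")):
    """Split rejected sources into LAN vs Internet, count per /24, and collect burst counters."""
    per_prefix, internal, external = Counter(), Counter(), Counter()
    for _pid, src in parse_rejections(text):
        per_prefix[str(ip_network(f"{src}/24", strict=False))] += 1
        (internal if ip_address(src) in lan else external)[src] += 1
    bursts = [(int(n), int(mins)) for n, mins in BURST_RE.findall(text)]
    return {"per_prefix": dict(per_prefix), "internal": dict(internal),
            "external": dict(external), "bursts": bursts,
            "allowed": allowed_hosts(text)}


if __name__ == "__main__":
    # Typical use: python3 triage.py < /var/log/syslog
    import sys
    print(summarize(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SYSLOG))
```

A LAN address in the "internal" bucket is the case to fix locally (add the manager host to remote_hosts.cfg); addresses in "external" are already being rejected by the client, so the remaining step is simply not exposing port 31416 to the Internet at the router.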

Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.