Message boards : Questions and problems : security hack? unauthorized gui_rpc attempt seconds after a new installation
Message board moderation
Author | Message |
---|---|
Send message Joined: 27 Jun 08 Posts: 641 |
This seems strange and I was wondering how the person at 2.0.198.94 (French site) could possibly have known I had just installed boinc on a new ubuntu system here in USA. I did a sudo apt-get install boinc-client on a new ubuntu 17 server system I just put together. after that install completed I immediately rebooted and then went and checked the boinc.log, maybe 30 seconds elapsed including the normal reboot. In the log I spotted an attempt to make a gui_rpc connection to my client that was denied by boinc. The only think I can think of is that the archive is being monitored by someone and they know if an install takes place. Maybe there is a simple explanation for this, maybe not??? |
Send message Joined: 29 Aug 05 Posts: 15541 |
Could you post the corresponding (part of) the log, please? It's difficult to follow what you say, because as far as I know the gui_rpc don't use IP addresses, but port numbers. |
Send message Joined: 5 Oct 06 Posts: 5121 |
You should also describe how this new computer is connected to the internet. Yes, IP addresses are used for GUI RPCs, just as they are used for RPCs to project servers. But an incoming call from France? That should be caught and blocked at least twice: once by the NAT translation in your router, and again by the firewall in your operating system. |
Send message Joined: 27 Jun 08 Posts: 641 |
You should also describe how this new computer is connected to the internet. Yes, IP addresses are used for GUI RPCs, just as they are used for RPCs to project servers. Yes, you are correct - Firewall at router should have stopped any probing. I have had a discussion with at&t about brute force hacks. Those stop at the router. Here is a log from my offending "minimal ssh server, ubuntu 17" It shows two more attempts both from a "2" country which is registered with RIPE as I remember. boinc.log:24-Jan-2018 19:47:52 [---] GUI RPC request from non-allowed address 2.0.199.23 boinc.log:24-Jan-2018 21:30:43 [---] GUI RPC request from non-allowed address 2.0.199.157
|
Send message Joined: 29 Aug 05 Posts: 15541 |
Did you add grcpool to that BOINC? Or are remote hosts on your local network allowed to check this host, and do those remote hosts use grcpool? |
Send message Joined: 27 Jun 08 Posts: 641 |
All systems are in my home and are controlled by boinctasks from either my tablet or a desktop. All systems running boinc use grcpool instead of BAM! That is required in order to mine using the pool. I have a magnitude of 257 but it appears that I have a couple of weeks to go before I get their "decent balance" and can return to BAM! as my project manager. I look forward to that as I will then have full control of the project. With grcpool I cannot specify which sub-projects to run among other problems. The desktop runs the grcresearchclient or "wallet" 24x7 and also mines. I read where GridCoin is wanting to hire consultants. I assume they are paying in more than gridcoins. It is obvious they have problems with their manager and could use some help. [EDIT] I just added a syslog server so I can observe traffic at my router. The log at the router showed only a few hours of activity, it should have showed days. The syslog server will record traffic I am interested to check for security problems. |
Send message Joined: 29 Aug 05 Posts: 15541 |
I have the feeling it is to do with the grcpool AM. Can you enable the gui_rpc_debug flag in cc_config.xml options, please? |
Send message Joined: 5 Mar 08 Posts: 272 |
I have also seen similar logging of gui_rpc_auth attempts. I never run an account manager. I do however use an iptables firewall on all the Linux machines. I don’t assume the router is going to stop any serious attempt. MarkJ |
Send message Joined: 26 Jan 18 Posts: 1 |
I have the feeling it is to do with the grcpool AM. I am the pool admin. If there are any questions or problems, I would be more than happy to assist. Brian... |
Send message Joined: 2 Jan 14 Posts: 276 |
I have the feeling it is to do with the grcpool AM. Every now and then, I'll see them in my log as well, and I've never had anything to do with the crypto mining stuff. My Detailed BOINC Stats |
Send message Joined: 29 Aug 05 Posts: 15541 |
Well, at least that shows I am wrong. on that, but still would like to see a (complete) log with gui_rpc_debug from machine/BOINC startup. |
Send message Joined: 27 Jun 08 Posts: 641 |
I have the feeling it is to do with the grcpool AM. No need to enable the gui_rpc_debug: If the remote_hosts.cfg file is created and one attempts to log into that system using BM's "Select Computer" then the warning message shows up: jstatesonxps730 1101 1/26/2018 12:03:29 AM GUI RPC request from non-allowed address 192.168.1.220
|
Send message Joined: 27 Jun 08 Posts: 641 |
This is a followup. Out of curiosity I did a re-install of Ubuntu & Boinc and did not see any unauthorized grc connection. This sort of rules out anyone at the ubuntu repository monitoring downloads of boinc and attempting to connect. Just a stupid thought or guess on my part. However, quite by chance I noticed that other users have spotted the same problem over at gpugrid and posted about it about middle of january. In trying to lock down my systems, I started looking at the syslogs from my AT&T Arris BGW210-700 router. That router is practically worthless as far as examining threats. I requested help with the AT&T community but it is obvious I will have to buy a real router if I want to see what the H is going on. If someone here uses AT&T maybe they can recommend a better router, at least one that actually has a manual. |
Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License,
Version 1.2 or any later version published by the Free Software Foundation.