From: Mehmet Erol Sanliturk
Date: Sun, 28 Nov 2021 13:13:25 +0300
Subject: Re: Does not appear to be (too) malicious ...
To: Stefan Esser
Cc: freebsd-hackers
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

On Sun, Nov 28, 2021 at 12:17 PM Stefan Esser wrote:

> On 28.11.21 at 02:06 Mario Lobo wrote:
> > On Sat, Nov 27, 2021, 20:27 George Mitchell wrote:
> >
> >> On 11/27/21 17:40, Obsto Clades via freebsd-hackers wrote:
> >>> I hacked on the FreeBSD source code to produce a version of the OS that
> >>> cannot be remotely hacked. Before you tell me that is impossible, I
> >>> have an answer to that response on my FAQ page.
> >>>
> >>> If you are interested in checking out my OS, you can find instructions
> >>> on my site's home page: https://obstoclades.tech/
> >>>
> >>> I invite you to check it out.
> >>>
> >>
> >> Hmm, my mother told me never to click on links in strange emails ...
> >> -- George
> >>
> >
> > curl http://obstoclades.tech
> [...]
> > Connection denied by Geolocation Setting.
> >
> > Reason: Blocked country:
> >
> > The connection was denied because this country is blocked in the
> > Geolocation settings.
> >
> > Please contact your administrator for assistance.
> >
> > WatchGuard Technologies, Inc.
> >
>
> $ fetch --no-verify-peer -v -o /tmp/obstoclades.html https://obstoclades.tech
> resolving server address: obstoclades.tech:443
> SSL options: 82004854
> Verify hostname
> TLSv1.3 connection established using TLS_AES_256_GCM_SHA384
> Certificate subject: /CN=obstoclades.tech
> Certificate issuer: /C=US/O=Let's Encrypt/CN=R3
> requesting https://obstoclades.tech/
> fetch: https://obstoclades.tech: size of remote file is not known
> local size / mtime: 34916 / 1638088913
> /tmp/obstoclades.html                        34 kB  181 kBps    00s
>
> There is actual contents in this file, and it does not seem to contain any
> malicious parts. It starts with:
>
> Security is a Joke
> content="This demonstrates a modified BSD Operating System designed
> to prevent remote hacking of single-purpose computer systems.">
>
> And besides the jquery.min.js downloaded from ajax.googleapis.com only the
> following short and apparently benign script is downloaded as
> obstoclades.js:
>
> /*
>  * File: obstoclades.js
>  * Copyright (c) 2017 Obsto Clades, LLC
>  */
>
> $(document).ready(function()
> {
>     var $content = $(".content").hide();
>     $(".img").on("click", function (e)
>     {
>         $(this).parent().parent().toggleClass("expanded");
>         var ttt = $(this).parent().children(".tooltiptext");
>         if ($(this).parent().parent().hasClass("expanded"))
>         {
>             ttt.replaceWith("Click to close");
>         }
>         else
>         {
>             ttt.replaceWith("Click to open");
>         }
>         $(this).parent().parent().next().slideToggle();
>     });
>     var textHeight = $("#left-side-header-text").height();
>     $("#old_english_sheepdog").height(textHeight).width(textHeight);
>     $("#button").click(function()
>     {
>         $("#contactus-form").submit();
>     });
> });
>
> He invites people to attack his server using an SSH login with provided
> credentials, and offers US$1000 for any successful modification of the
> test server. See the following video, which shows that root on the
> console and root via su in the SSH session get quite different
> environments:
>
> https://obstoclades.tech/video/demo-video.mp4
>
> This looks like a setup with lots of restrictions applied, probably noexec
> mounts of temporary file systems and the like, possibly jails and/or MAC
> restrictions.
>
> He thinks that an embedded system configured that way could not be
> attacked, but explains that his concept is limited to e.g. IoT use cases
> (what he calls "single-purpose computer system").
>
> Anyway, I could not find any malicious content on the web server.
> Accessing with a SSH session (obviously configured to not allow backwards
> tunneling) should also not be too dangerous from a dumb terminal (but
> beware of escape sequence attacks possible with ANSI terminals, e.g.
> reprogramming of function keys with "ESC[code;string;...p").
>
> It looks to me like kind of a honeypot setup gathering attack attempts to
> see whether a throw-away system can withstand them. All attack attempts
> are logged, either to learn how to perform them, or to actually improve
> the security of his protection concept in case of a successful break-in.
>
> Regards, Stefan

The message above is really a very good one because of its information content.

As a response to my message in the following link

https://lists.freebsd.org/archives/freebsd-hackers/2021-November/000515.html

Obsto Clades asked me with a private message, approximately, "I am connecting to the web site ... without any such message. Do you have more information?". I replied, "No."

When the following link (please notice that it is http, not https)

http://obstoclades.tech/

is opened, the response of Firefox (57.0.1) is the following:

--------------------------------------------------------
Connection denied by Geolocation Setting.

Reason: Blocked country:

The connection was denied because this country is blocked in the Geolocation settings.

Please contact your administrator for assistance.

WatchGuard Technologies, Inc.
--------------------------------------------------------

When the following link (please notice that it is https, not http)

https://obstoclades.tech/video/demo-video.mp4

is opened, the response of Firefox (57.0.1) is the following:

--------------------------------------------------------
Your connection is not secure

The owner of obstoclades.tech has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

Learn more…

Report errors like this to help Mozilla identify and block malicious sites
--------------------------------------------------------

In "Learn more ..." the linked page is

https://support.mozilla.org/en-US/kb/error-codes-secure-websites?as=u&utm_source=inproduct

How to troubleshoot security error codes on secure websites

There are 2 knobs, not copyable:

(1) Go back
(2) Advanced

When "Advanced" is clicked (there is no linked page), the following message is displayed:

--------------------------------------------------------
obstoclades.tech uses an invalid security certificate.

The certificate is not trusted because it is self-signed.
The certificate is not valid for the name obstoclades.tech.

Error code: SEC_ERROR_UNKNOWN_ISSUER
--------------------------------------------------------

With a knob (without any linked page) as follows: "Add Exception ..." with a dialog pane display to add an exception for that page (which I did not add because the website owner may correct her/his certificate or configuration of the website).

With my best wishes for all,

Mehmet Erol Sanliturk
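The escape-sequence caveat in Stefan's message (function keys reprogrammed with "ESC[code;string;...p" when session output is shown on an ANSI terminal) is the one thing in this thread a defender can act on directly. The following is an added example, not code from the post or from obstoclades.tech: a Python filter that strips terminal control sequences from captured session output before it is displayed and reports which families it saw. Labelling any CSI sequence whose final byte is `p` as "key-redefinition" is an assumption taken from the form quoted in the message, and the sample transcript is constructed.

```python
import re

# Escape-sequence families an ANSI/xterm-style terminal acts on: CSI, OSC, DCS
# and two-byte ESC sequences. Written for this thread; not code from the site.
_ESC_RE = re.compile(
    rb"\x1b(?:"
    rb"\[(?P<csi>[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e])"  # CSI: ESC [ params inter final
    rb"|\](?P<osc>.*?)(?:\x07|\x1b\\)"                 # OSC: ESC ] ... BEL or ST
    rb"|P(?P<dcs>.*?)\x1b\\"                           # DCS: ESC P ... ST
    rb"|(?P<two>[\x20-\x2f]*[\x30-\x7e])"              # remaining ESC sequences
    rb")",
    re.DOTALL,
)

def classify(m):
    """Label one matched sequence by what it could do to the viewer's terminal."""
    if m.group("csi") is not None:
        final = m.group("csi")[-1:]
        if final == b"p":    # CSI ... p: the key-redefinition form quoted above (assumed)
            return "key-redefinition"
        if final == b"m":    # SGR colour/attribute: cosmetic only
            return "sgr"
        return "csi"         # cursor movement, erase, mode switches, ...
    if m.group("osc") is not None:
        return "osc"         # window title, clipboard and similar side channels
    if m.group("dcs") is not None:
        return "dcs"         # device-control strings, incl. user-defined keys
    return "esc"

def sanitize(data: bytes):
    """Return (printable_text, findings); findings is a list of (label, raw)."""
    findings = []
    def drop(m):
        findings.append((classify(m), m.group(0)))
        return b""
    clean = _ESC_RE.sub(drop, data)
    # Every ESC is consumed above or here, so no sequence survives even if it
    # used a syntax the regex did not recognise; classification is best effort.
    clean = re.sub(rb"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]", b"", clean)
    return clean.decode("utf-8", "replace"), findings

def is_hazardous(findings):
    """True when anything other than plain SGR colouring was seen."""
    return any(label != "sgr" for label, _ in findings)

# Constructed sample of what a session transcript might carry back to a viewer.
SAMPLE = (b"\x1b[32mlogin ok\x1b[0m\r\n"
          b"\x1b[27;115;p"               # CSI ... p, the form the message warns about
          b"\x1b]0;title\x07"            # OSC: set window title
          b"\x1bP0;1|hello\x1b\\"        # DCS string
          b"bye\n")
```

Run `sanitize(SAMPLE)` on the transcript before piping it to a terminal; `is_hazardous` on the findings tells you whether anything beyond colouring was removed.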