[TC] Hackers dropped a secret backdoor in Asus’ update software - Page 3 - Overclock.net - An Overclocking Community

post #21 of 37, 03-27-2019 07:53 AM
epic1337:
Quote (originally posted by 8051):
> But you can block SSH traffic from external IPs, in which case how would you log in to the servers that host the files?

Never heard of island hopping?

post #22 of 37, 03-27-2019 08:18 AM
ku4eto:
Quote (originally posted by 8051):
> But you can block SSH traffic from external IPs, in which case how would you log in to the servers that host the files?

The stupid thing is, they probably not only left large numbers of IPs allowed, due to home-office days and vacations with sudden urgent work, but also probably allowed password authentication instead of only key pairs.

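The two weak settings ku4eto speculates about, password logins allowed and a broad set of source IPs, are the kind of thing an sshd_config audit catches before an attacker does. The following is an added example written for this page, not code from the thread, from ASUS, or from any published analysis of the incident. It assumes standard OpenSSH sshd_config syntax and a POSIX shell with awk; both sample configurations are constructed for illustration and are not real ASUS files. The check evaluates the global settings and additionally flags any Match block that turns password authentication back on, since a `Match Address` block can silently undo a global `PasswordAuthentication no`.

```shell
#!/bin/sh
# Added example (not from the thread or from ASUS): audit an OpenSSH sshd_config
# for the weak settings the posters speculate about. Assumes standard OpenSSH
# sshd_config syntax; the sample configs further down are constructed.

# audit_sshd_config: read sshd_config text on stdin, print one finding per
# line, and return the number of findings as the exit status (0 = clean).
audit_sshd_config() {
  awk '
    BEGIN { n = 0; pw = "yes"; pk = "yes"; root = ""; allow = 0; inmatch = 0 }
    # strip trailing comments, skip blank lines, normalise keyword and value
    { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next; key = tolower($1); val = tolower($2) }
    # everything after the first Match line is conditional, not global
    key == "match" { inmatch = 1; next }
    # a Match block can re-enable password logins for some source range
    inmatch && key == "passwordauthentication" && val == "yes" {
      print "Match block re-enables password login: " $0; n++; next
    }
    inmatch { next }
    key == "passwordauthentication" { pw = val }
    key == "pubkeyauthentication"   { pk = val }
    key == "permitrootlogin"        { root = val }
    key == "allowusers" || key == "allowgroups" { allow = 1 }
    END {
      # OpenSSH defaults: PasswordAuthentication yes, PubkeyAuthentication yes
      if (pw != "no")    { print "PasswordAuthentication is \"" pw "\" (default yes): set it to no"; n++ }
      if (pk != "yes")   { print "PubkeyAuthentication is \"" pk "\": key-pair login is disabled"; n++ }
      if (root == "yes") { print "PermitRootLogin yes: root can log in directly over SSH"; n++ }
      if (!allow)        { print "No AllowUsers/AllowGroups: every local account may log in"; n++ }
      exit n
    }'
}

# count_findings CONFIG_TEXT: run the audit quietly and echo the finding count.
count_findings() {
  rc=0
  printf '%s\n' "$1" | audit_sshd_config > /dev/null || rc=$?
  echo "$rc"
}

# Constructed sample 1: password logins on, root allowed, no account allow-list.
WEAK_CONFIG='# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no'

# Constructed sample 2: key-only, no root, restricted to one admin group.
HARDENED_CONFIG='# sshd_config (constructed sample)
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups release-admins
Match Address 10.20.0.0/16
    PermitTTY yes'

# Demo: 3 findings for the weak sample, none for the hardened one.
echo "== weak sample =="
printf '%s\n' "$WEAK_CONFIG" | audit_sshd_config || true
echo "== hardened sample =="
printf '%s\n' "$HARDENED_CONFIG" | audit_sshd_config && echo "no findings"
```

Run the file with `sh` to see the findings for both samples, or feed a real file with `audit_sshd_config < /etc/ssh/sshd_config`; the exit status is the finding count, so it drops straight into a CI gate. One caveat the posters' discussion glosses over: the IP allow-list they are talking about normally lives in the firewall, not in sshd_config. `AllowUsers`/`AllowGroups` restrict accounts, not source addresses; narrowing sshd itself by source takes `ListenAddress` and `Match Address` blocks, which is exactly why the checker looks inside those blocks.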
post #23 of 37, 03-27-2019 08:38 AM
epic1337:
Quote (originally posted by ku4eto):
> The stupid thing is, they probably not only left large numbers of IPs allowed, due to home-office days and vacations with sudden urgent work, but also probably allowed password authentication instead of only key pairs.

Yeah, target a remote PC that's allowed to connect, then use it to relay the attacks.

post #24 of 37, 03-27-2019 02:47 PM
8051:
Quote (originally posted by epic1337):
> Yeah, target a remote PC that's allowed to connect, then use it to relay the attacks.

To use SSH on my corporate network requires a SecurID token, but I suppose a hacker could just wait around until a compromised remote PC logs in.

That would get you into the network but not onto the servers or NASes that host the files, and the external IP address of the web server hosting the files would probably not be the same as the internal IP address of that given NAS or server, so how would you find out what IP address or server you needed on the corporate network? It could even be that the internal IP address of the NAS or server hosting the file isn't accessible from an external IP at all (i.e. it's on a private network).
post #25 of 37, 03-27-2019 04:06 PM
epic1337:
Quote (originally posted by 8051):
> To use SSH on my corporate network requires a SecurID token, but I suppose a hacker could just wait around until a compromised remote PC logs in.
>
> That would get you into the network but not onto the servers or NASes that host the files, and the external IP address of the web server hosting the files would probably not be the same as the internal IP address of that given NAS or server, so how would you find out what IP address or server you needed on the corporate network? It could even be that the internal IP address of the NAS or server hosting the file isn't accessible from an external IP at all (i.e. it's on a private network).

In this case it's a patch/update server, so it's obviously connected to the main network, which means anyone with administration rights can connect to it.

Plus, finding out the addresses is just a matter of snooping them.

post #26 of 37, 03-27-2019 09:00 PM
looniam:
We have a statement!

[Attachment 261796: Capture.PNG, screenshot of the statement]

Yes! They posted that on Facebook!


post #27 of 37, 03-28-2019 09:19 AM
ENTERPRISE:
Quote (originally posted by looniam):
> We have a statement!
>
> [Attachment 261796]
>
> Yes! They posted that on Facebook!

Probably more malware, lol.


post #28 of 37, 03-28-2019 10:51 AM
8051:
Quote (originally posted by epic1337):
> In this case it's a patch/update server, so it's obviously connected to the main network, which means anyone with administration rights can connect to it.
>
> Plus, finding out the addresses is just a matter of snooping them.

Not necessarily. You can have a dual-homed host where the external IP address is not the same as the internal IP address, and the internal IP address can be on a (virtual or not) private network that blocks external SSH access. What if the host name for the internal IP address is NOT the same as the host name for the external IP address? Have you ever seen a large corporate network topology?
post #29 of 37, 03-28-2019 11:34 AM
epic1337:
Quote (originally posted by 8051):
> Not necessarily. You can have a dual-homed host where the external IP address is not the same as the internal IP address, and the internal IP address can be on a (virtual or not) private network that blocks external SSH access. What if the host name for the internal IP address is NOT the same as the host name for the external IP address? Have you ever seen a large corporate network topology?

That would've been the case if this wasn't a public patch/update server; it's connected to the main network, otherwise those public clients wouldn't be able to get their patches.

post #30 of 37, 03-28-2019 12:05 PM
Raghar:
Quote (originally posted by looniam):
> We have a statement!
>
> [Attachment 261796]
>
> Yes! They posted that on Facebook!

I wonder if they'll replace it with another hacking tool. Security that depends only on a certificate, or on user remote-access privileges, is a bad idea.