[TC] Hackers dropped a secret backdoor in Asus’ update software - Page 3 - Overclock.net - An Overclocking Community
post #21 of 37 (permalink) Old 03-27-2019, 07:53 AM
Quote: Originally Posted by 8051
But you can block SSH traffic from external IP's, in which case how would you login to the servers that host the files?
never heard of island hopping?
epic1337 is offline  
post #22 of 37 (permalink) Old 03-27-2019, 08:18 AM
Quote: Originally Posted by 8051
But you can block SSH traffic from external IP's, in which case how would you login to the servers that host the files?
The stupid thing is, they probably not only left a large number of IPs allowed, due to home office days and vacations with urgent sudden work, but also probably allowed password authentication instead of only key pairs.
ku4eto is offline  
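The posture ku4eto describes (a wide set of allowed source addresses plus password logins instead of key pairs) is something a defender can check mechanically in sshd_config. The following is an added example, not code from this thread or from Asus; both config samples are constructed, and the 256-host threshold for a "too wide" Match Address is an assumption.

```python
import ipaddress
import re

# Constructed sshd_config samples (not Asus' real ones): the weak posture the post describes, then a key-only one.
WEAK_SSHD_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
Match Address 0.0.0.0/0
    AllowUsers deploy
"""
HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
Match Address 10.20.0.0/24
    AllowUsers deploy
"""

def audit_sshd_config(text, max_source_hosts=256):
    """Findings for settings that weaken an Internet-facing sshd; max_source_hosts is an assumed threshold."""
    opts, findings, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()               # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)     # sshd accepts 'Key value' or 'Key=value'
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            in_match = True                               # lines after Match are conditional, not global
            m = re.match(r"address\s+(\S+)", value, re.I)
            for net in (m.group(1).split(",") if m else []):
                try:
                    n = ipaddress.ip_network(net, strict=False)
                except ValueError:                        # wildcard patterns such as 10.* are not CIDR
                    findings.append(f"Match Address {net}: wildcard pattern, review its scope")
                    continue
                if n.num_addresses > max_source_hosts:
                    findings.append(f"Match Address {net} admits {n.num_addresses} source hosts")
            continue
        if not in_match:
            opts.setdefault(key, value.lower())           # sshd keeps the first value it sees
    # OpenSSH defaults when unset: PasswordAuthentication yes, KbdInteractiveAuthentication yes
    if opts.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing is possible")
    if opts.get("kbdinteractiveauthentication", opts.get("challengeresponseauthentication", "yes")) != "no":
        findings.append("KbdInteractiveAuthentication is not 'no': PAM passwords are still usable")
    if opts.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes: root is reachable with a password")
    return findings
```

Run it against the real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; an empty list means none of the listed weaknesses were found.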
post #23 of 37 (permalink) Old 03-27-2019, 08:38 AM
Quote: Originally Posted by ku4eto
The stupid thing is, they probably not only left a large number of IPs allowed, due to home office days and vacations with urgent sudden work, but also probably allowed password authentication instead of only key pairs.
yeah, target a remote PC that's allowed to connect, then use it to relay the attacks.
epic1337 is offline  
post #24 of 37 (permalink) Old 03-27-2019, 02:47 PM
Quote: Originally Posted by epic1337
yeah, target a remote PC that's allowed to connect, then use it to relay the attacks.
To use SSH on my corporate network requires a SecurID token, but I suppose a hacker could just wait around until a compromised remote PC logs in.

That would get you into the network, but not onto the servers or NASes that host the files. The external IP address of the web server hosting the files would probably not be the same as the internal IP address of that NAS or server, so how would you find out which IP address or server you needed on the corporate network? It could even be that the internal IP address of the NAS or server hosting the file isn't accessible from an external IP at all (i.e. it's on a private network).
8051 is offline  
post #25 of 37 (permalink) Old 03-27-2019, 04:06 PM
Quote: Originally Posted by 8051
To use SSH on my corporate network requires a SecurID token, but I suppose a hacker could just wait around until a compromised remote PC logs in.

That would get you into the network, but not onto the servers or NASes that host the files. The external IP address of the web server hosting the files would probably not be the same as the internal IP address of that NAS or server, so how would you find out which IP address or server you needed on the corporate network? It could even be that the internal IP address of the NAS or server hosting the file isn't accessible from an external IP at all (i.e. it's on a private network).
in this case it's a patch/update server, so it's obviously connected to the main network, which means to say anyone with administration rights can connect to it.

plus finding out the addresses is just a matter of snooping it.
epic1337 is offline  
post #26 of 37 (permalink) Old 03-27-2019, 09:00 PM
we have a statement!

[Image attachment: Capture.PNG, ID 261796]
yes! they posted that on facebook!

looniam is offline  
post #27 of 37 (permalink) Old 03-28-2019, 09:19 AM
Quote: Originally Posted by looniam
we have a statement!

Attachment 261796

yes! they posted that on facebook!

Probably more malware lol
ENTERPRISE is offline  
post #28 of 37 (permalink) Old 03-28-2019, 10:51 AM
Quote: Originally Posted by epic1337
in this case it's a patch/update server, so it's obviously connected to the main network, which means to say anyone with administration rights can connect to it.

plus finding out the addresses is just a matter of snooping it.
Not necessarily. You can have a dual-homed host where the external IP address is not the same as the internal IP address and the internal IP address can be on a (virtual or not) private network that blocks external SSH access. What if the host name for the internal IP address is NOT the same as the host name for the external IP address? Have you ever seen a large corporate network topology?
8051 is offline  
post #29 of 37 (permalink) Old 03-28-2019, 11:34 AM
Quote: Originally Posted by 8051
Not necessarily. You can have a dual-homed host where the external IP address is not the same as the internal IP address and the internal IP address can be on a (virtual or not) private network that blocks external SSH access. What if the host name for the internal IP address is NOT the same as the host name for the external IP address? Have you ever seen a large corporate network topology?
that would've been the case if this wasn't a public patch/update server; it's connected to the main network, otherwise those public clients wouldn't be able to get their patches.
epic1337 is offline  
post #30 of 37 (permalink) Old 03-28-2019, 12:05 PM
Quote: Originally Posted by looniam
we have a statement!

Attachment 261796

yes! they posted that on facebook!

I wonder if they replace it with another hacking tool. Security that's only dependent on a certificate, or on user remote-access privileges, is a bad idea.
Raghar is offline  