Thread: Why OpenSUSE did it?

  1. #1

    Why OpenSUSE did it?

    Hello.
    I installed the latest version of OpenSUSE and installed Elasticsearch and Kibana on it and nothing else. This Linux server is not ready yet and we have never worked with it, but OpenSUSE uploaded many files and... something like S-P-Y or...
    Some data from the captured file:
    Code:
    17:02:00.298515 IP (tos 0x0, ttl 64, id 46168, offset 0, flags [DF], proto TCP (6), length 64)
        elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0xbd0a), seq 300, ack 337, win 229, options [nop,nop,TS val 3546870 ecr 14067419,nop,nop,sack 1 {336:337}], length 0
    17:02:04.934564 ARP, Ethernet (len 6), IPv4 (len 4), Reply elastic.suse is-at 00:0c:29:85:5b:a3 (oui Unknown), length 28
    17:02:10.578500 IP (tos 0x0, ttl 64, id 46169, offset 0, flags [DF], proto TCP (6), length 64)
        elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0xb300), seq 300, ack 337, win 229, options [nop,nop,TS val 3549440 ecr 14067419,nop,nop,sack 1 {336:337}], length 0
    17:02:20.858681 IP (tos 0x0, ttl 64, id 46170, offset 0, flags [DF], proto TCP (6), length 64)
        elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0xa8f6), seq 300, ack 337, win 229, options [nop,nop,TS val 3552010 ecr 14067419,nop,nop,sack 1 {336:337}], length 0
    17:02:23.710156 IP (tos 0x0, ttl 64, id 46171, offset 0, flags [DF], proto TCP (6), length 52)
        elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4529 (incorrect -> 0x431a), seq 300, ack 365, win 229, options [nop,nop,TS val 3552723 ecr 14067960], length 0
    17:02:33.986522 IP (tos 0x0, ttl 64, id 46172, offset 0, flags [DF], proto TCP (6), length 64)
        elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0x99b3), seq 300, ack 365, win 229, options [nop,nop,TS val 3555292 ecr 14067960,nop,nop,sack 1 {364:365}], length 0
    17:02:44.267499 IP (tos 0x0, ttl 64, id 46173, offset 0, flags [DF], proto TCP (6), length 64)
        elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0x8fa8), seq 300, ack 365, win 229, options [nop,nop,TS val 3557863 ecr 14067960,nop,nop,sack 1 {364:365}], length 0
    17:02:54.437289 IP (tos 0x0, ttl 64, id 46174, offset 0, flags [DF], proto TCP (6), length 64)
        elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0x85ba), seq 300, ack 365, win 229, options [nop,nop,TS val 3560405 ecr 14067960,nop,nop,sack 1 {364:365}], length 0
    17:02:58.079426 ARP, Ethernet (len 6), IPv4 (len 4), Reply elastic.suse is-at 00:0c:29:85:5b:a3 (oui Unknown), length 28
    17:02:58.884638 IP (tos 0x0, ttl 64, id 46175, offset 0, flags [DF], proto TCP (6), length 52)
        elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4529 (incorrect -> 0x1f45), seq 300, ack 393, win 229, options [nop,nop,TS val 3561517 ecr 14068311], length 0
    17:03:09.094450 IP (tos 0x0, ttl 64, id 46176, offset 0, flags [DF], proto TCP (6), length 64)
        elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0x75b7), seq 300, ack 393, win 229, options [nop,nop,TS val 3564069 ecr 14068311,nop,nop,sack 1 {392:393}], length 0
    17:03:19.375119 IP (tos 0x0, ttl 64, id 46177, offset 0, flags [DF], proto TCP (6), length 64)
        elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0x6bad), seq 300, ack 393, win 229, options [nop,nop,TS val 3566639 ecr 14068311,nop,nop,sack 1 {392:393}], length 0
    17:03:27.573571 IP (tos 0x0, ttl 64, id 24861, offset 0, flags [DF], proto UDP (17), length 61)
        elastic.suse.55662 > google-public-dns-a.google.com.domain: [bad udp cksum 0x209f -> 0x0ed5!] 10109+ A? www.s9xk32c.com. (33)
    17:03:27.669410 IP (tos 0x0, ttl 64, id 1635, offset 0, flags [DF], proto TCP (6), length 60)
        elastic.suse.40044 > 91.195.240.82.http: Flags [S], cksum 0x5c99 (incorrect -> 0xd61f), seq 536834602, win 29200, options [mss 1460,sackOK,TS val 3568713 ecr 0,nop,wscale 7], length 0
    17:03:27.758488 IP (tos 0x0, ttl 64, id 1636, offset 0, flags [DF], proto TCP (6), length 52)
        elastic.suse.40044 > 91.195.240.82.http: Flags [.], cksum 0x5c91 (incorrect -> 0xa58e), seq 536834603, ack 21361276, win 229, options [nop,nop,TS val 3568735 ecr 949003280], length 0
    17:03:27.758610 IP (tos 0x0, ttl 64, id 1637, offset 0, flags [DF], proto TCP (6), length 270)
        elastic.suse.40044 > 91.195.240.82.http: Flags [P.], cksum 0x5d6b (incorrect -> 0xffba), seq 0:218, ack 1, win 229, options [nop,nop,TS val 3568735 ecr 949003280], length 218: HTTP, length: 218
            GET /config.rar HTTP/1.1
            Accept: */*
            Accept-Language: zh-cn
            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
            Host: www.s9xk32c.com
            Connection: Keep-Alive
    
    17:03:27.852276 IP (tos 0x0, ttl 64, id 1638, offset 0, flags [DF], proto TCP (6), length 52)
        elastic.suse.40044 > 91.195.240.82.http: Flags [.], cksum 0x5c91 (incorrect -> 0xa168), seq 218, ack 716, win 240, options [nop,nop,TS val 3568759 ecr 949003374], length 0
    17:03:29.656511 IP (tos 0x0, ttl 64, id 46178, offset 0, flags [DF], proto TCP (6), length 64)
        elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0x61a2), seq 300, ack 393, win 229, options [nop,nop,TS val 3569210 ecr 14068311,nop,nop,sack 1 {392:393}], length 0
    As you see, it's like a virus or... but why?

    Other information:
    Code:
    tcpdump -r capture.cap -vvv | grep "Host:"
    reading from file capture.cap, link-type EN10MB (Ethernet)
            Host: www.s9xk32c.com
            Host: www.s9xk32c.com
            Host: www.s9xk32c.com
            Host: www.s9xk32c.com
            Host: www.s9xk32c.com
            Host: www.s9xk32c.com
            Host: www.s9xk32c.com
    Code:
    # systemctl status SuSEfirewall2
    SuSEfirewall2.service - SuSEfirewall2 phase 2
       Loaded: loaded (/usr/lib/systemd/system/SuSEfirewall2.service; enabled)
       Active: active (exited) since Sat 2018-12-29 13:03:44 +0330; 22h ago
     Main PID: 2070 (code=exited, status=0/SUCCESS)
       CGroup: /system.slice/SuSEfirewall2.service
    
    Dec 29 13:03:31 elastic systemd[1]: Starting SuSEfirewall2 phase 2...
    Dec 29 13:03:31 elastic SuSEfirewall2[2070]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
    Dec 29 13:03:44 elastic SuSEfirewall2[2070]: Firewall rules successfully set
    Dec 29 13:03:44 elastic systemd[1]: Started SuSEfirewall2 phase 2.
    Code:
    # journalctl | grep SuSE*
    Dec 11 10:25:33 linux-a725 SuSEfirewall2[1257]: Firewall rules set to CLOSE.
    Dec 11 10:25:48 linux-a725 SuSEfirewall2[1726]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
    Dec 11 10:25:48 linux-a725 SuSEfirewall2[1732]: using default zone 'ext' for interface eth0
    Dec 11 10:25:49 linux-a725 SuSEfirewall2[1849]: Firewall rules successfully set
    Dec 11 10:28:11 linux-a725 SuSEfirewall2[2293]: Not unloading firewall rules at system shutdown
    Dec 15 10:13:36 linux-a725 SuSEfirewall2[1312]: Firewall rules set to CLOSE.
    Dec 15 10:13:51 linux-a725 SuSEfirewall2[1770]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
    Dec 15 10:13:51 linux-a725 SuSEfirewall2[1776]: using default zone 'ext' for interface eth0
    Dec 15 10:13:51 linux-a725 SuSEfirewall2[1888]: Firewall rules successfully set
    Dec 15 11:30:35 linux-a725 SuSEfirewall2[9698]: Not unloading firewall rules at system shutdown
    Dec 15 11:30:53 linux-a725 SuSEfirewall2[1299]: Firewall rules set to CLOSE.
    Dec 15 11:31:04 linux-a725 SuSEfirewall2[1808]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
    Dec 15 11:31:04 linux-a725 SuSEfirewall2[1820]: using default zone 'ext' for interface eth0
    Dec 15 11:31:05 linux-a725 SuSEfirewall2[1938]: Firewall rules successfully set
    Dec 15 11:49:21 linux-a725 SuSEfirewall2[2933]: Firewall rules unloaded.
    Dec 15 11:49:21 linux-a725 SuSEfirewall2[2955]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
    Dec 15 11:49:21 linux-a725 SuSEfirewall2[2961]: using default zone 'ext' for interface eth0
    Dec 15 11:49:22 linux-a725 SuSEfirewall2[3029]: Firewall rules successfully set
    Dec 15 12:38:15 linux-a725 systemd[1]: Stopping SuSEfirewall2 phase 2...
    Dec 15 12:38:15 linux-a725 SuSEfirewall2[21675]: Firewall rules unloaded.
    Dec 15 12:38:15 linux-a725 SuSEfirewall2[21684]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
    Dec 15 12:38:15 linux-a725 SuSEfirewall2[21690]: using default zone 'ext' for interface eth0
    Dec 15 12:38:16 linux-a725 SuSEfirewall2[22042]: Firewall rules successfully set
    Dec 15 12:47:25 linux-a725 systemd[1]: Stopping SuSEfirewall2 phase 2...
    Dec 15 12:47:25 linux-a725 systemd[1]: Stopped SuSEfirewall2 phase 2.
    Dec 15 12:47:25 linux-a725 SuSEfirewall2[9728]: Not unloading firewall rules at system shutdown
    Dec 15 12:47:26 linux-a725 systemd[1]: Stopping SuSEfirewall2 phase 1...
    Dec 15 12:47:26 linux-a725 systemd[1]: Stopped SuSEfirewall2 phase 1.
    Dec 15 12:47:39 linux-a725 SuSEfirewall2[1037]: Firewall rules set to CLOSE.
    Dec 15 12:47:39 linux-a725 systemd[1]: Started SuSEfirewall2 phase 1.
    Dec 15 12:47:41 linux-a725 systemd[1]: Starting SuSEfirewall2 phase 2...
    Dec 15 12:47:41 linux-a725 SuSEfirewall2[1500]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
    Dec 15 12:47:41 linux-a725 SuSEfirewall2[1508]: using default zone 'ext' for interface eth0
    Dec 15 12:47:42 linux-a725 SuSEfirewall2[1981]: Firewall rules successfully set
    Dec 15 12:47:42 linux-a725 systemd[1]: Started SuSEfirewall2 phase 2.
    Dec 15 14:20:12 linux-a725 systemd[1]: Stopping SuSEfirewall2 phase 2...
    Dec 15 14:20:12 linux-a725 SuSEfirewall2[3031]: Not unloading firewall rules at system shutdown
    Dec 15 14:20:12 linux-a725 systemd[1]: Stopped SuSEfirewall2 phase 2.
    Dec 15 14:20:13 linux-a725 systemd[1]: Stopping SuSEfirewall2 phase 1...
    Dec 15 14:20:13 linux-a725 systemd[1]: Stopped SuSEfirewall2 phase 1.
    Dec 15 14:20:27 linux-a725 SuSEfirewall2[1058]: Firewall rules set to CLOSE.
    Dec 15 14:20:27 linux-a725 systemd[1]: Started SuSEfirewall2 phase 1.
    Dec 15 14:20:29 linux-a725 systemd[1]: Starting SuSEfirewall2 phase 2...
    Dec 15 14:20:29 linux-a725 SuSEfirewall2[1533]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
    Dec 15 14:20:29 linux-a725 SuSEfirewall2[1539]: using default zone 'ext' for interface eth0
    Dec 15 14:20:29 linux-a725 SuSEfirewall2[1992]: Firewall rules successfully set
    Dec 15 14:20:29 linux-a725 systemd[1]: Started SuSEfirewall2 phase 2.
    Dec 15 14:34:21 linux-a725 systemd[1]: Stopping SuSEfirewall2 phase 2...
    Dec 15 14:34:21 linux-a725 SuSEfirewall2[8028]: Not unloading firewall rules at system shutdown
    Dec 15 14:34:21 linux-a725 systemd[1]: Stopped SuSEfirewall2 phase 2.
    Dec 15 14:34:22 linux-a725 systemd[1]: Stopping SuSEfirewall2 phase 1...
    Dec 15 14:34:22 linux-a725 systemd[1]: Stopped SuSEfirewall2 phase 1.
    Dec 15 14:34:35 elastic SuSEfirewall2[1149]: Firewall rules set to CLOSE.
    Dec 15 14:34:35 elastic systemd[1]: Started SuSEfirewall2 phase 1.
    Dec 15 14:34:37 elastic systemd[1]: Starting SuSEfirewall2 phase 2...
    Dec 15 14:34:37 elastic SuSEfirewall2[1611]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
    Dec 15 14:34:37 elastic SuSEfirewall2[1617]: using default zone 'ext' for interface eth0
    Dec 15 14:34:38 elastic SuSEfirewall2[2073]: Firewall rules successfully set
    Dec 15 14:34:38 elastic systemd[1]: Started SuSEfirewall2 phase 2.
    Dec 15 15:37:26 elastic systemd[1]: Stopping SuSEfirewall2 phase 2...
    Dec 15 15:37:26 elastic SuSEfirewall2[26607]: Firewall rules unloaded.
    Dec 15 15:37:26 elastic systemd[1]: Starting SuSEfirewall2 phase 2...
    Dec 15 15:37:26 elastic SuSEfirewall2[26652]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
    Dec 15 15:37:26 elastic SuSEfirewall2[26652]: using default zone 'ext' for interface eth0
    Dec 15 15:37:27 elastic SuSEfirewall2[26652]: Firewall rules successfully set
    Dec 15 15:37:27 elastic systemd[1]: Started SuSEfirewall2 phase 2.
    Dec 15 15:40:11 elastic systemd[1]: Stopped SuSEfirewall2 phase 2.
    Dec 15 15:40:11 elastic SuSEfirewall2[21128]: Not unloading firewall rules at system shutdown
    Dec 15 15:40:11 elastic systemd[1]: Stopping SuSEfirewall2 phase 1...
    Dec 15 15:40:11 elastic systemd[1]: Stopped SuSEfirewall2 phase 1.
    Dec 15 15:40:35 elastic systemd[1]: Starting SuSEfirewall2 phase 1...
    Dec 15 15:40:36 elastic SuSEfirewall2[1278]: Firewall rules set to CLOSE.
    Dec 15 15:40:36 elastic systemd[1]: Started SuSEfirewall2 phase 1.
    Dec 15 15:40:42 elastic systemd[1]: Starting SuSEfirewall2 phase 2...
    Dec 15 15:40:42 elastic SuSEfirewall2[1876]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
    Dec 15 15:40:42 elastic SuSEfirewall2[1876]: using default zone 'ext' for interface eth0
    Dec 15 15:40:43 elastic SuSEfirewall2[1876]: Firewall rules successfully set
    Dec 15 15:40:43 elastic systemd[1]: Started SuSEfirewall2 phase 2.
    Dec 15 16:13:24 elastic SuSEfirewall2[14822]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
    Dec 15 16:13:24 elastic SuSEfirewall2[14822]: using default zone 'ext' for interface eth0
    Dec 15 16:13:25 elastic SuSEfirewall2[14822]: Firewall rules successfully set
    Dec 15 16:19:09 elastic SuSEfirewall2[16751]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
    Dec 15 16:19:09 elastic SuSEfirewall2[16751]: using default zone 'ext' for interface eth0
    Dec 15 16:19:10 elastic SuSEfirewall2[16751]: Firewall rules successfully set
    Dec 16 11:16:28 elastic SuSEfirewall2[7656]: Not unloading firewall rules at system shutdown
    Dec 16 11:16:28 elastic systemd[1]: Stopped SuSEfirewall2 phase 2.
    Dec 16 11:16:30 elastic systemd[1]: Stopping SuSEfirewall2 phase 1...
    Dec 16 11:16:30 elastic systemd[1]: Stopped SuSEfirewall2 phase 1.
    Dec 16 11:16:53 elastic SuSEfirewall2[1318]: Firewall rules set to CLOSE.
    Dec 16 11:16:53 elastic systemd[1]: Started SuSEfirewall2 phase 1.
    Dec 16 11:16:59 elastic systemd[1]: Starting SuSEfirewall2 phase 2...
    Dec 16 11:16:59 elastic SuSEfirewall2[1891]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
    Dec 16 11:16:59 elastic SuSEfirewall2[1891]: using default zone 'ext' for interface eth0
    Dec 16 11:17:00 elastic SuSEfirewall2[1891]: Firewall rules successfully set
    Dec 16 11:17:00 elastic systemd[1]: Started SuSEfirewall2 phase 2.
    Dec 16 12:12:04 elastic systemd[1]: Stopping SuSEfirewall2 phase 2...
    Dec 16 12:12:04 elastic SuSEfirewall2[13838]: Firewall rules unloaded.
    Dec 16 12:12:04 elastic systemd[1]: Stopped SuSEfirewall2 phase 2.
    Dec 16 12:12:04 elastic systemd[1]: Starting SuSEfirewall2 phase 2...
    Dec 16 12:12:04 elastic SuSEfirewall2[13896]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
    Dec 16 12:12:05 elastic SuSEfirewall2[13896]: Firewall rules successfully set
    Dec 16 12:12:05 elastic systemd[1]: Started SuSEfirewall2 phase 2.
    .
    .
    .
    Any idea?

    Thank you.

  2. #2
    Join Date
    Mar 2011
    Location
    Sauerland
    Posts
    3,729

  3. #3

    Re: AW: Why OpenSUSE did it?

    Yes. Is it an attack?

  4. #4
    Join Date
    Mar 2011
    Location
    Sauerland
    Posts
    3,729

    AW: Why OpenSUSE did it?

    See the answers in the other thread......

  5. #5
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    10,640
    Blog Entries
    1

    Re: Why OpenSUSE did it?

    OK,
    I'll take a stab here with some observation and opinion probably a bit more enlightened than what you've gotten so far only because I know Elastic and Kibana, have set it up a few times before and know what it is. The comments you've gotten so far are partially justified because it does look like you've just dumped a bunch of data without any attempt to analyze on your part. So, for example... I think your first post comes from a tcpdump. It shows nothing but a lot of traffic. The other postings about your firewall and host info aren't particularly useful.

    Criticism of your posting has been mainly based on single-machine deployment solutions, which does not apply to your situation and does not take into account that Elastic and Kibana are not intended to be deployed on a single machine; it's a distributed architecture which is best deployed on multiple physical nodes (and even virtual nodes). Elastic is very automatically self-configuring across as many nodes as you set up in the cluster; if you want to expand, you simply add another machine with Elastic installed and using the same group name... Your existing Elastic cluster will automatically discover the new member and the role it's meant to assume, and starts to set up the new member, complete with migrating or duplicating data from other nodes. Because this is all done automatically, all these complex tasks require a tremendous amount of chatty network communications.

    If you understand all of the above, then you will know that the nodes in your Elastic cluster (even if it's a single machine) would be normally very busy all the time, probing for possible new members on the physical network.

    The comments you were given about default security are partially true. Unlike what you postulated and how others responded, I don't believe you're likely hacked, although under the right circumstances it might have happened (in other words, if you're exposed, fix it ASAP).
    Like any other application and deployment, installing with defaults and leaving it exposed to insecure networks like the Internet is a recipe for being hacked. But it's also very easy to customize your security parameters (primarily your Elastic cluster name); do that and, although I still wouldn't advise exposing directly to the Internet, you can do so with a reasonable expectation you won't be hacked.

    If this is your first look at Elastic and Kibana (and many other useful 3rd party apps you'll eventually want to install), I highly recommend you install on multiple machines from the beginning, a minimum of 3 nodes. If you don't have a bunch of unused hardware lying around, you should set up using virtualization (I've set up in VMware, VirtualBox and Docker but of course other virtualization like KVM and Xen should be fine, too) which enables running multiple virtual machines on a single or few physical machines. Only by installing on multiple nodes can you get a grasp of what you're working with, and the idea you only need to add another generic machine to expand your cluster... Using virtualization, this would be as simple as cloning a VM, installing Elastic and configuring it to run in the same network.

    HTH,
    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!
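
A way to do a first-pass analysis of the capture from the first post, as an added example that is not part of the original thread: it reads `tcpdump -vvv` text, counts packets per destination, and pulls out DNS queries and HTTP requests. The function names and the User-Agent heuristic are assumptions made for this example; the sample lines are abbreviated from the capture above.

```python
import re
from collections import Counter

# Sample input: lines abbreviated from the tcpdump -vvv text in the first post.
SAMPLE = """\
17:02:00.298515 IP (tos 0x0, ttl 64, id 46168, offset 0, flags [DF], proto TCP (6), length 64)
    elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], seq 300, ack 337, win 229, length 0
17:02:10.578500 IP (tos 0x0, ttl 64, id 46169, offset 0, flags [DF], proto TCP (6), length 64)
    elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], seq 300, ack 337, win 229, length 0
17:03:27.573571 IP (tos 0x0, ttl 64, id 24861, offset 0, flags [DF], proto UDP (17), length 61)
    elastic.suse.55662 > google-public-dns-a.google.com.domain: 10109+ A? www.s9xk32c.com. (33)
17:03:27.758610 IP (tos 0x0, ttl 64, id 1637, offset 0, flags [DF], proto TCP (6), length 270)
    elastic.suse.40044 > 91.195.240.82.http: Flags [P.], seq 0:218, ack 1, win 229, length 218: HTTP, length: 218
        GET /config.rar HTTP/1.1
        Accept: */*
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
        Host: www.s9xk32c.com
        Connection: Keep-Alive
"""

FLOW = re.compile(r"^\s+(\S+) > (\S+): (.*)$")        # "src.port > dst.port: ..."
DNS_Q = re.compile(r"\b(?:A|AAAA)\? (\S+)")            # "A? name."
REQ = re.compile(r"^\s+(GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/\d")
HDR = re.compile(r"^\s+([A-Za-z-]+): (.*)$")


def split_endpoint(endpoint):
    """tcpdump prints host.port; the port (or service name) is the last label."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def summarize(text, local_os="Linux"):
    """Summarize destinations, DNS queries and HTTP requests in tcpdump -vvv text."""
    dests, dns, http = Counter(), [], []
    dst, cur = None, None
    for line in text.splitlines():
        m = FLOW.match(line)
        if m:
            dst, cur = split_endpoint(m.group(2)), None
            dests[dst] += 1
            q = DNS_Q.search(m.group(3))
            if q and dst[1] == "domain":
                dns.append(q.group(1).rstrip("."))
            continue
        m = REQ.match(line)
        if m and dst:
            cur = {"dst": dst[0], "method": m.group(1), "path": m.group(2)}
            http.append(cur)
            continue
        m = HDR.match(line)
        if m and cur is not None:
            cur[m.group(1).lower()] = m.group(2).strip()
    # Heuristic (assumption): a Windows browser User-Agent on a non-Windows
    # server means the request did not come from software you installed.
    findings = [
        f"{r['method']} http://{r.get('host', r['dst'])}{r['path']} "
        f"sent with a Windows browser User-Agent from a {local_os} host"
        for r in http
        if "Windows" in r.get("user-agent", "") and local_os != "Windows"
    ]
    return {"destinations": dests, "dns": dns, "http": http, "findings": findings}


if __name__ == "__main__":
    for finding in summarize(SAMPLE)["findings"]:
        print(finding)
```

To run it on a real capture, feed it the output of `tcpdump -r capture.cap -vvv` instead of `SAMPLE`.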

  6. #6
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    10,640
    Blog Entries
    1

    Re: Why OpenSUSE did it?

    Also,
    If you're wondering about the Host name in your tcpdump, you can do a WHOIS lookup,

    https://www.name.com/whois-lookup/s9xk32c.com

    The owners are using an Agent to hide their identity, so if you want to know anything more, that would require more effort.

    TSU

  7. #7
    Join Date
    Nov 2013
    Location
    Kamloops, BC, Canada
    Posts
    3,976

    Re: Why OpenSUSE did it?

    Why OpenSUSE did it?
    It didn't.

    You did.
    -Gerry Makaro
    Fraser-Bell Info Tech
    Solving Tech Mysteries since the Olden Days!
    ~~
    If I helped you, consider clicking the Star at the bottom left of my post.