Re: GNU Parallel Bug Reports Issue after GNU parallel **IMP**


From: Ole Tange
Subject: Re: GNU Parallel Bug Reports Issue after GNU parallel **IMP**
Date: Mon, 6 Feb 2017 20:03:48 +0100

On Mon, Feb 6, 2017 at 2:40 PM,  <address@hidden> wrote:
> HI Team
>
> We are stuck in the middle of a hacking issue, which has been raised after I
> installed GNU parallel on one of our servers using the below command.
>
> (wget -O - pi.dk/3 || curl pi.dk/3/ || fetch -o - http://pi.dk/3) | bash
>
> I was using below link for personal learning as well.
>
> https://www.gnu.org/software/parallel/parallel_tutorial.html
>
> Now I want to know can something like this happen?

It is most likely a coincidence. GNU Parallel does nothing on the
network, so the timing of the attack is purely coincidental.

But let us put on our tinfoil hats and theorize on what Evil Corp
_could_ have done:

In theory you could have DNS poisoning at your site, so pi.dk does not
point to 188.138.2.24:

$ host pi.dk
pi.dk has address 188.138.2.24
pi.dk mail is handled by 0 pi.dk.
pi.dk mail is handled by 11 ns.pi.dk.

If you get any different result, you should not trust your name server
and only install packages with your package manager.

In theory the http request could have been redirected if Evil Corp has
full control of one of the routers from you to pi.dk. In this case
they can redirect you to a different page which will download their
tool instead (which could contain GNU Parallel plus a tool they can
use to remote control your machine).

This is also very unlikely: it is a fairly labour-intensive attack and
GNU Parallel is hardly a high profile target, so there will not be a
lot of benefit.

You can test this with:

$ (wget -O - pi.dk/3 || curl pi.dk/3/ || fetch -o - http://pi.dk/3) | md5sum
371a67616e3bf517afb2ec868254f418

If you get another value, someone is changing data on the connection,
and you should stop using http (if Evil Corp are really skilled, they
will also be changing the content of this email! Again I find that
highly unlikely).

In both cases you could in theory be tricked into installing a
different program than GNU Parallel. If you did not install it as
root, then you should be able to find the evil program by examining
your computer as root.

> We are getting emails where an attempt has been made on a server location in
> Brazil using our server details.
>
> We are planning to uninstall or rollback to last snapshot but I would like
> to know your views on the issue!!

I find it very unlikely that GNU Parallel has anything to do with
this. I find it much more likely that something else just happened to
take place around the time you installed GNU Parallel.

But if you have an old snapshot a diff might reveal what has happened.


/Ole
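The two checks Ole describes (fetch the installer, compare its checksum with a value obtained out of band) can be combined so that nothing is piped into a shell until the hash matches. The following is an added example, not code from the thread or from the GNU Parallel project; it assumes GNU coreutils `md5sum` and `curl`, and uses the md5 value quoted above purely as a placeholder for whatever reference hash you obtained independently.

```shell
#!/bin/sh
# Added example (not from the original thread): download the installer to a
# file, verify its md5 against a reference value obtained out of band, and
# only then let the caller execute it. Assumes md5sum (coreutils) and curl.

# Print the md5 of FILE as a bare hex string (md5sum prints "hash  name").
file_md5() {
    md5sum "$1" | cut -d' ' -f1
}

# Return 0 when FILE's md5 equals EXPECTED, 1 otherwise (mismatch on stderr).
# Swap file_md5 for a sha256sum wrapper if your reference hash is sha256.
verify_installer() {
    file="$1"
    expected="$2"
    actual=$(file_md5 "$file") || return 1
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "md5 mismatch for $file: got $actual, expected $expected" >&2
    return 1
}

# Fetch URL into a temp file, verify it, and move it to OUT only on success.
# The file is never executed here; that decision stays with the caller.
# EXPECTED is your out-of-band reference hash (the thread quotes
# 371a67616e3bf517afb2ec868254f418 for that day's installer; treat it as a
# placeholder, since the installer and its hash change over time).
fetch_and_verify() {
    url="$1"
    expected="$2"
    out="$3"
    tmp=$(mktemp) || return 1
    if ! curl -fsSL "$url" -o "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    if verify_installer "$tmp" "$expected"; then
        mv "$tmp" "$out"
        return 0
    fi
    rm -f "$tmp"
    return 1
}
```

Typical use is `fetch_and_verify http://pi.dk/3 "$REFERENCE_MD5" ./install-parallel.sh && sh ./install-parallel.sh`, so a tampered download is discarded instead of executed.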