# Huge Intel black hole: does any fingerprinting exist that identifies the attacker who compromised me?



## Handy92 (May 3, 2017)

I read some articles about the Intel black hole:

https://hardenedlinux.github.io/fir...ME_firmware_on_sandybridge_and_ivybridge.html

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr

I have this situation here. Someone got in and played with the AC line, plugging and unplugging power; they probably can see what I am doing on the computer, probably deleted some important private files, probably broke the root password. I thought it might be my mistake and an attack on the browser. Does ANY way exist to check ANY information about the attacker? IP address, MAC address, anything?? Someone?

Something else: auth.log shows a login as ROOT, but it is 100 percent not me. Root login is disabled (I do not add users to the wheel group). The firewall is highly restrictive and was turned on (set up?) before connecting to the internet at installation time. I use the internet in a dormitory, running on an old PC with Windows and NAT, plugged in when everything is set up offline. Sometimes DHCP is down (even when I want to use WiFi via smartphone!) without any reason, so I must configure it manually.

My /etc/fstab:


```
/dev/raid/r0p2  /               ufs     rw      1       1
/dev/raid/r0p3  /usr            ufs     rw      2       2
/dev/raid/r0p4  /var            ufs     rw,nosuid       2       2
/dev/raid/r0p5  /var/tmp        ufs     rw,nosuid,noexec        2       2
/dev/raid/r0p6  /var/log        ufs     rw,nosuid,noexec        2       2
/dev/raid/r0p7  /tmp            ufs     rw,nosuid,noexec        2       2
/dev/raid/r0p8  /home           ufs     rw,nosuid,noexec        2       2
```

IPFW rules:


```
ipfw -q -f flush

ipfw -q add 0010 deny all from any to any via lo0
ipfw -q add 0020 deny all from any to 127.0.0.0/8
ipfw -q add 0030 deny all from 127.0.0.0/8 to any
ipfw -q add 0040 deny all from any to any frag

ipfw -q add 0060 allow tcp from me to any 53 out setup keep-state
ipfw -q add 0070 allow udp from me to any 53 out keep-state
ipfw -q add 0080 allow tcp from me to any 80 out setup keep-state
ipfw -q add 0090 allow tcp from me to any 443 out setup keep-state
ipfw -q add 0091 allow udp from me to 153.19.250.123 dst-port 123 out keep-state

ipfw -q add 0998 deny P:2 from any to any
ipfw -q add 0999 deny all from any to any 137
ipfw -q add 1000 deny log all from any to any
```

auth.log:


```
May  1 01:30:45 komputer polkitd[1154]: Loading rules from directory /usr/local/etc/polkit-1/rules.d
May  1 01:30:45 komputer polkitd[1154]: Loading rules from directory /usr/local/share/polkit-1/rules.d
May  1 01:30:45 komputer polkitd[1154]: Finished loading, compiling and executing 1 rules
May  1 01:30:45 komputer polkitd[1154]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
May  1 01:31:06 komputer login: login on ttyv0 as komputer
May  2 03:49:30 komputer login: login on ttyv0 as root
May  2 03:49:30 komputer login: ROOT LOGIN (root) ON ttyv0
May  2 03:57:19 komputer polkitd[1180]: Loading rules from directory /usr/local/etc/polkit-1/rules.d
May  2 03:57:19 komputer polkitd[1180]: Loading rules from directory /usr/local/share/polkit-1/rules.d
May  2 03:57:19 komputer polkitd[1180]: Finished loading, compiling and executing 1 rules
May  2 03:57:19 komputer polkitd[1180]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
May  2 03:57:27 komputer login: login on ttyv0 as root
May  2 03:57:27 komputer login: ROOT LOGIN (root) ON ttyv0
```

Now I am checking ports 16992 and 16993 in the firewall log.


----------



## SirDice (May 3, 2017)

Handy92 said:


> Something else: auth.log shows a login as ROOT, but it is 100 percent not me. Root login is disabled (I do not add users to the wheel group). The firewall is highly restrictive and was turned on (set up?) before connecting to the internet at installation time.


The logins were on the console (ttyv0). No amount of firewalls or SSH configuration is going to protect you there.


----------



## Handy92 (May 3, 2017)

https://software.intel.com/sites/default/files/m/2/1/f/f/a/43527-Intel_AMT8_Start_Here_Guide.pdf - holy shit, it is possible to do everything...

I know. Thanks for responding. So where do I search for fingerprinting? Does Wireshark show it? Is it possible to find anything? The logs are clean. I looked in the Xorg files but there is nothing... A few days ago DHCP was broken. First I thought it was the router, but when I wanted to connect to the phone, ttyv0 responded with weird things. I do not remember exactly what was there, "cannot get up DHCP" or "cannot synchronize DHCP", but it looked like it was being disabled from the inside... I do not have any second machine for blocking and logging ports 16992 and 16993. I had a problem with booting from USB too. First everything worked, then at one moment it did not. Only a hard reset and unplugging the BIOS battery helped.

Any ideas, anything. Some Xorg authority file maybe?? Please, I can't do it by myself. It is probably too hard even for me.

Suppose for a moment that someone has access to Xorg. Xorg must be prepared for it. What file must be changed to drop the screen? Magic cookie...


----------



## getopt (May 3, 2017)

If you suspect that your box has been physically compromised, good practice is backing up data and setting up the system completely new, in a hopefully better way.

If you have a box that you cannot physically protect, you can set up your system on top of GELI, bootable only with a dedicated USB stick/media attached that you always carry with you. That protects against getting access to a powered-off system. Note: you have to power off to protect the system, i.e. when you leave the room.


----------



## Handy92 (May 3, 2017)

I did it on 30.04. Now I tried using me_cleaner. It probably works with this HP, but not for me. Can anyone tell me something useful, something I don't know anything about? I am asking for something... Does someone really want to help me? Really... It is always "Unknown Image"... I tried to use me_cleaner.py on Rom.bin... extracted from the original HP BIOS package. Some people on GitHub say it works on OEM, but there is no information on how they did it.

I really do not like this climate/atmosphere. I want to ask these people why they do that? What is the reason, why must I be alone? Why is everything breaking in my life... I was a child. It's sick, similar to pizzagate... I do not have words to comment on it. What wrong can a four-year-old child do???? Very bad people. One person kills himself, the next is waiting... It is easier to make money; that is one of the reasons why some people will have broken lives.

PS: it's not a daemon. The power line onboard the laptop is separate from the operating system. This hole has its own OS; it is possible to bypass the password when it is plugged into NAT. Virtualized technology isn't helping; both OSes are infected. It uses firmware lower than the OS. The ports used by this shit are 16992 and 16993. The signal is redirected to Intel's own OS before the packet goes to the system firewall. And it is possible to do everything to the computer... Localise people using FB for example, and voila. It is possible to stalk a few billion people around the world. For what? Is it really a good way? I do not think so. I do not want to take part in this shit. This is a huge off-topic. I do not have any proof for it, so these are the words of some random from the internet. Or maybe not. Now I'm really going away from here, because really nobody wants to help me constructively and it is an easy way to lock Unix again. It's sad, I just like it. I have the PW open if someone wants to publish this shit. I end this spam. Thanks and bye.


----------



## ronaldlees (May 3, 2017)

The Intel-related issue could be opaque to your OS, and is probably not the origin of your attack vector. Perhaps someone has had physical access to your console? You might need a padlock. I do agree that the online environment now is full of mines and quicksand. Not a walk I want to take, really.

OTOH, it seems that IT departments around the world are not very worried. I'm trying to get my head around the "ten years and nobody noticed" phenomenon. Maybe nobody cares ... except some guy named Igor (who apparently reported this a year ago - if I believe what I read). I think a lot of people will associate the Intel advisory with attacks, just because it's in the news.

Anyway, you know the drill.  Try to save any non-script/non-binary/non-executable data if it's important, and reformat your system. If there's binary data that's important, I guess you can try to vet it for troubles.  Some people take no chances and dump everything ...

I "ghost" my systems every day, and usually run a read-only environment.  Anyway, good luck!


----------



## Handy92 (May 3, 2017)

These are new world rules; I can't win this shit alone. Someone from INSIDE needs to tell (not leasing, just telling is another process in the brain) something to start, and welcome into Hell. Where is the place for 200 years of freedom? Rich people on drugs want to control everyone (I do not personalize it for the Intel corporation). And me... I disagree. End this shit. I really want to prove it. But I don't know how to do it. People around me are scared, my family too. I can't get any information about it. I do not have any proof for it. In fact there are only my words; someone can say "you're crazy" and this will be the end of the fight, therefore I can't have been compromised. In the logs there is just nothing. I have only the root login, but it looks like a login from the keyboard, not remote via sshd, rsh or something. And again... I do not know how to talk with my family, if they had told me everything at the beginning, for today. But it is hard to say. I want to write it in black and white and force action, even if they publish everything they have about me, or want to kill me. It has come to unjustified violence, physically and psychologically, in a sense of impunity. Now there is stalking on the web, the mobile phone probably too. Even if I wanted it, EVEN I have dyslexia, dysgraphia, and dysorthographia. I am a different person and I just can't do it. I am a TECHNICIAN, not a LINGUIST. It's really sad.

Thanks, PW is unlocked. And she's so pretty. xD


----------



## ronaldlees (May 3, 2017)

Handy92 said:


> I really want to prove it. But I don't know how to do it. People around me are scared, my family too. I can't get any information about it. I do not have any proof for it. In fact there are only my words; someone can say "you're crazy" and this will be the end of the fight, therefore I can't have been compromised. In the logs there is just nothing. I have only the root login, but it looks like a login from the keyboard, not remote via sshd, rsh or something. And again... I do not know how to talk with my family, if they had told me everything at the beginning, for today. But it is hard to say. I want to write it in black and white and force action, even if they publish everything they have about me, or want to kill me. It has come to unjustified violence, physically and psychologically, in a sense of impunity. Now there is stalking on the web, the mobile phone probably too. Even if I wanted it, EVEN I have dyslexia, dysgraphia, and dysorthographia. I am a different person and I just can't do it. I am a TECHNICIAN, not a LINGUIST. It's really sad.



Is your habitat something you can legally install surreptitious cam surveillance on? I think I saw the word "dormitory" - which might inhibit such activity. Looks like you have the old shoe-leather type of case. A video is something you could take to the law (especially in Europe). But - you mustn't violate it yourself, of course.


----------



## SirDice (May 3, 2017)

You're most likely not getting hacked through this Intel stuff. It's only available on server-grade hardware, not laptops, not consumer desktops. Servers. High-end servers even.


> This vulnerability does not exist on Intel-based consumer PCs.



As for the unaccounted root logins, change root's password. Use a proper password. Don't write it down. Then keep an eye on `tail -F /var/log/auth.log`. When you see somebody logging in (or attempting to login) walk to the computer. Hit whomever has his hands on the keyboard over the head with a large mallet.
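For the two things this thread tells the poster to look for, a ROOT LOGIN on the console in auth.log (the lines posted in the first message) and traffic to the AMT ports 16992/16993 in the ipfw log, here is an added detection example that is not code from this thread or from FreeBSD; the ipfw log lines, addresses and interface name are constructed.

```python
import re
from collections import Counter

# auth.log lines as posted in the thread, plus constructed ipfw log lines in
# the "ipfw: <rule> Deny <proto> <src>:<port> <dst>:<port> in via <if>" form
# that a "deny log" rule like rule 1000 above writes to syslog. Addresses
# and the interface name are made up for this example.
AUTH_LOG = """\
May  1 01:31:06 komputer login: login on ttyv0 as komputer
May  2 03:49:30 komputer login: login on ttyv0 as root
May  2 03:49:30 komputer login: ROOT LOGIN (root) ON ttyv0
May  2 03:57:27 komputer login: login on ttyv0 as root
May  2 03:57:27 komputer login: ROOT LOGIN (root) ON ttyv0
"""
IPFW_LOG = """\
May  2 03:40:11 komputer kernel: ipfw: 1000 Deny TCP 192.0.2.77:51234 192.0.2.10:16992 in via em0
May  2 03:40:12 komputer kernel: ipfw: 1000 Deny TCP 192.0.2.77:51235 192.0.2.10:16993 in via em0
May  2 03:41:00 komputer kernel: ipfw: 1000 Deny TCP 192.0.2.77:51236 192.0.2.10:22 in via em0
"""

ROOT_LOGIN = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ login: ROOT LOGIN \(\w+\) ON (\S+)")
IPFW_DENY = re.compile(
    r"ipfw: \d+ Deny (\w+) (\S+):(\d+) (\S+):(\d+) (?:in|out) via (\S+)")
AMT_PORTS = {16992, 16993}  # the two ports the thread discusses


def console_root_logins(text, allowed_ttys=()):
    """Return (timestamp, tty) for each direct root login on a tty that is
    not in allowed_ttys. A hit on ttyv0 means someone at the physical
    console, which no firewall or sshd setting can prevent."""
    hits = []
    for line in text.splitlines():
        m = ROOT_LOGIN.match(line)
        if m and m.group(2) not in allowed_ttys:
            hits.append((m.group(1), m.group(2)))
    return hits


def amt_port_hits(text, ports=AMT_PORTS):
    """Count ipfw-denied packets per source address aimed at an AMT port.
    Caveat: on an AMT-provisioned NIC the ME answers these ports before the
    packet reaches the host, so an empty result is not evidence of absence."""
    counts = Counter()
    for line in text.splitlines():
        m = IPFW_DENY.search(line)
        if m and int(m.group(5)) in ports:
            counts[m.group(2)] += 1
    return dict(counts)


if __name__ == "__main__":
    for when, tty in console_root_logins(AUTH_LOG):
        print(f"ALERT root login on {tty} at {when}")
    for src, n in amt_port_hits(IPFW_LOG).items():
        print(f"ALERT {n} denied packet(s) from {src} to AMT ports")
```

Run it against `/var/log/auth.log` and `/var/log/security` from cron in place of watching `tail -F` by eye; the AMT check only sees what the host kernel saw, which is exactly the limitation the thread is about.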


----------



## Handy92 (May 3, 2017)

Why did you ask, and use English that is hard to translate? If I can't know it before I write a response. I see everything. Do not do that again. Please.


----------



## Handy92 (May 3, 2017)

I did that, thanks; if something happens I'll write it here.

Edit: Sir... Somebody told you something not true (or just bullshit). This HP supports this shit technology at v11, because I checked it. HP 8460p. The Coreboot community is disabling something on this laptop using a tool to break this stuff. So if it deletes some things, that means it will be the ME; it is that simple...
If you use a hammer, it means you nail nails. And I like to use BSD on a laptop because it is simple and has high-quality code.

There is no possibility to get into this computer using conventional methods. I do not tell my password, laugh, and I have a good memory, and I know that if someone got into root I would paste a stupid picture on some forums. DHCP was being disabled from the inside. Because I can't use cable, and WiFi can't stand up either. Power, DHCP, missing private files. Mouse, memstick. It fixes it.


----------



## Phishfry (May 3, 2017)

SirDice said:


> not laptops,


Are you sure about this? AMT is used on many laptops, from my understanding. Perhaps on the business models.
http://www.thinkwiki.org/wiki/Intel_Active_Management_Technology_(AMT)
HP and Dell business models may also be affected.


----------



## SirDice (May 3, 2017)

Phishfry said:


> Are you sure about this? AMT is used on many laptops, from my understanding. Perhaps on the business models.


You might be right. But then indeed only limited to the business models.


----------



## Handy92 (May 3, 2017)

8460p is a business model. Lenovo ThinkPads have it too. For now it is only in business; in a moment it will be everything.


----------



## Phishfry (May 3, 2017)

vPRO feature was what they called it in laptops.
Quite a few have it.
http://forum.notebookreview.com/threads/what-is-this-intel-vpro-option.369208/
Notice the date. Since at least 2009.


----------



## Handy92 (May 3, 2017)

Yes. And how do I patch the BIOS using this script?? I learned of it today. Because some Russian guy found a bypass with which you can connect to it from the LAN. I have LAN...


----------



## Phishfry (May 3, 2017)

I have bricked a Kontron QM77 board with a wonky bios flash. It was ME upgrade that got me.

So you're 'on your own' there. I wouldn't rush into it. This is serious surgery to remove a firmware blob.


----------



## rigoletto@ (May 3, 2017)

Maybe not related but:

Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Escalation of Privilege


----------



## Handy92 (May 3, 2017)

Here is a fresh article. Really sorry for the source... Any opinion? https://translate.googleusercontent...0.html&usg=ALkJrhiXotDXREL9uvSlneqJnT01iIm29w


----------



## Handy92 (May 3, 2017)

Or build the firewall on ARM... You will find the original article.


----------



## Phishfry (May 3, 2017)

Have you tried the Intel detection tool to check whether you need to worry?
https://downloadcenter.intel.com/download/26755

The Register seems to think all vPro is affected as well:
https://www.theregister.co.uk/2017/05/01/intel_amt_me_vulnerability/


----------



## Phishfry (May 3, 2017)

There you go, a plug for the Netgate SG-1000 dual Ethernet ARM platform.


Handy92 said:


> Or build the firewall on ARM...



This issue proves why diversity is important.


----------



## Phishfry (May 3, 2017)

One man's management interface is another man's backdoor.


----------



## Handy92 (May 3, 2017)

But here something is written.



> This is a closed, proprietary black box operating below the operating system and even a hypervisor, which has full access to all hardware. Its centerpiece is a bizarre ARC processor, which is similar to the SuperFX chip from SuperNintendo, and all of this works with the Realtime ThreadX system. If you try to damage the firmware, the computer will shut down after 30 minutes.



It clearly looks like a backdoor. If you believe it, nobody knows what exactly this firmware does. Do you understand the security risk? Every security is bypassed now; I really do not trust closed firmware. Why do I not have data logs when someone plays with the AC line? Now I'll be writing an article about it. What now? FreeBSD is a secure system. How to block it? Does any way exist to block this shit using the kernel?? Intel will do nothing.


----------



## Handy92 (May 3, 2017)

It is abstract... And you must only die; everything else you just can.

How about a USB Ethernet card plugged into USB?


----------



## Phishfry (May 3, 2017)

From a management interface perspective, use an Ethernet port that is not a management port and you should be clear of the BS.
But if these interfaces are onboard the mainboard, you have the EFI Ethernet stack to trust as well! I don't.


----------



## Handy92 (May 4, 2017)

This card is so cheap. I will try it before I do a BIOS hard reset. Will FreeBSD work with a USB Ethernet adapter?

ASIX AX88772A - this chip is supported by BSD. But the BIOS does not pick up this card, right?? And there will be no connection between the "black hole" and this adapter, right, I think?

And one more thing. FreeBSD is used by corporations, therefore there will never be a backdoor here xD.

How about encrypting the disk? Even if it is a computer inside a computer, mounting the file system is needed??

I bought it.


----------



## Handy92 (May 4, 2017)

How about TrueCrypt and GRUB? Should be easier...


----------

