What kind of hacking is going on here??

Connecting to the Internet with OpenVPN, the connection fails. Rerunning openvpn works second time round but the install is hacked at that point (e.g., a rogue 'java-security' update tries to install itself on 'yum update', yum however spots this and rejects the download, other basic things start to fail).

If I however open only a https udp port prior to bringing the network interface up and starting openvpn then all is fine.

Anyone any idea what is going on here?


You really have not given us enough information to determine what is happening. However I would check for DNS spoofing and Man In the Middle attacks for starters.

What message is yum displaying when it rejects the download?

OK, I've just watched Moxie Marlinspike from 2009:

thoughtcrime.org/software/sslstrip

It was a clean offline install of SL6, as soon as ifup exited the connect script attempted to connect openvpn. I didn't copy the ...messages output unfortunately. Second attempt it connected. Immediately followed with yum update, yum didn't attempt to synchronize with the repos, just went straight to a download of a file named 'java-security...' which was 70% complete when it started (leaving me sitting there wondering what was happening). Yum finished the download and immediately reported something hadn't checked (in future I will religiously log all these errors!), it made a second attempt which started from 0%, didn't take as long as the first attempt, which yum again rejected, yum did this approx. 4 times in total. The second time I ran yum update it behaved normally, as you would expect.

I've had continuous instances of the hacks Moxie describes for over a year now, so I think more or less certainly this is a MITM type hack. I've also had a SSL certificate error from one site (a Verizon cert. I think, the site was the local Police authority crime report form), and that is with the current install. However, with this current install none of the usual hacks have repeated (i.e., since tightening up the connect script). I am at this point anyway not sure what to do! Should I go mobile wireless!?

The main question I have at the moment is where could the data possibly be intercepted? A clean install, in a room with the door bolted behind me. This is a normal household Internet connection, I'm not using wifi (ethernet to the router), though I have a wifi router (could this have been compromised, and if so would it result in this problem?), which is connected to the Internet through a cable provider (Virgin cable). I can inspect the telecoms cable OK to the point it is in the ground.

The website this brought down btw was libraryweb.info (Library Web (UK)). I'm not a Unix admin, so this is all new territory.

---------- Post updated 18-04-11 at 11:08 AM ---------- Previous update was 17-04-11 at 08:42 PM ----------

Regarding the Police website and the rejected certificate. I was testing Konqueror 4.4.3, the same webpage however works fine with Firefox 3.6.3 (the cert. is accepted as valid).

I am though in Konqueror able to open the secure login page on the verisign website validated with a VeriSign certificate. So Konqueror is rejecting the VeriSign cert. on the Police website, but not on the actual verisign website itself.

Note if I accept the rejected certificate, when the page loads it is very sluggish, I find myself typing a few words before they actually appear in the text box (i.e., the display of the text being typed takes a second or two to catch up - this does not happen on any other web page). Also when I submit the page, it briefly (for a half second) reloads and redisplays itself positioned at the top of the page (not at the bottom where the submit button is), before displaying the acknowledgment of receipt page.

Also, I accepted the rejected cert., and submitted a crime report, and I'm confirming this now, but at this point it doesn't look as though the Police actually received the crime report sent through to them (i.e., it didn't arrive).

merseyside.police.uk/index.aspx?articleid=2812 (page reporting the rejected cert.)
merseyside.police.uk/index.aspx?articleid=1646 (the linking page)

Screenshots of the certificate and chain attached.

Slackware 13 VirtualBox VM (default network interface, not a bridge) with SL6 host (OpenVPN connection to the Internet).

Is it a case of MITM passing most traffic through but listening for crime reports sent using the Police website?

Quick update, the crime report I made on the webpage that Konqueror rejected the certificate did in fact arrive, the usual within 2 hours reply not being met in this case (I'm not sure exactly why!).

An additional thought returned to mind, konqueror didn't reject the certificate every time I went to the page for some odd reason, the cert. was initially rejected, but then I found I could access the page without the cert. error for a while, however the cert. error returned after maybe half a dozen accesses to the page. One other point, I'm using a more or less bare metal install (or the best a non-engineer can do at least - no more than twm etc.). (I also run home CCTV, though usually set my desktop up as a kiosk type login anyway.)

I've now changed VPN passwords using a mobile Internet connection, and servers while at it. Konqueror is still rejecting the page though. Checked one other site I know to be verified by VeriSign also and konqueror had no difficulty with it.

To conclude I am without a doubt being hacked badly (I've just tried to create a SL6 VM that was hacked almost immediately), though whether or not the phenomenon with Konqueror is a hack is still open I think.

If anyone has any tips on dealing with DNS spoofing and MITM attacks, books, webpages, etc., it would be appreciated.
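As an added example (not code from anyone in this thread), here are the two checks the earlier reply suggests starting with: comparing DNS answers from the local resolver against reference resolvers, and recording the SHA-256 fingerprint of the certificate a site actually presents so that a later change (like the Konqueror rejection described above) can be compared against a value captured over a trusted path such as the mobile link. The resolver addresses and hostnames in the `__main__` block are placeholders, and the DNS reply in the comments is constructed; substitute your own.

```python
# Added example (not from the thread): two checks to run when DNS spoofing or a
# TLS man-in-the-middle is suspected. Resolver addresses and hostnames below are
# placeholders you substitute for your own environment.
import hashlib
import random
import socket
import ssl
import struct
from collections import Counter


def build_query(name, txid):
    """Build a minimal DNS A query (RFC 1035 wire format), recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer occupies 2 bytes
            return off + 2
        off += 1 + length


def parse_a_records(data, txid):
    """Return the set of IPv4 addresses in the answer section of a DNS reply.

    A reply whose transaction id does not match our query is rejected outright;
    a forged reply whose sender guessed the id wrong fails here."""
    rid, _flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: reply not for our query")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4          # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return addrs


def resolve_via(resolver_ip, name, timeout=3.0):
    """Ask one specific resolver for the A records of name (needs network)."""
    txid = random.randrange(0, 1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver_ip, 53))
        reply, _ = sock.recvfrom(4096)
    return parse_a_records(reply, txid)


def disagreeing_resolvers(results):
    """Given {resolver_label: set_of_addresses}, return the labels whose answer
    differs from the majority answer. Empty set means every resolver agreed;
    a lone dissenting local resolver is the classic sign of a poisoned cache
    or a spoofing hop on the path."""
    tally = Counter(frozenset(addrs) for addrs in results.values())
    majority = tally.most_common(1)[0][0]
    return {label for label, addrs in results.items() if frozenset(addrs) != majority}


def leaf_fingerprint(host, port=443):
    """Connect with full chain and hostname verification against the system CA
    store and return the SHA-256 of the leaf certificate (needs network).
    Record the value over a link you trust; a later mismatch on the suspect
    link means a different certificate was presented."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def pin_matches(observed_hex, pinned_hex):
    """Compare a freshly observed fingerprint with the recorded one."""
    return observed_hex.lower() == pinned_hex.lower()


if __name__ == "__main__":
    # Placeholders: the system resolver plus two reference resolvers you trust.
    resolvers = {"local": "192.0.2.1", "ref-a": "192.0.2.2", "ref-b": "192.0.2.3"}
    answers = {label: resolve_via(ip, "example.com") for label, ip in resolvers.items()}
    print("answers:", answers)
    print("disagreeing:", disagreeing_resolvers(answers) or "none")
    print("leaf sha256:", leaf_fingerprint("example.com"))
```

Run the resolver comparison once from the suspect connection and once from the mobile link; if only the "local" label shows up as disagreeing, the answer is being altered somewhere between the host and the reference resolvers. The fingerprint check complements the browser's verdict: `ssl.create_default_context()` already rejects an untrusted chain or a hostname mismatch with an exception, so a connection that succeeds but returns a fingerprint different from the one recorded earlier is the case worth investigating.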