[Jenkins-infra] (fwd) RE: Your Azure Account - Terms of Use Reminder - Jenkins
Arnaud Héritier
aheritier at gmail.com
Mon Aug 6 12:49:27 UTC 2018
Couldn't we ask M$ for a more detailed timeline of when they
discovered this issue (last activity occurred 8/1/2018 ...) and then
look at the Jenkins build history to find whether a project was building at
that time?
For example, this job (and branches) ran on August 1st:
https://ci.jenkins.io/job/Plugins/job/azure-app-service-plugin/
And it is launching a Windows agent on Azure labelled win2012-ABCDEF
https://ci.jenkins.io/job/Plugins/job/azure-vm-agents-plugin/job/master/107/consoleFull
On Mon, Aug 6, 2018 at 1:42 PM Oleg Nenashev <o.v.nenashev at gmail.com> wrote:
> Sorry, 9:30PM UTC is too late in my TZ, I am unlikely to be able to join.
> Could you please send out summary notes after the meeting?
>
> Thanks in advance,
>
> On Mon, Aug 6, 2018 at 1:19 PM, Olblak <me at olblak.com> wrote:
>
>> The main problem here is that this kind of machine is short-lived and I don't
>> think we can know which project was built on that particular machine. For
>> auditing purposes, it would be nice to have a log file with such information.
>>
>> > * there's some repo(s) which are invoking Maven and using it to run
>> Or for instance gradlew https://git.io/fN1TZ
>> Unfortunately there are different ways to run arbitrary scripts on those
>> agents and I don't think it will be possible to avoid that.
>>
>> A solution that comes to my mind would be to isolate those machines as much
>> as possible to forbid outgoing/ingoing connections as much as possible.
>>
>> We'll probably discuss this during the infra meeting today so feel
>> free to join https://jenkins.io/event-calendar/
>>
>>
>> ---
>> -> gpg --keyserver keys.gnupg.net --recv-key 52210D3D
>> ---
>>
>>
>>
>>
>> On Mon, Aug 6, 2018, at 10:44 AM, Oleg Nenashev wrote:
>>
>> Likely, it looks like an urgent issue so we should get all available
>> folks working on it. Added the security team to CC.
>>
>> I have tried to investigate the issue by looking at build histories, etc.
>> I was not really successful, unfortunately I cannot help much on the
>> server side with my current permission level.
>>
>> It would help if Azure support provides more info about the type of
>> cryptominer running there and exact timestamps. It would allow narrowing
>> down the scope and going through plugins to find malicious dependencies.
>>
>> BR, Oleg
>>
>>
>>
>>
>> On Mon, Aug 6, 2018 at 10:27 AM, Olblak <me at olblak.com> wrote:
>>
>> Shouldn't we move this discussion to security?
>>
>> ---
>> -> gpg --keyserver keys.gnupg.net --recv-key 52210D3D
>> ---
>>
>>
>> On Mon, Aug 6, 2018, at 12:20 AM, R. Tyler Croy wrote:
>> > (replies inline)
>> >
>> > On Sun, 05 Aug 2018, Oleg Nenashev wrote:
>> >
>> > > Is any help needed with this case?
>> > > Or are you handling it together with Olivier?
>> >
>> >
>> > Olivier and I haven't had a chance to really discuss it, so any thoughts you
>> > might have would be valuable.
>> >
>> >
>> > My current theories are:
>> >
>> > * there's some repo(s) which are invoking Maven and using it to run
>> > miners perhaps.
>> > * The dynamic agents are coming online and somehow being infected rather
>> > quickly, somehow, with nonsense.
>> >
>> >
>> >
>> > _______________________________________________
>> > Jenkins-infra mailing list
>> > Jenkins-infra at lists.jenkins-ci.org
>> > http://lists.jenkins-ci.org/mailman/listinfo/jenkins-infra
>>
--
-----
Arnaud Héritier
http://aheritier.net
Mail/GTalk: aheritier AT gmail DOT com
Twitter/Skype : aheritier