I woke up on the couch very early this morning, like around 4:30ish, after falling asleep trying to watch Kill Bill 1. I decided in my half-dazed state to check the disk space on one of my servers before going to bed, because it's been getting pretty close to full. I logged into the machine and typed last. Up came a login by user mythtv from a few days ago.
That's funny, because I sure didn't log in as mythtv any time recently, and I'm ostensibly the only one allowed to log into this machine.
mythtv was not logged in at that moment. But there was an sshd process running owned by mythtv. I checked the auth log, and sure enough, mythtv had logged in with a password. It was not in the middle of any other break-in attempts; just one successful login. It was probably because I, ahem, left the password at the default. I would not have done that intentionally, but I might have done it nonetheless.
So, long story short, someone got access to one of my machines for a few days. They didn't do anything to the machine, and I'm pretty certain after doing standard verification things that I was not rooted. They didn't send any mail out. They just ran an instance of EnergyMech, which they had renamed to sshd, probably for the same reason that they installed all this stuff in .... I admit I missed it the first time looking. The instance spawned 3 bots, who then logged into 3 different irc servers.
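As an added example (not from the original post), here are the two checks a defender could script for exactly the pattern described above: a successful password login by a service account showing up in the auth log, and a process that calls itself sshd but whose executable is not the real daemon. The service-account list, the log lines and the process table below are all constructed for illustration, not taken from the compromised machine.

```python
"""Two small post-incident checks: unexpected service-account logins in an
OpenSSH auth log, and processes masquerading as sshd. All sample data is
constructed; the service-account list is an assumption, adjust to taste."""
import re
from dataclasses import dataclass

# Accounts that should never authenticate interactively (assumed list).
SERVICE_ACCOUNTS = {"mythtv", "www-data", "mysql", "postgres", "nobody"}

# OpenSSH success line: "Accepted <method> for <user> from <ip> port <port> ssh2"
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)


@dataclass(frozen=True)
class Login:
    user: str
    method: str
    ip: str
    port: int


def parse_accepted_logins(lines):
    """Return a Login for every successful sshd authentication in the lines."""
    logins = []
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if m:
            logins.append(Login(m["user"], m["method"], m["ip"], int(m["port"])))
    return logins


def suspicious_logins(lines, service_accounts=SERVICE_ACCOUNTS):
    """Successful logins by accounts that should never log in at all.
    A password login by such an account is the strongest signal, since it
    usually means a default or shared password was never changed."""
    return [l for l in parse_accepted_logins(lines) if l.user in service_accounts]


def impostor_sshd(processes, real_sshd="/usr/sbin/sshd"):
    """Given (pid, user, comm, exe) tuples as one would collect from
    /proc/<pid>/comm and /proc/<pid>/exe, return processes that call
    themselves sshd but run some other binary. The real daemon's unprivileged
    per-connection children still resolve to the real path, so they are not
    flagged; a renamed IRC bot is."""
    return [p for p in processes if p[2] == "sshd" and p[3] != real_sshd]


# Constructed sample auth log: one service-account password login among
# ordinary traffic.
CONSTRUCTED_AUTH_LOG = [
    "Mar  3 02:14:07 myth sshd[4121]: Accepted password for mythtv from 198.51.100.23 port 51234 ssh2",
    "Mar  3 02:14:07 myth sshd[4121]: pam_unix(sshd:session): session opened for user mythtv by (uid=0)",
    "Mar  3 09:01:44 myth sshd[4390]: Accepted publickey for admin from 192.0.2.10 port 40122 ssh2",
    "Mar  3 09:02:01 myth sshd[4402]: Failed password for invalid user oracle from 198.51.100.23 port 51240 ssh2",
]

# Constructed process table: the daemon, a legitimate privsep child, and a
# renamed binary hiding in the service account's home directory.
CONSTRUCTED_PROCESSES = [
    (812, "root", "sshd", "/usr/sbin/sshd"),
    (4125, "mythtv", "sshd", "/usr/sbin/sshd"),
    (4390, "mythtv", "sshd", "/home/mythtv/.x/sshd"),
]


def run_checks(lines=CONSTRUCTED_AUTH_LOG, processes=CONSTRUCTED_PROCESSES):
    """Bundle both checks into one report for review."""
    return {
        "service_account_logins": suspicious_logins(lines),
        "impostor_sshd": impostor_sshd(processes),
    }


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(name)
        for f in findings:
            print("  ", f)
```

On a live system the process tuples would come from walking /proc and calling os.readlink on each pid's exe link; the log lines from /var/log/auth.log or the journal. The point of the comm-versus-exe comparison is that a process name is whatever the binary chooses to report, while the exe link is what the kernel actually loaded.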
Since they didn't seem to be doing anything harmful, and because I was curious and wanted to learn from this incident, I ran tethereal all day and recorded their traffic. I now have an awful lot of people's (or other bots'?) undernet passwords, and some conversations in Romanian. I'm not sure yet what to do with this information. If any of you speak what they speak in Romania and would like to translate some log files, let me know.
I'll post some more details about this later. Some of you will find the ~/.bash_history file entertaining, so I'll include that here. I also killed and restarted the EnergyMech in debug mode, and logged that for a while.
The question remains how they knew right off the bat that I was running mythtv. I have three theories at the moment. One is that they could be combing freenode's #mythtv-users channel for IPs, because it is publicly logged, and I have been there before (although normally my IP is obscured by my cloak). Second is that there has been some kind of compromise that allows them to monitor connections to the servers that myth boxes talk to in order to fill their database with channel info. Third is that they just got really lucky, and got in on the first try with a list of default users and passwords. I suppose there is the fourth possibility that they doctored the logs and actually exploited something to get in, but it doesn't look like that to me.
Obviously I will comb the bot and traffic logs for IPs and try to notify people that their machines have been compromised. Anything else I should do?
You'll see that they did some port scanning too. I'm not sure yet what all these strangely named binaries do, other than scan. They probably ran some more cracking attempts on other machines. They tried to set up a PHP cgi-bin script that lets them execute shell commands.
Among the artifacts they left lying around are files of common passwords and usernames. But mythtv does not appear in any of these files.
They also ran mythtv-setup, which is downright bizarre. Maybe they were expecting X forwarding to be enabled (it's not). If that's the case, then that lends credibility to the theory that this is a mythtv-specific effort.