[volunteergrid2-l] I'm sorry, but Introducer furl leaked
sabotrax at gmail.com
Wed Mar 7 13:34:13 UTC 2012
hi,
i sent this mail to the ml yesterday, but it didn't come through, so i
resend it as a reply:
Hi all,
it seems as if my server which is running tahoe has been hacked.
i hate to say this, but i think the introducer furl has to be changed again.
i just looked around my system when i saw a new dir "test" under
"/home" that has been created on 2012/02/21.
i then did:
root at foo:/home# lsof |grep test
bash 1458 test cwd DIR 0,18 460 6108855 /run/shm/ / /bot
bash 1458 test rtd DIR 8,1 4096 2 /
bash 1458 test txt REG 0,18 492135 6108126 /run/shm/ / /bot/bash
bash 1458 test mem REG 8,1 79712 14811193 /lib32/libresolv-2.13.so
bash 1458 test mem REG 8,1 46736 14811192 /lib32/libnss_files-2.13.so
bash 1458 test mem REG 8,1 1532104 14811189 /lib32/libc-2.13.so
bash 1458 test mem REG 8,1 22092 14811194 /lib32/libnss_dns-2.13.so
bash 1458 test mem REG 8,1 126152 14811196 /lib32/ld-2.13.so
bash 1458 test 0w REG 0,18 2153806 6108891 /run/shm/ / /bot/LinkEvents
bash 1458 test 1u sock 0,7 0t0 85480587 can't identify protocol
bash 1458 test 2u sock 0,7 0t0 85479769 can't identify protocol
bash 1458 test 3u IPv4 6108142 0t0 UDP *:49486
bash 1458 test 4u sock 0,7 0t0 85481277 can't identify protocol
bash 1458 test 5u sock 0,7 0t0 85698092 can't identify protocol
bash 1458 test 6u sock 0,7 0t0 85498612 can't identify protocol
bash 1458 test 7u sock 0,7 0t0 85576571 can't identify protocol
bash 1458 test 8u sock 0,7 0t0 86667704 can't identify protocol
bash 1458 test 9u sock 0,7 0t0 86667741 can't identify protocol
bash 1458 test 10u sock 0,7 0t0 86669526 can't identify protocol
bash 1458 test 11u sock 0,7 0t0 86669303 can't identify protocol
bash 1458 test 12u sock 0,7 0t0 86671788 can't identify protocol
bash 1458 test 13u sock 0,7 0t0 86670345 can't identify protocol
bash 1458 test 14u IPv4 89167118 0t0 TCP foo.cyberdeck.null:38455->161.53.178.240:ircd (SYN_SENT)
bash 1458 test 15u sock 0,7 0t0 86671794 can't identify protocol
bash 1458 test 16u sock 0,7 0t0 86707925 can't identify protocol
bash 1458 test 17u sock 0,7 0t0 87574595 can't identify protocol
bash 1458 test 18u IPv4 89167113 0t0 TCP foo.cyberdeck.null:49523->173.245.201.28:afs3-fileserver (SYN_SENT)
root at foo:/home# halt
W: molly-guard: SSH session detected!
Please type in hostname of the machine to halt: foo
An alle Benutzer verteilte Nachricht von undo at foo
(/dev/pts/0) um 16:24 ...
Das System wird sich JETZT zum Anhalten herunterfahren!
---
looks like my box has been a proud member of some botnet for the last two weeks.
atm i really don't know how this could have happened. i just wanted to
tell you guys as fast as possible.
greetings,
marcus
2012/3/5 Shawn Willden <shawn at willden.org>:
> Yup, I can see sabotrax.
>
> I think that's everyone, isn't it?
>
>
> On Mon, Mar 5, 2012 at 8:13 AM, <sabotrax at gmail.com> wrote:
>>
>> hi,
>> i just changed the introducer and restarted tahoe.
>> is my node kqyu52 connected? i'm just asking because i don't see it
>> from another box that's located in the same local net (but that could
>> be a routing issue).
>>
>> thanks
>>
>> 2012/3/3 Shawn Willden <shawn at willden.org>:
>> > 14 nodes on the new introducer FURL now! Only one or two haven't
>> > migrated.
>> >
>> >
>> > On Fri, Mar 2, 2012 at 4:15 PM, Christoph Langguth
>> > <christoph at rosenkeller.org> wrote:
>> >>
>> >> Wow!
>> >>
>> >> I'm absolutely amazed by you people here.
>> >>
>> >> It's been exactly 24 hours since we had a "911 call" on this list, with
>> >> people distributed around the globe.
>> >>
>> >> Within these 24 hours, we have managed to "migrate" 2/3 of the
>> >> infrastructure, maintained by almost 20 people, to a different
>> >> location. And
>> >> I'm sure that the rest of the maintainers will follow within a few
>> >> hours (or
>> >> when they read their mails.... jeez, it's weekend after all!).
>> >>
>> >> Quoting Jody, and in big letters:
>> >> YOU ARE AWESOME!
>> >>
>> >> Thanks! ;-)
>> >> -- Chris
>> >>
>> >>
>> >>
>> >> On 01.03.2012 23:55, slush wrote:
>> >>
>> >>> Hi all,
>> >>>
>> >>> I had deep-check cronjob on the same machine which has been hacked
>> >>> today (see
>> >>>
>> >>> http://bitcoinmedia.com/compromised-linode-coins-stolen-from-slush-faucet-and-others/).
>> >>> Although it looks like attackers came just for my bitcoins, they also
>> >>> had access to tahoe config, so we should expect that introducer furl
>> >>> leaked as well. How should we resolve this issue?
>> >>>
>> >>> Best,
>> >>> slush
>> >>> _______________________________________________
>> >>> volunteergrid2-l mailing list
>> >>> volunteergrid2-l at tahoe-lafs.org
>> >>> http://tahoe-lafs.org/cgi-bin/mailman/listinfo/volunteergrid2-l
>> >>> http://bigpig.org/twiki/bin/view/Main/WebHome
>> >>
>> >>
>> >>
>> >>
>> >
>> >
>> >
>> >
>> > --
>> > Shawn
>> >
>>
>>
>>
>> --
>> Give us this day our garlic bread and lead us not into vegetarianism
>> but deliver us some pizza.
>
>
>
>
> --
> Shawn
>
--
Give us this day our garlic bread and lead us not into vegetarianism
but deliver us some pizza.
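
Added example, not part of the original message: a triage pass over lsof's field output (`lsof -n -P -F pcLftn`) that flags what stands out in the listing above, a process whose executable (`txt`) is mapped from a volatile directory such as /run/shm, and then lists that process's remote endpoints. The sample input is constructed with documentation-range addresses, the watch list of directories is an assumption, and reading the spaces in the "/run/shm/ / /bot" path as whitespace-only directory names is also an assumption.

```python
# Constructed sample in `lsof -n -P -F pcLftn` field format, modelled on the
# listing in the message; addresses are documentation-range placeholders.
SAMPLE = "\n".join([
    "p1458", "cbash", "Ltest",
    "fcwd", "tDIR", "n/run/shm/ / /bot",
    "ftxt", "tREG", "n/run/shm/ / /bot/bash",
    "f14", "tIPv4", "n203.0.113.5:38455->198.51.100.7:6667",
    "p900", "cbash", "Lundo",
    "fcwd", "tDIR", "n/home/undo",
    "ftxt", "tREG", "n/bin/bash",
])

VOLATILE = ("/run/shm/", "/dev/shm/", "/tmp/", "/var/tmp/")  # assumed watch list

def parse_lsof_fields(text):
    """Group -F output into {pid: {"cmd", "user", "files": [{fd, type, name}]}}."""
    procs, proc, fobj = {}, None, None
    for line in text.splitlines():
        key, val = line[:1], line[1:]
        if key == "p":              # a 'p' line starts a new process set
            proc = procs.setdefault(val, {"cmd": "", "user": "", "files": []})
            fobj = None
        elif proc is None:
            continue
        elif key == "c":
            proc["cmd"] = val
        elif key == "L":
            proc["user"] = val
        elif key == "f":            # an 'f' line starts a new file set
            fobj = {"fd": val, "type": "", "name": ""}
            proc["files"].append(fobj)
        elif fobj is not None and key in ("t", "n"):
            fobj["type" if key == "t" else "name"] = val
    return procs

def triage(text):
    """Return {pid: [reasons]} for processes that deserve a closer look."""
    findings = {}
    for pid, proc in parse_lsof_fields(text).items():
        reasons = []
        for f in proc["files"]:
            parts = f["name"].split("/")
            if f["fd"] == "txt" and f["name"].startswith(VOLATILE):
                reasons.append("executable mapped from " + repr(f["name"]))
            if f["fd"] in ("cwd", "txt") and any(s and not s.strip() for s in parts):
                reasons.append("whitespace-only directory in " + repr(f["name"]))
        if reasons:                 # list sockets only for already-flagged processes
            reasons += ["remote " + f["name"].split("->", 1)[1] for f in proc["files"]
                        if f["type"] in ("IPv4", "IPv6") and "->" in f["name"]]
            findings[pid] = reasons
    return findings
```

The field format keeps each file name on its own `n` line, so names containing spaces survive parsing, which the column layout of plain `lsof | grep` does not guarantee.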