[volunteergrid2-l] I'm sorry, but Introducer furl leaked
sabotrax at gmail.com
Wed Mar 7 14:13:59 UTC 2012
ahh kk, i wasn't sure :)
2012/3/7 Jody Harris <jharris at harrisdev.com>:
> I think we're all waiting for someone else to chime in.
>
> j
> ----
> Ph. 575-208-4567
> - Think carefully.
>
>
>
> On Wed, Mar 7, 2012 at 6:34 AM, <sabotrax at gmail.com> wrote:
>>
>> hi,
>> i sent this mail to the ml yesterday, but it didn't come through, so i
>> resend it as a reply:
>>
>> Hi all,
>> it seems as if my server, which is running tahoe, has been hacked.
>> i hate to say this, but i think the introducer furl has to be changed
>> again.
>>
>> i just looked around my system when i saw a new dir "test" under
>> "/home" that has been created on 2012/02/21.
>> i then did:
>>
>> root at foo:/home# lsof |grep test
>> bash 1458 test cwd DIR 0,18 460 6108855 /run/shm/ / /bot
>> bash 1458 test rtd DIR 8,1 4096 2 /
>> bash 1458 test txt REG 0,18 492135 6108126 /run/shm/ / /bot/bash
>> bash 1458 test mem REG 8,1 79712 14811193 /lib32/libresolv-2.13.so
>> bash 1458 test mem REG 8,1 46736 14811192 /lib32/libnss_files-2.13.so
>> bash 1458 test mem REG 8,1 1532104 14811189 /lib32/libc-2.13.so
>> bash 1458 test mem REG 8,1 22092 14811194 /lib32/libnss_dns-2.13.so
>> bash 1458 test mem REG 8,1 126152 14811196 /lib32/ld-2.13.so
>> bash 1458 test 0w REG 0,18 2153806 6108891 /run/shm/ / /bot/LinkEvents
>> bash 1458 test 1u sock 0,7 0t0 85480587 can't identify protocol
>> bash 1458 test 2u sock 0,7 0t0 85479769 can't identify protocol
>> bash 1458 test 3u IPv4 6108142 0t0 UDP *:49486
>> bash 1458 test 4u sock 0,7 0t0 85481277 can't identify protocol
>> bash 1458 test 5u sock 0,7 0t0 85698092 can't identify protocol
>> bash 1458 test 6u sock 0,7 0t0 85498612 can't identify protocol
>> bash 1458 test 7u sock 0,7 0t0 85576571 can't identify protocol
>> bash 1458 test 8u sock 0,7 0t0 86667704 can't identify protocol
>> bash 1458 test 9u sock 0,7 0t0 86667741 can't identify protocol
>> bash 1458 test 10u sock 0,7 0t0 86669526 can't identify protocol
>> bash 1458 test 11u sock 0,7 0t0 86669303 can't identify protocol
>> bash 1458 test 12u sock 0,7 0t0 86671788 can't identify protocol
>> bash 1458 test 13u sock 0,7 0t0 86670345 can't identify protocol
>> bash 1458 test 14u IPv4 89167118 0t0 TCP foo.cyberdeck.null:38455->161.53.178.240:ircd (SYN_SENT)
>> bash 1458 test 15u sock 0,7 0t0 86671794 can't identify protocol
>> bash 1458 test 16u sock 0,7 0t0 86707925 can't identify protocol
>> bash 1458 test 17u sock 0,7 0t0 87574595 can't identify protocol
>> bash 1458 test 18u IPv4 89167113 0t0 TCP foo.cyberdeck.null:49523->173.245.201.28:afs3-fileserver (SYN_SENT)
>> root at foo:/home# halt
>> W: molly-guard: SSH session detected!
>> Please type in hostname of the machine to halt: foo
>>
>> An alle Benutzer verteilte Nachricht von undo at foo
>> (/dev/pts/0) um 16:24 ...
>>
>> Das System wird sich JETZT zum Anhalten herunterfahren!
>>
>> ---
>>
>> looks like my box has been a proud member of some botnet for the last two
>> weeks.
>> atm i really don't know how this could have happened. i just wanted to
>> tell you guys as fast as possible.
>>
>> greetings,
>> marcus
>>
>> 2012/3/5 Shawn Willden <shawn at willden.org>:
>> > Yup, I can see sabotrax.
>> >
>> > I think that's everyone, isn't it?
>> >
>> >
>> > On Mon, Mar 5, 2012 at 8:13 AM, <sabotrax at gmail.com> wrote:
>> >>
>> >> hi,
>> >> i just changed the introducer and restarted tahoe.
>> >> is my node kqyu52 connected? i'm just asking because i don't see it
>> >> from another box that's located in the same local net (but that could
>> >> be a routing issue).
>> >>
>> >> thanks
>> >>
>> >> 2012/3/3 Shawn Willden <shawn at willden.org>:
>> >> > 14 nodes on the new introducer FURL now! Only one or two haven't
>> >> > migrated.
>> >> >
>> >> >
>> >> > On Fri, Mar 2, 2012 at 4:15 PM, Christoph Langguth
>> >> > <christoph at rosenkeller.org> wrote:
>> >> >>
>> >> >> Wow!
>> >> >>
>> >> >> I'm absolutely amazed of you people here.
>> >> >>
>> >> >> It's been exactly 24 hours since we had a "911 call" on this list,
>> >> >> with
>> >> >> people distributed around the globe.
>> >> >>
>> >> >> Within these 24 hours, we have managed to "migrate" 2/3 of the
>> >> >> infrastructure, maintained by almost 20 people, to a different
>> >> >> location. And
>> >> >> I'm sure that the rest of the maintainers will follow within a few
>> >> >> hours (or
>> >> >> when they read their mails.... jeez, it's weekend after all!).
>> >> >>
>> >> >> Quoting Jody, and in big letters:
>> >> >> YOU ARE AWESOME!
>> >> >>
>> >> >> Thanks! ;-)
>> >> >> -- Chris
>> >> >>
>> >> >>
>> >> >>
>> >> >> On 01.03.2012 23:55, slush wrote:
>> >> >>
>> >> >>> Hi all,
>> >> >>>
>> >> >>> I had a deep-check cronjob on the same machine which has been hacked
>> >> >>> today (see
>> >> >>>
>> >> >>>
>> >> >>> http://bitcoinmedia.com/compromised-linode-coins-stolen-from-slush-faucet-and-others/).
>> >> >>> Although it looks like attackers came just for my bitcoins, they
>> >> >>> also had
>> >> >>> access to tahoe config, so we should expect that introducer
>> >> >>> furl
>> >> >>> leaked as well. How should we resolve this issue?
>> >> >>>
>> >> >>> Best,
>> >> >>> slush
>> >> >>> _______________________________________________
>> >> >>> volunteergrid2-l mailing list
>> >> >>> volunteergrid2-l at tahoe-lafs.org
>> >> >>> http://tahoe-lafs.org/cgi-bin/mailman/listinfo/volunteergrid2-l
>> >> >>> http://bigpig.org/twiki/bin/view/Main/WebHome
>> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >> >
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> > Shawn
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Give us this day our garlic bread and lead us not into vegetarianism
>> >> but deliver us some pizza.
>> >
>> >
>> >
>> >
>> > --
>> > Shawn
>> >
>>
>>
>>
>> --
>> Give us this day our garlic bread and lead us not into vegetarianism
>> but deliver us some pizza.
>
>
>
--
Give us this day our garlic bread and lead us not into vegetarianism
but deliver us some pizza.
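
Added example, not part of the original thread or of any poster's message: the lsof listing quoted above shows a process named bash whose binary and working directory sit under /run/shm and which holds outbound TCP connections. The sketch below automates that check over lsof's default output, assuming all nine columns are populated; the sample rows, the VOLATILE list and the function names are constructed for illustration.

```python
# Triage default-format `lsof` output: flag processes whose executable or
# working directory lives in a volatile, world-writable location.
VOLATILE = ("/run/shm/", "/dev/shm/", "/tmp/", "/var/tmp/")  # assumed list

# Constructed sample rows (not the host from the thread); documentation addresses.
SAMPLE = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 1458 test cwd DIR 0,18 460 6108855 /run/shm/x/bot
bash 1458 test txt REG 0,18 492135 6108126 /run/shm/x/bot/bash
bash 1458 test mem REG 8,1 1532104 14811189 /lib32/libc-2.13.so
bash 1458 test 3u IPv4 6108142 0t0 UDP *:49486
bash 1458 test 14u IPv4 89167118 0t0 TCP host.example:38455->192.0.2.10:ircd (SYN_SENT)
sshd 812 root txt REG 8,1 787080 131201 /usr/sbin/sshd
sshd 812 root 3u IPv4 9001 0t0 TCP *:ssh (LISTEN)
"""

def parse(text):
    """Group lsof rows by PID, keeping executable, cwd and remote endpoints."""
    procs = {}
    for line in text.splitlines():
        f = line.split(None, 8)            # 9th field (NAME) may contain spaces
        if len(f) < 9 or not f[1].isdigit():
            continue                       # header or incomplete row
        cmd, pid, user, fd, typ, name = f[0], int(f[1]), f[2], f[3], f[4], f[8]
        p = procs.setdefault(pid, {"cmd": cmd, "user": user,
                                   "exe": None, "cwd": None, "remote": []})
        if fd == "txt" and p["exe"] is None:
            p["exe"] = name                # first txt row is the program text
        elif fd == "cwd":
            p["cwd"] = name
        elif typ in ("IPv4", "IPv6") and "->" in name:
            p["remote"].append(name.split("->", 1)[1].split()[0])
    return procs

def triage(text):
    """Return (pid, command, user, reasons) for each suspicious process."""
    findings = []
    for pid, p in sorted(parse(text).items()):
        reasons = []
        if p["exe"] and p["exe"].startswith(VOLATILE):
            reasons.append("executable in volatile dir: " + p["exe"])
        if p["cwd"] and p["cwd"].startswith(VOLATILE):
            reasons.append("cwd in volatile dir: " + p["cwd"])
        if reasons and p["remote"]:
            reasons.append("outbound: " + ", ".join(p["remote"]))
        if reasons:
            findings.append((pid, p["cmd"], p["user"], reasons))
    return findings

if __name__ == "__main__":
    for pid, cmd, user, reasons in triage(SAMPLE):
        print(pid, cmd, user, *reasons, sep="\n  ")
```

The command name alone says nothing here: the flagged process reports itself as bash, and only the txt row reveals where the binary actually lives.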