[volunteergrid2-l] I'm sorry, but Introducer furl leaked
Johannes Nix
Johannes.Nix at gmx.net
Wed Mar 7 18:32:25 UTC 2012
Hi Marcus,
what would be good to know is whether you were running any other
network-related thing besides Tahoe on the server?
Hope you can recover that quickly,
Johannes
On Wed, 7 Mar 2012 14:34:13 +0100
sabotrax at gmail.com wrote:
> hi,
> i sent this mail to the ml yesterday, but it didn't come through, so i
> resend it as a reply:
>
> Hi all,
> it seems as if my server who is running tahoe has been hacked.
> i hate to say this, but i think the introducer furl has to be changed
> again.
>
> i just looked around my system when i saw a new dir "test" under
> "/home" that has been created on 2012/02/21.
> i then did:
>
> root at foo:/home# lsof |grep test
> bash 1458 test cwd DIR 0,18 460 6108855 /run/shm/ / /bot
> bash 1458 test rtd DIR 8,1 4096 2 /
> bash 1458 test txt REG 0,18 492135 6108126 /run/shm/ / /bot/bash
> bash 1458 test mem REG 8,1 79712 14811193 /lib32/libresolv-2.13.so
> bash 1458 test mem REG 8,1 46736 14811192 /lib32/libnss_files-2.13.so
> bash 1458 test mem REG 8,1 1532104 14811189 /lib32/libc-2.13.so
> bash 1458 test mem REG 8,1 22092 14811194 /lib32/libnss_dns-2.13.so
> bash 1458 test mem REG 8,1 126152 14811196 /lib32/ld-2.13.so
> bash 1458 test 0w REG 0,18 2153806 6108891 /run/shm/ / /bot/LinkEvents
> bash 1458 test 1u sock 0,7 0t0 85480587 can't identify protocol
> bash 1458 test 2u sock 0,7 0t0 85479769 can't identify protocol
> bash 1458 test 3u IPv4 6108142 0t0 UDP *:49486
> bash 1458 test 4u sock 0,7 0t0 85481277 can't identify protocol
> bash 1458 test 5u sock 0,7 0t0 85698092 can't identify protocol
> bash 1458 test 6u sock 0,7 0t0 85498612 can't identify protocol
> bash 1458 test 7u sock 0,7 0t0 85576571 can't identify protocol
> bash 1458 test 8u sock 0,7 0t0 86667704 can't identify protocol
> bash 1458 test 9u sock 0,7 0t0 86667741 can't identify protocol
> bash 1458 test 10u sock 0,7 0t0 86669526 can't identify protocol
> bash 1458 test 11u sock 0,7 0t0 86669303 can't identify protocol
> bash 1458 test 12u sock 0,7 0t0 86671788 can't identify protocol
> bash 1458 test 13u sock 0,7 0t0 86670345 can't identify protocol
> bash 1458 test 14u IPv4 89167118 0t0 TCP foo.cyberdeck.null:38455->161.53.178.240:ircd (SYN_SENT)
> bash 1458 test 15u sock 0,7 0t0 86671794 can't identify protocol
> bash 1458 test 16u sock 0,7 0t0 86707925 can't identify protocol
> bash 1458 test 17u sock 0,7 0t0 87574595 can't identify protocol
> bash 1458 test 18u IPv4 89167113 0t0 TCP foo.cyberdeck.null:49523->173.245.201.28:afs3-fileserver (SYN_SENT)
> root at foo:/home# halt
> W: molly-guard: SSH session detected!
> Please type in hostname of the machine to halt: foo
>
> An alle Benutzer verteilte Nachricht von undo at foo
> (/dev/pts/0) um 16:24 ...
>
> Das System wird sich JETZT zum Anhalten herunterfahren!
>
> ---
>
> looks like my box has been a proud member of some botnet for the last
> two weeks. atm i really don't know how this could have happened. i
> just wanted to tell you guys as fast as possible.
>
> greetings,
> marcus
>
> 2012/3/5 Shawn Willden <shawn at willden.org>:
> > Yup, I can see sabotrax.
> >
> > I think that's everyone, isn't it?
> >
> >
> > On Mon, Mar 5, 2012 at 8:13 AM, <sabotrax at gmail.com> wrote:
> >>
> >> hi,
> >> i just changed the introducer and restarted tahoe.
> >> is my node kqyu52 connected? i'm just asking because i don't see it
> >> from another box that's located in the same local net (but that
> >> could be a routing issue).
> >>
> >> thanks
> >>
> >> 2012/3/3 Shawn Willden <shawn at willden.org>:
> >> > 14 nodes on the new introducer FURL now! Only one or two haven't
> >> > migrated.
> >> >
> >> >
> >> > On Fri, Mar 2, 2012 at 4:15 PM, Christoph Langguth
> >> > <christoph at rosenkeller.org> wrote:
> >> >>
> >> >> Wow!
> >> >>
> >> >> I'm absolutely amazed of you people here.
> >> >>
> >> >> It's been exactly 24 hours since we had a "911 call" on this
> >> >> list, with people distributed around the globe.
> >> >>
> >> >> Within these 24 hours, we have managed to "migrate" 2/3 of the
> >> >> infrastructure, maintained by almost 20 people, to a different
> >> >> location. And
> >> >> I'm sure that the rest of the maintainers will follow within a
> >> >> few hours (or
> >> >> when they read their mails.... jeez, it's weekend after all!).
> >> >>
> >> >> Quoting Jody, and in big letters:
> >> >> YOU ARE AWESOME!
> >> >>
> >> >> Thanks! ;-)
> >> >> -- Chris
> >> >>
> >> >>
> >> >>
> >> >> On 01.03.2012 23:55, slush wrote:
> >> >>
> >> >>> Hi all,
> >> >>>
> >> >>> I had deep-check cronjob on the same machine which has been
> >> >>> hacked today (see
> >> >>>
> >> >>> http://bitcoinmedia.com/compromised-linode-coins-stolen-from-slush-faucet-and-others/).
> >> >>> Although it looks like attackers come just for my bitcoins,
> >> >>> they had also access to tahoe config, so we should expect that
> >> >>> introducer furl leaked as well. How we should resolve this
> >> >>> issue?
> >> >>>
> >> >>> Best,
> >> >>> slush
> >> >>> _______________________________________________
> >> >>> volunteergrid2-l mailing list
> >> >>> volunteergrid2-l at tahoe-lafs.org
> >> >>> http://tahoe-lafs.org/cgi-bin/mailman/listinfo/volunteergrid2-l
> >> >>> http://bigpig.org/twiki/bin/view/Main/WebHome
> >> >>
> >> >>
> >> >>
> >> >>
> >> >
> >> >
> >> >
> >> >
> >> > --
> >> > Shawn
> >> >
> >>
> >>
> >>
> >> --
> >> Give us this day our garlic bread and lead us not into
> >> vegetarianism but deliver us some pizza.
> >
> >
> >
> >
> > --
> > Shawn
> >
>
>
>
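The triage in the quoted report (an `lsof` listing that shows a process whose executable and working directory sit under `/run/shm` while it holds outbound TCP connections) can be turned into a repeatable check. The following is an added example, not part of the original thread; the sample listing is constructed (placeholder path and documentation addresses), and the parser assumes all nine default `lsof` columns are present on each row.

```python
from collections import defaultdict

# Memory-backed or world-writable locations where a long-running executable is unusual.
VOLATILE_PREFIXES = ("/run/shm/", "/dev/shm/", "/tmp/", "/var/tmp/")

# Constructed sample modelled on the listing above; path and addresses are placeholders.
SAMPLE = """\
bash 1458 test cwd DIR 0,18 460 6108855 /run/shm/x/bot
bash 1458 test txt REG 0,18 492135 6108126 /run/shm/x/bot/bash
bash 1458 test mem REG 8,1 1532104 14811189 /lib32/libc-2.13.so
bash 1458 test 3u IPv4 6108142 0t0 UDP *:49486
bash 1458 test 14u IPv4 89167118 0t0 TCP host.example:38455->192.0.2.10:ircd (SYN_SENT)
bash 2210 alice cwd DIR 8,1 4096 131 /home/alice
bash 2210 alice txt REG 8,1 1021112 262 /bin/bash
sshd 900 root 3u IPv4 5501 0t0 TCP host.example:ssh->198.51.100.7:50122 (ESTABLISHED)
"""

def parse_lsof(text):
    """Yield one dict per lsof row; rows without nine columns are skipped."""
    for line in text.splitlines():
        parts = line.split(None, 8)  # NAME (last column) may contain spaces
        if len(parts) < 9 or not parts[1].isdigit():
            continue  # header line or a row with a blank column
        cmd, pid, user, fd, ftype, _dev, _size, node, name = parts
        yield {"cmd": cmd, "pid": int(pid), "user": user,
               "fd": fd, "type": ftype, "node": node, "name": name}

def suspicious_processes(text):
    """Return {pid: details} for processes running from a volatile directory."""
    procs = defaultdict(lambda: {"cmd": None, "user": None, "volatile": [], "remote": []})
    for row in parse_lsof(text):
        p = procs[row["pid"]]
        p["cmd"], p["user"] = row["cmd"], row["user"]
        # 'txt' is the program text (the executable), 'cwd' the working directory.
        if row["fd"] in ("txt", "cwd") and row["name"].startswith(VOLATILE_PREFIXES):
            p["volatile"].append((row["fd"], row["name"]))
        # TCP rows with "->" have a remote peer; keep the remote endpoint and state.
        if row["type"] in ("IPv4", "IPv6") and row["node"] == "TCP" and "->" in row["name"]:
            p["remote"].append(row["name"].split("->", 1)[1])
    return {pid: p for pid, p in procs.items() if p["volatile"]}

if __name__ == "__main__":
    for pid, p in suspicious_processes(SAMPLE).items():
        print(pid, p["user"], p["cmd"], p["volatile"], p["remote"])
```

On a live host, `lsof -F` field output is more robust to parse than the default columns, which can be blank on some rows.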