[volunteergrid2-l] my server has been hacked

sabotrax at gmail.com sabotrax at gmail.com
Wed Mar 7 22:39:50 UTC 2012


i really don't know. the system was a fully patched ubuntu 11.04.
external services were tahoe, ssh, postfix, apache, tor, polipo, f*ex,
subsonic and owncloud (under apache).
all but the last two were ubuntu packages, so i assume they were ok.
no daemon was configured unsafely (like fancy apache modules or such).
subsonic (a music streaming server) did run with non-root privs.
owncloud (a private cloud software) is implemented as a php script and
runs as the apache user (www-data).
the password of my user was a 10-character-long semi-random password
created by 'apg'. it looked something like 'EljadWole5'. i had the
password for about a year, which i think is too long.
yesterday i installed debian 6.0.4 and i'd like to keep it running with
fewer packages and services. i secured ssh with one-time passwords
(opie) now.


2012/3/7 Brad Rupp <bradrupp at gmail.com>:
> I would be curious to know if you figured out how they hacked you.  That is
> good information for all of us to know to make sure we don't have similar
> holes.
>
> Brad
>
>
> On 3/6/2012 8:55 AM, sabotrax at gmail.com wrote:
>>
>> Hi all,
>> it seems as if my server which is running tahoe has been hacked.
>> i hate to say this, but i think the introducer furl has to be changed
>> again.
>>
>> i just looked around my system when i saw a new dir "test" under
>> "/home" that was created on 2012/02/21.
>> i then did:
>>
>> root at foo:/home# lsof |grep test
>> bash       1458       test  cwd       DIR               0,18      460    6108855 /run/shm/   /   /bot
>> bash       1458       test  rtd       DIR                8,1     4096          2 /
>> bash       1458       test  txt       REG               0,18   492135    6108126 /run/shm/   /   /bot/bash
>> bash       1458       test  mem       REG                8,1    79712   14811193 /lib32/libresolv-2.13.so
>> bash       1458       test  mem       REG                8,1    46736   14811192 /lib32/libnss_files-2.13.so
>> bash       1458       test  mem       REG                8,1  1532104   14811189 /lib32/libc-2.13.so
>> bash       1458       test  mem       REG                8,1    22092   14811194 /lib32/libnss_dns-2.13.so
>> bash       1458       test  mem       REG                8,1   126152   14811196 /lib32/ld-2.13.so
>> bash       1458       test    0w      REG               0,18  2153806    6108891 /run/shm/   /   /bot/LinkEvents
>> bash       1458       test    1u     sock                0,7      0t0   85480587 can't identify protocol
>> bash       1458       test    2u     sock                0,7      0t0   85479769 can't identify protocol
>> bash       1458       test    3u     IPv4            6108142      0t0        UDP *:49486
>> bash       1458       test    4u     sock                0,7      0t0   85481277 can't identify protocol
>> bash       1458       test    5u     sock                0,7      0t0   85698092 can't identify protocol
>> bash       1458       test    6u     sock                0,7      0t0   85498612 can't identify protocol
>> bash       1458       test    7u     sock                0,7      0t0   85576571 can't identify protocol
>> bash       1458       test    8u     sock                0,7      0t0   86667704 can't identify protocol
>> bash       1458       test    9u     sock                0,7      0t0   86667741 can't identify protocol
>> bash       1458       test   10u     sock                0,7      0t0   86669526 can't identify protocol
>> bash       1458       test   11u     sock                0,7      0t0   86669303 can't identify protocol
>> bash       1458       test   12u     sock                0,7      0t0   86671788 can't identify protocol
>> bash       1458       test   13u     sock                0,7      0t0   86670345 can't identify protocol
>> bash       1458       test   14u     IPv4           89167118      0t0        TCP foo.cyberdeck.null:38455->161.53.178.240:ircd (SYN_SENT)
>> bash       1458       test   15u     sock                0,7      0t0   86671794 can't identify protocol
>> bash       1458       test   16u     sock                0,7      0t0   86707925 can't identify protocol
>> bash       1458       test   17u     sock                0,7      0t0   87574595 can't identify protocol
>> bash       1458       test   18u     IPv4           89167113      0t0        TCP foo.cyberdeck.null:49523->173.245.201.28:afs3-fileserver (SYN_SENT)
>> root at foo:/home# halt
>> W: molly-guard: SSH session detected!
>> Please type in hostname of the machine to halt: foo
>>
>> An alle Benutzer verteilte Nachricht von undo at foo
>>         (/dev/pts/0) um 16:24 ...
>>
>> Das System wird sich JETZT zum Anhalten herunterfahren!
>>
>> ---
>>
>> looks like my box has been a proud member of some botnet for the last two
>> weeks.
>> atm i really don't know how this could have happened. i just wanted to
>> tell you guys as fast as possible.
>>
>> greetings,
>> marcus
>>
> _______________________________________________
> volunteergrid2-l mailing list
> volunteergrid2-l at tahoe-lafs.org
> http://tahoe-lafs.org/cgi-bin/mailman/listinfo/volunteergrid2-l
> http://bigpig.org/twiki/bin/view/Main/WebHome



-- 
Give us this day our garlic bread and lead us not into vegetarianism
but deliver us some pizza.
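The lsof listing quoted in the thread shows the classic signs of a dropped IRC bot: a process calling itself "bash" whose executable and cwd live on tmpfs (/run/shm), directory names made of spaces so the path is hard to see in a listing, and an outbound connection to a remote "ircd" port. The script below is an added example, not code from the thread or from tahoe-lafs, that turns those observations into a repeatable triage check over plain `lsof` output. The sample listing is constructed: the bash/1458 rows are re-joined from the thread's wrapped output, and the sshd rows are made up to give a benign process for contrast.

```python
"""Triage default lsof output for signs of a rogue process: an executable
or cwd on a volatile/world-writable filesystem, a process named like a
system binary that does not run from a system directory, directory names
made of whitespace, and outbound IRC connections.
Added example modelled on the lsof listing quoted in the thread."""
from collections import defaultdict

# Constructed sample: bash/1458 rows re-joined from the thread's wrapped
# listing; the sshd rows are invented as a benign control.
SAMPLE_LSOF = """\
COMMAND     PID   USER   FD   TYPE   DEVICE SIZE/OFF     NODE NAME
sshd        900   root  cwd    DIR      8,1     4096        2 /
sshd        900   root  txt    REG      8,1   812544   131337 /usr/sbin/sshd
sshd        900   root   3u   IPv4    12345      0t0      TCP *:ssh (LISTEN)
bash       1458   test  cwd    DIR     0,18      460  6108855 /run/shm/   /   /bot
bash       1458   test  txt    REG     0,18   492135  6108126 /run/shm/   /   /bot/bash
bash       1458   test   0w    REG     0,18  2153806  6108891 /run/shm/   /   /bot/LinkEvents
bash       1458   test   1u   sock      0,7      0t0 85480587 can't identify protocol
bash       1458   test   3u   IPv4  6108142      0t0      UDP *:49486
bash       1458   test  14u   IPv4 89167118      0t0      TCP foo.cyberdeck.null:38455->161.53.178.240:ircd (SYN_SENT)
bash       1458   test  18u   IPv4 89167113      0t0      TCP foo.cyberdeck.null:49523->173.245.201.28:afs3-fileserver (SYN_SENT)
"""

# Mounts where no legitimate daemon keeps its binary or working directory.
VOLATILE_OR_WORLD_WRITABLE = ("/run/shm/", "/dev/shm/", "/tmp/", "/var/tmp/")
SYSTEM_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/local/")
# Names an implant commonly borrows; the real one runs from a system dir.
COMMON_SYSTEM_NAMES = {"bash", "sh", "sshd", "cron", "init", "httpd", "apache2"}
# lsof prints service names unless run with -P, so list both spellings.
IRC_PORTS = {"ircd", "6667", "6668", "6669", "6697", "7000"}


def parse_lsof(text):
    """Split default (non -F) lsof lines into dicts. NAME may contain
    spaces, so only the first eight columns are split on whitespace."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("COMMAND"):
            continue
        parts = line.split(None, 8)
        if len(parts) < 9:
            # lsof omits empty columns; 'lsof -F' is the robust format to parse.
            continue
        cmd, pid, user, fd, ftype, _dev, _size, node, name = parts
        rows.append({"cmd": cmd, "pid": int(pid), "user": user, "fd": fd,
                     "type": ftype, "node": node, "name": name})
    return rows


def triage(rows):
    """Return {(pid, cmd, user): [reasons]} for processes worth a closer look."""
    findings = defaultdict(list)
    for r in rows:
        key = (r["pid"], r["cmd"], r["user"])
        name, fd = r["name"], r["fd"]
        if fd in ("cwd", "txt") and name.startswith(VOLATILE_OR_WORLD_WRITABLE):
            findings[key].append(f"{fd} on volatile/world-writable fs: {name!r}")
        if (fd == "txt" and r["cmd"] in COMMON_SYSTEM_NAMES
                and not name.startswith(SYSTEM_BIN_DIRS)):
            findings[key].append(f"'{r['cmd']}' not running from a system dir: {name!r}")
        # A directory whose name is only spaces hides the real path in 'ls'.
        if name.startswith("/") and any(c and not c.strip() for c in name.split("/")):
            findings[key].append(f"path component made of whitespace: {name!r}")
        if r["node"] == "TCP" and "->" in name:
            remote = name.split("->", 1)[1].split()[0]   # e.g. 161.53.178.240:ircd
            if remote.rsplit(":", 1)[-1] in IRC_PORTS:
                findings[key].append(f"outbound IRC connection to {remote}")
    return dict(findings)


def suspicious_pids(text):
    """PIDs that triggered at least one indicator, ascending."""
    return sorted({pid for (pid, _, _) in triage(parse_lsof(text))})


if __name__ == "__main__":
    for (pid, cmd, user), reasons in triage(parse_lsof(SAMPLE_LSOF)).items():
        print(f"PID {pid} ({cmd}, user {user}):")
        for reason in reasons:
            print("  -", reason)
```

Feed it the output of `lsof -nP` (numeric addresses and ports) or the saved listing from an incident. Two caveats matter for a case like this one: lsof run on the live box trusts the kernel and the libc it was linked against, so a kit that replaces either can hide entries, and anything under /run/shm is tmpfs, so the bot directory and the LinkEvents log vanish the moment the host is halted. Copying that directory out (and capturing `ps`, `ss`/`netstat` and crontabs) before shutdown keeps the evidence that would answer the question of how the box was entered.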

