an unwanted honeypot for hackers: “y2kupdate”

Laziness combined with too much work often causes very bad side effects … The following story happened due to my very own laziness (or maybe even call it craziness …):

After setting up a Debian Lenny KVM guest on one of our servers, I had to do some tests on it before making it available to the very public (or in other words: before I assigned it a public IP address).

So I added a dedicated user named “test” with again a very dedicated password named “test” … and from now on you know how the story continues: after provisioning the server, I simply forgot to remove the “test” user. And without surprise it didn’t take long until some funny people found out about my error and tried to hijack the server by installing some interesting pieces of software.

Obviously they were almost as lazy as I was, because they left many traces on the server and in the end they did not come very far in hijacking the server.

Soon after I provisioned the server, I found weird log entries like these:

May 13 06:40:01 ahost /USR/SBIN/CRON[13837]: (test) CMD (/tmp/lib/y2kupdate >/dev/null 2>&1)

Now as a matter of fact I do read log entries and these entries soon got my attention.

Investigating the files in the /tmp/lib folder I quickly found out that the server had become a member of an IRC-based botnet (or in fact, a number of IRC-based botnets), probably designated to flood remote victims with useless traffic.

It has been a long time since a hacker successfully broke our security barriers, so I find it quite amusing to dissect the applications found in /tmp/lib and also quite interesting to read the (now deleted) test user’s .bash_history file …

Luckily for me the hackers either did not come too far with hijacking the server or simply were not overly interested in the box, so reverting the changes they made seems doable, but let’s see how the story continues 🙂
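The cron entry above is exactly the kind of line a small log check can catch. The following script is an added example, not code from the original post: it parses Debian's syslog CRON lines in the format shown above and flags jobs owned by accounts that are not expected to have crontabs or launched from world-writable directories. The allowlist of users and the sample log lines are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Syslog line format written by Debian's cron, as quoted in the post:
#   May 13 06:40:01 ahost /USR/SBIN/CRON[13837]: (test) CMD (/tmp/lib/y2kupdate >/dev/null 2>&1)
CRON_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"/USR/SBIN/CRON\[(?P<pid>\d+)\]: \((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)$"
)

# No legitimate scheduled job should be started from these locations.
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Finding:
    user: str
    cmd: str
    reasons: list


def parse_cron_line(line):
    """Return the named fields of a CRON 'CMD' line, or None for any other line."""
    m = CRON_RE.match(line)
    return m.groupdict() if m else None


def audit_cron_log(lines, allowed_users):
    """Flag every CMD line whose crontab owner is not in allowed_users
    or whose command references a world-writable directory."""
    findings = []
    for line in lines:
        rec = parse_cron_line(line.strip())
        if rec is None:
            continue
        reasons = []
        if rec["user"] not in allowed_users:
            reasons.append("unexpected crontab owner")
        # Check every token, so a path hidden after 'cd' or a pipe is still caught.
        if any(tok.startswith(UNTRUSTED_DIRS) for tok in rec["cmd"].split()):
            reasons.append("command runs from world-writable directory")
        if reasons:
            findings.append(Finding(rec["user"], rec["cmd"], reasons))
    return findings


# Constructed sample: the line from the post plus two benign root jobs.
SAMPLE_LOG = [
    "May 13 06:25:01 ahost /USR/SBIN/CRON[13801]: (root) CMD (test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ))",
    "May 13 06:40:01 ahost /USR/SBIN/CRON[13837]: (test) CMD (/tmp/lib/y2kupdate >/dev/null 2>&1)",
    "May 13 06:45:01 ahost /USR/SBIN/CRON[13852]: (root) CMD (/usr/lib/php5/maxlifetime >/dev/null)",
]

if __name__ == "__main__":
    for f in audit_cron_log(SAMPLE_LOG, {"root"}):
        print(f"{f.user}: {f.cmd!r} -> {', '.join(f.reasons)}")
```

On a real box, feed it `/var/log/syslog` (or the journal) and maintain the allowlist from the accounts that actually own files under /var/spool/cron/crontabs.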

Comment from Anonymous (Guest):

I got hit by this through redmine this week; it seems the redmine user was configured with a shell in passwd. Fixed that, and that should keep the buggers out. They didn’t even try to hide their tracks.