On November 29, 2002 my fbsd box was hacked. The fbsd box doesn't have a monitor and I normally ssh in and work from the console. I had noticed some "odd" activity (mostly the hard drive kept spinning up) but I was working on something else and, given that I had no reason to suspect that the box was being hacked, I simply chose to ignore this "odd" behaviour. Once I discovered that an attack was underway I began to make both hand-written and typed notes of events. What follows is an account of the attack that I wrote the following day and sent to several friends.

November 30, 2002
summerstorm.net/bboyice.html

Here are the gory details, although I actually enjoyed it to some degree.

I noticed that something was 'odd' about the server, but I didn't know what it was until I started poking around. The time is 18:35 when I su - to root. (The messages log records the time.) A check of who was connected showed a couple of IPs that I didn't know. I'm sort of concerned but preoccupied with some other things so I don't spend much time at the keyboard. About an hour later the hard drive is constantly spinning. Normally that only happens when the system does its backups at midnight and 3 AM. I started looking around the system logs for clues and found this entry in /var/log/messages:

Then I check again to see who's connected. 12.19.98.21 is trying to connect, and 12.19.98.21 resolves to swtech.danielind.com. Well, I sure don't know who this is. So I check the httpd-access.log. But they aren't in the http logs. I pull up swtech.danielind.com and decide that they don't look too threatening, and the domain is owned by someone in Houston, so I'm guessing that it isn't Al-Qaida. I hang up the phone and decide NOT to call the FBI and CIA. (Maybe I should have called Larry.) But obviously someone from that site is trying to get in. So they are a threat.

The other IP that's trying to telnet in is 208.186.184.16, which resolves to 208-186-184-16.gntech.net. That site doesn't look too threatening either. And they don't appear to be able to actually log in. But they're trying. At this point I know that at least two people are trying to hack in. I checked the processes and started killing those that I knew were the hackers' and some others that I suspected. Now I realize that swtech.danielind.com has actually gained access via telnet. (I know, I know. I shouldn't have telnet enabled. I had done so a while back due to some weird problem with ssh and forgot to disable it.) I checked the processes again and started killing their processes. But as soon as I kill them they're back. So now I'm constantly doing

    ps -ax | grep TELNET

and killing the pids. And it becomes a vicious cycle. And there are multiple instances of their IPs. I don't know if they're using more than one telnet client or if only one is a real attempt and the others are phantoms waiting to die after a failed attempt.

While I'm trying to fend them off I decide to check the httpd-access.log again. And what do I find:

    213.255.24.228 - - [29/Nov/2002:19:12:48 -0600] "GET /icons/blank.gif HTTP/1.1" 304 - "http://xxx.summerstorm.net/" "Mozilla/5.0 (compatible; Konqueror/3; Linux)"

NOTE: The xxx part of the address is something other than xxx and isn't commonly known. The fact that they were trying to access this site is a good sign that something is going on. And it isn't good. Seven other files were also accessed by the same IP. A check of the IP shows:

    Resolved 213.255.24.245 to h255-24-245.PA1.albacom.net

Registered to someone in Italy! Is Rome on the rise and I've missed that memo? I have no idea who this can be. I continue to check the log and then it gets weird.

    213.255.24.228 - - [29/Nov/2002:19:14:25 -0600] "GET /xxx.html HTTP/1.1" 200 321 "-" "Mozilla/5.0 (compatible; Konqueror/3; Linux)"

(The DELETED is in place of the site they exited to, since that site maintained information that I didn't want shared.) There were several other files accessed, but I've not shown them here since they are redundant in concept.

Somewhere in all of this melee I manage to check the main web page of my site. Uh oh! I've been had. And look who left their calling card: BbOyIcE. Could this be bboy from swtech.danielind.com? My conclusion is yes. I think that they've finished the hacking since the main page was defaced. And based on the above I know where they went after they finished their business: http://www.DELETED. I also suspect that they know what the operating system is, but based on something in the logs after the above I'm not too sure. Anyway, it turns out the www.DELETED is a web site for reporting hacked web pages. It's a self-reporting thing. The little bastards had entered their little escapade on the site. Bragging rights I guess.

Now I want to figure out where these IPs are coming from, so:

At this point I'm suspicious that the .ru and .br are originating from hacked sites. If so, then the other two were probably hacked as well. But from my armchair it's impossible to tell. Anyway the break-in attempts, and apparently some successes, seem to have gone on for over an hour. Then I see a new IP in the httpd-access.log:

I checked out the new IP only to find:

    Unable to resolve 200.217.245.20

There were at least 2 or 3 dozen script checks where they're trying to figure out the OS. Some of these were by the group of four IPs. But someone, and I assume them, has already defaced the page and should therefore know what the OS is. So I'm a bit confused about what's going on. Is someone trying to 'one-up' the first hacker? Now I'm half tempted to restart the server or take it off-line before they do some real damage. But I don't. I want to explore this further.

So I continue to look in the http log and find the first hack attempt was at 14:48 by 213.255.24.228, which is h255-24-228.PA1.albacom.net. Three log entries from him and then nothing for 15 minutes. Then another 30 entries during the next 23 or so minutes ending at 15:29. Almost 2 1/2 hours pass and a new IP shows up in the logs: 213.255.24.228 at 17:55. I'm guessing that this is the same guy or his cross-town buddy. Eight log entries in two minutes, and all to my unknown site.

Now I want to figure out what the damage is, when it was done and which IP did it. So

    ls -alR | grep 'Nov 29' | grep -v '^d'

looks through the htdocs directory structure to see what files have been changed on the 29th. Fortunately the damage was limited, as far as I can tell, to four very small files that only pointed to jpgs, and they were all backed up. Two of the files were changed at 15:26 and 15:27. A third one at 19:14. I've restored the fourth one, on the main page, and therefore lost the time stamp.

All in all a rather busy bit of time. And I rapidly learned a few things about unix that I hadn't previously known. It's amazing what you can do when you have to. Now I have to set about upgrading the system and installing a new version of Apache. I'm not looking forward to this. I have a second 25 gig drive, same as the main drive, in that box which hasn't even been formatted. I may just do the install on the new drive, slave the old drive and transfer files as needed. Sounds easy, but 'easy' is definitely a relative term.

David

PS: For what it's worth I'd really like to have some quality time with these guys. World Peace be damned!
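The log triage the account describes by hand (reading httpd-access.log for unknown source IPs, spotting the 15-minute gap between bursts from the same address, noticing hits on the unlisted vhost, and sorting the OS-guessing "script checks" from normal page fetches) is shown below as an added Python example. This is not the author's code or any tool from the account: the Apache combined-format log lines are constructed here, modelled on the two lines quoted above (only the 19:12:48 and 19:14:25 entries echo the original; every other timestamp, path and the 200.217.245.20 requests are invented), and the list of probe-looking path markers is an assumption about what the "script checks" would look like.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format, the shape of the two lines quoted in the account.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (assumption): only the 19:12:48 and 19:14:25 lines are
# modelled on entries quoted in the account; the rest are invented for illustration.
SAMPLE_LOG = """\
213.255.24.228 - - [29/Nov/2002:14:48:10 -0600] "GET / HTTP/1.1" 200 2100 "-" "Mozilla/5.0 (compatible; Konqueror/3; Linux)"
213.255.24.228 - - [29/Nov/2002:14:48:12 -0600] "GET /cgi-bin/test-cgi HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Konqueror/3; Linux)"
213.255.24.228 - - [29/Nov/2002:14:48:30 -0600] "GET /index.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Konqueror/3; Linux)"
213.255.24.228 - - [29/Nov/2002:15:05:00 -0600] "GET /images/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Konqueror/3; Linux)"
213.255.24.228 - - [29/Nov/2002:19:12:48 -0600] "GET /icons/blank.gif HTTP/1.1" 304 - "http://xxx.summerstorm.net/" "Mozilla/5.0 (compatible; Konqueror/3; Linux)"
213.255.24.228 - - [29/Nov/2002:19:14:25 -0600] "GET /xxx.html HTTP/1.1" 200 321 "-" "Mozilla/5.0 (compatible; Konqueror/3; Linux)"
200.217.245.20 - - [29/Nov/2002:19:40:02 -0600] "GET /default.asp HTTP/1.0" 404 - "-" "-"
200.217.245.20 - - [29/Nov/2002:19:40:03 -0600] "GET /_vti_bin/ HTTP/1.0" 404 - "-" "-"
"""

# Assumption: paths a scanner requests to guess the OS / web stack rather than
# to read content. Tune to whatever your own site legitimately serves.
PROBE_MARKERS = ("/cgi-bin/", ".php", ".asp", "/_vti_bin/")


def parse_log(text):
    """Parse combined-format lines into dicts; skip lines that do not match."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries


def sessions_by_ip(entries, gap=timedelta(minutes=15)):
    """Group requests per source IP into bursts separated by more than `gap`.

    Returns {ip: [(first_ts, last_ts, request_count), ...]} in time order,
    which is the "three entries, then nothing for 15 minutes" view from the account.
    """
    by_ip = defaultdict(list)
    for e in sorted(entries, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e["ts"])
    sessions = {}
    for ip, stamps in by_ip.items():
        runs = []
        start = prev = stamps[0]
        count = 1
        for ts in stamps[1:]:
            if ts - prev > gap:
                runs.append((start, prev, count))
                start, count = ts, 0
            prev = ts
            count += 1
        runs.append((start, prev, count))
        sessions[ip] = runs
    return sessions


def flag_probes(entries, markers=PROBE_MARKERS):
    """Requests whose path looks like a stack-fingerprinting probe."""
    return [e for e in entries if any(m in e["path"] for m in markers)]


def flag_hidden_vhost(entries, hostname):
    """Requests that arrived with a Referer naming the vhost nobody should know."""
    return [e for e in entries if hostname in e["referer"]]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ip, runs in sessions_by_ip(entries).items():
        for first, last, n in runs:
            print(f"{ip}: {n} requests {first:%H:%M:%S} to {last:%H:%M:%S}")
    for e in flag_probes(entries):
        print(f"probe  {e['ip']} {e['ts']:%H:%M:%S} {e['path']} -> {e['status']}")
    for e in flag_hidden_vhost(entries, "xxx.summerstorm.net"):
        print(f"vhost  {e['ip']} {e['ts']:%H:%M:%S} referer {e['referer']}")
```

The 15-minute gap is a threshold, not a rule: the point is to see the same address come back in bursts so the bursts can be lined up against file modification times (15:26, 15:27, 19:14 in the account). The vhost check is the cheapest signal here, since a Referer naming a hostname that is not published anywhere is evidence on its own, independent of what the request fetched.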