digitalsushi

* * *
Mine is a tale, told by an idiot,
full of sound and fury, signifying nothing.
Peering out at the edge of this dock, over
the dark abyss of the ocean, at damned near
thirty-five years of age, I now have the keen
intellect to conjure how I must turn back
and walk thirty-five more years to the shore.
But that moon does rise behind me, and though
the walk back is ever colder, and the tide is
rising and cracking against these old timbers,
it is not so perilous as the shadows beckon.
The moonlight waxes crease and crevice, ancient
steps I took before. Ancient steps I take again
and sturdy though I weaken, my mind is now the
bastion of my manifested person. My mind is now
the treasure and my mind is now the chest. My findings
are uncovered, now I walk to take the rest.
* * *
and it felt like having my gibson hacked.
* * *
I've been with dotster since 1999. Lots of domains over there.

They are a huge registrar and they have been very good to me. But they are not providing ipv6 glue records. Ever. They won't even make a vague comment like "it is being discussed by our engineers".

I have asked them three times over the past four years. Same answer each time. Each time I have threatened to migrate to another registrar.

Anyways, dotster, you have failed. It is 2011 and June 8 IPv6 day is in a week. My data center, Linode, offers native IPv6 and I can't even publish that it's there. You have the smallest job to do, they finished their big project. You've turned into the network solutions I went running from in the late 1990s.

* * *
So I got hacked the other day. I figured I could post this blog entry as a bit of a web, to see if anyone else had any clues.

We noticed that our network was sluggish, and learned there was a SIP scanner called SipVicious running on one of our machines.  One of our websites on a remote system had also crashed, and later we learned it was the same system running.

Unfortunately for me, I had set up some ssh keys establishing trust between these systems, and so they ended up compromised.  How they gained access, though, is still a mystery.  I did notice there is a local user exploit for the 2.6.31 kernel, though.

One of our machines runs nginx, and others run apache.  

Once the hacker got in, they set up a screen session running in /dev/shm, so that it would be lost upon a reboot.  I managed to grab their kit and got this info:

-rwxr-xr-x 1 backup backup 4834 2008-08-10 12:20 Changelog
-rw-r--r-- 1 root root 24 2010-08-11 05:45 clase.txt
-rwxr-xr-x 1 root root 553 2010-07-30 18:19 doit.sh
-rwxr-xr-x 1 root root 46 2010-07-30 19:03 end.sh
-rwxr-xr-x 1 backup backup 12175 2008-08-10 12:20 fphelper.py
-rwxr-xr-x 1 root root 12232 2010-08-11 00:50 fphelper.pyc
-rw-r--r-- 1 root root 1050898 2010-07-02 13:01 GeoIP.dat
-rwxr-xr-x 1 root root 117 2010-07-30 17:44 geoip.pl
-rwxr-xr-x 1 backup backup 12288 2008-08-20 20:36 groupdb
-rwxr-xr-x 1 backup backup 35886 2008-08-10 12:20 helper.py
-rwxr-xr-x 1 root root 34787 2010-08-11 00:50 helper.pyc
-rwxr-xr-x 1 root root 660 2010-07-30 20:23 ip.sh
-rwxr-xr-x 1 root root 337 2010-07-30 20:23 ip.sh~
-rwxr-xr-x 1 backup backup 2 2008-08-20 16:18 log
-rwxr-xr-x 1 root root 424 2010-07-30 20:23 mail_test.sh
-rwxr-xr-x 1 root root 420 2010-07-30 20:23 mail_test.sh~
-rw-r--r-- 1 root root 23 2010-08-11 00:50 mail_to.txt
-rw-r--r-- 1 root root 556801 2010-08-11 09:17 parole.txt
-rwxr-xr-x 1 backup backup 4298 2008-08-10 12:20 pptable.py
-rwxr-xr-x 1 backup backup 4960 2009-08-21 02:31 pptable.pyc
-rwxr-xr-x 1 root root 14052 2010-07-30 16:52 pygeoip.py
-rw-r--r-- 1 root root 14491 2010-11-18 16:21 pygeoip.pyc
-rwxr-xr-x 1 backup backup 1361 2008-08-10 12:20 README
-rwxr-xr-x 1 backup backup 4229 2008-08-10 12:20 regen.py
-rwxr-xr-x 1 root root 3960 2010-08-11 00:50 regen.pyc
-rw-r--r-- 1 root root 154 2010-08-11 05:53 results.txt
-rwxr-xr-x 1 backup backup 249980 2009-12-07 23:12 screen
-rwxr-xr-x 1 backup backup 1837 2010-06-14 14:10 sipuli.txt
-rwxr-xr-x 1 backup backup 110592 2010-08-11 05:49 staticfull
-rwxr-xr-x 1 backup backup 282624 2010-08-11 05:49 staticheaders
-rwxr-xr-x 1 backup backup 21834 2010-07-30 17:28 svcrack.py
-rwxr-xr-x 1 backup backup 9159 2008-08-10 12:20 svlearnfp.py
-rw-r--r-- 1 root root 830499 2010-08-11 06:04 svmap.out
-rwxr-xr-x 1 backup backup 22045 2008-08-20 16:28 svmap.py
-rwxr-xr-x 1 backup backup 8285 2008-08-10 12:20 svreport.py
-rwxr-xr-x 1 backup backup 24458 2008-08-19 23:21 svwar.py
-rwxr-xr-x 1 backup backup 749 2008-08-10 12:20 sv.xsl
-rwxr-xr-x 1 backup backup 308 2008-08-10 12:20 THANKS
-rwxr-xr-x 1 backup backup 80 2008-08-10 12:20 TODO
-rwxr-xr-x 1 backup backup 45056 2008-08-20 20:37 totag
-rwxr-xr-x 1 root root 216 2010-07-30 16:52 t.py
-rw-r--r-- 1 root root 22194 2010-08-11 06:10 users.txt
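A defender-side check for the staging trick described above (a kit and a screen session living in /dev/shm so a reboot wipes them): this is an added example, not code from the original post, that walks a /proc-style tree and flags any process whose executable, working directory or command line points into a volatile or world-writable mount. The WATCHED_PREFIXES list and the Finding fields are my own choices.

```python
import os
from dataclasses import dataclass

# Mount points where tooling is often staged so it disappears on reboot
# (the post's kit lived in /dev/shm). Adjust to the host's tmpfs layout.
WATCHED_PREFIXES = ("/dev/shm", "/run/shm", "/tmp", "/var/tmp")

@dataclass
class Finding:
    pid: int
    reason: str
    detail: str

def _readlink(path):
    # Other users' /proc entries raise PermissionError; treat as unknown.
    try:
        return os.readlink(path)
    except OSError:
        return ""

def _argv(path):
    try:
        with open(path, "rb") as fh:
            return [a.decode("utf-8", "replace") for a in fh.read().split(b"\0") if a]
    except OSError:
        return []

def in_watched(path):
    return any(path == p or path.startswith(p + "/") for p in WATCHED_PREFIXES)

def scan_proc(proc_root="/proc"):
    """Return one Finding per suspicious attribute of each process."""
    findings = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        pid, base = int(name), os.path.join(proc_root, name)
        # A binary unlinked after exec reads back as "<path> (deleted)".
        exe = _readlink(os.path.join(base, "exe")).replace(" (deleted)", "")
        cwd = _readlink(os.path.join(base, "cwd"))
        if in_watched(exe):
            findings.append(Finding(pid, "exe in volatile mount", exe))
        if in_watched(cwd):
            findings.append(Finding(pid, "cwd in volatile mount", cwd))
        # Interpreters (python, sh) expose the staged script only via argv.
        hit = next((a for a in _argv(os.path.join(base, "cmdline")) if in_watched(a)), None)
        if hit:
            findings.append(Finding(pid, "argv references volatile mount", hit))
    return sorted(findings, key=lambda f: (f.pid, f.reason))
```

Run scan_proc() as root to cover every process; as an unprivileged user, other users' entries are unreadable and are silently skipped.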

These guys in Russia had the same thing happen to them:

http://forum.searchengines.ru/showthread.php?p=7848015&langid=1

I asked them if they ever learned anything, and it didn't really sound like they did. Then again, the translator did a bad job of getting their subtle chiding.

The hacker was just using the boxes to set up shop scanning Polish sip servers for guessable users. They had a geoip.dat file that lets them figure out which country they're getting results from. The results file I had actually had a few results.

I have their gmail address, too -- xqw019 gmail.com. I considered emailing him or her, but figured I wouldn't get a response. Probably an automated account.

They were literally scanning entire /8 blocks... 81 and 83 specifically.

inetnum: 83.0.0.0 - 83.0.7.255
netname: IP-TELEFONY
descr: VOIP services by Polish Telecom
country: PL
admin-c: TPHT
tech-c: TPHT
status: ASSIGNED PA
mnt-by: TPNET
mnt-lower: TPNET
mnt-routes: TPNET
source: RIPE # Filtered

Crappy way to start a day. If you know anything, or wanna vent, email me with mikec at this domain, digitalsushi.com.
Current Mood: cranky
* * *
and i am starting to get bored.
* * *
I quit facebook a few months ago.  It was sucking my soul up.

Today I redid some potted plants.  My little rex begonia, holiday cactus, and jade are still alive and well.  They have a plant light, which I affixed to a swing arm lamp.  It's getting dark around 7pm now -- I can barely see the sun.  The nights are a cool mist of pre-autumn air.  Living on the river facilitates.

Happy 10th birthday, LJ.  We met almost 7 years ago, when I was 23.  Ta,

* * *
I won't use my professor's name... Tonight was my final presentation for a class called "The Theory of Computation".  I went in, and started presenting, and within the first 60 seconds she had interrupted me, claiming she didn't understand what I was saying.  And so for the next 45 minutes, she interrupted me every half a minute, saying that my definitions were meaningless.  I'd say "In this rule, a Variable maps to a string in the language L consisting of either Terminals or Variables".  She'd cut me off and say "I don't know what map means."  Every other sentence.  At the end, she asked me to identify whether a^n b^n c^m for m,n >= 0 in integers was a context-free grammar.  At first I didn't think it was, but then I started to generate a context free grammar for it.  She interrupted me -- "Michael, clearly I don't have enough time to explain this to you such that you can understand it.  Let's just stop here.  Thanks for coming in."  argh.
* * *
Thank you for motivating me, Charles Mingus.
* * *
Mexico was fun. We were there for a week, Saturday through Saturday. When we got there, we were taken to the resort by taxi. Since the taxi didn't have the little access pass the resort gives you at sign-in, we had to go the back way through this really third-world neighborhood. The streets were all dirt and flooded, and every third puddle had a carrion smell that forced held breath.

The resort was nice enough. It was the off-season down there, so amid sparse occupancy, we dociled with no other USA folk and the rest, locals. The real star of the vacation was the Bar Lanai, a little restaurant built into a rear alcove of the resort. By the end of the week, the wait staff knew us on a first name basis. Their food was humble but delicious, and we ate most of our meals there. Javier was our friendliest waiter, but we liked the well groomed older gentleman and the taller fellow more, nameless to us.

The resort got only one television station, TBS. We ended up watching a lot of it, since we stayed in most of the days there. We ventured out a few of the days, but each one left us staying in the next. The first time we went out, we tried the main drag of Acapulco. It was fun, but a little stressful. We were constantly heckled by street vendors. The ocean beach with all the skyscraper resorts was nice; a little dirtier than we expected, but that was true of the entire city. Up on the street, the same proliferation of flooded intersections abounded. Construction was ubiquitous in Acapulco, perhaps due to tourism's off-season. We took some much needed downtime in a small mall to see a Spanish subtitled Batman. Hearing English was comforting after a half week of Spanish only.

Speaking of Spanish, it really comes back to you. Not just the grammar, either. Vocabulary pops back into your head, lost words reconnected.

We stayed in Torre Blanca, overlooking Puerto Marquez Bay.
* * *
I got braces exactly 20 years ago today. How else could you remember such a thing?

Well, I'm off to Mexico. I'll be back in a week with photos. Bye!

* * *