digitalsushi


digitalsushi and the case of the aloha hacker


* * *
So I got hacked the other day. I figured I could post this blog entry as a bit of a web, to see if anyone else had any clues.

We noticed that our network was sluggish, and learned there was a SIP scanner called SipVicious running on one of our machines.  One of our websites on a remote system had also crashed, and later we learned it was the same system running.

Unfortunately for me, I had set up some ssh keys establishing trust between these systems, and so they ended up compromised. How they gained access, though, is still a mystery. I did notice there is a local user exploit for the 2.6.31 kernel, though.

One of our machines runs nginx, and others run apache.  

Once the hacker got in, they set up a screen session running in /dev/shm, so that it would be lost upon a reboot.  I managed to grab their kit and got this info:

-rwxr-xr-x 1 backup backup 4834 2008-08-10 12:20 Changelog
-rw-r--r-- 1 root root 24 2010-08-11 05:45 clase.txt
-rwxr-xr-x 1 root root 553 2010-07-30 18:19 doit.sh
-rwxr-xr-x 1 root root 46 2010-07-30 19:03 end.sh
-rwxr-xr-x 1 backup backup 12175 2008-08-10 12:20 fphelper.py
-rwxr-xr-x 1 root root 12232 2010-08-11 00:50 fphelper.pyc
-rw-r--r-- 1 root root 1050898 2010-07-02 13:01 GeoIP.dat
-rwxr-xr-x 1 root root 117 2010-07-30 17:44 geoip.pl
-rwxr-xr-x 1 backup backup 12288 2008-08-20 20:36 groupdb
-rwxr-xr-x 1 backup backup 35886 2008-08-10 12:20 helper.py
-rwxr-xr-x 1 root root 34787 2010-08-11 00:50 helper.pyc
-rwxr-xr-x 1 root root 660 2010-07-30 20:23 ip.sh
-rwxr-xr-x 1 root root 337 2010-07-30 20:23 ip.sh~
-rwxr-xr-x 1 backup backup 2 2008-08-20 16:18 log
-rwxr-xr-x 1 root root 424 2010-07-30 20:23 mail_test.sh
-rwxr-xr-x 1 root root 420 2010-07-30 20:23 mail_test.sh~
-rw-r--r-- 1 root root 23 2010-08-11 00:50 mail_to.txt
-rw-r--r-- 1 root root 556801 2010-08-11 09:17 parole.txt
-rwxr-xr-x 1 backup backup 4298 2008-08-10 12:20 pptable.py
-rwxr-xr-x 1 backup backup 4960 2009-08-21 02:31 pptable.pyc
-rwxr-xr-x 1 root root 14052 2010-07-30 16:52 pygeoip.py
-rw-r--r-- 1 root root 14491 2010-11-18 16:21 pygeoip.pyc
-rwxr-xr-x 1 backup backup 1361 2008-08-10 12:20 README
-rwxr-xr-x 1 backup backup 4229 2008-08-10 12:20 regen.py
-rwxr-xr-x 1 root root 3960 2010-08-11 00:50 regen.pyc
-rw-r--r-- 1 root root 154 2010-08-11 05:53 results.txt
-rwxr-xr-x 1 backup backup 249980 2009-12-07 23:12 screen
-rwxr-xr-x 1 backup backup 1837 2010-06-14 14:10 sipuli.txt
-rwxr-xr-x 1 backup backup 110592 2010-08-11 05:49 staticfull
-rwxr-xr-x 1 backup backup 282624 2010-08-11 05:49 staticheaders
-rwxr-xr-x 1 backup backup 21834 2010-07-30 17:28 svcrack.py
-rwxr-xr-x 1 backup backup 9159 2008-08-10 12:20 svlearnfp.py
-rw-r--r-- 1 root root 830499 2010-08-11 06:04 svmap.out
-rwxr-xr-x 1 backup backup 22045 2008-08-20 16:28 svmap.py
-rwxr-xr-x 1 backup backup 8285 2008-08-10 12:20 svreport.py
-rwxr-xr-x 1 backup backup 24458 2008-08-19 23:21 svwar.py
-rwxr-xr-x 1 backup backup 749 2008-08-10 12:20 sv.xsl
-rwxr-xr-x 1 backup backup 308 2008-08-10 12:20 THANKS
-rwxr-xr-x 1 backup backup 80 2008-08-10 12:20 TODO
-rwxr-xr-x 1 backup backup 45056 2008-08-20 20:37 totag
-rwxr-xr-x 1 root root 216 2010-07-30 16:52 t.py
-rw-r--r-- 1 root root 22194 2010-08-11 06:10 users.txt

These guys in Russia had the same thing happen to them:

http://forum.searchengines.ru/showthread.php?p=7848015&langid=1

I asked them if they ever learned anything, and it didn't really sound like they did. Then again, the translator did a bad job of getting their subtle chiding.

The hacker was just using the boxes to set up shop scanning Polish SIP servers for guessable users. They had a GeoIP.dat file that lets them figure out which country they're getting results from. The results file I had actually had a few results.

I have their gmail address, too -- xqw019 gmail.com. I considered emailing him or her, but figured I wouldn't get a response. Probably an automated account.

They were literally scanning entire /8 blocks... 81 and 83 specifically.


inetnum: 83.0.0.0 - 83.0.7.255
netname: IP-TELEFONY
descr: VOIP services by Polish Telecom
country: PL
admin-c: TPHT
tech-c: TPHT
status: ASSIGNED PA
mnt-by: TPNET
mnt-lower: TPNET
mnt-routes: TPNET
source: RIPE # Filtered

Crappy way to start a day. If you know anything, or wanna vent, email me with mikec at this domain, digitalsushi.com.
Current Mood: cranky
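An added triage helper, not from the original post or from the SipVicious project, that looks for the pattern described in this post and its comments: processes invoking the SipVicious scripts named in the listing above, a working directory under /dev/shm, /tmp or /var/tmp, a privately dropped screen binary, and a Python interpreter running as the web-server user. The set of web-server uids and the list of suspect directories are assumptions.

```python
"""Triage helper for a SipVicious-style compromise (added example, not from the post)."""
import os
from typing import Dict, List

# SipVicious scripts and output files present in both listings on this page
SIPVICIOUS_FILES = {"svmap.py", "svwar.py", "svcrack.py", "svreport.py",
                    "svlearnfp.py", "svmap.out", "parole.txt", "users.txt"}
# Volatile or world-writable directories the kit was dropped into (assumed list)
SUSPECT_DIRS = ("/dev/shm", "/tmp", "/var/tmp")
# Assumed uids of the web-server account (nobody / apache); adjust for your system
WEB_UIDS = {65534, 48}


def suspicious_reasons(cwd: str, exe: str, cmdline: List[str], uid: int) -> List[str]:
    """Return the reasons one process looks like part of the kit (empty if clean)."""
    reasons: List[str] = []
    # Any argument whose basename is a known SipVicious file, e.g. "python ./svmap.py"
    hits = {os.path.basename(arg) for arg in cmdline} & SIPVICIOUS_FILES
    if hits:
        reasons.append("sipvicious script in cmdline: " + ", ".join(sorted(hits)))
    # Kit was run from /dev/shm (post) and /tmp/aloha (third comment)
    for d in SUSPECT_DIRS:
        if cwd == d or cwd.startswith(d + "/"):
            reasons.append(f"cwd under {d}")
            break
    # The attacker shipped their own "screen" binary instead of using the system one
    exe_name = os.path.basename(exe).replace(" (deleted)", "")
    if exe_name == "screen" and exe.startswith(SUSPECT_DIRS):
        reasons.append("private screen binary outside system paths")
    # Third comment: everything was owned by "nobody", the apache user
    if uid in WEB_UIDS and exe_name.startswith("python"):
        reasons.append(f"python running as web-server uid {uid}")
    return reasons


def scan_proc(proc: str = "/proc") -> Dict[int, List[str]]:
    """Walk /proc on a live Linux host and collect flagged pids with their reasons."""
    findings: Dict[int, List[str]] = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        base = os.path.join(proc, entry)
        try:
            cwd = os.readlink(os.path.join(base, "cwd"))
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                cmdline = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
            uid = os.stat(base).st_uid  # /proc/<pid> is owned by the process uid
        except OSError:
            continue  # process exited or we lack permission (kernel threads, other uids)
        reasons = suspicious_reasons(cwd, exe, cmdline, uid)
        if reasons:
            findings[int(entry)] = reasons
    return findings
```

Run scan_proc() as root to see every process; /proc/<pid>/exe of processes started from a directory that has since been wiped still reports the original path with a "(deleted)" suffix, which the check tolerates.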
* * *
On January 18th, 2011 11:09 am (UTC), (Anonymous) commented:
Hi ...
found you via google ...
one of our redhat boxes was hacked yesterday too, with the same payload
They scanned the following net 173.0.0.0/8 and managed to max out our 10mbit SDSL all night long. :(

Same behaviour, reboot and their session is gone.
What is still left is their kit, found it in ...
/lib/modules/.ICE-unix.mysql.sock.spamd-13466-init

They probably got in because of a weak password.
This special machine is not on the net and was permitted ssh access just for some maintenance work, but this was just for a couple of hours.


ls -All
-----------------------------------------------------------
-rwxr-xr-x 1 34 34 4834 Aug 10 2008 Changelog
-rw-r--r-- 1 root root 12 Nov 16 12:07 clase.txt
-rwxr-xr-x 1 root root 566 Oct 9 22:11 doit.sh
-rwxr-xr-x 1 root root 46 Jul 30 18:03 end.sh
-rwxr-xr-x 1 34 34 12175 Aug 10 2008 fphelper.py
-rwxr-xr-x 1 34 34 12452 Aug 21 2009 fphelper.pyc
-rw-r--r-- 1 root root 1050898 Jul 2 2010 GeoIP.dat
-rwxr-xr-x 1 root root 117 Jul 30 16:44 geoip.pl
-rwxr-xr-x 1 34 34 12288 Aug 20 2008 groupdb
-rwxr-xr-x 1 34 34 35886 Aug 10 2008 helper.py
-rwxr-xr-x 1 34 34 35300 Aug 21 2009 helper.pyc
-rwxr-xr-x 1 root root 660 Jul 30 19:23 ip.sh
-rwxr-xr-x 1 root root 337 Jul 30 19:23 ip.sh~
-rwxr-xr-x 1 34 34 2 Aug 20 2008 log
-rwxrwxrwx 1 root root 798109 Nov 16 12:07 parole.txt
-rwxr-xr-x 1 34 34 4298 Aug 10 2008 pptable.py
-rwxr-xr-x 1 34 34 4960 Aug 21 2009 pptable.pyc
-rwxr-xr-x 1 root root 14052 Jul 30 15:52 pygeoip.py
-rw-r--r-- 1 root root 14117 Jul 30 15:52 pygeoip.pyc
-rwxr-xr-x 1 34 34 1361 Aug 10 2008 README
-rwxr-xr-x 1 34 34 4229 Aug 10 2008 regen.py
-rwxr-xr-x 1 34 34 4068 Aug 21 2009 regen.pyc
-rw-r--r-- 1 root root 316 Jan 17 20:30 results.txt
-rwxr-xr-x 1 34 34 249980 Dec 7 2009 screen
-rwxr-xr-x 1 34 34 1837 Jun 14 2010 sipuli.txt
-rw-r--r-- 1 root root 336596992 Jan 18 02:34 .sipviciousrandomtmp
-rwxr-xr-x 1 34 34 110592 Jul 30 16:58 staticfull
-rwxr-xr-x 1 34 34 282624 Jan 17 10:44 staticheaders
-rwxr-xr-x 1 34 34 21834 Jul 30 16:28 svcrack.py
-rwxr-xr-x 1 34 34 9159 Aug 10 2008 svlearnfp.py
-rw-r--r-- 1 root root 21452933 Jan 18 02:34 svmap.out
-rwxr-xr-x 1 34 34 22045 Aug 20 2008 svmap.py
drwxr-xr-x 6 34 34 4096 Aug 10 2008 .svn
-rwxr-xr-x 1 34 34 8285 Aug 10 2008 svreport.py
-rwxr-xr-x 1 34 34 24458 Aug 19 2008 svwar.py
-rwxr-xr-x 1 34 34 749 Aug 10 2008 sv.xsl
-rwxr-xr-x 1 34 34 308 Aug 10 2008 THANKS
-rwxr-xr-x 1 34 34 80 Aug 10 2008 TODO
-rwxr-xr-x 1 34 34 45056 Aug 20 2008 totag
-rwxr-xr-x 1 root root 216 Jul 30 15:52 t.py
-rwxrwxrwx 1 root root 798109 Nov 16 12:07 users.txt
-----------------------------------------------------------

Cheers
Sebastian
* * *
On January 18th, 2011 11:10 am (UTC), (Anonymous) commented:
and yes ... a crappy way to start a day
* * *
On January 19th, 2011 08:22 pm (UTC), zigar commented:
hey

i got exactly the same. trying to figure out what happened on the forum you have visited as well, so there are a couple of new posts from me now.

in my case the whole /var/log has been emptied.

no idea how it got into my server though.
On February 10th, 2011 10:53 pm (UTC), (Anonymous) replied:
Me too!
Exactly the same symptoms - slow server this morning. A quick "ps" revealed plenty of python processes running and a google revealed that these were the sipvicious tools. In my case, I'm pretty sure they must've hacked via one of our hosted websites because they'd installed a copy of sipvicious in /tmp/aloha/ and it was all owned by "nobody" (our apache user). Investigation continues....
* * *
On April 9th, 2011 11:20 am (UTC), wenoteak commented:
Did you hear what Rob Matts said about that?

On April 9th, 2011 03:18 pm (UTC), digitalsushi replied:
no, i would love to hear more or see a link though!
* * *
On April 14th, 2011 01:51 pm (UTC), ruhasaul commented:
Thanks for posting, I like this blog!

* * *