November 19th, 2010

digitalsushi and the case of the aloha hacker

So I got hacked the other day. I figured I could post this blog entry as a bit of a web, to see if anyone else had any clues.

We noticed that our network was sluggish, and learned there was a SIP scanner called SipVicious running on one of our machines.  One of our websites on a remote system had also crashed, and later we learned it was the same system running.

Unfortunately for me, I had set up some ssh keys establishing trust between these systems, and so they ended up compromised.  How they gained access, though, is still a mystery.  I did notice there is a local user exploit for the 2.6.31 kernel, though.

One of our machines runs nginx, and others run apache.  

Once the hacker got in, they set up a screen session running in /dev/shm, so that it would be lost upon a reboot.  I managed to grab their kit and got this info:

-rwxr-xr-x 1 backup backup 4834 2008-08-10 12:20 Changelog
-rw-r--r-- 1 root root 24 2010-08-11 05:45 clase.txt
-rwxr-xr-x 1 root root 553 2010-07-30 18:19 doit.sh
-rwxr-xr-x 1 root root 46 2010-07-30 19:03 end.sh
-rwxr-xr-x 1 backup backup 12175 2008-08-10 12:20 fphelper.py
-rwxr-xr-x 1 root root 12232 2010-08-11 00:50 fphelper.pyc
-rw-r--r-- 1 root root 1050898 2010-07-02 13:01 GeoIP.dat
-rwxr-xr-x 1 root root 117 2010-07-30 17:44 geoip.pl
-rwxr-xr-x 1 backup backup 12288 2008-08-20 20:36 groupdb
-rwxr-xr-x 1 backup backup 35886 2008-08-10 12:20 helper.py
-rwxr-xr-x 1 root root 34787 2010-08-11 00:50 helper.pyc
-rwxr-xr-x 1 root root 660 2010-07-30 20:23 ip.sh
-rwxr-xr-x 1 root root 337 2010-07-30 20:23 ip.sh~
-rwxr-xr-x 1 backup backup 2 2008-08-20 16:18 log
-rwxr-xr-x 1 root root 424 2010-07-30 20:23 mail_test.sh
-rwxr-xr-x 1 root root 420 2010-07-30 20:23 mail_test.sh~
-rw-r--r-- 1 root root 23 2010-08-11 00:50 mail_to.txt
-rw-r--r-- 1 root root 556801 2010-08-11 09:17 parole.txt
-rwxr-xr-x 1 backup backup 4298 2008-08-10 12:20 pptable.py
-rwxr-xr-x 1 backup backup 4960 2009-08-21 02:31 pptable.pyc
-rwxr-xr-x 1 root root 14052 2010-07-30 16:52 pygeoip.py
-rw-r--r-- 1 root root 14491 2010-11-18 16:21 pygeoip.pyc
-rwxr-xr-x 1 backup backup 1361 2008-08-10 12:20 README
-rwxr-xr-x 1 backup backup 4229 2008-08-10 12:20 regen.py
-rwxr-xr-x 1 root root 3960 2010-08-11 00:50 regen.pyc
-rw-r--r-- 1 root root 154 2010-08-11 05:53 results.txt
-rwxr-xr-x 1 backup backup 249980 2009-12-07 23:12 screen
-rwxr-xr-x 1 backup backup 1837 2010-06-14 14:10 sipuli.txt
-rwxr-xr-x 1 backup backup 110592 2010-08-11 05:49 staticfull
-rwxr-xr-x 1 backup backup 282624 2010-08-11 05:49 staticheaders
-rwxr-xr-x 1 backup backup 21834 2010-07-30 17:28 svcrack.py
-rwxr-xr-x 1 backup backup 9159 2008-08-10 12:20 svlearnfp.py
-rw-r--r-- 1 root root 830499 2010-08-11 06:04 svmap.out
-rwxr-xr-x 1 backup backup 22045 2008-08-20 16:28 svmap.py
-rwxr-xr-x 1 backup backup 8285 2008-08-10 12:20 svreport.py
-rwxr-xr-x 1 backup backup 24458 2008-08-19 23:21 svwar.py
-rwxr-xr-x 1 backup backup 749 2008-08-10 12:20 sv.xsl
-rwxr-xr-x 1 backup backup 308 2008-08-10 12:20 THANKS
-rwxr-xr-x 1 backup backup 80 2008-08-10 12:20 TODO
-rwxr-xr-x 1 backup backup 45056 2008-08-20 20:37 totag
-rwxr-xr-x 1 root root 216 2010-07-30 16:52 t.py
-rw-r--r-- 1 root root 22194 2010-08-11 06:10 users.txt
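Since the kit above was running out of a screen session in /dev/shm, the one place it could still be seen was the live process table: /proc exposes the executable, working directory and open files of every process even when the files sit on a tmpfs that vanishes at reboot. The script below is an added example for checking a host that way; it is not part of the original post or of any tool listed above. The sample mount table and process records are constructed (the ".x" directory name is made up; the file names in it are borrowed from the listing), and the live collector assumes a Linux /proc layout.

```python
#!/usr/bin/env python3
"""Flag processes whose exe, cwd or open files live on a tmpfs mount (e.g. /dev/shm).

Added example, not code from the original post. A screen session started out of
/dev/shm leaves nothing on disk after a reboot, but while the box is up the kernel
still reports where each process came from under /proc/<pid>/{exe,cwd,fd}.
"""
import os
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass
class ProcRecord:
    pid: int
    exe: str                                   # resolved target of /proc/<pid>/exe
    cwd: str                                   # resolved target of /proc/<pid>/cwd
    open_files: List[str] = field(default_factory=list)   # resolved /proc/<pid>/fd/*


def tmpfs_mounts(mounts_text: str) -> List[str]:
    """Parse /proc/mounts text and return the mount points whose fstype is tmpfs."""
    points = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "tmpfs":
            points.append(fields[1])
    return points


def _under(path: str, roots: Iterable[str]) -> bool:
    """True if path is one of roots or lies below one of them."""
    return any(path == r or path.startswith(r.rstrip("/") + "/") for r in roots)


def flag_volatile_processes(records: Iterable[ProcRecord], roots: List[str]) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for every process touching a volatile mount."""
    findings: Dict[int, List[str]] = {}
    for rec in records:
        reasons = []
        if _under(rec.exe, roots):
            reasons.append(f"exe {rec.exe}")
        if _under(rec.cwd, roots):
            reasons.append(f"cwd {rec.cwd}")
        for f in rec.open_files:
            if _under(f, roots):
                reasons.append(f"fd {f}")
        if reasons:
            findings[rec.pid] = reasons
    return findings


def collect_live_records() -> List[ProcRecord]:
    """Walk /proc on a Linux host; run as root to see other users' processes."""
    recs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        base = f"/proc/{name}"
        try:
            exe = os.readlink(f"{base}/exe")
            cwd = os.readlink(f"{base}/cwd")
            fds = []
            for fd in os.listdir(f"{base}/fd"):
                try:
                    fds.append(os.readlink(f"{base}/fd/{fd}"))
                except OSError:
                    pass
        except OSError:
            continue   # process already exited, or permission denied
        recs.append(ProcRecord(int(name), exe, cwd, fds))
    return recs


# Constructed sample data standing in for /proc/mounts and the process table of a
# host like the one in the post. The ".x" directory is invented; the file names
# inside it come from the kit listing above.
SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /run tmpfs rw,nosuid,noexec,relatime,mode=755 0 0
"""

SAMPLE_RECORDS = [
    ProcRecord(1, "/sbin/init", "/", ["/dev/null"]),
    ProcRecord(900, "/usr/sbin/nginx", "/", ["/var/log/nginx/access.log"]),
    ProcRecord(4242, "/dev/shm/.x/screen", "/dev/shm/.x", ["/dev/pts/3", "/dev/shm/.x/svmap.out"]),
    ProcRecord(4243, "/usr/bin/python2.6", "/dev/shm/.x", ["/dev/shm/.x/users.txt"]),
]

if __name__ == "__main__":
    with open("/proc/mounts") as fh:
        roots = tmpfs_mounts(fh.read())
    for pid, reasons in sorted(flag_volatile_processes(collect_live_records(), roots).items()):
        print(pid, "; ".join(reasons))
```

On a real host the open-file check will also pick up legitimate users of /run and /dev/shm (shared-memory segments, systemd sockets), so an executable or working directory on tmpfs is the finding to act on first; the open-file hits are context. Run it before rebooting, and copy the directory it points at while it still exists.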

These guys in Russia had the same thing happen to them:

http://forum.searchengines.ru/showthread.php?p=7848015&langid=1

I asked them if they ever learned anything, and it didn't really sound like they did. Then again, the translator did a bad job of getting their subtle chiding.

The hacker was just using the boxes to set up shop scanning Polish SIP servers for guessable users. They had a GeoIP.dat file that lets them figure out which country they're getting results from. The results file I had actually had a few results.

I have their gmail address, too -- xqw019 gmail.com. I considered emailing him or her, but figured I wouldn't get a response. Probably an automated account.

They were literally scanning entire /8 blocks... 81 and 83 specifically.
inetnum: 83.0.0.0 - 83.0.7.255
netname: IP-TELEFONY
descr: VOIP services by Polish Telecom
country: PL
admin-c: TPHT
tech-c: TPHT
status: ASSIGNED PA
mnt-by: TPNET
mnt-lower: TPNET
mnt-routes: TPNET
source: RIPE # Filtered

Crappy way to start a day. If you know anything, or wanna vent, email me with mikec at this domain, digitalsushi.com.