mike (digitalsushi) wrote,
digitalsushi and the case of the aloha hacker

So I got hacked the other day. I figured I could post this blog entry as a bit of a web, to see if anyone else had any clues.

We noticed that our network was sluggish, and learned there was a SIP scanner called SipVicious running on one of our machines. One of our websites on a remote system had also crashed, and later we learned it was the same system running.

Unfortunately for me, I had set up some ssh keys establishing trust between these systems, and so they ended up compromised. How they gained access, though, is still a mystery. I did notice there is a local user exploit for the 2.6.31 kernel, though.

One of our machines runs nginx, and others run apache.

Once the hacker got in, they set up a screen session running in /dev/shm, so that it would be lost upon a reboot.  I managed to grab their kit and got this info:

-rwxr-xr-x 1 backup backup 4834 2008-08-10 12:20 Changelog
-rw-r--r-- 1 root root 24 2010-08-11 05:45 clase.txt
-rwxr-xr-x 1 root root 553 2010-07-30 18:19 doit.sh
-rwxr-xr-x 1 root root 46 2010-07-30 19:03 end.sh
-rwxr-xr-x 1 backup backup 12175 2008-08-10 12:20 fphelper.py
-rwxr-xr-x 1 root root 12232 2010-08-11 00:50 fphelper.pyc
-rw-r--r-- 1 root root 1050898 2010-07-02 13:01 GeoIP.dat
-rwxr-xr-x 1 root root 117 2010-07-30 17:44 geoip.pl
-rwxr-xr-x 1 backup backup 12288 2008-08-20 20:36 groupdb
-rwxr-xr-x 1 backup backup 35886 2008-08-10 12:20 helper.py
-rwxr-xr-x 1 root root 34787 2010-08-11 00:50 helper.pyc
-rwxr-xr-x 1 root root 660 2010-07-30 20:23 ip.sh
-rwxr-xr-x 1 root root 337 2010-07-30 20:23 ip.sh~
-rwxr-xr-x 1 backup backup 2 2008-08-20 16:18 log
-rwxr-xr-x 1 root root 424 2010-07-30 20:23 mail_test.sh
-rwxr-xr-x 1 root root 420 2010-07-30 20:23 mail_test.sh~
-rw-r--r-- 1 root root 23 2010-08-11 00:50 mail_to.txt
-rw-r--r-- 1 root root 556801 2010-08-11 09:17 parole.txt
-rwxr-xr-x 1 backup backup 4298 2008-08-10 12:20 pptable.py
-rwxr-xr-x 1 backup backup 4960 2009-08-21 02:31 pptable.pyc
-rwxr-xr-x 1 root root 14052 2010-07-30 16:52 pygeoip.py
-rw-r--r-- 1 root root 14491 2010-11-18 16:21 pygeoip.pyc
-rwxr-xr-x 1 backup backup 1361 2008-08-10 12:20 README
-rwxr-xr-x 1 backup backup 4229 2008-08-10 12:20 regen.py
-rwxr-xr-x 1 root root 3960 2010-08-11 00:50 regen.pyc
-rw-r--r-- 1 root root 154 2010-08-11 05:53 results.txt
-rwxr-xr-x 1 backup backup 249980 2009-12-07 23:12 screen
-rwxr-xr-x 1 backup backup 1837 2010-06-14 14:10 sipuli.txt
-rwxr-xr-x 1 backup backup 110592 2010-08-11 05:49 staticfull
-rwxr-xr-x 1 backup backup 282624 2010-08-11 05:49 staticheaders
-rwxr-xr-x 1 backup backup 21834 2010-07-30 17:28 svcrack.py
-rwxr-xr-x 1 backup backup 9159 2008-08-10 12:20 svlearnfp.py
-rw-r--r-- 1 root root 830499 2010-08-11 06:04 svmap.out
-rwxr-xr-x 1 backup backup 22045 2008-08-20 16:28 svmap.py
-rwxr-xr-x 1 backup backup 8285 2008-08-10 12:20 svreport.py
-rwxr-xr-x 1 backup backup 24458 2008-08-19 23:21 svwar.py
-rwxr-xr-x 1 backup backup 749 2008-08-10 12:20 sv.xsl
-rwxr-xr-x 1 backup backup 308 2008-08-10 12:20 THANKS
-rwxr-xr-x 1 backup backup 80 2008-08-10 12:20 TODO
-rwxr-xr-x 1 backup backup 45056 2008-08-20 20:37 totag
-rwxr-xr-x 1 root root 216 2010-07-30 16:52 t.py
-rw-r--r-- 1 root root 22194 2010-08-11 06:10 users.txt
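As an added, defender-side illustration that is not part of the original post: a small Python script that parses an `ls -l` listing in the ISO-date style shown above and produces the first things a responder wants from a recovered kit, namely who owns which files, which are executable, which known SIPVicious components are present, and the modification-time window. The sample input is a constructed subset of the listing above, copied line for line; the SIPVicious script names are taken from that listing, and the `ls` line format is assumed to be exactly the one the post shows.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: a subset of the `ls -l` listing of the attacker's
# kit that the post shows (recovered from /dev/shm), copied line for line.
LISTING = """\
-rwxr-xr-x 1 backup backup 4834 2008-08-10 12:20 Changelog
-rw-r--r-- 1 root root 24 2010-08-11 05:45 clase.txt
-rwxr-xr-x 1 root root 553 2010-07-30 18:19 doit.sh
-rwxr-xr-x 1 backup backup 12175 2008-08-10 12:20 fphelper.py
-rw-r--r-- 1 root root 1050898 2010-07-02 13:01 GeoIP.dat
-rw-r--r-- 1 root root 556801 2010-08-11 09:17 parole.txt
-rwxr-xr-x 1 backup backup 249980 2009-12-07 23:12 screen
-rwxr-xr-x 1 backup backup 21834 2010-07-30 17:28 svcrack.py
-rw-r--r-- 1 root root 830499 2010-08-11 06:04 svmap.out
-rwxr-xr-x 1 backup backup 22045 2008-08-20 16:28 svmap.py
-rwxr-xr-x 1 backup backup 24458 2008-08-19 23:21 svwar.py
-rw-r--r-- 1 root root 22194 2010-08-11 06:10 users.txt
"""

# One `ls -l` line in the ISO-date style shown in the post:
# mode links owner group size YYYY-MM-DD HH:MM name
LS_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+(?P<name>.+)$"
)

# Script names belonging to the SIPVicious suite, as they appear in the listing.
SIPVICIOUS_TOOLS = {"svmap.py", "svwar.py", "svcrack.py", "svreport.py", "svlearnfp.py"}


@dataclass
class Entry:
    mode: str
    owner: str
    group: str
    size: int
    mtime: str   # "YYYY-MM-DD HH:MM", sortable as a plain string
    name: str

    @property
    def executable(self) -> bool:
        # Any execute (or setuid/setgid) bit in the user/group/other triplets.
        return any(c in "xs" for c in self.mode[1:])


def parse_listing(text: str) -> list:
    """Parse `ls -l` output into Entry objects; lines that do not match (e.g. 'total N') are skipped."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        entries.append(Entry(d["mode"], d["owner"], d["group"], int(d["size"]),
                             f"{d['date']} {d['time']}", d["name"]))
    return entries


def triage(entries: list) -> dict:
    """Summarise a recovered kit: who owns what, what is executable, which known
    tool components are present, and the modification-time window."""
    mtimes = sorted(e.mtime for e in entries)
    return {
        "by_owner": dict(Counter(e.owner for e in entries)),
        "executables": sorted(e.name for e in entries if e.executable),
        "sipvicious_components": sorted(e.name for e in entries if e.name in SIPVICIOUS_TOOLS),
        # Non-executable files owned by root are the likeliest scan output / config to preserve first.
        "root_data_files": sorted(e.name for e in entries if e.owner == "root" and not e.executable),
        "earliest_mtime": mtimes[0] if mtimes else None,
        "latest_mtime": mtimes[-1] if mtimes else None,
    }


if __name__ == "__main__":
    for key, value in triage(parse_listing(LISTING)).items():
        print(f"{key}: {value}")
```

Run against the sample, the owner split (files owned by `backup` alongside files owned by `root`) and the mtime window are exactly the two facts worth recording before anything on the box is touched: they say which accounts the kit was used from and bound when it was active. Because `/dev/shm` is a tmpfs, the listing, not the files, is what survives a reboot, so feeding a saved `ls -l` to the parser is often the only option after the fact.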

These guys in Russia had the same thing happen to them:

http://forum.searchengines.ru/showthread.php?p=7848015&langid=1

I asked them if they ever learned anything, and it didn't really sound like they did. Then again, the translator did a bad job of getting their subtle chiding.

The hacker was just using the boxes to set up shop scanning Polish SIP servers for guessable users. They had a geoip.dat file that lets them figure out which country they're getting results from. The results file I had actually had a few results.

I have their gmail address, too -- xqw019 gmail.com. I considered emailing him or her, but figured I wouldn't get a response. Probably an automated account.

They were literally scanning entire /8 blocks... 81 and 83 specifically.
inetnum: 83.0.0.0 - 83.0.7.255
netname: IP-TELEFONY
descr: VOIP services by Polish Telecom
country: PL
admin-c: TPHT
tech-c: TPHT
status: ASSIGNED PA
mnt-by: TPNET
mnt-lower: TPNET
mnt-routes: TPNET
source: RIPE # Filtered

Crappy way to start a day. If you know anything, or wanna vent, email me with mikec at this domain, digitalsushi.com.
Tags: linux hack remote ssh exploit apache ngi