francisco
Last Tuesday, Francisco, a thirty-eight-year-old Argentinian, broke into the Debian machine that sits in my loft. He seemed reluctant to provide details, but I’m guessing that he used the fact that I was running an outdated version of Samba to gain access initially. Either that or a weak password. Given shell access, Francisco downloaded a couple of small applications from the net and used them to gain root privilege, presumably using holes in the 2.4.24 Linux kernel. With that privilege he created a new account (called format) and switched to it.
As format, Francisco downloaded the source for an IRC bot called energy mech, compiled it and then set a couple of copies running. The bot connects to the Undernet IRC network and, in this case, joins a channel called #DrotDeGourvilleSrmANgod999. By joining the channel himself Francisco can give instructions to the bot.
Figuring all of this out was pretty straightforward. Francisco doesn’t seem to have made any attempt to cover his tracks. The wtmp logs are intact, showing that he connected from 217.20.84.20, 212.191.89.200 and 168.226.100.133 - mostly the last of these. The bash history files for format are intact and show the websites that he used to download the tools to gain root access. The IRC bot source and binaries are sitting in /var/tmp/emech-2.8.4 and the running bot was visible in the process table as ./sni.
I noticed the break-in because I was looking for something else. Those ./sni processes stood out as something unexpected. The fact that the format user had appeared was the first big clue and things got easier from there.
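The three signs that gave the game away above (an account that should not exist, a bare ./sni in the process table, and wtmp entries from addresses that have no business logging in) are exactly the checks a small triage script can run. The following is an added example by the editor, not code from the original post: it works over constructed snapshots of /etc/passwd, a ps listing and last-style wtmp output, and it assumes a known-good copy of /etc/passwd to diff against, a home LAN prefix as the only trusted login source, and that nothing legitimate on the host runs out of /tmp, /var/tmp or as ./something. The login hosts reuse the three addresses named in the post; everything else is made up.

```python
"""Triage checks over the three places the post used to reconstruct the
break-in: the account list, the process table and the login records.
Added example by the editor, not code from the original post.
All inputs below are constructed snapshots, not real captures."""
import re
from typing import Dict, List, Tuple

# Constructed /etc/passwd snapshots: a known-good copy and the current one.
PASSWD_BASELINE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"
    "phil:x:1000:1000:Phil:/home/phil:/bin/bash\n"
)
PASSWD_NOW = PASSWD_BASELINE + "format:x:1001:1001::/home/format:/bin/bash\n"

# Constructed `ps -eo user,pid,args` style listing.
PS_OUTPUT = (
    "USER PID COMMAND\n"
    "root 1 /sbin/init\n"
    "phil 2201 /usr/sbin/asterisk\n"
    "format 2910 ./sni\n"
    "format 2911 ./sni\n"
)

# Constructed lines in the shape of `last -i` output (user, tty, host, ...).
# The hosts reuse the addresses the post found in wtmp; dates are made up.
LAST_OUTPUT = (
    "phil     pts/0  192.168.1.10     Tue Feb 10 09:12   still logged in\n"
    "format   pts/1  168.226.100.133  Mon Feb  9 23:40 - 01:05  (01:25)\n"
    "format   pts/1  212.191.89.200   Sun Feb  8 22:03 - 22:30  (00:27)\n"
    "phil     pts/0  192.168.1.10     Sun Feb  8 08:00 - 17:12  (09:12)\n"
    "\n"
    "wtmp begins Sun Feb  1 00:00:01 2004\n"
)

# Assumption: logins from the home LAN are expected; anything else is flagged.
TRUSTED_PREFIXES = ("192.168.",)
# Assumption: nothing legitimate on this host runs out of a temp directory
# or as a bare "./binary" from the current directory.
SUSPECT_CMD = re.compile(r"^(\./|/tmp/|/var/tmp/)")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_passwd(text: str) -> Dict[str, int]:
    """Map account name to numeric UID, skipping blank or malformed lines."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            accounts[fields[0]] = int(fields[2])
    return accounts


def new_accounts(baseline: str, current: str) -> List[str]:
    """Accounts present now that were not in the baseline, plus any
    non-root account that has been given UID 0."""
    before = parse_passwd(baseline)
    now = parse_passwd(current)
    added = [name for name in now if name not in before]
    uid0 = [name for name, uid in now.items() if uid == 0 and name != "root"]
    return sorted(set(added + uid0))


def suspicious_processes(ps_text: str) -> List[Tuple[str, int, str]]:
    """Processes whose command line starts in a temp dir or as ./something."""
    hits = []
    for line in ps_text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        user, pid, cmd = parts[0], int(parts[1]), parts[2]
        if SUSPECT_CMD.match(cmd):
            hits.append((user, pid, cmd))
    return hits


def untrusted_logins(last_text: str, trusted=TRUSTED_PREFIXES) -> List[Tuple[str, str]]:
    """(user, host) pairs for logins from outside the trusted prefixes,
    in the order `last` printed them (newest first)."""
    hits = []
    for line in last_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not IPV4.match(parts[2]):
            continue  # trailer lines, console logins, reboots
        user, host = parts[0], parts[2]
        if not host.startswith(trusted):
            hits.append((user, host))
    return hits


def triage() -> dict:
    """Run all three checks over the constructed snapshots."""
    return {
        "new_accounts": new_accounts(PASSWD_BASELINE, PASSWD_NOW),
        "processes": suspicious_processes(PS_OUTPUT),
        "logins": untrusted_logins(LAST_OUTPUT),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

The point of the baseline diff is that it only works if the known-good copy of /etc/passwd was taken before the break-in and kept somewhere the intruder could not edit; the same goes for wtmp and the bash history, which here happened to survive only because nobody bothered to clean them.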
On finding the IRC bot source I cleaned up and then went looking around. Joining Undernet is pretty easy and, given that I know the name of the channel the bot joined, finding Francisco wasn’t too hard. He was sitting in the channel with about fifty different copies of the IRC bot running on machines in at least Russia, Japan, Australia and the UK. After I’d sat in the channel for a few minutes he asked why I was here and I explained that I’d followed the bot. I’m still slightly surprised that he didn’t just /kick me right then.
Over the following ten minutes my almost non-existent Spanish and Francisco’s poor English allowed us to communicate a little. He didn’t seem to think that there was anything wrong with collecting “servants” from around the globe. Being a “hack” was his hobby, whereas working at a web publishing company was his paid work. He was going to demonstrate how he’d broken into the Pentagon, but the demo never seemed to appear.
In reality I was lucky. Francisco didn’t appear to use my machine for anything damaging either to itself or other systems. It could have been a lot worse. The machine in question needs a rebuild anyway (it’s currently running a mixture of Debian stable and testing). It would be nice to run Solaris, but drivers for the line card used by Asterisk don’t yet exist.
So, remember to keep your Linux machines up to date and, if you see Phil^ in #DrotDeGourvilleSrmANgod999 on Undernet, say “Hi Francisco!” for me.