francisco

Posted on Oct 11, 2004

Last Tuesday, Francisco, a thirty-eight year old Argentinian, broke into the Debian machine that sits in my loft.

He seemed reluctant to provide details, but I’m guessing that he used the fact that I was running an outdated version of Samba to gain access initially. Either that or a weak password. Given shell access Francisco downloaded a couple of small applications from the net and used them to gain root privilege, presumably using holes in the 2.4.24 Linux kernel. With that privilege he created a new account (called format) and switched to it.

As format Francisco downloaded the source for an IRC bot called energy mech, compiled it and then set a couple of copies running. The bot connects to the Undernet IRC network and, in this case, joins a channel called #DrotDeGourvilleSrmANgod999. By joining the channel himself Francisco can give instructions to the bot.

Figuring all of this out was pretty straight-forward. Francisco doesn’t seem to have made any attempt to cover his tracks. The wtmp logs are intact, showing that he connected from 217.20.84.20, 212.191.89.200 and 168.226.100.133 - mostly the last of these. The bash history files for format are intact and show the websites that he used to download the tools to gain root access. The IRC bot source and binaries are sitting in /var/tmp/emech-2.8.4 and the running bot was visible in the process table as ./sni.

I noticed the break-in because I was looking for something else. Those ./sni processes stood out as something unexpected. The fact that the format user had appeared was the first big clue and things got easier from there.

On finding the IRC bot source I cleaned up and then went looking around. Joining Undernet is pretty easy and, given that I know the name of the channel the bot joined, finding Francisco wasn’t too hard. He was sitting in the channel with about fifty different copies of the IRC bot running on machines in at least Russia, Japan, Australia and the UK. After I’d sat in the channel for a few minutes he asked why I was here and I explained that I’d followed the bot. I’m still slightly surprised that he didn’t just /kick me right then.

Over the following ten minutes my almost non-existent Spanish and Francisco’s poor English allowed us to communicate a little. He didn’t seem to think that there was anything wrong with collecting “servants” from around the globe. Being a “hack” was his hobby, whereas working at a web publishing company was his paid work. He was going to demonstrate how he’d broken into the Pentagon, but the demo never seemed to appear.

In reality I was lucky. Francisco didn’t appear to use my machine for anything damaging either to itself or other systems. It could have been a lot worse. The machine in question needs a rebuild anyway (it’s currently running a mixture of Debian stable and testing). It would be nice to run Solaris, but drivers for the line card used by Asterisk don’t yet exist.

So, remember to keep your Linux machines up to date and, if you see Phil^ in #DrotDeGourvilleSrmANgod999 on Undernet, say “Hi Francisco!” for me.