{"id":93,"date":"2010-12-18T02:44:55","date_gmt":"2010-12-18T02:44:55","guid":{"rendered":"http:\/\/fatsquirrel.org\/bologs\/vng\/lameness-crackers-and-crappers\/"},"modified":"2010-12-18T02:44:55","modified_gmt":"2010-12-18T02:44:55","slug":"lameness-crackers-and-crappers","status":"publish","type":"post","link":"https:\/\/fatsquirrel.org\/oldfartsalmanac\/lameness-crackers-and-crappers\/","title":{"rendered":"Lameness: crackers and crappers"},"content":{"rendered":"<p>This is geeky. Be warned.<\/p>\n<p>There are some telltale signs when a server has been hacked &#8211; and nowadays I can smell them as clearly as I can smell bacon. Last night one of our servers exhibited the dead-cert-hack behaviour. To cut a long and tedious story short, I didn&#8217;t get to bed until around 3, and the problem was still not solved despite having access (albeit limited and a bit crap) to a KVM.<br \/>\nOn reflection it&#8217;s hardly surprising the box got hacked &#8211; it was running Debian &#8220;Etch&#8221; which lost support in 2009. But what got me was how far wrong I was with my assumptions.<\/p>\n<p>I&#8217;d assumed the rootkit was a kernel module and thus a right bugger to shift. It wasn&#8217;t. In fact it was an old fashioned SHV5 rootkit which nobbles programs like ifconfig, netstat, ps and friends. I didn&#8217;t think people still used them! Consequently they should be really easy to fix&#8230;but they weren&#8217;t. As root, trying to delete any of them failed with a &#8220;Permission Denied&#8221; error. This confirmed my theory that a kernel module was involved. The worst problem with this was that no matter how I tried to boot a clean kernel &#8211; these files were still immutable. It was really quite distressing.<\/p>\n<p>After some Googling, I&#8217;d noticed a pattern in the clueless comments of users that asserted the protection of these binaries was down to filesystem attributes such as &#8220;immutable&#8221;. 
Obviously, in this day and age this was rubbish! If you 0wn the kernel, you can do what you like. But out of desperation, I tried using lsattr and chattr&#8230;and, fuck me, it worked!<\/p>\n<p>The entire rootkit was removed without any special booting or rescue disk. Jesus, guys &#8211; that is so 2000!<\/p>\n<p>Meanwhile my colleague, and benefactor, on the other side of the globe, had been running some backups to protect against the worst-case scenario. Our hacker friend was coming from a netblock in Poland, and no matter what I did, the fucker still managed to get back in. It was driving me mad!<\/p>\n<p>I had blocked every single hole: pam libraries, sshd, etc etc, yet the fucker was still able to glide in and do his bandwidth-destroying work!<\/p>\n<p>It was only during an IM session with my colleague that a correlation became apparent: every time he started a backup job, it got killed. I checked his IP address and realised that for the past few hours I was battling against him! The crackers hadn&#8217;t tried anything else all day &#8211; I was tilting at windmills (well, at my friend).<\/p>\n<p>In defence, his netblock was <i>very<\/i> similar to our Polish friend&#8217;s. But it doesn&#8217;t stop me feeling like a bit of a prick.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is geeky. Be warned. There are some telltale signs when a server has been hacked &#8211; and nowadays I can smell them as clearly as I can smell bacon. Last night one of our servers exhibited the dead-cert-hack behaviour. 
To cut a long and tedious story short, I didn&#8217;t get to bed until around [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-93","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/fatsquirrel.org\/oldfartsalmanac\/wp-json\/wp\/v2\/posts\/93","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fatsquirrel.org\/oldfartsalmanac\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fatsquirrel.org\/oldfartsalmanac\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fatsquirrel.org\/oldfartsalmanac\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fatsquirrel.org\/oldfartsalmanac\/wp-json\/wp\/v2\/comments?post=93"}],"version-history":[{"count":0,"href":"https:\/\/fatsquirrel.org\/oldfartsalmanac\/wp-json\/wp\/v2\/posts\/93\/revisions"}],"wp:attachment":[{"href":"https:\/\/fatsquirrel.org\/oldfartsalmanac\/wp-json\/wp\/v2\/media?parent=93"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fatsquirrel.org\/oldfartsalmanac\/wp-json\/wp\/v2\/categories?post=93"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fatsquirrel.org\/oldfartsalmanac\/wp-json\/wp\/v2\/tags?post=93"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}