SkyHog (joined Feb 23, 2005; Castle Rock, CO)
Last night, I was browsing the internet, and things started going quite slow...like molasses slow. Took almost 5 minutes to load a page off PoA. Decided I better start digging.
Let me explain how I have my stuff set up at home.
I have a file server, a media server, a web server, and a "multi-purpose" server which does everything the others do, and then some. Why so many? Why not?
The "multi-purpose" server is my DNS server, my DHCP server, and has Apache running on it for a specialized website that I run internally, with an instance of MySQL specific to that one website. It also contained most of my important documents that I backed up for when I moved across the country. It also serves as the portal to my entire network, as I run VNC on it and an X-Server, for easy remote control.
At some point in the past, I am not sure when or why, I enabled port forwarding on my router, forwarding a bunch of ports to that IP address. Among those ports were the SSH port, the VNC port, the MySQL port, and port 80. Still, no clue why I enabled this.
About 2 days ago, I was testing out TightVNC in lieu of the default Vino VNC that comes with Ubuntu. I neglected to set a password on this instance of VNC.
You can see the accident chain building up, can't you....
Now that the background is out of the way, back to the original story. I noticed the slowdown, VNCed into my "multi-purpose" server, and found Ubuntu Update Manager running, password window open, with a long password typed in and "Incorrect Password" on the screen. I turned to my wife and said "Stupid cats," since they like to play on the keyboard for the server sometimes, and I don't always disconnect it.
But then I closed the update window and saw that a spreadsheet was opened, with a dump of the data that is contained within the MySQL Server (financial information), and "You got pwned!!!" in cell A1.
Oh crap.
I immediately went into snoop mode. Found that nearly 100% of my CPU power was being taken up by 2 perl scripts, there were 4 instances of TightVNC running, and 2 active connections to IRC servers. It appears that connections to my other servers had not occurred, thankfully, despite them being wide open to that machine in question.
I dug through auth.log and found out that there had been attempts to break in going on for 2 days using the open SSH port and username 'root' (thank God that's disabled by default in Ubuntu). This was a brute force attempt that persisted for 2 days; every 2-3 seconds a different attempt was tried. auth.log was filled with "POSSIBLE BREAK IN ATTEMPT."
But then the attempts stopped in auth.log. And a bunch of cron jobs were created, which were set to restart the perl scripts in question above. The entire history of what this guy was doing was present in auth.log.
Then I found an IRC log...with some DCC file transfer in it that didn't look pretty. Unfortunately, I don't know where on my file system that these files were stored, because I can't seem to find them. I also am not missing a large amount of disk space, so I am not sure the files are even there anymore.
Rather than mess around too much more, it's time to restore a backup.
Wow, I'm dumb.
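The auth.log evidence described in the post (a multi-day run of failed root logins a few seconds apart, "POSSIBLE BREAK-IN ATTEMPT" warnings, then the attempts stopping) is exactly the pattern a small log triage script can surface. The following is an added example, not code from the post or from any tool it mentions; the auth.log lines it parses are constructed samples in standard Ubuntu sshd format, and the addresses come from documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not taken from the original post); the
# addresses are from documentation ranges, not real hosts.
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:05 multi sshd[2231]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 02:14:07 multi sshd[2233]: reverse mapping checking getaddrinfo for h.example [203.0.113.7] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar  3 02:14:08 multi sshd[2234]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  3 02:14:11 multi sshd[2237]: Failed password for invalid user admin from 203.0.113.7 port 51140 ssh2
Mar  3 02:14:14 multi sshd[2240]: Failed password for root from 203.0.113.7 port 51150 ssh2
Mar  3 02:15:01 multi sshd[2260]: Accepted password for bob from 203.0.113.7 port 51200 ssh2
Mar  3 02:20:30 multi sshd[2301]: Failed password for alice from 192.0.2.9 port 40000 ssh2
Mar  3 02:21:00 multi sshd[2305]: Accepted publickey for alice from 192.0.2.9 port 40010 ssh2
"""

TS = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED = re.compile(TS + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
ACCEPTED = re.compile(TS + r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port")
BREAKIN = re.compile(TS + r".*\[(?P<ip>[\d.]+)\] failed - POSSIBLE BREAK-IN ATTEMPT")

def analyze_auth_log(text, min_failures=3):
    """Per source IP: failure count, root attempts, attempt rate, break-in warnings,
    and any login that succeeded right after a failure streak from the same source."""
    stats = defaultdict(lambda: {"failed": 0, "root": 0, "breakin": 0,
                                 "times": [], "accepted_after_failures": []})
    for line in text.splitlines():
        if m := FAILED.match(line):
            s = stats[m["ip"]]
            s["failed"] += 1
            s["root"] += m["user"] == "root"
            # syslog timestamps carry no year; the default (1900) is fine for gaps
            s["times"].append(datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S"))
        elif m := BREAKIN.match(line):
            stats[m["ip"]]["breakin"] += 1
        elif m := ACCEPTED.match(line):
            s = stats[m["ip"]]
            if s["failed"] >= min_failures:   # success after a brute-force run: investigate
                s["accepted_after_failures"].append(m["user"])
    findings = {}
    for ip, s in stats.items():
        if s["failed"] < min_failures and not s["accepted_after_failures"]:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(s["times"], s["times"][1:])]
        findings[ip] = {
            "failed": s["failed"], "root_attempts": s["root"], "breakin_warnings": s["breakin"],
            "avg_gap_seconds": round(sum(gaps) / len(gaps), 1) if gaps else None,
            "accepted_after_failures": s["accepted_after_failures"],
        }
    return findings
```

On a real box, feed it `open("/var/log/auth.log").read()`; a source with a steady few-second cadence of root failures followed by an accepted login is the signal to pull the plug and go to backups, as the post ends up doing.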