I am a bad geek.
Yesterday I got home from work and sat down at my G5 to check e-mail and such. I noticed that one of my processors was spiked at 100%. A quick journey to top revealed that my xbox user was hammering on perl.
A quick digression
I have a non-admin user on my G5 for the specific purpose of sharing out files to a hacked xbox in the living room. That user is called xbox. Stupidly, I also made its password xbox. Moving on.
Moving on
After that sinking feeling of seeing a perl process eating a lot of processor, owned by a non-person user, it was time to investigate. I killed the process of course. I then pulled up the console to have a look at the logs. 5 days of authentication failures on user xbox. More sinking. su over to the xbox account to have a look around the home folder. There it is. A downloaded irc bot and a ping flooding perl script. He was ping flooding someone when I killed it.
So what happened? About six months ago, I was traveling and set up my airport base station to pass ssh traffic through to my tower so I could log into it and tunnel traffic through my home network (now closed). I’m guessing that someone was port scanning blocks of IPs on Cox’s network and trying passwords for the xbox user name knowing that it’s getting pretty common for people to have hacked xboxen doing specifically what I’m doing with mine. The script kiddie didn’t try any other user names. He then dictionary attacked the account and after five days finally hit the right password. xbox. Der.
So, time to assess damage. Check the bash history. No attempts to su or even change the from the users home directory. He just curls the apps chmods them to +x and then exits. I check the logs for any attempts to root the box, and any rootkit stuff he might have attempted. Nothing. So this looks like an automated attack. He was just making the machine into a ping flood zombie to terrorize irc kids. sigh.
Time to sanitize. Changed all user passwords on the box. Used nasty nasty passwords. Xbox account is nuked completely. New user is set up to share files. New user has an unguessable name. New user has a shitty-hard password. New user has no home folder. New user has no write access anywhere in the system. New user has no ssh access. Ssh access is now on internal network only. Zero outside access.
Next steps
Need to kill ssh password authentication and move to keys only. Fuck dictionary attacks.
set up log monitoring script that will alert me to password attempts. Shouldn’t be needed after doing key authentication only, but hey, for good measure.
I’m stupid
What made this all possible for script kiddie x was a perfect storm of stupidity on my part. Passing ssh traffic to the G5, having a user with a weak password who had ssh access, running ssh keyless, my careless attitude. Since moving the servers to a hosted solution, I’ve been really lax with computer security figuring that I’m one little number in a sea of IP addresses. blah. Lock it down.
Thankfully, they xbox user account was pretty locked down as it was, so he wouldn’t have been able to root the box or do anything too nasty even if he tried, but it’s still scary.
Moral of the story? Don’t be stupid. Use strong passwords. Don’t open your machine to the cloud without locking it down tight. Thank you. Good night.