“I've got some bad news,” I said to Smirk.
“You know the rules,” he said. “You have to make it sound like good news.”
I thought for a few moments. “We can save electricity by turning off this server,” I said, pointing to one of the boxes in the office.
“It doesn't work?”
“No,” I said.
“It was hacked?” asked Smirk.
“'Fraid so,” I said.
I only noticed because the network to the office went down. I could ping other boxes in the office, but couldn't get past the firewall. I then went into the data center, logged onto one of the servers and yes, I could still get out to the Internet (relief there). But I couldn't ping the firewall from outside.
I then checked the firewall, and it was still up and running. If I unplug the office network, I could ping the firewall from the outside. Plug the office network in, and it gets swamped.
So something on our network was spamming the network.
Spent the next few minutes plugging and unplugging various bits of the office network until I isolated the culprit—the system that monitors the servers and network.
It was at that point that I broke the news to Smirk.
Once it was unplugged, I start poking the machine and yup, there was this
odd process: “
./s 202.XXX.XXX.XXX”. It was pretty
easy to locate the actual executable under
which is normally not a place for executables. The process was
running as the
apache user, and the files under
/dev/shm/http were owned by
apache, which to me,
is a rather obvious clue that it was Apache was the vector of the
Among the files in
/dev/shm/http/ were configuration files
to a hacked IRC bot (which was named
s) and some other program (named
what that was) and a few scripts to start things up and to clean the log
files (which the cracker had not bothered to run). The hacked up IRC bot would just sit there until
commanded to participate in a DDoS attack, which obviously was the cause of the sudden
network activity, aimed at a site in Japan.
But how? How did this person get in?
More poking around the system lead to a rather curious request just a few
minutes before I lost network connectivity (due to the firewall being
swamped)—it was a request to Cacti, a data storage and graphic package
with a web based interface written in PHP (why does that not surprise me?). It
seems we had fallen prey to a Raxnet
graph_image.php Remote Command Execution Exploit,
which basically means the cracker was able to send a command to the server,
in this case, a command that would download a perl script and execute it,
opening up a shell to a remote connection. It was through this that the
hacked programs were uploaded and started.
Fortunately, this is the only system running Cacti, and second, there was no trust mechanism to any other machine on the network from this machine. And third, this is a machine that we only log in to, never log in from, so any damage was limited to just this machine.
On the bright side, it could have been worse.
On May 5th, 2005 (05/05/05 spooky!) I set out to determine just how much money I could lose by trusting SPAM.
What if I purchased 1000 shares of stock from EVERY stock tip mentioned in a SPAM email? Could we all really be missing out on a great opportunity?
Of course, I don't have the money to actually waste on an experiment like this. I made this little web site to keep track of the value of those stocks … without my actually purchasing anything.
I did a bit of stock trading back during the Internet Boom (and made enough to get a car and take it easy for a while, more due to timing than skill) so it's pretty easy to see the scam here (and yes, I get these stock spams too). A scammer buys a penny stock (a large volume of penny stock), hawks it like there's no tomorrow (because, really, there isn't) and sells it as soon as it upticks a few cents.
One thing to note: I thought that I would realize temporary windfalls on all penny stocks, but then see big losses. Instead almost ALL of those stocks I added went up a few cents max, then dropped like flies the next day. So much for short term gains.
One thing to consider—these are cheap! Picking one from his
HTSC.PK. Purchase price was 19¢ per share. Even if
it goes up 3¢, for 20,000 shares ($3,800) that's still $600 profit, and
two such trades per week isn't that bad a take (and the Spam Stock Tracker
“bought” it at 19¢—the spammer probably got it for a cent or two
An interesting strategy might be to “buy” the stock early in the morning, then “sell” just before the markets close the same day, and see how well one does.