The Boston Diaries

The ongoing saga of a programmer who doesn't live in Boston, nor does he even like Boston, but yet named his weblog/journal “The Boston Diaries.”

Go figure.

Wednesday, October 05, 2005

It's squid eyeballs I tell ya!

For Spring, because I know she'll like it (via Flutterby).

It could have been worse

“I've got some bad news,” I said to Smirk.

“You know the rules,” he said. “You have to make it sound like good news.”

I thought for a few moments. “We can save electricity by turning off this server,” I said, pointing to one of the boxes in the office.

“It doesn't work?”

“No,” I said.

“It was hacked?” asked Smirk.

“'Fraid so,” I said.

I only noticed because the network to the office went down. I could ping other boxes in the office, but couldn't get past the firewall. I then went into the data center, logged onto one of the servers and yes, I could still get out to the Internet (relief there). But I couldn't ping the firewall from outside.

I then checked the firewall, and it was still up and running. If I unplug the office network, I could ping the firewall from the outside. Plug the office network in, and it gets swamped.

So something on our network was spamming the network.

Spent the next few minutes plugging and unplugging various bits of the office network until I isolated the culprit—the system that monitors the servers and network.

Of course!

It was at that point that I broke the news to Smirk.

Once it was unplugged, I started poking the machine and yup, there was this odd process: “./s 202.XXX.XXX.XXX”. It was pretty easy to locate the actual executable under /dev/shm/http/, which is normally not a place for executables. The process was running as the apache user, and the files under /dev/shm/http were owned by apache, which to me, is a rather obvious clue that Apache was the vector of the exploit.

Among the files in /dev/shm/http/ were configuration files to a hacked IRC bot (which was named s) and some other program (named httpd—not sure what that was) and a few scripts to start things up and to clean the log files (which the cracker had not bothered to run). The hacked up IRC bot would just sit there until commanded to participate in a DDoS attack, which obviously was the cause of the sudden network activity, aimed at a site in Japan.

But how? How did this person get in?

More poking around the system led to a rather curious request just a few minutes before I lost network connectivity (due to the firewall being swamped)—it was a request to Cacti, a data storage and graphic package with a web-based interface written in PHP (why does that not surprise me?). It seems we had fallen prey to a Raxnet Cacti graph_image.php Remote Command Execution Exploit, which basically means the cracker was able to send a command to the server, in this case, a command that would download a Perl script and execute it, opening up a shell to a remote connection. It was through this that the hacked programs were uploaded and started.

Fortunately, this is the only system running Cacti, and second, there was no trust mechanism to any other machine on the network from this machine. And third, this is a machine that we only log in to, never log in from, so any damage was limited to just this machine.

On the bright side, it could have been worse.
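
The giveaway in this entry was a process running out of /dev/shm/http/ as the apache user. The following Python script is an added example, not code from the original entry: it walks /proc and reports every process whose executable or working directory sits under a memory-backed or temp directory. The directory list and the function names are assumptions of the example.

```python
#!/usr/bin/env python3
"""Flag processes whose executable or working directory is under /dev/shm, /tmp, etc."""
import os
import sys

# Assumption: places where legitimate daemons rarely keep their binaries.
SUSPECT_DIRS = ("/dev/shm", "/run/shm", "/tmp", "/var/tmp")
DELETED = " (deleted)"  # suffix the kernel adds to exe when the file was unlinked


def _link(path):
    """Return a symlink target, or None if unreadable (process exited, no permission)."""
    try:
        return os.readlink(path)
    except OSError:
        return None


def _under(path, roots):
    """True if path is one of roots or lies beneath one (/dev/shmoo does not match)."""
    return any(path == r or path.startswith(r + "/") for r in roots)


def suspicious_processes(proc_root="/proc", roots=SUSPECT_DIRS):
    """Return one dict per process that runs from, or sits in, one of roots."""
    hits = []
    pids = sorted((e for e in os.listdir(proc_root) if e.isdigit()), key=int)
    for pid in pids:
        base = os.path.join(proc_root, pid)
        exe, cwd = _link(base + "/exe"), _link(base + "/cwd")
        deleted = bool(exe) and exe.endswith(DELETED)
        if deleted:
            exe = exe[: -len(DELETED)]  # binary removed from disk but still running
        if not ((exe and _under(exe, roots)) or (cwd and _under(cwd, roots))):
            continue
        try:
            uid = os.stat(base).st_uid  # /proc/<pid> is normally owned by the effective UID
        except OSError:
            uid = None
        hits.append({"pid": int(pid), "uid": uid, "exe": exe,
                     "cwd": cwd, "deleted": deleted})
    return hits


if __name__ == "__main__":
    for hit in suspicious_processes(sys.argv[1] if len(sys.argv) > 1 else "/proc"):
        print(hit)
```

Run it as root so the exe and cwd links of other users' processes are readable; a hit owned by the web server's account is the pattern described above.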

Tracking Spam Stock

On May 5th, 2005 (05/05/05 spooky!) I set out to determine just how much money I could lose by trusting SPAM.

What if I purchased 1000 shares of stock from EVERY stock tip mentioned in a SPAM email? Could we all really be missing out on a great opportunity?

Of course, I don't have the money to actually waste on an experiment like this. I made this little web site to keep track of the value of those stocks … without my actually purchasing anything.

Via Jason Kottke, Spam Stock Tracker

I did a bit of stock trading back during the Internet Boom (and made enough to get a car and take it easy for a while, more due to timing than skill) so it's pretty easy to see the scam here (and yes, I get these stock spams too). A scammer buys a penny stock (a large volume of penny stock), hawks it like there's no tomorrow (because, really, there isn't) and sells it as soon as it upticks a few cents.

One thing to note: I thought that I would realize temporary windfalls on all penny stocks, but then see big losses. Instead almost ALL of those stocks I added went up a few cents max, then dropped like flies the next day. So much for short term gains.

Spam Stock Tracker

One thing to consider—these are cheap! Picking one from his list, HTSC.PK. Purchase price was 19¢ per share. Even if it goes up 3¢, for 20,000 shares ($3,800) that's still $600 profit, and two such trades per week isn't that bad a take (and the Spam Stock Tracker “bought” it at 19¢; the spammer probably got it for a cent or two less).

An interesting strategy might be to “buy” the stock early in the morning, then “sell” just before the markets close the same day, and see how well one does.


It is assumed that every brand name, slogan, corporate name, symbol, design element, et cetera mentioned in these pages is a protected and/or trademarked entity, the sole property of its owner(s), and acknowledgement of this status is implied.

Copyright © 1999-2024 by Sean Conner. All Rights Reserved.