Archive for May, 2009

Another Wave of Script Kiddies

Sunday, May 17th, 2009

Just had to harden my server some more. I have now set up an account with an easily guessable username and password whose login shell is a script which:

A. Sends me an email with the IP the attacker is from
B. Drops the attacker into a chrooted shell.

Anyway, a recent script kiddie left behind some files, most of which were long lists of usernames and passwords, while others were lists of IPs which had been portscanned on port 22. A few files were executables, which were apparently used to hack more machines. One of them was called “ssh”, and when I ran ./ssh, I got this:

./ssh <cate pizde sa incerc…>

I thought this must be some internationalized version of SSH. But when I tried to run ./ssh localhost, I got this:

Toata dragostea mea pentru diavola!!!!!!

I had seen this message before, in my apache logs:

72.252.209.134 - - [10/Jan/2009:04:27:44 -0800] "GET HTTP/1.1 HTTP/1.1" 400 344 "-" "Toata dragostea mea pentru diavola"
72.252.209.134 - - [10/Jan/2009:04:27:45 -0800] "GET /roundcube//bin/msgimport HTTP/1.1" 404 340 "-" "Toata dragostea mea pentru diavola"

And this:

147.83.113.228 - - [13/Jan/2009:23:50:47 -0800] "GET HTTP/1.1 HTTP/1.1" 400 344 "-" "Toata dragostea mea pentru diavola"
147.83.113.228 - - [13/Jan/2009:23:50:48 -0800] "GET /mantisbt/login_page.php HTTP/1.1" 404 339 "-" "Toata dragostea mea pentru diavola"
147.83.113.228 - - [13/Jan/2009:23:50:48 -0800] "GET /tracker/login_page.php HTTP/1.1" 404 338 "-" "Toata dragostea mea pentru diavola"
147.83.113.228 - - [13/Jan/2009:23:50:49 -0800] "GET /bugtracker/login_page.php HTTP/1.1" 404 341 "-" "Toata dragostea mea pentru diavola"
147.83.113.228 - - [13/Jan/2009:23:50:49 -0800] "GET /bugtrack/login_page.php HTTP/1.1" 404 339 "-" "Toata dragostea mea pentru diavola"
147.83.113.228 - - [13/Jan/2009:23:50:50 -0800] "GET /support/login_page.php HTTP/1.1" 404 338 "-" "Toata dragostea mea pentru diavola"
147.83.113.228 - - [13/Jan/2009:23:50:50 -0800] "GET /bug/login_page.php HTTP/1.1" 404 334 "-" "Toata dragostea mea pentru diavola"
147.83.113.228 - - [13/Jan/2009:23:50:50 -0800] "GET /bugs/login_page.php HTTP/1.1" 404 335 "-" "Toata dragostea mea pentru diavola"
147.83.113.228 - - [13/Jan/2009:23:50:51 -0800] "GET /mantis/login_page.php HTTP/1.1" 404 337 "-" "Toata dragostea mea pentru diavola"
147.83.113.228 - - [13/Jan/2009:23:50:51 -0800] "GET /login_page.php HTTP/1.1" 404 330 "-" "Toata dragostea mea pentru diavola"

Great. Now I have script kiddies trying to crack things that I don’t have installed, and they are using my server to portscan and hack other servers. Seriously, script kiddies, I know you’re not reading this, but GTFO my server.
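Added example (not part of the original post): a small Python check that reads Apache combined-format lines like the excerpts above and flags clients by the scanner's user-agent string, by request lines with no path, or by runs of 404s on distinct paths. The function names, the `MIN_PROBES` threshold and the `192.0.2.10` line are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" '
                     r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Blog software turns pasted quotes/dashes into typographic ones; undo that first.
ASCII = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2033": '"', "\u2013": "-"})
SCANNER_UA = "toata dragostea mea pentru diavola"  # user-agent quoted in the post
MIN_PROBES = 5  # assumed threshold: distinct 404 paths before an IP counts as a scanner

def parse(line):
    """Return (ip, target, status, user_agent), or None if the line does not parse."""
    m = LINE_RE.match(line.translate(ASCII).strip())
    if m is None:
        return None
    parts = m["req"].split()
    target = parts[1] if len(parts) == 3 else ""
    return m["ip"], target, int(m["status"]), m["ua"]

def analyse(lines):
    """Per-IP summary: scanner user-agent seen, malformed requests, distinct 404 paths."""
    seen = defaultdict(lambda: {"ua": False, "malformed": 0, "missing": set()})
    for ip, target, status, ua in filter(None, map(parse, lines)):
        entry = seen[ip]
        entry["ua"] |= SCANNER_UA in ua.lower()
        if not target.startswith("/"):   # e.g. "GET HTTP/1.1 HTTP/1.1": no path given
            entry["malformed"] += 1
        elif status == 404:
            entry["missing"].add(target)
    return dict(seen)

def suspects(lines):
    """IPs that sent the scanner user-agent or probed MIN_PROBES+ nonexistent paths."""
    return sorted(ip for ip, e in analyse(lines).items()
                  if e["ua"] or len(e["missing"]) >= MIN_PROBES)

# Sample input: lines from the excerpts above; the last line is constructed (benign).
SAMPLE = [
    '72.252.209.134 - - [10/Jan/2009:04:27:44 -0800] "GET HTTP/1.1 HTTP/1.1" 400 344 "-" "Toata dragostea mea pentru diavola"',
    '72.252.209.134 - - [10/Jan/2009:04:27:45 -0800] "GET /roundcube//bin/msgimport HTTP/1.1" 404 340 "-" "Toata dragostea mea pentru diavola"',
    '147.83.113.228 - - [13/Jan/2009:23:50:48 -0800] "GET /mantisbt/login_page.php HTTP/1.1" 404 339 "-" "Toata dragostea mea pentru diavola"',
    '147.83.113.228 - - [13/Jan/2009:23:50:48 -0800] "GET /tracker/login_page.php HTTP/1.1" 404 338 "-" "Toata dragostea mea pentru diavola"',
    '147.83.113.228 - - [13/Jan/2009:23:50:49 -0800] "GET /bugtracker/login_page.php HTTP/1.1" 404 341 "-" "Toata dragostea mea pentru diavola"',
    '147.83.113.228 - - [13/Jan/2009:23:50:49 -0800] "GET /bugtrack/login_page.php HTTP/1.1" 404 339 "-" "Toata dragostea mea pentru diavola"',
    '147.83.113.228 - - [13/Jan/2009:23:50:50 -0800] "GET /support/login_page.php HTTP/1.1" 404 338 "-" "Toata dragostea mea pentru diavola"',
    '192.0.2.10 - - [10/Jan/2009:04:30:00 -0800] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]
if __name__ == "__main__": print(suspects(SAMPLE))
```

The user-agent match alone is easy for a scanner to evade by changing the string, which is why the 404 count is checked independently of it.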

Update: to see how script kiddies operate, I recommend you read this.

Going for 100 and 100,000

Sunday, May 10th, 2009

The server is currently at 85 days, 10 mins of uptime as of this post. I am going for 100. Hopefully, there will not be a >1 hour power failure, or a software crash (there never has been). I will be going for 200 days of uptime after this. I’d also like to thank the Debian team for a rock-solid OS.

Update: A live tracker is up: http://mattventura.net/uptime

Also, mattventura.net has a folding@home team (team 161515). The team will hit 100,000 points in a few days. I hope to pick up a few members to speed up the team. The team, in its current state, will hit 1,000,000 points in about six months. Anyone who wants to join is welcome. If you contribute, I will give you a link back to your site on a page on this site that will list all the contributors to the team (currently only me).

IE sucks

Sunday, May 3rd, 2009

Read more for suckiness.