I got 0wn3d

Ok, it was my own stupidity, but somebody logged onto my box yesterday through the clamav account which was used for my mail scanning and filtering. I get an email every day from the logwatch cron job which gives me a summary of what had happened throughout the day, and in this case, I just happened to see that the user clamav had logged in three times through SSH, from three different IP addresses. I had changed the default shell from /bin/false to /bin/bash to set up some anti-virus scanning stuff with ClamAV, and I forgot to change the shell back to /bin/false when I had finished and the password was still set to clamav.

I logged on to find the process own running at 100% cpu. I killed it quick smart and started investigating. The user didn’t have any home directory, so no bash history was available, unfortunately. What I did find was a folder called local with some goodies in it.

total 3588
-rwxr-xr-x 1 clamav clamav 19599 Feb 21 16:23 a
-rwxr-xr-x 1 clamav clamav 307990 Apr 10 11:46 aVe
-rwxr-xr-x 1 clamav clamav 452101 Oct 16 2004 brk2
-rwxr-xr-x 1 clamav clamav 4491 Mar 14 02:24 buffer
-rwxr-xr-x 1 clamav clamav 26584 Jan 15 12:49 elf
-rw-r--r-- 1 clamav clamav 10828 Jan 27 14:56 ex_gpsd.c
-rwxr-xr-x 1 clamav clamav 164 Apr 2 19:35 exim.pl
-rwxr-xr-x 1 clamav clamav 5939 Jan 15 12:49 gcc
-rwxr-xr-x 1 clamav clamav 445809 Feb 15 2004 h2
-rwxr-xr-x 1 clamav clamav 468696 Jan 15 12:50 kmx
-rwxr-xr-x 1 clamav clamav 9176 Mar 13 22:35 krad
-rwxr-xr-x 1 clamav clamav 27841 Jan 15 12:49 loc
-rwxr-xr-x 1 clamav clamav 551 Dec 14 2004 mailbomb
-rwxr-xr-x 1 clamav clamav 446714 Jan 8 15:50 mmap2
-rwxr-xr-x 1 clamav clamav 408978 Jan 8 15:52 mremap_pte
-rwxr-xr-x 1 clamav clamav 428551 Feb 12 09:18 op
-rwxr-xr-x 1 clamav clamav 19910 Mar 20 2003 own
-rwxr-xr-x 1 clamav clamav 14282 Mar 13 22:40 pwned
-rwxr-xr-x 1 clamav clamav 7745 Mar 23 05:28 root
-rwxr-xr-x 1 clamav clamav 9870 Apr 2 19:31 stackgrow2
-rw-r--r-- 1 clamav clamav 8366 Jan 16 17:30 stackgrow2.c
-rwxr-xr-x 1 clamav clamav 468689 Jan 8 15:56 w00t

I have had a poke around, and it seems that this is the only thing that has happened on the box. From the looks of it, they are a random bunch of local root exploits, plus a mailbomber. There are no rootkits (I have scanned with rkhunter and chkrootkit) and currently no unaccounted open network connections, so I think I’m ok.

I have been noticing the number of SSH attempts at random accounts appearing in my PAM logs. Mostly to root, but some to other accounts like test, admin and various common names. Out of interest’s sake (and I know that Timmy blocked email from all of China), I have decided to have a look at where these SSH attempts were coming from. I installed an IP-to-country converter on my server and checked the location of some of these attempts. The short list is:

  • Korea
  • China
  • India
  • Hong Kong
  • Hungary
  • Romania

I found a script on the net to generate iptables rules based on IP ranges of countries. I hope that it helps…

So, the lesson of the day is: don’t leave any accounts open with a default password and a valid shell! :)
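As an added example (not code from this post), here are the two checks the story implies, in Python: a pass over /etc/passwd for service accounts left with an interactive shell, and a pass over sshd log lines for accepted logins to those accounts from several different addresses, which is exactly what the logwatch summary showed. The passwd and log samples are constructed, and the UID cut-off of 1000 for service accounts is an assumption.

```python
import re

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}  # deny interactive login
SYSTEM_UID_MAX = 999  # assumption: UIDs below 1000 are service accounts on this host

# Constructed /etc/passwd sample (not the post's real file): clamav left on /bin/bash.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
clamav:x:104:104::/nonexistent:/bin/bash
exim:x:105:105::/var/spool/exim:/bin/false
andy:x:1000:1000:Andy:/home/andy:/bin/bash
"""

# Constructed sshd syslog lines (not the post's actual logwatch output).
AUTH_LOG_SAMPLE = """\
Apr 11 02:13:07 box sshd[2210]: Accepted password for clamav from 192.0.2.10 port 4412 ssh2
Apr 11 03:41:55 box sshd[2298]: Failed password for invalid user test from 198.51.100.7 port 5120 ssh2
Apr 11 04:02:19 box sshd[2311]: Accepted password for clamav from 198.51.100.23 port 3301 ssh2
Apr 11 09:15:02 box sshd[2450]: Accepted publickey for andy from 203.0.113.5 port 50122 ssh2
Apr 11 11:46:40 box sshd[2533]: Accepted password for clamav from 203.0.113.77 port 1025 ssh2
"""

ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")


def service_accounts_with_shell(passwd_text):
    """Return {user: shell} for non-root service accounts whose shell allows login."""
    findings = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed entries
        user, uid, shell = fields[0], int(fields[2]), fields[6]
        if 0 < uid <= SYSTEM_UID_MAX and shell not in NOLOGIN_SHELLS:
            findings[user] = shell
    return findings


def accepted_logins_by_user(log_text):
    """Map each user with an accepted sshd login to the set of source addresses."""
    sources = {}
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            sources.setdefault(m.group(1), set()).add(m.group(2))
    return sources


def suspicious_service_logins(passwd_text, log_text):
    """Exposed service accounts that were actually logged into, with sorted source IPs."""
    exposed = service_accounts_with_shell(passwd_text)
    logins = accepted_logins_by_user(log_text)
    return {u: sorted(logins[u]) for u in exposed if u in logins}
```

Run against the real /etc/passwd and auth log, the first function is the thing to check before and after any temporary shell change on a service account.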

Andy the tram robber

The strangest thing happened to me yesterday. I was on my way back to big T, from a meeting down at Docklands, and it was freezing cold (funny, being winter and all…) so instead of walking, I jumped on a tram. The only thing was, that I didn’t buy a ticket. The only time I didn’t buy a ticket was the time that a ticket inspector decided to come on board.

When he asked me where my ticket was, I said that I had just got on the stop before, and I was waiting for the people who got on before me to finish buying their tickets, before I got on. The ticket inspector looked at me a little strange, and asked me where I got on. I pointed out the back window, to the tram stop a block away and said ‘that one’. He asked me again, and I repeated myself, pointing out the back window again. The funny thing was that the tram was only half full, so my story really wasn’t that convincing. I wasn’t even convincing myself :)

I don’t know what it was that I said, but he let me off the hook. He said I’d better buy one right now, but make sure I am more careful next time.

Phew! Don’t know how I got away with that one…

Today, I ate a sandwich

I had an amazing sandwich experience today.

It was about the only good thing to happen today. Damn Solaris 9 was giving me the shits. While trying to install it, I booted off the CD, and it just stopped at the point “Searching for upgradable Solaris root device…” and just stopped. For an HOUR! In the end, I booted off the hard disk, and gave it a rm -fr /. That fixed it real good. Didn’t give me any trouble after that :)

Here’s some photos of Julz, Davo and me:

I found out today that my phone can take photos at 1280×960. I was suitably impressed, although the images still look a bit washed out. I had a play with videos too. They’re encoded in some 3gp format, which xine and mplayer can only half decode at the moment. Video works fine, but there is no codec for the audio yet. Realplayer/Helix player plays them fine, and apparently quicktime can do it too.

The Andy Botting Memorial Room

Some time ago, in true Team Hardcore spirit, Mick put up a sign on the Honours room door.

It has a picture of me on it, and it said:

The Andy Botting Memorial Room


Mick: you know how we have that Andy Botting Memorial Room sign up on the honours room door
Andy: hehe
Andy: you told me
Andy: i still haven't seen it yet
Mick: at least 3 people have asked what Andy Botting died of
Andy: bawhahahahah
Andy: that's gold
Andy: i need to see this room
Mick: so the explanation is: "Honours will do that to you"

Now that’s funny! Big ups to Mick :)

UPDATE: Needed to put up the second picture that Mick sent me. This one is great, because it has the LinuxConf sign up too.


Glasses, and more glasses…

I can always judge a good night by what I walk away with. Literally. :)

At LinuxConf, it was the Carlton Draught beer mat. This time, I managed to pocket some pint glasses. Nine to be exact, plus this little fish bowl glass thing.


Also, big ups to Shaneo, who told the couple over the other side of the bar to “get a room!” as we were leaving. Nice work buddy.

Had a pretty rough recovery yesterday. Had some lunch at the Classic Curry Company which fixed me right up. If you’re ever near the Queen Vic Market, walk up Elizabeth St, and it’s near the Queensberry St. corner. It rocks.

Today, I’m off to see Geelong play down at Skilled Stadium against the Adelaide Crows. Here’s hoping that Geelong can redeem themselves after their losses in the last two rounds.

Shihad tonight

I’m bummed about not being able to get tickets for the Geelong v Collingwood game tonight at the Telstra Dome (apparently it’s not a ticketed game… but somehow they sold out BEFORE the game! grrrr) but the upside is that Bek and I are going to see Shihad tonight at the Hi-Fi Bar.

I’ve seen Shihad play a couple of times now, and they never disappoint me. So much loud guitar and energy, it just rocks your socks off :)

Apologies to Mick for missing out on his gig in Ballarat tonight.

As a side note, Gentoo rocks!