Red Emerald
June 07, 2012, 06:43:43 PM
So someone was able to login to my box and create users. I'm not sure how they did it as I have a rather long root password. They made multiple users and then fetched a file "gosh.tgz" and extracted it in /tmp/ and /dev/shm/ and /home/<their user>/.bash_history/
The location was different for each user. gosh contains some scripts and BNC, an IRC bouncer. They also stuck an entry in root's cron to run a script in /dev/shm/ to clear the user's history.
I'm going to build a new BAMT key, but for now I just looked at the histories of all of the new users (except the one that replaced .bash_history with a folder) to figure out where they stuck files and then deleted all the new users (easy to identify in /etc/passwd) and then edited /etc/sshd_config to only allow root without-password, so now my miner can only be logged into with a key.
How much of the system was exposed to the internet? Like all ports or were you doing some port forwarding?

Port 22 and 80 are all that are open. It's running ufw. I'm guessing they either cracked my root password or somehow broke in through munin. It was clearly a person and not a script. There were typos in .bash_history lol. Things like ";s" instead of "ls"
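The clean-up Red Emerald describes (reading the new users out of /etc/passwd, finding the root cron entry that runs from /dev/shm, and switching root to key-only SSH) can be turned into a repeatable check. The script below is an added example, not code from the thread or from BAMT; it assumes a Debian-style layout (ordinary users at UID 1000 and above, root's crontab under /var/spool/cron/crontabs/root, sshd config at /etc/ssh/sshd_config rather than the /etc/sshd_config mentioned above), and the sample passwd, crontab and sshd_config it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from BAMT: a small post-compromise
# triage that checks the three things described above, namely unexpected
# login-capable accounts in /etc/passwd, root cron entries that execute
# something out of /dev/shm or /tmp, and whether sshd still accepts root
# password logins. Every check takes a file path so it can be run against
# constructed sample files; the defaults are the usual system locations.
# (Assumption: /etc/ssh/sshd_config, the standard OpenSSH path, is used here.)

# List login-capable accounts with UID >= 1000 (the range adduser assigns to
# ordinary users on Debian); skips nobody (65534) and nologin/false shells.
# Usage: list_user_accounts [passwd_file]
list_user_accounts() {
    awk -F: '$3 >= 1000 && $3 != 65534 && $7 !~ /(nologin|false)$/ { print $1 }' \
        "${1:-/etc/passwd}"
}

# Print non-comment cron lines whose command lives under /dev/shm or /tmp,
# the world-writable locations the attacker in the thread used.
# Usage: suspicious_cron [crontab_file]
suspicious_cron() {
    grep -E '^[^#].*(/dev/shm|/tmp)/' "${1:-/var/spool/cron/crontabs/root}" 2>/dev/null || true
}

# Return 0 if sshd restricts root to key-based logins, 1 otherwise. Accepts the
# older "without-password" spelling and its newer alias "prohibit-password".
# Usage: root_key_only [sshd_config]
root_key_only() {
    grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+(without-password|prohibit-password)[[:space:]]*$' \
        "${1:-/etc/ssh/sshd_config}"
}

# Run all three checks and print a short report.
# Usage: triage [passwd_file] [crontab_file] [sshd_config]
triage() {
    echo "== login-capable accounts (UID >= 1000) =="
    list_user_accounts "$1"
    echo "== cron entries running from /dev/shm or /tmp =="
    suspicious_cron "$2"
    if root_key_only "$3"; then
        echo "sshd: root login is key-only"
    else
        echo "sshd: root password login is NOT restricted"
    fi
}

# Constructed sample files (not real data) so the checks can be tried offline.
# Prints the directory that holds passwd, root.cron and sshd_config.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
user:x:1000:1000:BAMT user:/home/user:/bin/bash
bnc:x:1001:1001::/home/bnc:/bin/bash
EOF
    cat > "$dir/root.cron" <<'EOF'
# m h dom mon dow command
*/5 * * * * /usr/local/bin/mine-check
* * * * * /dev/shm/.x/clear >/dev/null 2>&1
EOF
    cat > "$dir/sshd_config" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
    echo "$dir"
}
```

On a rig, run `triage` with no arguments as root (root's crontab is not readable by other users); against the constructed files, `d=$(write_samples); triage "$d/passwd" "$d/root.cron" "$d/sshd_config"` lists `user` and `bnc`, flags the `/dev/shm/.x/clear` cron line, and reports that root password login is not restricted. Whether a UID-1000+ account is expected is a judgement the operator has to make (BAMT ships its own `user` account), which is why the script lists them rather than deleting anything.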

lodcrappo (OP)
June 07, 2012, 06:51:27 PM
So someone was able to login to my box and create users. I'm not sure how they did it as I have a rather long root password. They made multiple users and then fetched a file "gosh.tgz" and extracted it in /tmp/ and /dev/shm/ and /home/<their user>/.bash_history/
The location was different for each user. gosh contains some scripts and BNC, an IRC bouncer. They also stuck an entry in root's cron to run a script in /dev/shm/ to clear the user's history.
I'm going to build a new BAMT key, but for now I just looked at the histories of all of the new users (except the one that replaced .bash_history with a folder) to figure out where they stuck files and then deleted all the new users (easy to identify in /etc/passwd) and then edited /etc/sshd_config to only allow root without-password, so now my miner can only be logged into with a key.
How much of the system was exposed to the internet? Like all ports or were you doing some port forwarding?

Port 22 and 80 are all that are open. It's running ufw. I'm guessing they either cracked my root password or somehow broke in through munin. It was clearly a person and not a script. There were typos in .bash_history lol. Things like ";s" instead of "ls"

Well, the various scripts and whatnot are certainly not well audited for security flaws. We don't have the budget for that type of thing. The good news is that short of disrupting your mining (which hopefully you would notice) there isn't really anything someone can do with a compromised box. Not like we store any actual BTC or any credentials that matter on them. BAMT rigs are designed to be "disposable", not indestructible.

tosku
June 08, 2012, 11:44:39 AM
I'm trying out BAMT right now. This far, it works great!
Skude.se/BTC - an easier way to request your daily free coins!

jamesg
VIP
Legendary
Offline
Activity: 1358
Merit: 1000
AKA: gigavps
June 08, 2012, 03:18:59 PM
Still looking for a proper fix to the networking thing, by proper I mean without reducing functionality.
Anyone that comes up with one, please let me know and we'll push out a fix.
I experienced the network issue for the last couple of days. We fixed it by setting infinite leases for IP addresses. I know this doesn't fix the issue, but it at least keeps miners running.

lodcrappo (OP)
June 08, 2012, 05:19:38 PM
Still looking for a proper fix to the networking thing, by proper I mean without reducing functionality.
Anyone that comes up with one, please let me know and we'll push out a fix.
I experienced the network issue for the last couple of days. We fixed it by setting infinite leases for IP addresses. I know this doesn't fix the issue, but it at least keeps miners running.

Well crap... if I remove the network manager that seems to be causing this, the people with wireless devices will cry. But at the moment that's the only "fix", besides setting static IPs, which sucks. PS: did anyone ever get a machine that does this that I can ssh into while it's broken (second NIC that works)?

Red Emerald
June 08, 2012, 05:28:58 PM
So someone was able to login to my box and create users. I'm not sure how they did it as I have a rather long root password. They made multiple users and then fetched a file "gosh.tgz" and extracted it in /tmp/ and /dev/shm/ and /home/<their user>/.bash_history/
The location was different for each user. gosh contains some scripts and BNC, an IRC bouncer. They also stuck an entry in root's cron to run a script in /dev/shm/ to clear the user's history.
I'm going to build a new BAMT key, but for now I just looked at the histories of all of the new users (except the one that replaced .bash_history with a folder) to figure out where they stuck files and then deleted all the new users (easy to identify in /etc/passwd) and then edited /etc/sshd_config to only allow root without-password, so now my miner can only be logged into with a key.
How much of the system was exposed to the internet? Like all ports or were you doing some port forwarding?

Port 22 and 80 are all that are open. It's running ufw. I'm guessing they either cracked my root password or somehow broke in through munin. It was clearly a person and not a script. There were typos in .bash_history lol. Things like ";s" instead of "ls"

Well, the various scripts and whatnot are certainly not well audited for security flaws. We don't have the budget for that type of thing. The good news is that short of disrupting your mining (which hopefully you would notice) there isn't really anything someone can do with a compromised box. Not like we store any actual BTC or any credentials that matter on them. BAMT rigs are designed to be "disposable", not indestructible.

A new BAMT key is really easy to build, and from now on I'll limit access to root with a key only and not worry about it. Should have done that for any internet-facing box anyways. I'm thinking the firewall was blocking his BNC bouncer, and that is why he kept trying with new user accounts.

rjk
Sr. Member
Offline
Activity: 448
Merit: 250
1ngldh
June 08, 2012, 05:30:05 PM
A new BAMT key is really easy to build, and from now on I'll limit access to root with a key only and not worry about it. Should have done that for any internet facing box anyways.
I'm thinking the firewall was blocking his BNC bouncer, and that is why he kept trying with new user accounts.
Are you going to pastebin his skiddie skripts for our enjoyment?

Red Emerald
June 08, 2012, 05:54:49 PM
A new BAMT key is really easy to build, and from now on I'll limit access to root with a key only and not worry about it. Should have done that for any internet facing box anyways.
I'm thinking the firewall was blocking his BNC bouncer, and that is why he kept trying with new user accounts.
Are you going to pastebin his skiddie skripts for our enjoyment?

You can just Google search "gosh.tgz". Nothing fancy (sadly).

Transisto
Donator
Legendary
Offline
Activity: 1731
Merit: 1008
June 09, 2012, 11:07:14 PM
Sorry if I'm repeating the obvious, but how can such a simple network connection exist in an enterprise-ready OS?
What is the best way to set a static IP via the CLI?

Inaba
Legendary
Offline
Activity: 1260
Merit: 1000
June 10, 2012, 02:14:18 AM
edit /etc/networking files... or ifconfig them
If you're searching these lines for a point, you've probably missed it. There was never anything there in the first place.
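Of the two routes Inaba mentions, editing the network config files is the one that survives a reboot; `ifconfig` takes effect immediately but is lost on restart. The script below is an added example, not code from the thread or from BAMT. It assumes BAMT uses Debian's ifupdown format (a stanza in /etc/network/interfaces) and that the interface is `eth0`; the addresses are constructed. It validates every address before emitting the stanza, because a mistyped address in a static config leaves a headless rig unreachable until someone plugs in a monitor.

```shell
#!/bin/sh
# Added example, not from the thread or from BAMT: generate a static-address
# stanza in /etc/network/interfaces format (Debian ifupdown; assumed to be what
# BAMT uses) after validating the inputs, so a typo cannot take the rig offline.

# Return 0 if $1 is a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    ip=$1
    # Reject anything that is not digits and dots before splitting (also keeps
    # the unquoted "set --" below from ever seeing a glob character).
    case $ip in ''|*[!0-9.]*) return 1 ;; esac
    oldifs=$IFS
    IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        # An empty field means two consecutive dots, e.g. "1..2.3".
        [ -n "$octet" ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print an ifupdown stanza for a static address, or fail without printing
# anything if an address is malformed.
# Usage: static_stanza IFACE ADDRESS NETMASK GATEWAY
static_stanza() {
    iface=$1 addr=$2 mask=$3 gw=$4
    for a in "$addr" "$mask" "$gw"; do
        valid_ipv4 "$a" || { echo "invalid address: $a" >&2; return 1; }
    done
    printf 'auto %s\niface %s inet static\n    address %s\n    netmask %s\n    gateway %s\n' \
        "$iface" "$iface" "$addr" "$mask" "$gw"
}

# Write the stanza to a file (default: a scratch copy under /tmp, not the live
# config) so the result can be reviewed before it replaces the dhcp stanza.
# Usage: write_static_config IFACE ADDRESS NETMASK GATEWAY [OUTFILE]
write_static_config() {
    out=${5:-/tmp/interfaces.static}
    static_stanza "$1" "$2" "$3" "$4" > "$out" || return 1
    echo "$out"
}
```

Typical use on a rig: `write_static_config eth0 192.168.1.50 255.255.255.0 192.168.1.1` (constructed addresses) writes the stanza to /tmp/interfaces.static; after checking it, replace the `iface eth0 inet dhcp` stanza in /etc/network/interfaces with it and run `ifdown eth0 && ifup eth0`. For an immediate, non-persistent change the equivalent is `ifconfig eth0 192.168.1.50 netmask 255.255.255.0 up` followed by `route add default gw 192.168.1.1`.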

ZPK
Legendary
Offline
Activity: 1302
Merit: 1021
June 10, 2012, 10:47:09 AM
When will there be a version of BAMT with support for the 7 series?
Novacoin POS mining only now

Inaba
Legendary
Offline
Activity: 1260
Merit: 1000
June 10, 2012, 01:25:33 PM
Version none.
If you're searching these lines for a point, you've probably missed it. There was never anything there in the first place.

Joshwaa
June 10, 2012, 03:57:43 PM
We have a donation pool going to get a 64-bit release that supports the 7-Series cards. Please donate!

BitMinerN8
June 10, 2012, 04:06:37 PM
Can anyone comment on the benefits of manually upgrading cgminer to version 2.4.2 vs. just sticking with 2.3.1, which I believe was the last official BAMT fix/updated version? I have BFLs and they are working; I'm just checking to see if there are any noticeable performance gains or fixes worth moving to 2.4.2. Thanks.

asdlsd
Member
Offline
Activity: 69
Merit: 10
June 10, 2012, 04:31:50 PM
Can anyone comment on the benefits of manually upgrading cgminer to version 2.4.2 vs. just sticking with 2.3.1 which I believe was the last official BAMT fix/updated version. I have BFL's and they are working, I'm just checking to see if there are any noticeable performance gains or fixes worth moving to 2.4.2. Thanks.
https://bitcointalk.org/index.php?topic=65915.msg873655#msg873655

Inaba
Legendary
Offline
Activity: 1260
Merit: 1000
June 10, 2012, 05:55:52 PM
I sent a cgminer update script to be included in bamt, did it never make it in?
If you're searching these lines for a point, you've probably missed it. There was never anything there in the first place.

lodcrappo (OP)
June 11, 2012, 12:02:15 AM
I sent a cgminer update script to be included in bamt, did it never make it in?
No, I was travelling for a few weeks. Back now; will look at some BAMT things in the next week, including that.

lodcrappo (OP)
June 11, 2012, 12:03:46 AM
We have a donation pool going to get a 64-bit release that supports the 7-Series cards. Please donate!
To be clear, 64 bit and 7 series are two different issues. Assuming the committed donations come through, we have enough donations for me to purchase a 7 series card, so I'll work on that next.

Joshwaa
June 11, 2012, 12:10:50 AM
Thanks for the clarification. Also, if you have 80 BTC in the fund, I will trade for a new Diamond HD7970 Reference if you cannot find one cheap (I'll cover shipping if in the US). I get deals on them from time to time. That's why I have 9 of them with more on the way. Just an offer to help out.

lodcrappo (OP)
June 11, 2012, 12:13:32 AM
Thanks for the clarification. Also, if you have 80 BTC in the fund, I will trade for a new Diamond HD7970 Reference if you cannot find one cheap (I'll cover shipping if in the US). I get deals on them from time to time. That's why I have 9 of them with more on the way. Just an offer to help out.

Sounds good to me. We should have 80 soon. Anything we can save on the card I'll put towards the next goal.