Hack the Hackers – December 20, 2013

I have a customer who installed a machine with the administrator/root password very weak, and left it open to the internet.  Someone guessed the password, logged in, and then helpfully ran 'screen', so I could watch what he did (presumably - he might have been smart enough to do other things, and we will format the drive, but it was neat to see all of his commands, including typos, and guessing at some commands, because he must not have been familiar with CentOS).

He had a script that he ran to check out other machines around the world, simply doing a port scan, and then using ssh to try out accounts and passwords off of a statically generated list, so if you were bad enough to have the password "root" or "toor", etc. on your root account, then you get recorded.

His script generates a text file of hacked machines, so I emailed the administrators of those machines (living in Hungary, United Arab Emirates and Germany), and let them know that they have insecured machines on their network.  But, the cool part is still to come...

One of the machines was recorded as allowing multiple root passwords, which was sort of strange, so I tried logging in (hopefully my ISP won't count that as real hacking...) and it worked.  It is some sort of Live CD or something, so a pretty minimal system, but does have access out to the world.  But, the cool thing is that when you try to exit the system, it just pretends to exit, but leaves you logged in.  I even tried rebooting the system, and normal messages came up like it was rebooting and logging me off.  Since they kept the connection alive, then presumably when I go to try to connect to one of my machines, or I type "su", etc. then they get to get my password!  Pretty cool.

They even do a good job of watching what host name I type in, so I tried logging into test.limedaley.com, and it came up with an IP address that was incorrect (that would be one feature to add to the program - make the login show the right IP address).  The ssh key doesn't match, but some users are careless about checking the key, and might just think they were on a different machine or something, and skip over the warning message.  Then, I type in a password, and it shows a typical bash/minimal login prompt, complete with the hostname I used.

I emailed them to congratulate them on their setup.  It'd be cool if they got hacker's passwords, and were able to get back inside their networks.