j00 b33n 0wn3d, d00d
Hey, mom? I disabled your account. It got hacked. I hope you don’t mind.
I’m really more intrigued than shaken by this. I happened to find out when I noticed that my networks were lagging a bit, so I thought I’d check if there was a lot of web traffic. Instead I found that “crond” was connecting to some IRC servers. As clever as the use of “crond” for the IRC bot was, the rootkit I found wasn’t really all that creative. I doubt that anything more than my mom’s account was hacked (I think the password was “mom,” though I don’t know how they found this username. Maybe mom accounts are common in Romania?). The rootkit was installed in a globally writable area, and the script that was used to compile the source (wasn’t just an i386 executable! Maybe you shouldn’t have left the source around, though, chief), though not autoconf, was uncreatively named “configure.” Interestingly, it’s GPL. Here’s the whole header comment:
#!/bin/sh
#
# EnergyMech, IRC Bot software
# Copyright (c) 1997-2001 proton, 2002-2003 emech-dev
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
I just feel so giddy about this whole thing. I’ve never had a rootkit installed on me before.
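As an added illustration (not part of this post, and not EnergyMech code), here is a small Python check for the pattern described above: a process wearing a daemon’s name that holds outbound connections, or any process talking to an IRC port. It parses `ss -tnp` output on Linux; the IRC port list, the daemon list and the sample lines are assumptions and constructed data, not anything from the post.

```python
import re
from dataclasses import dataclass, field

# Conventional IRC ports; the post names no port, so this set is an assumption.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}
# Daemons that never need to originate outbound TCP (assumption; tune per host).
NO_OUTBOUND = {"crond", "cron", "atd"}

# One line of `ss -tnp`; the header line does not match and is skipped.
# Only the first process entry of the users:(...) field is examined.
SS_LINE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+"
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)'
)

@dataclass
class Finding:
    pid: int
    proc: str
    peer: str
    reasons: list = field(default_factory=list)

def peer_port(addr: str) -> int:
    # Works for "203.0.113.9:6667" and "[2001:db8::1]:6667" alike.
    return int(addr.rsplit(":", 1)[1])

def suspicious_connections(ss_output: str) -> list:
    """Flag established connections that look like a bot hiding behind a daemon name."""
    findings = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if not m or m["state"] != "ESTAB":
            continue
        reasons = []
        if peer_port(m["peer"]) in IRC_PORTS:
            reasons.append("peer port is a conventional IRC port")
        if m["proc"] in NO_OUTBOUND:
            reasons.append(f'"{m["proc"]}" should not originate outbound TCP')
        if reasons:
            findings.append(Finding(int(m["pid"]), m["proc"], m["peer"], reasons))
    return findings

# Constructed sample output (not a real capture); addresses are documentation ranges.
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.0.2.10:22 198.51.100.7:51514 users:(("sshd",pid=812,fd=4))
ESTAB 0 0 192.0.2.10:40122 203.0.113.9:6667 users:(("crond",pid=4242,fd=3))
ESTAB 0 0 192.0.2.10:40123 203.0.113.9:443 users:(("curl",pid=5001,fd=5))
ESTAB 0 0 192.0.2.10:40124 203.0.113.44:8080 users:(("crond",pid=4243,fd=3))
"""

if __name__ == "__main__":
    for f in suspicious_connections(SAMPLE_SS):
        print(f"pid {f.pid} ({f.proc}) -> {f.peer}: {'; '.join(f.reasons)}")
```

On a live host, pipe `ss -tnp` into `suspicious_connections` and then compare `/proc/<pid>/exe` against the path the real daemon installs to; a “crond” living under a world-writable directory is the giveaway described above.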