My server was hacked

Yesterday evening while struggling to keep up with work I noticed my internet connection was acting strangely. I checked my server (which has a fairly small amount of visitors) to see who the visitor was and noticed that I had a strange connection:

shire:/var/www# netstat -tanp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN     1770/inetd
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN     3694/httpd -DSSL
tcp        0      0 0.0.0.0:9               0.0.0.0:*               LISTEN     1770/inetd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN     1822/mysqld
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN     1985/smbd
tcp        0      0 0.0.0.0:13              0.0.0.0:*               LISTEN     1770/inetd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN     1606/portmap
tcp        0      0 0.0.0.0:55443           0.0.0.0:*               LISTEN     3727/httpd -DSSL
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN     1969/master
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN     1985/smbd
tcp        0      0 127.0.0.1:669           0.0.0.0:*               LISTEN     1765/famd
tcp        0      0 10.0.255.1:34904        193.2.236.79:6667       ESTABLISHED13538/pscan2
tcp        0      0 10.0.255.1:139          10.0.0.5:1034           ESTABLISHED31714/smbd
tcp6       0      0 :::993                  :::*                    LISTEN     1757/couriertcpd
tcp6       0      0 :::143                  :::*                    LISTEN     1739/couriertcpd
tcp6       0      0 :::22                   :::*                    LISTEN     2044/sshd
tcp6       0      0 :::25                   :::*                    LISTEN     1969/master

Notice where httpd -DSSL is running and pscan2. The above is missing a suspicious bash process that I found located in /tmp. I killed the process before I got the great idea that I wanted to blog about it. In /tmp/.heva I found all the files used for this hack (I hope) including the compressed file cbk.tar.gz, which I guess was used to transport it all into my server.
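As an added example (not code from the original post), here is how a defender could parse netstat -tanp output and flag the two things spotted by eye above: listening sockets that do not match a known baseline for the host, and established connections to IRC ports. The EXPECTED_LISTENERS baseline and the trimmed sample output are assumptions constructed from this post.

```python
import re

# Constructed sample: a trimmed copy of the netstat -tanp output shown in the post.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN     3694/httpd -DSSL
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN     1822/mysqld
tcp        0      0 0.0.0.0:55443           0.0.0.0:*               LISTEN     3727/httpd -DSSL
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN     1969/master
tcp        0      0 10.0.255.1:34904        193.2.236.79:6667       ESTABLISHED13538/pscan2
tcp        0      0 10.0.255.1:139          10.0.0.5:1034           ESTABLISHED31714/smbd
tcp6       0      0 :::22                   :::*                    LISTEN     2044/sshd
"""

# Assumed baseline for this host: which program may listen on which port.
EXPECTED_LISTENERS = {22: "sshd", 25: "master", 139: "smbd", 445: "smbd", 3306: "mysqld"}
IRC_PORTS = {6667}

# netstat runs "ESTABLISHED" and the PID together when the State column
# overflows, so state and PID are split on the letter/digit boundary.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<state>[A-Z_]+)\s*(?P<pid>\d+)/(?P<prog>.+?)\s*$"
)

def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines, or sockets without a readable PID/program
        local_port = int(m["local"].rsplit(":", 1)[1])
        remote_port = m["remote"].rsplit(":", 1)[1]
        rows.append({
            "pid": int(m["pid"]), "prog": m["prog"], "state": m["state"],
            "local_port": local_port, "remote": m["remote"],
            "remote_port": int(remote_port) if remote_port.isdigit() else None,
        })
    return rows

def find_suspicious(rows):
    findings = []
    for r in rows:
        if r["state"] == "LISTEN" and EXPECTED_LISTENERS.get(r["local_port"]) != r["prog"]:
            findings.append(f"unexpected listener pid={r['pid']} {r['prog']!r} on port {r['local_port']}")
        if r["state"] == "ESTABLISHED" and r["remote_port"] in IRC_PORTS:
            findings.append(f"IRC connection pid={r['pid']} {r['prog']!r} -> {r['remote']}")
    return findings
```

Run against the sample, it reports the two httpd -DSSL listeners on 31337 and 55443 and the pscan2 connection to port 6667, while mysqld, master, smbd and sshd pass.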

I ran ps aux to see which processes were running and identified that the suspicious processes were started by www-data (the webserver user on Debian).

I assume that the intruder came in through either a security hole in one of the PHP applications on my webserver or because Apache wasn’t updated with the latest security patches from Debian.

I found a cron script installed by www-data by running:

shire:/tmp# su - www-data -c 'crontab -l'
* * * * * /tmp/.heva/.cbk/y2kupdate >/dev/null 2>&1

I deleted it by running:

shire:/tmp# su - www-data -c 'crontab -r'

Received my Ubuntu Hoary CDs

Today I received my Ubuntu Hoary CDs YAY… Too bad I have been running Breezy for almost a month now :-D

Anyways - I got a version for Power PC and for AMD 64… I know just for whom ;)

I have been hit by a Breezy bug

A few days ago I updated my Ubuntu Breezy (developer preview of the new Ubuntu Linux), and the next day X (the graphical environment) wasn’t able to start. It suddenly didn’t automatically find my mouse at startup.

It seems I have been hit by this bug.

Sid Meier's Pirates with WINE

A few days ago I tried to make Sid Meier's Pirates run again with WINE.

As usual when trying to install the game I got the following:

Well that didn’t stop me this time. I started to copy Pirates from my Windows XP partition to my fake WINE Windows drive (notice the cool new GNOME 2.12 copy dialog).

Now I tried to start Pirates again, but this time I got a message about 2 missing dll files:

  • msvcp71.dll
  • msvcr71.dll

You can find them by searching on Google.

I copied the files to my fake Windows’ system folder, i.e. /home/je/c/windows/system.

Finally I applied a No-CD-patch and was now able to start the game, where I was greeted by a… black screen for a long time.

I’m serious…. a VERY long time.

I’m telling you - it’s still there ;)

Then finally I was presented with the title menu. YEAH!

I think I fiddled a little with some settings before I dared try starting the game. Now a long waiting time again. But you don’t wanna go fetch coffee because you want to see this ;)

Woah, I see an in-game movie… cool. I was so quick taking the screenshot that the menu didn’t get time to disappear. They call me Lucky Luke ;-)

I’m actually able to choose with whom I want to go to the new world. The grey man was a little too creepy, so England it was.

Long wait time…. again, and no movie of me fighting the captain - perhaps I accidentally hit a key, dunno. Well, suddenly I saw a little ship sailing and joy filled my body - YES!… and before I knew it the game had crashed. :-( Perhaps tweaking the video settings and stuff might make the game somewhat playable :-)

The few screenshots I created were worth it all. See you on the other side.

Server moved... thus the downtime

I have moved my server from my parents' low bandwidth to my own low bandwidth DSL connection… so I’m the only one (when I’m at home) who enjoys my speedy weblog :-D