Good try, script kiddies

10:47 pm on Monday, March 20, 2006

I had problems sending out email over the weekend and couldn’t figure it out. I was getting email but discovered that outbound was getting relay refused by my smarthost. They had disabled me because they claimed I was an open relay. I knew that wasn’t right. I started poking around in my logs and found a whole bunch of outbound emails to random addresses but nothing inbound that I was relaying. Everything seemed to be coming from inside my machine.

Hmmm. Weird. I was pretty sure I hadn’t been spamming the world. I looked and everything was being sent by my apache user. Ok, not good. I couldn’t figure out why it was doing this. I had no formmail or any other way to email me, or anyone else, from my site. I started digging in logs and found some very interesting lines in my apache2 error log. They were very long and were calling a page on my site I didn’t even remember having. Reading the lines I realized that they were exploiting a security hole in a piece of software I had forgotten I’d even installed. It was ages ago. I installed it, didn’t like it and removed it. When I had the hard drive crash last year I had restored from backup and apparently restored this file too.
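The two checks described above (who is submitting outbound mail, and which error-log lines are unusually long) are easy to script. This is an added example, not code from the post; the log lines in it are constructed for the demo in a simplified sendmail-like and Apache-2.x-like layout, and the account names and the 512-character threshold are assumptions to tune for a real host.

```python
"""Added example: the two log checks from the investigation above.

1. Count outbound mail submissions per local sender user.  A web-server
   account such as 'apache' submitting mail in bulk is the tell.
2. Flag Apache error-log lines that are far longer than normal; requests
   aimed at a forgotten script tend to stand out by sheer length.

All log lines here are constructed for the demo in a simplified format;
real formats vary by MTA and Apache version, so adjust the regexes.
"""
import re
from collections import Counter

# Accounts a web server typically runs as (assumed list; extend for your host)
WEB_ACCOUNTS = {"apache", "www-data", "httpd", "nobody"}

# Constructed, simplified sendmail-style lines
MAIL_LOG = """\
Mar 20 20:01:12 www sendmail[4101]: k2L1Aq4101: from=tony, size=812, nrcpts=1, relay=tony@localhost
Mar 20 20:03:45 www sendmail[4133]: k2L1Cf4133: from=apache, size=2210, nrcpts=1, relay=apache@localhost
Mar 20 20:03:46 www sendmail[4135]: k2L1Ck4135: from=apache, size=2210, nrcpts=1, relay=apache@localhost
Mar 20 20:03:47 www sendmail[4137]: k2L1Cl4137: from=apache, size=2210, nrcpts=1, relay=apache@localhost
Mar 20 20:09:02 www sendmail[4190]: k2L1H24190: from=root, size=340, nrcpts=1, relay=root@localhost
"""

# Constructed Apache 2.x-style error-log lines; the filler stands in for the
# oversized request the post describes and is not a real payload.
ERROR_LOG = "\n".join([
    "[Mon Mar 20 21:13:05 2006] [error] [client 203.0.113.5] "
    "File does not exist: /var/www/htdocs/favicon.ico",
    "[Mon Mar 20 21:14:41 2006] [error] [client 203.0.113.5] "
    "Invalid URI in request GET /oldtool/index.php?page=" + "A" * 1200 + " HTTP/1.0",
    "[Mon Mar 20 21:15:02 2006] [error] [client 198.51.100.7] "
    "File does not exist: /var/www/htdocs/robots.txt",
])

MAIL_RE = re.compile(r"sendmail\[\d+\]: \S+: from=(?P<user>[^,]+),")
CLIENT_RE = re.compile(r"\[client (?P<ip>[^\]]+)\]")


def mail_senders(log_text):
    """Count mail submissions per local sender user."""
    return Counter(m.group("user") for m in MAIL_RE.finditer(log_text))


def suspicious_web_senders(log_text, threshold=1):
    """Web-server accounts that submitted more than `threshold` messages."""
    counts = mail_senders(log_text)
    return {u: n for u, n in counts.items() if u in WEB_ACCOUNTS and n > threshold}


def long_error_lines(log_text, max_len=512):
    """Return (line_no, client_ip, length) for lines longer than `max_len`."""
    hits = []
    for i, line in enumerate(log_text.splitlines(), 1):
        if len(line) > max_len:
            m = CLIENT_RE.search(line)
            hits.append((i, m.group("ip") if m else None, len(line)))
    return hits


if __name__ == "__main__":
    print("mail per sender:", dict(mail_senders(MAIL_LOG)))
    print("web accounts sending mail:", suspicious_web_senders(MAIL_LOG))
    for line_no, ip, length in long_error_lines(ERROR_LOG):
        print("long error-log line %d from %s (%d chars)" % (line_no, ip, length))
```

On a real box, feed the functions the contents of the mail log and the Apache error log and group the long lines by client and by requested path; the path is what points at the forgotten script.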

First thing, move that file elsewhere until we figure out what’s going on. The exploit was rather ingenious. It could get my apache user to execute any code they felt like. This is where it gets funny. They’d get it to go out to a remote site and download a rootkit. Usually not a good thing. Then they’d command apache to run the exploit on my machine to give them root access so they could take over the box. Well, this is where they ran into problems. They’d try over and over to run their kit and it didn’t seem to work. Script kiddies aren’t that bright it seems. Here’s the ‘file’ output of one of their programs:

tony@www /tmp/hack $ file xxxxx
xxxxx: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.0.0, dynamically linked (uses shared libs), stripped

Here’s the ‘file’ output of one of the programs on my machine:

tony@www /tmp/hack $ file /usr/bin/w
/usr/bin/w: ELF 32-bit MSB executable, SPARC32PLUS, V8+ Required, version 1 (SYSV), for GNU/Linux 2.4.1, dynamically linked (uses shared libs), stripped

Any halfway smart sysadmin will see there’s a big problem when it comes to running their code on my machine. Yeah, mine’s a Linux box but it’s not your average run-of-the-mill Linux box. Their code would never run on my machine. They tried dozens of times to get it to run and I’m sure pulled their hair out wondering why it wasn’t working. They left all kinds of rootkit toys in my tmp directory too. Thanks, guys!
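What ‘file’ is reporting in the two outputs above is the ELF identification bytes (32/64-bit, little/big endian) and the e_machine field, and a quick triage script can do the same check over a directory such as /tmp and flag binaries that could never run natively on the host. This is an added example, not code from the post; the two ELF headers in it are constructed in-line to mirror the post’s ‘xxxxx’ and /usr/bin/w, and the host-to-machine mapping is a partial table I am assuming, not a complete one.

```python
"""Added example: triage ELF binaries by target architecture.

Reads the ELF e_ident bytes and e_machine field, prints a `file`-style
summary, and reports whether the binary could run natively on a host as
platform.machine() names it.  The sample headers are constructed here and
are not real binaries.
"""
import os
import platform
import struct

ELF_MAGIC = b"\x7fELF"
CLASS = {1: "32-bit", 2: "64-bit"}
DATA = {1: "LSB", 2: "MSB"}
TYPE = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}
# Subset of e_machine values from the ELF specification
MACHINE = {2: "SPARC", 3: "Intel 80386", 18: "SPARC32PLUS", 40: "ARM",
           43: "SPARC V9", 62: "x86-64", 183: "AArch64"}
# Assumed partial table: which e_machine values a host runs natively
HOST_NATIVE = {
    "i386": {3}, "i686": {3}, "x86_64": {3, 62},
    "sparc": {2, 18}, "sparc64": {2, 18, 43},
    "armv7l": {40}, "aarch64": {40, 183},
}


def parse_elf_header(blob):
    """Decode the fields of an ELF header that `file` prints first."""
    if len(blob) < 24 or blob[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = blob[4], blob[5]
    if ei_class not in CLASS or ei_data not in DATA:
        raise ValueError("bad EI_CLASS/EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", blob, 16)
    return {"class": CLASS[ei_class], "data": DATA[ei_data],
            "type": TYPE.get(e_type, "unknown"),
            "machine": MACHINE.get(e_machine, "unknown(%d)" % e_machine),
            "e_machine": e_machine}


def describe(blob):
    """`file`-style one-liner for the start of an ELF file."""
    h = parse_elf_header(blob)
    return "ELF %s %s %s, %s" % (h["class"], h["data"], h["type"], h["machine"])


def runs_natively_on(blob, host_machine):
    """True if this ELF's e_machine is one the given host executes natively.
    An unknown host name flags everything, which is the safer default."""
    return parse_elf_header(blob)["e_machine"] in HOST_NATIVE.get(host_machine, set())


def foreign_elves(directory, host_machine=None):
    """Paths under `directory` whose ELF header does not match the host."""
    host_machine = host_machine or platform.machine()
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as f:
                    head = f.read(64)
            except OSError:
                continue
            if head[:4] != ELF_MAGIC:
                continue
            try:
                if not runs_natively_on(head, host_machine):
                    hits.append((path, describe(head)))
            except ValueError:
                hits.append((path, "malformed ELF header"))
    return hits


def make_header(ei_class, ei_data, e_machine):
    """Construct a minimal 52-byte ELF32 header for the demo (synthetic)."""
    endian = "<" if ei_data == 1 else ">"
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0]) + bytes(8)  # 16 bytes
    # e_type=2 (ET_EXEC), e_machine, e_version=1, then zero padding
    return ident + struct.pack(endian + "HHI", 2, e_machine, 1) + bytes(28)


# Constructed stand-ins for the two binaries in the post
KIDDIE_BINARY = make_header(1, 1, 3)    # 32-bit LSB, Intel 80386
HOST_BINARY = make_header(1, 2, 18)     # 32-bit MSB, SPARC32PLUS

if __name__ == "__main__":
    for label, blob in (("xxxxx", KIDDIE_BINARY), ("/usr/bin/w", HOST_BINARY)):
        print("%s: %s (native on sparc64: %s)"
              % (label, describe(blob), runs_natively_on(blob, "sparc64")))
    for path, desc in foreign_elves("/tmp"):
        print("foreign ELF:", path, desc)
```

Run it against /tmp and any other world-writable directory; on the SPARC box in the post every one of the dropped i386 tools would have been listed, which is exactly the mismatch the ‘file’ outputs show.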

Now, one very smart person did get code to run. He got my machine to send out spam emails using a clever perl script. Unluckily for him, my smarthost clamps down hard and fast when it sees more than 1,000 messages in a short time. That he got my machine to send spam pisses me off to no end but was easily killed. It’s kind of sad that a seemingly skilled programmer is using his talent for something like cracking machines and sending spam.

Knowing that my box wasn’t fully compromised makes me feel much better though.

The Defender lives!

7:28 am on Monday, March 13, 2006

Well, I got the truck all put back together and on the road. We were supposed to go to a Boy Scout campout with the kid so we packed it up and headed out. It was a beautiful weekend and it was nice to get out in the Defender again. I did somehow manage to crack my exhaust manifold flange so I have a small exhaust leak there. It makes the 90 sound like it’s got a huge engine under the hood now. I need to get it fixed because I hate sounding like I’ve ‘riced out’ my truck.

As for the campout, it went okay. I normally go camping to get away from people, like at Padre Island. At Padre Island you can find a spot and literally be miles from anyone. This weekend I had to camp mere feet from others and it wasn’t pleasant. If I’m going to put up with sleeping on the ground and pissing in the trees I better get the trade-off of having peace and quiet. My wife finally realized what I’ve been telling her all my life. I hate people. More specifically, I hate crowds. Anything more than 6-8 people I don’t know is a crowd. I put up with DisneyWorld but only because we go in the off seasons and never have to wait in line much. We were sitting around the campfire and my wife noticed that I was tensed up, rubbing my temples, and grinding my teeth and I think it dawned on her.

The weather was nice and I was able to sleep outside. I also get a kick out of watching people who have no right being outdoors trying to set up camp. They get these huge multi-room tents and take an hour getting them set up. They put on rain flies and all. They don’t seem to understand that unless the temp is under 50 degrees or so a rain fly is going to make that tent a broiler. Our entire campsite was set up in under 10 minutes. Personally, unless it’s raining, I sleep under the stars and that’s what I did this time. If it is going to rain I’ll set up a tarp and crawl under that. My wife and kid slept in our little three-man tent because they are paranoid of bugs but that’s fine. I was the most comfortable person in camp sleeping out in the nice cool breezes.

Weekend fun

10:08 pm on Tuesday, March 7, 2006

This past weekend I finally got around to replacing the dead clutch in the Defender. The poor truck has been sitting for nearly three months. Things like a vacation, 4 weeks of illness, and then another month of crappy weekend weather kept putting it off. A couple of weeks ago I started the job and Saturday was the big day for the heavy work.

In most cars you have to drop the tranny out the bottom and you spend a lot of time on your back in the driveway. With a Defender you have an ‘easier’ option. Take it out through the top.

First, remove the seats.

Then find the 60 or so bolts holding down the seat box and transmission tunnel and remove them. Once they’re removed you see this.

Next, remove driveshafts, wiring, and clutch tubing, and hook up your friend, Mr. Engine Hoist.

Unbolt everything and with a little bit of wrestling it comes right out through the passenger door. Transmission, transfer case, and all.

This gives you easy access to the clutch.

Damn, that thing is glazed pretty bad. Attack it with a grinder to clean it up and reassemble with a new clutch plate and throwout bearing.

Now just put everything back in with the help of a friend.

Simple and easy. It’s back in the truck now. I just need to hook up driveshafts and wiring, bleed the clutch, and put a seat in for a quick test drive. All told about 8 hours of work. Now that I know how, I could probably do it in 4-5 with a friend. The book rate at the shop was 9.5 hours and with parts they quoted me $1300. I did it in a day and parts were $150. Nice little savings there which will probably go to a nice shiny Detroit Locker in the rear.