--- Log opened Tue Jun 11 00:00:55 2019
03:21 -!- opticron [~opticron@75.76.209.103] has quit [Ping timeout: 258 seconds]
06:03 -!- opticron [~opticron@75.76.209.103] has joined #se2600
06:03 -!- mode/#se2600 [+o opticron] by ChanServ
06:45 <@Dolemite> mr0ning, be0tches and h0ez!
06:58 * Shadow404 hugs Dolemite
06:58 <@Shadow404> https://i.imgur.com/jmEbk2o.jpg
06:58 < PigBot> None (at i.imgur.com) http://tinyurl.com/y458aszw
07:19 <@NotLarry> shhhhhh
07:30 -!- strages [uid11297@gateway/web/irccloud.com/x-uemovdlaqpuuymnn] has joined #se2600
07:35 <@Dolemite> NotLarry: So you've caught the "Appalachian Trail" bug, eh?
07:36 <@Dolemite> The older I get, the more I appreciate activities that take me away from nearly all human contact.
07:37 <@NotLarry> Dolemite: Think maybe so.
07:38 <@Dolemite> You also enjoy bicycling, right?
07:39 <@Dolemite> If so, you should check out the Virginia Creeper trail, in Damascus, VA.
07:39 * aestetix hugs Dolemite
07:39 * aestetix pokes Shadow404 with a spoon
07:39 <@Dolemite> About 17 miles of converted railroad to mountain bike trail
07:39 <@Dolemite> And all downhill
07:39 <@Dolemite> There's another ~ 19 mile section from Damascus to Abingdon, but it's flat :)
07:41 <@NotLarry> Na, bicycling is what happened to my hip :)
07:55 < aestetix> Shadow404: is Dolemite's 2020 website ready yet?
07:56 < aestetix> he could be the first POTUS candidate to accept bitcoin
07:56 <@Shadow404> you mean for the obvious bribes?
09:21 -!- TheDukh [~thedukh@66-38-50-114.pool.dsl.duo-county.com] has joined #se2600
10:02 -!- strages [uid11297@gateway/web/irccloud.com/x-uemovdlaqpuuymnn] has quit [Quit: Connection closed for inactivity]
13:22 <@Evilpig> who wants a live root kit?
13:23 <@Evilpig> friend/customer of mine just called about some crontab failure emails he was getting that started this morning and after I got home and looked he's been rooted
13:23 <@Evilpig> dirty fucker did a chmod +i on authorized_keys too
13:23 <@Shadow404> is this on your server?
13:23 <@Evilpig> nope
13:23 <@Evilpig> I'm about to scp it over to my ftp though
13:24 <@Shadow404> whew, at least he was an idiot on his own server
13:26 <@Dolemite> You mean chattr +i?
13:26 <@Dolemite> and yeah, that's durty
13:28 <@Evilpig> yes chattr sorry. doing too many things at once here
13:29 <@Evilpig> there's a nice set of scripts on my ftp under upload called "rootkit.tgz" should anyone want to poke
13:29 <@Dolemite> DAMN. Rancher 2.2.4 has definitely upped their game on the management UI.
13:30 <@Evilpig> the bad part is I can't tell how the fucker got in because they at least were smart enough to nuke the last couple hours of the logs
13:34 <@Shadow404> speaking of hax, i wonder how many people still have routers that are vulnerable to the irc txt hack that rebooted the router due to buffer overflow
13:35 <@Evilpig> should be nobody in here cause dagmar ran that into the ground.
13:35 <@Evilpig> and it was funny every single time
13:36 <@Shadow404> Evilpig: sure as hell was
13:37 <@Shadow404> but must have been a nightmare for months for the server admins ridding the network of script kiddies
13:38 <@Shadow404> Evilpig: it was the Chinese
13:38 <@Shadow404> industrious little fellas
13:40 <@Shadow404> https://youtu.be/jXAgTfyVacI?t=11
13:40 < PigBot> Top Gear: The Most Offensive Clips... In The World. (at youtu.be) http://tinyurl.com/y6htje7d
13:41 <@Evilpig> I think I just found the source of his intrusion
13:41 <@Shadow404> ??? do tell
13:41 <@Evilpig> there is a login to pureftp and then this
13:41 <@Evilpig> Jun 11 06:12:42 ns1 yum[20913]: Installed: bash-4.1.2-48.el6.x86_64
13:41 <@Evilpig> Jun 11 06:12:44 ns1 yum[20913]: Installed: wget-1.12-10.el6.x86_64
13:41 <@Evilpig> Jun 11 06:12:45 ns1 yum[20913]: Installed: cronie-1.4.4-16.el6_8.2.x86_64
13:41 <@Evilpig> Jun 11 06:12:46 ns1 yum[20913]: Installed: unzip-6.0-5.el6.x86_64
13:41 <@Evilpig> Jun 11 06:12:47 ns1 yum[20913]: Installed: curl-7.19.7-53.el6_9.x86_64
13:41 <@Evilpig> Jun 11 06:12:48 ns1 yum[20913]: Installed: net-tools-1.60-114.el6.x86_64
13:41 <@Shadow404> yep
13:42 <@Shadow404> weak ftp password?
13:42 <@Evilpig> and the login on the ftp is this customer. so I am guessing he is using a common password for his shit and that's it
13:42 <@Evilpig> the next thing in the log is a reboot.
13:44 <@Shadow404> im guessing to install the services above and start them?
13:46 <@eryc> what's chattr +i do
13:50 <@Dolemite> immutable
13:55 <@Evilpig> ooooo lucky day!
13:55 <@Evilpig> auditd was enabled on this server and the logs haven't rolled off and haven't been touched
14:00 <@Evilpig> https://www.exploit-db.com/exploits/46974
14:00 < PigBot> Exim 4.87 < 4.91 - (Local / Remote) Command Execution (at www.exploit-db.com) http://tinyurl.com/y689dm78
14:02 <@Evilpig> oh holy hell
14:02 <@Evilpig> I thought he had a firewall on this
14:02 <@Shadow404> looks like north koreans now
14:04 <@Shadow404> wonder what they wanted with your "friends" server?
14:06 <@Evilpig> low hanging fruit
14:12 < aestetix> fuck wordpress
14:13 < aestetix> what a horrible piece of shit
14:22 <@Evilpig> https://blog.cpanel.com/exim-cve-2019-10149-protect-yourself/?utm_source=cpanel_forums&utm_medium=banner&utm_campaign=exim-cve-2019-10149
14:22 < PigBot> Exim CVE-2019-10149, how to protect yourself | cPanel Blog (at blog.cpanel.com) http://tinyurl.com/yyoc5z94
15:10 < aestetix> https://www.youtube.com/watch?v=Y2QMqsNvWuc
15:10 < PigBot> Jon Stewart chokes up, gives angry speech to Congress (at www.youtube.com) http://tinyurl.com/y3r3bt9n
16:33 <@eryc> Shadow404: why would it be NK?
16:33 <@eryc> china is the usual suspect
16:35 <@eryc> it was probably some automated thing that setup the rootkit and exfiltrated some inventory data for later
16:39 <@Evilpig> it looked like it was setting up a botnet for later user
16:39 <@Evilpig> use*
16:42 -!- crashcartpro [uid29931@gateway/web/irccloud.com/x-nlsuhnfdiepbkthg] has joined #se2600
18:29 <@Shadow404> eryc: always suspect NK
18:29 <@eryc> before you thought it was russia
18:30 <@eryc> NK and Russia do targeted attacks
18:30 <@eryc> china loves botnets
18:30 <@eryc> check your logs fool
18:31 <@eryc> they be bruteforcing e'eryone out here
18:48 <@Shadow404> hehe, not really opening many ports and no attacks to date so far...knock on wood
18:49 <@Shadow404> i actually havent opened any hard ports since i changed routers
18:50 <@eryc> you like softcore ports then?
18:50 <@Shadow404> mmm, doesnt everyone?
18:50 <@Shadow404> i could leave softcore on all day, even muted, if im working from my house
--- Log closed Wed Jun 12 00:00:57 2019