--- Log opened Tue Aug 18 00:00:12 2020
03:12 -!- _neb_imgur[m] [nebimgurma@gateway/shell/matrix.org/x-shrkzmhtfubovnga] has quit [Quit: killed]
03:21 -!- _neb_imgur[m] [nebimgurma@gateway/shell/matrix.org/x-wusfnzdghazyhrfl] has joined #se2600
06:49 < xray> That was great.
07:11 <@Mirage> Holy shit...Spectrum finally got my PTR record in correctly.
07:15 <@Evilpig> lol
07:18 <@Evilpig> Aug 18 01:20:16 hosting7 systemd: httpd.service stop-sigterm timed out. Killing.
07:18 <@Evilpig> Aug 18 01:20:16 hosting7 systemd: Unit httpd.service entered failed state.
07:18 <@Evilpig> Aug 18 01:20:16 hosting7 systemd: httpd.service failed.
07:19 <@Evilpig> hrmmm
07:19 <@Evilpig> Aug 18 01:18:43 hosting7 systemd: Unit named.service entered failed state.
07:19 <@Evilpig> Aug 18 01:18:43 hosting7 systemd: named.service failed.
07:19 <@Evilpig> Aug 18 01:18:46 hosting7 systemd: httpd.service: main process exited, code=killed, status=9/KILL
07:19 <@Evilpig> Aug 18 01:18:46 hosting7 systemd: crond.service: main process exited, code=killed, status=9/KILL
07:19 <@Evilpig> Aug 18 01:18:46 hosting7 systemd: Unit crond.service entered failed state.
07:19 <@Evilpig> Aug 18 01:18:46 hosting7 systemd: crond.service failed.
07:19 <@Evilpig> Aug 18 01:18:47 hosting7 systemd: dovecot.service: main process exited, code=killed, status=9/KILL
07:19 <@Evilpig> Aug 18 01:18:47 hosting7 systemd: Unit dovecot.service entered failed state.
07:19 <@Evilpig> Aug 18 01:18:47 hosting7 systemd: dovecot.service failed.
07:20 <@Evilpig> wtf happened last night? this is weird
07:22 <@Evilpig> damnit
07:23 <@Evilpig> that was an exploit in dovecot it looks like
07:23 <@Evilpig> [root@hosting7 wilbur]# ls -alsh /tmp/up.txt
07:23 <@Evilpig> 4.0K -rw-r--r-- 1 root root 14 Aug 18 00:55 /tmp/up.txt
07:23 <@Evilpig> sucks for whoever that was because that host doesn't have ssh or any other access
07:31 <@Evilpig> /root/.configrc
07:31 <@Evilpig> /root/.configrc/a
07:31 <@Evilpig> /root/.configrc/a/kswapd0
07:31 <@Evilpig> /root/.configrc/a/run
07:31 <@Evilpig> /root/.configrc/a/stop
07:31 <@Evilpig> /root/.configrc/a/a
07:31 <@Evilpig> /root/.configrc/a/init0
07:31 <@Evilpig> /root/.configrc/a/.procs
07:31 <@Evilpig> /root/.configrc/a/dir.dir
07:31 <@Evilpig> /root/.configrc/a/upd
07:31 <@Evilpig> /root/.configrc/a/bash.pid
07:31 <@Evilpig> /root/.configrc/b
07:31 <@Evilpig> /root/.configrc/b/run
07:31 <@Evilpig> /root/.configrc/b/stop
07:31 <@Evilpig> /root/.configrc/b/a
07:31 <@Evilpig> /root/.configrc/b/dir.dir
07:31 <@Evilpig> /root/.configrc/b/sync
07:31 <@Evilpig> /root/.configrc/dir2.dir
07:31 <@Evilpig> /root/.configrc/cron.d
07:31 <@Evilpig> they definitely got a payload in
07:37 <@Evilpig> good thing I have a replacement ready for this server. :-/
07:50 < aestetix> can you paste the result of "cat ~/.ssh/id_rsa" ?
07:51 <@Mirage> Dolemite: https://www.youtube.com/watch?v=BV1eKphHFjY
07:51 <@Evilpig> [root@hosting7 wilbur]# cat ~/.ssh/id_rsa
07:51 <@Evilpig> cat: /root/.ssh/id_rsa: No such file or directory
07:51 <@Evilpig> happy?
07:51 < PigBot> Awesome Dance Mix - YouTube (at www.youtube.com) http://tinyurl.com/ktnpshh
07:52 <@Evilpig> that server is cut off from all of my others on purpose
07:55 <@Mirage> If remote access was the intention, then /root/.ssh/authorized_keys is what you wanna look at. I wouldn't think that some "hacker" would be so monumentally stupid as to provide you with an ssh key to access a system they control.
07:57 <@Evilpig> that was changed
07:57 <@Evilpig> ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr
07:57 <@Evilpig> mdrfckr. kinda funny
07:58 <@Evilpig> annoying, but cute
07:58 <@Mirage> Heh, first thing that jumped out at me too
07:58 <@Evilpig> but again, you can't ssh to that system so they were shit outta luck
08:00 <@_NSAKEY> Evilpig: Have you googled "mdrfckr" yet?
08:00 <@Evilpig> they didn't try too hard, none of the filetimes appear to have been set purposely back
08:00 <@Evilpig> I am now
08:01 <@Evilpig> yeah that looks like the mess I just cleaned out
08:01 <@Evilpig> they left an rsync daemon connected to an amsterdam server and put something out there lurking in memory that looked like the kernel swap daemon
08:02 <@_NSAKEY> this seems to be the best result on page 1 http://jakob.space/blog/investigating-a-shellbot-aa-infection.html
08:02 < PigBot> Investigating a Backdoor.SH.SHELLBOT.AA Infection — Jakob's Personal Webpage (at jakob.space) http://tinyurl.com/yy7nn4e8
08:02 <@_NSAKEY> although the others are useful for learning that what you encountered has been around for about 2 years
08:03 <@Evilpig> it's hit me before. through a hole in dovecot/postfix
08:03 <@Evilpig> that's why I started building the replacement out because there isn't a patch for it
08:05 <@Evilpig> sshd[19724]: Address 138.197.130.138 maps to shitcointopia-grana.com.py-clima.grana.com.py, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
08:05 <@Evilpig> lol
08:07 <@Mirage> Evilpig: make fun of me for sticking to UW-Imap/Sendmail now. =P
08:07 <@Evilpig> yeah yeah
08:25 <@Mirage> Not sure why but this morning I find myself listening to 2 Live Crew
08:31 <@Evilpig> because you couldn't find the chronic?
08:39 -!- PigBot [~PigBot@wilpig.org] has quit [Remote host closed the connection]
08:42 -!- PigBot [~PigBot@wilpig.org] has joined #se2600
09:32 -!- strages [uid11297@gateway/web/irccloud.com/x-zkyvwuaawzpmzhzp] has joined #se2600
09:34 < strages> morning
09:41 <@brimstone> hihi
09:59 < strages> citadel.org and tildeverse, discuss
10:03 -!- PigBot [~PigBot@wilpig.org] has quit [Ping timeout: 264 seconds]
10:04 -!- PigBot [~PigBot@wilpig.org] has joined #se2600
10:07 <@brimstone> tildeverse is fun, but i had to drop off their IRC server, I just can't put forth the time to maintain a tilde
10:09 < strages> I have not messed with it myself but can appreciate the nostalgia of it, having once had a some.insti.tution.edu/~username myself
10:11 < strages> do universities do that still?
11:23 <@Evilpig> not really
11:23 <@Evilpig> some of the computer science departments have user spaces set up but mostly not
11:23 <@Evilpig> likely too big of a liability now
11:27 < strages> Boo
11:44 <@Mirage> While interesting, the highlight to me is that he's wearing a Swatch. https://www.youtube.com/watch?v=q1RSIwexj9g
11:45 < PigBot> John Cleese Did Not Enjoy Filming Monty Python and the Holy Grail - YouTube (at www.youtube.com) http://tinyurl.com/y5z2mdm7
11:49 <@Mirage> The bit about the Trump jokes at the end is pretty good too
11:59 <@Mirage> Lol...deployment error from vRA "Cannot find matching cluster zones to satisfy memory requirement of '274,877,906,944' bytes of memory per instance.'
12:05 <@Mirage> https://www.youtube.com/watch?v=S1wkqZIJOAQ
12:05 < PigBot> David Cross Is Starting To Regret His Vote for Trump... - YouTube (at www.youtube.com) http://tinyurl.com/y2vocs4b
13:42 <@Dagmar> I'll bet Robert Trump would regret voting for Donald, if he hadn't likely died of COVID
13:43 <@Dagmar> Since they've not mentioned a cause of dead, it's probably a lock that it was actually COVID.
13:43 <@Dagmar> s/dead/death/
14:18 <@Mirage> Just got a wrong number call on my work skype. Didn't even know that it was connected to a phone number for inbound calls. very weird.
14:42 <@Mirage> heh, speaking of death.. https://www.benjerry.com/flavors/flavor-graveyard
14:42 < PigBot> Flavor Graveyard | Ben & Jerry's (at www.benjerry.com) http://tinyurl.com/yxhcphsm
14:44 <@Mirage> Dagmar: I doubt we'll ever know the truth of it and there will be conspiracies flying everywhere
15:17 <@Evilpig> Mirage: I hope that's a real thing and they didn't just make that for the video. that's amazing!
16:33 <@Evilpig> notlarry never ceases to amuse me
16:34 <@Evilpig> he just called me to tell me about a conversation he had with a dude that claimed the internet isn't just for porn. that he had gotten interested in welding and went online and now he's pretty good at it.
16:34 <@Evilpig> so notlarry told me to hit up the urban dictionary for welding. https://www.urbandictionary.com/define.php?term=welding
16:34 < PigBot> Urban Dictionary: welding (at www.urbandictionary.com) http://tinyurl.com/y26k6bu5
16:34 <@Evilpig> Did not disappoint.
16:50 < lastchild> He told me about that when I was back in 148
16:50 < lastchild> they need to up his dosages
18:40 -!- dc0de [~dc0de@198.46.153.211] has joined #se2600
18:40 -!- mode/#se2600 [+o dc0de] by ChanServ
19:59 -!- strages [uid11297@gateway/web/irccloud.com/x-zkyvwuaawzpmzhzp] has quit [Quit: Connection closed for inactivity]
20:00 -!- dc0de [~dc0de@198.46.153.211] has quit [Remote host closed the connection]
21:02 -!- northrup9 [~northrup@bragi.8bitwizard.net] has joined #se2600
21:02 -!- mode/#se2600 [+o northrup9] by ChanServ
21:04 -!- northrup [~northrup@bragi.8bitwizard.net] has quit [Ping timeout: 265 seconds]
21:04 -!- northrup9 is now known as northrup
21:04 -!- Dagmar [~dagmar@unaffiliated/dagmar] has quit [Ping timeout: 265 seconds]
21:05 -!- opticron [~opticron@136.53.69.43] has quit [Ping timeout: 265 seconds]
21:05 -!- _NSAKEY [~nsa@backdoored.equipment] has quit [Ping timeout: 265 seconds]
21:05 -!- _NSAKEY [~nsa@backdoored.equipment] has joined #se2600
21:06 -!- mode/#se2600 [+o _NSAKEY] by ChanServ
21:17 -!- opticron [~opticron@136.53.69.43] has joined #se2600
21:17 -!- mode/#se2600 [+o opticron] by ChanServ
21:20 -!- Dagmar [~dagmar@c-69-247-146-235.hsd1.tn.comcast.net] has joined #se2600
21:20 -!- Dagmar [~dagmar@c-69-247-146-235.hsd1.tn.comcast.net] has quit [Changing host]
21:20 -!- Dagmar [~dagmar@unaffiliated/dagmar] has joined #se2600
21:20 -!- mode/#se2600 [+o Dagmar] by ChanServ
--- Log closed Wed Aug 19 00:00:14 2020