今日の月曜日はPaques(イースター、復活祭)でお休みです。

てゆーか息子の学校は春休みど真ん中ですわ。 この機に乗じて会社1週間ぐらい休む人もいるし。 Laval Virtualだってのに大丈夫かよ、ってところですけど、逆に彼らからすると「Paquesに仕事するなんて!!」てな感じです。

それに明らかに元気になって帰ってくるからなあ…あながち否定もできないんですが。

それはそうとこんな休日を狙ってか狙わずか…。

研究室でDDNSで立てていたUbuntu Linux Serverがハッカーさんに攻撃されたようです。 一部のサイトのindex.phpが書き換えられて、”HaCKeD By 0x90”というメッセージを流しながら、おどろおどろしいmidiを流すサイトになってしまいました。

…自分が管理してたので笑えません。

とりあえずログをチェックすると、確定的な不正は見つからなかったけど怪しいアタックがたくさん…。

./auth.log:Apr  8 18:20:14 localhost sshd[30982]: Connection from 66.78.1.132 port 33711 ./auth.log:Apr  8 18:20:15 localhost sshd[30982]: Invalid user test from 66.78.1.132 ./auth.log:Apr  8 18:20:15 localhost sshd[30982]: debug3: Trying to reverse map address 66.78.1.132. ./auth.log:Apr  8 18:20:16 localhost sshd[30982]: debug1: PAM: setting PAM_RHOST to “66.78.1.132” ./auth.log:Apr  8 18:20:16 localhost sshd[30982]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.78.1.132 ./auth.log:Apr  8 18:20:18 localhost sshd[30982]: Failed password for invalid user test from 66.78.1.132 port 33711 ssh2 ./auth.log:Apr  8 18:20:19 localhost sshd[30986]: Connection from 66.78.1.132 port 33905 ./auth.log:Apr  8 18:20:19 localhost sshd[30986]: Invalid user guest from 66.78.1.132 ./auth.log:Apr  8 18:20:19 localhost sshd[30986]: debug3: Trying to reverse map address 66.78.1.132. ./auth.log:Apr  8 18:20:20 localhost sshd[30986]: debug1: PAM: setting PAM_RHOST to “66.78.1.132” ./auth.log:Apr  8 18:20:20 localhost sshd[30986]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.78.1.132 ./auth.log:Apr  8 18:20:22 localhost sshd[30986]: Failed password for invalid user guest from 66.78.1.132 port 33905 ssh2 ./auth.log:Apr  8 18:20:22 localhost sshd[30990]: Connection from 66.78.1.132 port 34039 ./auth.log:Apr  8 18:20:23 localhost sshd[30990]: Invalid user admin from 66.78.1.132 ./auth.log:Apr  8 18:20:23 localhost sshd[30990]: debug3: Trying to reverse map address 66.78.1.132. ./auth.log:Apr  8 18:20:23 localhost sshd[30990]: debug1: PAM: setting PAM_RHOST to “66.78.1.132” ./auth.log:Apr  8 18:20:23 localhost sshd[30990]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.78.1.132 ./auth.log:Apr  8 18:20:25 localhost sshd[30990]: Failed password for invalid user admin from 66.78.1.132 port 34039 ssh2 ./auth.log:Apr  8 18:20:25 localhost sshd[30992]: Connection from 66.78.1.132 port 34177 ./auth.log:Apr  8 18:20:26 localhost sshd[30992]: Invalid user admin from 66.78.1.132 ./auth.log:Apr  8 18:20:26 localhost sshd[30992]: debug3: Trying to reverse map address 66.78.1.132. ./auth.log:Apr  8 18:20:27 localhost sshd[30992]: debug1: PAM: setting PAM_RHOST to “66.78.1.132” ./auth.log:Apr  8 18:20:27 localhost sshd[30992]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.78.1.132 ./auth.log:Apr  8 18:20:29 localhost sshd[30992]: Failed password for invalid user admin from 66.78.1.132 port 34177 ssh2 ./auth.log:Apr  8 18:20:29 localhost sshd[30996]: Connection from 66.78.1.132 port 34329 ./auth.log:Apr  8 18:20:30 localhost sshd[30996]: Invalid user user from 66.78.1.132 ./auth.log:Apr  8 18:20:30 localhost sshd[30996]: debug3: Trying to reverse map address 66.78.1.132. ./auth.log:Apr  8 18:20:30 localhost sshd[30996]: debug1: PAM: setting PAM_RHOST to “66.78.1.132” ./auth.log:Apr  8 18:20:30 localhost sshd[30996]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.78.1.132 ./auth.log:Apr  8 18:20:33 localhost sshd[30996]: Failed password for invalid user user from 66.78.1.132 port 34329 ssh2 ./auth.log:Apr  8 18:20:33 localhost sshd[31000]: Connection from 66.78.1.132 port 34488 ./auth.log:Apr  8 18:20:34 localhost sshd[31000]: debug3: Trying to reverse map address 66.78.1.132. ./auth.log:Apr  8 18:20:34 localhost sshd[31000]: debug1: PAM: setting PAM_RHOST to “66.78.1.132” ./auth.log:Apr  8 18:20:34 localhost sshd[31000]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.78.1.132  user=root ./auth.log:Apr  8 18:20:36 localhost sshd[31000]: Failed password for root from 66.78.1.132 port 34488 ssh2 ./auth.log:Apr  8 18:20:36 localhost sshd[31004]: Connection from 66.78.1.132 port 34636 ./auth.log:Apr  8 18:20:37 localhost sshd[31004]: debug3: Trying to reverse map address 66.78.1.132. ./auth.log:Apr  8 18:20:37 localhost sshd[31004]: debug1: PAM: setting PAM_RHOST to “66.78.1.132” ./auth.log:Apr  8 18:20:37 localhost sshd[31004]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.78.1.132  user=root ./auth.log:Apr  8 18:20:39 localhost sshd[31004]: Failed password for root from 66.78.1.132 port 34636 ssh2 ./auth.log:Apr  8 18:20:39 localhost sshd[31006]: Connection from 66.78.1.132 port 34785 ./auth.log:Apr  8 18:20:40 localhost sshd[31006]: debug3: Trying to reverse map address 66.78.1.132. ./auth.log:Apr  8 18:20:40 localhost sshd[31006]: debug1: PAM: setting PAM_RHOST to “66.78.1.132” ./auth.log:Apr  8 18:20:41 localhost sshd[31006]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.78.1.132  user=root ./auth.log:Apr  8 18:20:42 localhost sshd[31006]: Failed password for root from 66.78.1.132 port 34785 ssh2 ./auth.log:Apr  8 18:20:42 localhost sshd[31010]: Connection from 66.78.1.132 port 34922 ./auth.log:Apr  8 18:20:43 localhost sshd[31010]: Invalid user test from 66.78.1.132 ./auth.log:Apr  8 18:20:43 localhost sshd[31010]: debug3: Trying to reverse map address 66.78.1.132. ./auth.log:Apr  8 18:20:43 localhost sshd[31010]: debug1: PAM: setting PAM_RHOST to “66.78.1.132” ./auth.log:Apr  8 18:20:43 localhost sshd[31010]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.78.1.132 ./auth.log:Apr  8 18:20:45 localhost sshd[31010]: Failed password for invalid user test from 66.78.1.132 port 34922 ssh2 ./auth.log.0:Apr  8 04:18:38 localhost sshd[9718]: Connection from 66.78.1.132 port 46941 ./auth.log.0:Apr  8 04:18:39 localhost sshd[9718]: Invalid user test from 66.78.1.132 ./auth.log.0:Apr  8 04:18:39 localhost sshd[9718]: debug3: Trying to reverse map address 66.78.1.132. ./auth.log.0:Apr  8 04:18:41 localhost sshd[9718]: debug1: PAM: setting PAM_RHOST to “66.78.1.132” ./auth.log.0:Apr  8 04:18:41 localhost sshd[9718]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.78.1.132 ./auth.log.0:Apr  8 04:18:43 localhost sshd[9718]: Failed password for invalid user test from 66.78.1.132 port 46941 ssh2 ./auth.log.0:Apr  8 04:18:43 localhost sshd[9722]: Connection from 66.78.1.132 port 47118 ./auth.log.0:Apr  8 04:18:44 localhost sshd[9722]: Invalid user guest from 66.78.1.132 ./auth.log.0:Apr  8 04:18:44 localhost sshd[9722]: debug3: Trying to reverse map address 66.78.1.132. ./auth.log.0:Apr  8 04:18:44 localhost sshd[9722]: debug1: PAM: setting PAM_RHOST to “66.78.1.132” ./auth.log.0:Apr  8 04:18:44 localhost sshd[9722]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.78.1.132 ./auth.log.0:Apr  8 04:18:46 localhost sshd[9722]: Failed password for invalid user guest from 66.78.1.132 port 47118 ssh2 ./auth.log.0:Apr  8 04:18:46 localhost sshd[9726]: Connection from 66.78.1.132 port 47257 ./auth.log.0:Apr  8 04:18:47 localhost sshd[9726]: Invalid user admin from 66.78.1.132 ./auth.log.0:Apr  8 04:18:47 localhost sshd[9726]: debug3: Trying to reverse map address 66.78.1.132. ./auth.log.0:Apr  8 04:18:47 localhost sshd[9726]: debug1: PAM: setting PAM_RHOST to “66.78.1.132” ./auth.log.0:Apr  8 04:18:47 localhost sshd[9726]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.78.1.132 ./auth.log.0:Apr  8 04:18:50 localhost sshd[9726]: Failed password for invalid user admin from 66.78.1.132 port 47257 ssh2 ./auth.log.0:Apr  8 04:18:50 localhost sshd[9730]: Connection from 66.78.1.132 port 47425 ./auth.log.0:Apr  8 04:18:51 localhost sshd[9730]: Invalid user admin from 66.78.1.132 ./auth.log.0:Apr  8 04:18:51 localhost sshd[9730]: debug3: Trying to reverse map address 66.78.1.132. ./auth.log.0:Apr  8 04:18:51 localhost sshd[9730]: debug1: PAM: setting PAM_RHOST to “66.78.1.132” ./auth.log.0:Apr  8 04:18:51 localhost sshd[9730]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.78.1.132 ./auth.log.0:Apr  8 04:18:53 localhost sshd[9730]: Failed password for invalid user admin from 66.78.1.132 port 47425 ssh2 ./auth.log.0:Apr  8 04:18:53 localhost sshd[9732]: Connection from 66.78.1.132 port 47552 ./auth.log.0:Apr  8 04:18:54 localhost sshd[9732]: Invalid user user from 66.78.1.132 ./auth.log.0:Apr  8 04:18:54 localhost sshd[9732]: debug3: Trying to reverse map address 66.78.1.132. ./auth.log.0:Apr  8 04:18:54 localhost sshd[9732]: debug1: PAM: setting PAM_RHOST to “66.78.1.132” ./auth.log.0:Apr  8 04:18:54 localhost sshd[9732]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.78.1.132 ./auth.log.0:Apr  8 04:18:56 localhost sshd[9732]: Failed password for invalid user user from 66.78.1.132 port 47552 ssh2 ./auth.log.0:Apr  8 04:18:56 localhost sshd[9736]: Connection from 66.78.1.132 port 47713 ./auth.log.0:Apr  8 04:18:57 localhost sshd[9736]: debug3: Trying to reverse map address 66.78.1.132. ./auth.log.0:Apr  8 04:18:58 localhost sshd[9736]: debug1: PAM: setting PAM_RHOST to “66.78.1.132” ./auth.log.0:Apr  8 04:18:58 localhost sshd[9736]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.78.1.132  user=root ./auth.log.0:Apr  8 04:19:00 localhost sshd[9736]: Failed password for root from 66.78.1.132 port 47713 ssh2 ./auth.log.0:Apr  8 04:19:00 localhost sshd[9740]: Connection from 66.78.1.132 port 47903 ./auth.log.0:Apr  8 04:19:01 localhost sshd[9740]: debug3: Trying to reverse map address 66.78.1.132. ./auth.log.0:Apr  8 04:19:02 localhost sshd[9740]: debug1: PAM: setting PAM_RHOST to “66.78.1.132” ./auth.log.0:Apr  8 04:19:02 localhost sshd[9740]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.78.1.132  user=root ./auth.log.0:Apr  8 04:19:03 localhost sshd[9740]: Failed password for root from 66.78.1.132 port 47903 ssh2 ./auth.log.0:Apr  8 04:19:03 localhost sshd[9742]: Connection from 66.78.1.132 port 48050 ./auth.log.0:Apr  8 04:19:04 localhost sshd[9742]: debug3: Trying to reverse map address 66.78.1.132. ./auth.log.0:Apr  8 04:19:05 localhost sshd[9742]: debug1: PAM: setting PAM_RHOST to “66.78.1.132” ./auth.log.0:Apr  8 04:19:05 localhost sshd[9742]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.78.1.132  user=root ./auth.log.0:Apr  8 04:19:07 localhost sshd[9742]: Failed password for root from 66.78.1.132 port 48050 ssh2 ./auth.log.0:Apr  8 04:19:07 localhost sshd[9746]: Connection from 66.78.1.132 port 48212 ./auth.log.0:Apr  8 04:19:08 localhost sshd[9746]: Invalid user test from 66.78.1.132 ./auth.log.0:Apr  8 04:19:08 localhost sshd[9746]: debug3: Trying to reverse map address 66.78.1.132. ./auth.log.0:Apr  8 04:19:08 localhost sshd[9746]: debug1: PAM: setting PAM_RHOST to “66.78.1.132” ./auth.log.0:Apr  8 04:19:08 localhost sshd[9746]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.78.1.132 ./auth.log.0:Apr  8 04:19:10 localhost sshd[9746]: Failed password for invalid user test from 66.78.1.132 port 48212 ssh2

PAM認証とかX-Windowへのssh2などを試しているように見えますね…よくわかりませんが。 この66.78.1.132というIPはニューヨークから。まあたぶん仮宿でしょうけど…。

いろいろ調べてみてrootkit(ハッカーが活動を見られないよう細工を行うためのソフト群)は仕掛けられてないようなんですけど、状態としてはxoops英語版のinstallフォルダを使った攻撃なんではないかと見ています。まあどこまで攻撃されているかわからないのと、なんか今まさにオンラインで作業しているような雰囲気があるので、思い切ってシャットダウンしました。

少なくともハッカーに勝つことはできませんが、負けは無いでしょう。

物理的な管理者のできる最後の抗戦です。 ほっといたらログもファイルサーバーも全部消されてゾンビ化するだけですから…。

明日にでもLANからはずして解析、フォーマット＆再インストールですが…。ああめんどくさい。付加価値ない作業…。

ところで犯人は 「[email protected] 」に連絡くれ、と書いております。

てゆかこんなところにメール送ったら何されるか…。 誰か勇気のある人、試してみてください。

その後：

なんだか腹立つのでメールしてみました。ハッキングは違法ですし。

ついでに0x90.comのWhois情報を晒しておきます。

なおアルゼンチン人のSilvio Lunaなんて知り合いはいません。

ハッカーがこの人と関係ある、という証拠がつかめればいいのですが、とりあえず個人情報丸見えですね…。