To the script kiddie that tried to hack my server — you’ll have to try a lot harder than that if you want to exploit my box. But congratulations, you managed to launch a wild perl process and take up half my CPU power for a couple of hours. Had it not been for the fact that your socket code writing skills aren’t very L337, I might never have noticed.
That you got in at all is due to an oversight on my part in not locking down a directory, and due to an exploit in a theme we were using on one of my other blogs. That exploit has been removed. I also removed your fun little script, and am analyzing it now. I am not impressed with your lame hacking skills. I’d strongly recommend sticking to masturbating to porn in your parents’ basement. The next person might be annoyed enough to call the cops.
Call the cops anyway. Sometimes you later notice more forensic evidence of badness.
-Gene
It’s not worth it. I’ve been down this road and it’s a waste of time. The FBI won’t do anything until you suffered $250k in loss. The local cops can’t do much beyond send an email so they will be of no use. While the county detectives or AG’s office may be able to help, they won’t. Unless it’s kiddie porn they stay out of electronic crimes.
I have to laugh at the brilliance of your response.
To me, your response is a hybrid between a bitch slap and taking the hacker to the wood shed for an ole fashioned ass whoopin. Well played.
It looks like Colin and Lad have gotten some equally ineffective backup to help go after you.
I think Colin could be a less lame h4k0r than this guy, and Ladd would be more eager to try to mess up my shit. I think this guy was more interested in having another server he could attack other servers from.
His script was essentially a vehicle for attacking other servers. It connected to an IRC server in Germany and could be controlled via IRC. Unfortunately, it looks like it could execute arbitrary shell commands. But it looks like it was mostly a vehicle for launching DDoS attacks. I need to find an IRC server so I can test the capabilities of this thing.
What got him caught is that the script he launched does busy waiting on the socket. That made it loop continually when it wasn’t doing anything. If he had written his socket code correctly, it might have been a while before I found out about this asshole.
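The busy-waiting bug described in the comment above, shown side by side with the correct pattern. This is an added example and not the bot's code or anything from the post: the two readers are driven by a constructed peer over a local socketpair, so it runs offline. The buggy reader calls recv() on a non-blocking socket in a tight loop and spins until data arrives; the fixed reader blocks in select() and wakes only when the socket is readable. Counting loop iterations makes the CPU cost visible, which is exactly what gave the real script away.

```python
import select
import socket
import threading
import time


def _feeder(conn, delay, payload):
    """Constructed peer: sleep, send one message, then close the connection."""
    time.sleep(delay)
    conn.sendall(payload)
    conn.close()


def busy_wait_reader(sock):
    """The bug: non-blocking recv() in a tight loop.

    Every BlockingIOError is 'no data yet', and the loop immediately tries
    again, so the process burns a full core while idle. Returns
    (data, loop_iterations).
    """
    sock.setblocking(False)
    iterations = 0
    chunks = []
    while True:
        iterations += 1
        try:
            data = sock.recv(4096)
        except BlockingIOError:
            continue  # nothing yet; spin and ask again
        if not data:  # peer closed
            break
        chunks.append(data)
    return b"".join(chunks), iterations


def select_reader(sock):
    """The fix: block in select() until the kernel says the socket is readable.

    The loop body only runs when there is data (or EOF) to consume, so an idle
    connection costs no CPU. Returns (data, loop_iterations).
    """
    sock.setblocking(False)
    iterations = 0
    chunks = []
    while True:
        iterations += 1
        readable, _, _ = select.select([sock], [], [])  # sleeps until readable
        if sock in readable:
            data = sock.recv(4096)
            if not data:  # peer closed
                break
            chunks.append(data)
    return b"".join(chunks), iterations


def compare(delay=0.2, payload=b"PRIVMSG #ctl :ping\r\n"):
    """Run both readers against a peer that stays silent for `delay` seconds.

    Returns {"busy": (data, iterations), "select": (data, iterations)}.
    The payload is a constructed IRC-style line, not a real C&C message.
    """
    results = {}
    for name, reader in (("busy", busy_wait_reader), ("select", select_reader)):
        ours, theirs = socket.socketpair()
        t = threading.Thread(target=_feeder, args=(theirs, delay, payload))
        t.start()
        data, iterations = reader(ours)
        t.join()
        ours.close()
        results[name] = (data, iterations)
    return results


if __name__ == "__main__":
    for name, (data, iterations) in compare().items():
        print(f"{name:6s} reader: {iterations} loop iterations, got {data!r}")
```

On a 0.2 s pause the busy reader typically spins through hundreds of thousands of iterations while the select-based reader wakes twice (once for the data, once for EOF). A plain blocking recv() would have hidden the bot just as well; the point is that any of the standard patterns would have avoided the CPU spike that showed up in the process list.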
Odds are, not a direct attack. You were found in a scan and auto infected, most likely.
A fun thing is to write a logger that connects to the IRC host and await/log the C&C instructions.
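A passive C&C logger of the kind suggested in the comment above, as an added example that is not from the post or from the bot being analysed. It registers with the IRC server using the standard RFC 1459 handshake (NICK/USER, JOIN on the 001 welcome, PONG for every PING), reads with blocking I/O so it does not repeat the bot's busy-wait mistake, and records every PRIVMSG/NOTICE as a candidate instruction without ever executing anything. The server name, nick, channel and the commands in the replayed transcript are all constructed for the demo; the real bot's command syntax is not on the page.

```python
import socket
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class IrcMessage:
    prefix: str        # "nick!user@host" or server name, without the leading ':'
    command: str       # e.g. "PRIVMSG", "PING", "001"
    params: List[str]  # middle params followed by the trailing param, if any


def parse_irc_line(line: str) -> IrcMessage:
    """Parse one line per RFC 1459: [':' prefix SP] command {SP param} [SP ':' trailing]."""
    line = line.rstrip("\r\n")
    prefix = ""
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")  # first " :" starts the trailing param
    params = head.split()
    command = params.pop(0) if params else ""
    if sep:
        params.append(trailing)
    return IrcMessage(prefix, command, params)


class CncLogger:
    """Joins the channel as an ordinary client and logs instructions it sees."""

    def __init__(self, nick: str, channel: str):
        self.nick = nick
        self.channel = channel
        # (timestamp, sender, target, text)
        self.log: List[Tuple[float, str, str, str]] = []

    def handshake(self) -> List[str]:
        return [f"NICK {self.nick}\r\n", f"USER {self.nick} 0 * :{self.nick}\r\n"]

    def handle_line(self, raw: str) -> Optional[str]:
        """Record anything that looks like an instruction; return a reply to send, if any."""
        msg = parse_irc_line(raw)
        if msg.command == "PING" and msg.params:
            return f"PONG :{msg.params[-1]}\r\n"          # keep the server from dropping us
        if msg.command == "001":                           # RPL_WELCOME: registered, now join
            return f"JOIN {self.channel}\r\n"
        if msg.command in ("PRIVMSG", "NOTICE") and len(msg.params) >= 2:
            sender = msg.prefix.split("!", 1)[0]           # nick part of nick!user@host
            self.log.append((time.time(), sender, msg.params[0], msg.params[1]))
        return None

    def run(self, host: str, port: int = 6667, timeout: float = 600.0) -> None:
        """Connect and log until the server closes the connection (network; not used offline)."""
        with socket.create_connection((host, port), timeout=timeout) as s:
            for line in self.handshake():
                s.sendall(line.encode())
            with s.makefile("rb") as f:                    # blocking reads: no busy waiting
                for raw in f:
                    reply = self.handle_line(raw.decode("utf-8", "replace"))
                    if reply:
                        s.sendall(reply.encode())


# Constructed transcript for an offline dry run; the herder's commands are made up.
SAMPLE_TRANSCRIPT = [
    ":irc.example.test 001 watcher :Welcome to the network\r\n",
    "PING :irc.example.test\r\n",
    ":herder!h@192.0.2.4 PRIVMSG #ctl :!udpflood 192.0.2.10 53 60\r\n",
    ":herder!h@192.0.2.4 PRIVMSG watcher :!sh uname -a\r\n",
    ":irc.example.test NOTICE watcher :*** Looking up your hostname\r\n",
]


def replay(lines):
    """Feed a transcript through the logger; return (log entries, replies we would send)."""
    logger = CncLogger("watcher", "#ctl")
    replies = [r for r in (logger.handle_line(line) for line in lines) if r]
    return logger.log, replies


if __name__ == "__main__":
    entries, replies = replay(SAMPLE_TRANSCRIPT)
    for _, sender, target, text in entries:
        print(f"{sender} -> {target}: {text}")
    print("replies:", replies)
```

Point it at the host and channel recovered from the script with `CncLogger(nick, channel).run(host)` from a throwaway VM, not the compromised box, and expect the herder to notice an unfamiliar nick eventually; the value is in the log of what other infected hosts are being told to do.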
The attack pattern doesn’t indicate auto infection. He targeted Delicate themes quite specifically. That can be done by rote, certainly. But Delicate themes I don’t think are quite widespread enough to just let a process like that go.