In China, we have the largest number of people on the internet in the world.
But unfortunately our security technology is too poor to support this number one position.
In these days, from Dec. 21st to 26th, some hackers have released the passwords of over 70 million Chinese internet accounts. Because most people have just one account, that means over 70 million people have been leaked, about 5% of our population.
Some hackers released the user information from the databases of many famous Chinese websites, including usernames, passwords, email addresses, phone numbers etc. It was not very difficult to find those files and download them; I have downloaded most of them.
But what surprised me most was that almost everybody around me didn't know this had happened, and some who knew didn't believe it until I showed them their own passwords.
I think this is very dangerous, because the hackers just put the passwords in public, so anyone who wants to do some evil things has a lot of methods. And because most people use the same passwords and the same user names for all websites, it's very easy to find out and get more information from other places like email, IM software and some eCommerce websites. What they have leaked is not only the passwords of those websites.
I don't know whether this is big news in other foreign countries, but in China, I think it will become bigger after many people are hurt.
The websites whose leaked passwords I have confirmed were:
Facebook-like service - renren.com - 4,768,600
Leading IT development website - csdn.net - 6,428,632
Twitter-like service - webo.com - 4,765,895
The biggest Chinese online community website - tianya.cn - 31,761,424
Popular online game community website - 17173.com - 18,333,776
Popular online game community website - duowan.com - 8,305,005
Popular online game community website - uuu9.com - 5,577,553
Other common websites - 16,144,539 total
In the future there may be more passwords leaked; now it's over 70 million. It's really a very huge number!
And in my opinion, it is not just the hackers' fault. Most of those websites are storing unencrypted passwords in their databases. That's why hackers can easily get users' passwords; if they put the passwords into the database with MD5, another hash or their own algorithm, hackers could not get them so easily.
I even felt angry about csdn.net: as the leading IT development website in China, with so many developers discussing technologies on it, it was also storing unencrypted passwords in its database like the other websites. Really, really shit!! Unforgivable! This is why when I saw their official apology to users I felt worse than before. I've given up on it.
If you are a foreign visitor on my blog, you can just ask me any questions; I'd like to tell you what I know.
This morning, the IDC told us that one of our servers had been observed making at least 4 outgoing IRC connection attempts. This is not normal behavior. Later, I found the root cause of this IRC traffic issue.
The operation notes are as below:
[root@server ~]# ps aux
username 26650 0.0 0.0 2068 764 ? Ss Jul20 0:21 crond
This process belonged to username and was named crond, which was very suspicious.
[root@server ~]# last | grep username
I checked the login history, but there was no record of the user username.
[root@server home]# ll | grep username
drwx------ 3 username username 4096 Jul 20 05:07 username
The home directory of username was modified on Jul 20 05:07.
[root@server username]# ll
But there were no normal files under it.
[root@server username]# ll -a
drwx------ 3 username username 4096 Aug 6 06:36 .ssh
Then I checked the hidden files: the directory .ssh was modified at 6:36 today.
[root@server .ssh]# ll -a
drwxr-xr-x 3 username username 4096 Jul 20 06:00 www
There was a suspicious directory under it, with a lot of suspicious files inside.
[root@server .ssh]# cd www
[root@server www]# ll
-rwxr-xr-x 1 username username 255 May 5 2010 1
-rw-r--r-- 1 username username 120 Jul 20 05:08 126.96.36.199.user
-rwxr-xr-x 1 username username 321 May 23 2009 autorun
-rwxr-xr-x 1 username username 612470 Jan 29 2010 crond
-rw-r--r-- 1 username username 54 Jul 20 05:08 cron.d
-rwxr-xr-x 1 username username 447 Feb 24 2010 go
-rwxr-xr-x 1 username username 5119 Apr 13 2010 inst
-rwxr-xr-x 1 username username 21 Jul 20 05:08 mech.dir
-rwxr-xr-x 1 username username 169692 Jul 20 05:08 pico
drwxr-xr-x 2 username username 4096 Jan 29 2010 randfiles
-rw-r--r-- 1 username username 1043 Aug 6 06:00 raw.levels
-rw------- 1 username username 6 Jul 20 05:08 raw.pid
-rw-r--r-- 1 username username 867 Aug 6 06:00 raw.session
-rw-r--r-- 1 username username 1091 Jul 20 05:08 raw.set
-rwxr-xr-x 1 username username 52 Feb 24 2010 run
-rwxr-xr-x 1 username username 194 Jul 20 05:08 update
-rwxr-xr-x 1 username username 8 Feb 24 2010 vhosts
[root@server www]# lsof crond
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
crond 26650 username txt REG 8,5 612470 67207186 crond
The file crond in this directory was the one that was running.
[root@server www]# crontab -u username -l
* * * * * /home/username/.ssh/www/update >/dev/null 2>&1
And it used a crontab job to update itself.
[root@server www]# grep 188.8.131.52 -rl .
The IP address 184.108.40.206 was included in some files.
There were a lot of domains and addresses in those files.
[root@server www]# cat raw.session
server Budapest.Hu.Eu.Undernet.org 7000
server Budapest.Hu.Eu.Undernet.org 6667
server Tampa.FL.US.Undernet.org 6667
server lidingo.se.eu.undernet.org 6667
server 220.127.116.11 6662
server 18.104.22.168 6660
server 22.214.171.124 6662
server 126.96.36.199 6667
server us.undernet.org 6667
There was no doubt about it: the user username was hacked.
Let's kill the fake process and clean up.
[root@server .ssh]# kill -9 26650
[root@server .ssh]# cat /dev/null > /var/spool/cron/username
[root@server .ssh]# rm -rf www
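As an added example, not part of the original post: a small POSIX shell script that flags the two signs found in the notes above, a daemon-named process such as crond running as an ordinary user, and a per-user cron entry pointing into a hidden directory under /home. It runs on constructed sample text shaped like the output of `ps aux` and `crontab -u username -l`; the list of daemon names that should only run as root is an assumption for this box.

```shell
#!/bin/sh
# Added example, not from the original post. Replace the two constructed
# samples below with "$(ps aux)" and "$(crontab -u "$u" -l)" on a live host.

# Constructed sample of `ps aux` (USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND).
# The third line mirrors the finding in the notes: crond owned by a plain user.
SAMPLE_PS='root 1 0.0 0.1 2104 700 ? Ss Jul20 0:05 init
root 1188 0.0 0.0 2068 764 ? Ss Jul20 0:21 crond
username 26650 0.0 0.0 2068 764 ? Ss Jul20 0:21 crond
username 26700 0.0 0.0 4500 900 pts/0 S Aug06 0:00 bash'

# Constructed sample of a per-user crontab; the first line is the one from the notes.
SAMPLE_CRON='* * * * * /home/username/.ssh/www/update >/dev/null 2>&1
0 3 * * * /home/username/backup.sh'

# Print "user pid" for processes whose command name is a root-only daemon
# (assumed list: crond, sshd, syslogd) but whose owner is not root.
suspicious_daemons() {
    printf '%s\n' "$1" | awk '
        $1 != "root" && ($11 == "crond" || $11 == "sshd" || $11 == "syslogd") {
            print $1, $2
        }'
}

# Print cron command paths that sit inside a hidden directory under /home,
# e.g. /home/<user>/.ssh/www/update. Comments and short lines are skipped.
hidden_cron_paths() {
    printf '%s\n' "$1" | awk '
        /^#/ || NF < 6 { next }
        $6 ~ "^/home/[^/]+/[.][^/]+/" { print $6 }'
}

# Total number of findings across both checks; 0 means nothing was flagged.
finding_count() {
    a=$(suspicious_daemons "$SAMPLE_PS" | wc -l)
    b=$(hidden_cron_paths "$SAMPLE_CRON" | wc -l)
    echo $((a + b))
}

# Report, as a human would read it.
suspicious_daemons "$SAMPLE_PS" | sed 's/^/daemon name owned by non-root user: /'
hidden_cron_paths "$SAMPLE_CRON" | sed 's/^/cron job in hidden home directory: /'
```

A process that passes these checks can still be malicious, so `lsof -p <pid>` and `ls -la` on the owning user's home, as in the notes, remain the confirming steps.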