{"id":99,"date":"2008-03-26T19:44:00","date_gmt":"2008-03-26T23:44:00","guid":{"rendered":"http:\/\/blogs.n1zyy.com\/andrew\/2008\/03\/26\/you-had-a-bad-day\/"},"modified":"2008-03-26T19:44:00","modified_gmt":"2008-03-26T23:44:00","slug":"you-had-a-bad-day","status":"publish","type":"post","link":"https:\/\/blogs.n1zyy.com\/andrew\/2008\/03\/26\/you-had-a-bad-day\/","title":{"rendered":"You Had a Bad Day"},"content":{"rendered":"<p>So I just discovered that my dedicated machine, which is generally doing absolutely nothing, was running at a load average of about 1. The top CPU abuser? Some command I didn&#8217;t recognize (<a href=\"http:\/\/www.google.com\/search?q=barbut\">barbut<\/a>). I was immediately suspicious. I killed the process, then noticed that it had been running as the cvs user, so I ran a ps to find all commands running as cvs.<\/p>\n<p><i>webkill?<\/i><\/p>\n<p>Yes, that&#8217;s right, my dedicated box was an involuntary participant in a distributed denial of service attack, orchestrated by an IRC bot, also known as barbut (which I found, source and all, in \/home\/cvs\/).<\/p>\n<p>Time for damage control. First, I obliterated the user cvs. Then I installed and ran rkhunter; the &#8220;good&#8221; news is that no root kits were found. Then I went to change the SSH port &#8212; oh, wait, I&#8217;d already done that, but never restarted with the new config: shame on me!<\/p>\n<p>One of the unfortunate side effects of using CVS over SSH is that you need accounts with shell access. Apparently I&#8217;d created a user with a basic password to allow friends to check code out of my local CVS server; I&#8217;m guessing that password just got brute-forced. \nThere doesn&#8217;t look to be anything else amiss, so I guess I was somewhat lucky.<\/p>\n<p>Anyone want the source code to an IRC bot?<\/p>\n","protected":false},"excerpt":{"rendered":"<p>So I just discovered that my dedicated machine, which is generally doing absolutely nothing, was running at a load average of about 1. The top CPU abuser? Some command I didn&#8217;t recognize (barbut). I was immediately suspicious. I killed the process, then noticed that it had been running as the cvs user, so I ran [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,30],"tags":[44,52,71],"class_list":["post-99","post","type-post","status-publish","format-standard","hentry","category-brilliance","category-technology","tag-complacency","tag-idiocy","tag-stupidity"],"_links":{"self":[{"href":"https:\/\/blogs.n1zyy.com\/andrew\/wp-json\/wp\/v2\/posts\/99","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.n1zyy.com\/andrew\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.n1zyy.com\/andrew\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.n1zyy.com\/andrew\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.n1zyy.com\/andrew\/wp-json\/wp\/v2\/comments?post=99"}],"version-history":[{"count":0,"href":"https:\/\/blogs.n1zyy.com\/andrew\/wp-json\/wp\/v2\/posts\/99\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.n1zyy.com\/andrew\/wp-json\/wp\/v2\/media?parent=99"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.n1zyy.com\/andrew\/wp-json\/wp\/v2\/categories?post=99"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.n1zyy.com\/andrew\/wp-json\/wp\/v2\/tags?post=99"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}