@voltagex
What the fuck?!
#infosec, a little help? This is my Plex server but it looks like it's been breached. pic.twitter.com/iQxxwUoS9a

Adam ♿ 🐧
@voltagex
29 Jan
plex:x:111:119::/var/lib/plexmediaserver:/bin/bash
Fuck, I'm an idiot.

Adam ♿ 🐧
@voltagex
29 Jan
Okay, so we've worked out how they got in (chsh bash when I was trying to fix something, then I didn't disable it again) and how they persisted (cron).

Adam ♿ 🐧
@voltagex
29 Jan
And my "entry" is in anon.groov.pl/index.php but why?

Adam ♿ 🐧
@voltagex
29 Jan
One way to get their attention. pic.twitter.com/wHuMbjj2uD

Adam ♿ 🐧
@voltagex
29 Jan
-rwxrwxr-x 1 plex plex 947 Sep 15 14:23 anon. So they've been in for a while.

Adam ♿ 🐧
@voltagex
29 Jan
So, do I nuke this from orbit? pic.twitter.com/9aMJDzstR7

Adam ♿ 🐧
@voltagex
29 Jan
SSH version was/is a false alarm.

Alex Sadleir
@maxious
29 Jan
"The TomatoAnon script will send information to an online database about your router's model and installed version of Tomato." github.com/Jackysi/advanc…

Adam ♿ 🐧
@voltagex
29 Jan
wtf++

Jamie
@JJJollyjim
29 Jan
Was it running qbittorrent? Seems to be a common theme with the IPs I've checked

Adam ♿ 🐧
@voltagex
29 Jan
I was at one point, but the UI was bound to localhost.