  • EnergyMech IRC bot installed on my server by "hacker"... :-(


    Well, I know a lot of people don't like to admit it, but I got "hacked"
    over the Xmas holidays, thanks to my own stupidity and oversight.
    Meaning, I wasn't really "hacked" in the classical sense, and I got
    what I deserved by being stupid -- akin to leaving the car keys in the
    car and someone driving off with my car. (I flippantly created an
    account for a virtual stereo to play my MP3's and made the password the
    same as the username totally overlooking the fact that I had ssh open
    and port-forwarded to this machine Du-uh!)
    Fortunately, it looks like from the logs that all that happened was the
    person who "hacked" me installed an IRC bot called 'EnergyMech'. I've
    not found any root kits or any other exploits except this. Can someone
    fill me in on exactly what EnergyMech does or can do? From what I've
    read about EnergyMech, my reaction is "A person hacked into my computer
    to install THIS?" It looks pretty innocuous, save for some
    suggestions that EnergyMech was once used for hacking and 'evil
    purposes' (from the EnergyMech home page.) Can someone give me a
    better idea of the scope of this bot? It appears it was not used to
    actually do anything. I know what IRC is, but I'm not a big user of it
    and I'm not sure what an IRC bot does (or from what I've read, my
    reaction is "Big deal. So what!?")
    Meanwhile, I think I've battened down all the hatches. Really stupid
    on my part, so I got what I deserved.
    -ceo
  • No.1

    Sun, 01 Jan 2006 15:10:50 -0800, /usr/ceo wrote:

    >same as the username totally overlooking the fact that I had ssh open
    >and port-forwarded to this machine Du-uh!)

    *This* machine is a Windows box. Why are you complaining here?

    X-HTTP-UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
    rv:1.8) Gecko/20051111 Firefox/1.5,gzip(gfe),gzip(gfe)
  • No.2

    Dave Uhring wrote:
    >Sun, 01 Jan 2006 15:10:50 -0800, /usr/ceo wrote:

    >>same as the username totally overlooking the fact that I had ssh open
    >>and port-forwarded to this machine Du-uh!)

    >*This* machine is a Windows box. Why are you complaining here?

    K, "my Linux machine." Does this help you a little more? How does my
    UserAgent string throw you so much that you don't get the picture that
    the object of my question is regarding EnergyMech?

    >X-HTTP-UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
    >rv:1.8) Gecko/20051111 Firefox/1.5,gzip(gfe),gzip(gfe)

    I must be the first person in the history of the world to own a Linux
    box but still use a Windows client for Web/NNTP access. I guess I
    don't feel so stupid after all.
    -ceo

  • No.3

    1 Jan 2006 15:32:44 -0800, "/usr/ceo" <newsbot@cox.net> wrote:

    >Dave Uhring wrote:


    >X-HTTP-UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
    >rv:1.8) Gecko/20051111 Firefox/1.5,gzip(gfe),gzip(gfe)
    >
    >I must be the first person in the history of the world to own a Linux
    >box but still use a Windows client for Web/NNTP access. I guess I
    >don't feel so stupid after all.


    Not alone, I do it too ;-) And yes, there are a few small-minded
    people around who like to show off their header reading skills.

    I've no idea what the 'bot is, but I don't forward NEW stuff to
    localnet boxen. You want to be really sure the 'bot is not a
    decoy; if I felt a box was compromised, I'd clean wipe and
    reinstall to be sure.

    Then I'd look into improving my localnet security.

    Grant.
  • No.4

    /usr/ceo writes:
    >Fortunately, it looks like from the logs that all that happened was the
    >person who "hacked" me installed an IRC bot called 'EnergyMech'.
    You don't know that. The bot could be a decoy.
  • No.5

    Sun, 01 Jan 2006 15:32:44 -0800, /usr/ceo wrote:

    >Dave Uhring wrote:
    >>Sun, 01 Jan 2006 15:10:50 -0800, /usr/ceo wrote:

    >>>same as the username totally overlooking the fact that I had ssh open
    >>>and port-forwarded to this machine Du-uh!)

    >>*This* machine is a Windows box. Why are you complaining here?

    >K, "my Linux machine." Does this help you a little more? How does my
    >UserAgent string throw you so much that you don't get the picture that
    >the object of my question is regarding EnergyMech?

    Nobody but *you* installed that thing. If you are stupid enough to run as
    root you deserve the punishment which you receive.

    >>X-HTTP-UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
    >>rv:1.8) Gecko/20051111 Firefox/1.5,gzip(gfe),gzip(gfe)

    >I must be the first person in the history of the world to own a Linux
    >box but still use a Windows client for Web/NNTP access. I guess I
    >don't feel so stupid after all.

    You may not feel stupid but you are. You not only installed something
    which you did not want you are too dumb to remove it and then proclaim to
    the Internet just how stupid you have been.

  • No.6

    John Hasler wrote:

    >/usr/ceo writes:
    >>Fortunately, it looks like from the logs that all that happened was the
    >>person who "hacked" me installed an IRC bot called 'EnergyMech'.

    >You don't know that. The bot could be a decoy.

    Let me get this right: someone hacked you and installed this on your system.

    Yeah, we believe you. If your system is so open that someone can do that then
    you are too stupid to run Linux, and I would go so far as to say sell your
    computer and go back to your PlayStation before something really serious
    happens.
  • No.7

    John Hasler wrote:
    >/usr/ceo writes:
    >>Fortunately, it looks like from the logs that all that happened was the
    >>person who "hacked" me installed an IRC bot called 'EnergyMech'.

    >You don't know that. The bot could be a decoy.

    Well, I didn't just conclude that the bot was the only thing installed.
    I did a lot of looking around and sniffing for root kits, etc.,
    checking key files, and this appears to be all that was done. That
    still doesn't mean that I'm clean as you say, I know, but I didn't just
    assume the bot was all that was installed once I found it. As someone
    else mentioned, the only way to know is to clear off my server and
    start over, which I need to do anyway, but can't right at the moment.

    /usr/ceo

  • No.8

    Dave Uhring wrote:
    >Sun, 01 Jan 2006 15:32:44 -0800, /usr/ceo wrote:

    >>Dave Uhring wrote:
    >>>Sun, 01 Jan 2006 15:10:50 -0800, /usr/ceo wrote:

    >>>>same as the username totally overlooking the fact that I had ssh open
    >>>>and port-forwarded to this machine Du-uh!)

    >>>*This* machine is a Windows box. Why are you complaining here?

    >>K, "my Linux machine." Does this help you a little more? How does my
    >>UserAgent string throw you so much that you don't get the picture that
    >>the object of my question is regarding EnergyMech?

    >Nobody but *you* installed that thing. If you are stupid enough to run as
    >root you deserve the punishment which you receive.

    Wow Dave. You're a real Linux and internet NNTP sleuth. I stand in
    awe of your abilities to sniff out my UserAgent (just how DID you pull
    that one off?!!!), and your ability to conjecture completely
    incorrectly (but make it sound SO AUTHORITATIVE) that I was running
    anything as root. The internet is indebted to you for your outstanding
    capabilities. All these logs I have that show someone using a brute
    force login attack against my machine must be a decoy that I set up for
    myself to confuse myself that I ran something. Thanks for pointing
    that out.

    >>>X-HTTP-UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
    >>>rv:1.8) Gecko/20051111 Firefox/1.5,gzip(gfe),gzip(gfe)

    >>I must be the first person in the history of the world to own a Linux
    >>box but still use a Windows client for Web/NNTP access. I guess I
    >>don't feel so stupid after all.

    >You may not feel stupid but you are. You not only installed something
    >which you did not want you are too dumb to remove it and then proclaim to
    >the Internet just how stupid you have been.

    Wow, I've really been put in my place by you Dave. Every time I respond
    to your postings, I truly do provide a better and further glimpse to
    everyone else on the internet of just how far apart you and the others
    here in c.o.l.m are on the intellectual scale.

    /usr/ceo

  • No.9

    David A' Rebel wrote:
    >John Hasler wrote:

    >>/usr/ceo writes:
    >>>Fortunately, it looks like from the logs that all that happened was the
    >>>person who "hacked" me installed an IRC bot called 'EnergyMech'.

    >>You don't know that. The bot could be a decoy.

    >Let me get this right someone hacked you and installed this on your system.

    >Yeah we believe you. If you system is so open that someone can do that then
    >you are too stupid to run linux and I would go so far as to say sell your
    >computer and go back to your playstation before something really serious
    >happens.

    Is everyone named 'Dave' or 'David' on this list such intellectual
    giants? Maybe this is why no one who gets hacked admits it: the
    so-called "help" they would receive is actually worse than the damage
    done by the perpetrator?

    /usr/ceo

  • No.10

    /usr/ceo <newsbot@cox.net> wrote:
    >John Hasler wrote:
    >>/usr/ceo writes:
    >>>Fortunately, it looks like from the logs that all that happened was the
    >>>person who "hacked" me installed an IRC bot called 'EnergyMech'.

    >>You don't know that. The bot could be a decoy.

    >Well, I didn't just conclude that the bot was the only thing installed.
    >I did a lot of looking around and sniffing for root kits, etc.
    >Checking key files, and this appears to be all that was done. That

    When you say "installed", do you mean "he got root and all I can see is
    this eggbot"?

    (I seem to recall these are called eggbots - apologies if my memory is off,
    I am not an IRCer and it has been years).

    Do you mean he stayed as user and installed in the account you
    created, as that account?

    The latter is more probable for an irc bot - these things become an
    automated network for storing warez and like "resources", and they talk
    to each other. They don't need root.

    But of course a local root attack is possible after an entry.

    >still doesn't mean that I'm clean as you say, I know, but I didn't just
    >assume the bot was all that was installed once I found it. As someone
    >else mentioned, the only way to know is to clear off my server and
    >start over, which I need to do anyway, but can't right at the moment.

    No - you can know other ways. Boot from a clean disk and compare the
    md5sums of everything with your records (stored elsewhere, of course).

    For example.

    Peter
  • No.11

    Peter T. Breuer wrote:
    >/usr/ceo <newsbot@cox.net> wrote:
    >>John Hasler wrote:
    >>>/usr/ceo writes:
    >>>>Fortunately, it looks like from the logs that all that happened was the
    >>>>person who "hacked" me installed an IRC bot called 'EnergyMech'.

    >>>You don't know that. The bot could be a decoy.

    >>Well, I didn't just conclude that the bot was the only thing installed.
    >>I did a lot of looking around and sniffing for root kits, etc.
    >>Checking key files, and this appears to be all that was done. That

    >When you say "installed", do you mean "he got root and all I can see is
    >this eggbot"?

    I don't see any evidence that 'root' was obtained. Again, I know this is
    not an absolute certainty, but from what I can tell, 'root' was not
    compromised.

    >(I seem to recall these are called eggbots - apologies if my memory is off,
    >I am not an IRCer and it has been years).

    >do you mean he stayed as user and installed in the account you
    >created, as that account?

    Yes, this is what it appears.

    >The latter is more probable for an irc bot - these things become an
    >automated network for storing warez and like "resources", and they talk
    >to each other. They don't need root.

    So it seems.

    >But of course a local root attack is possible after an entry.

    There were many brute force attacks from the outside on 'root' before
    this account was compromised. None on 'root' from the inside. It
    seems clear from the tracks left that the user was not concerned with
    cleaning up after himself, nor could he have with the access he gained.
    Though he could have at least deleted the shell history, even this
    was intact so I could see exactly the commands that were entered.

    This almost equates to the one other time I was "hacked" when someone
    logged into my FTP server using anonymous and dumped a bunch of .pdfs
    and filled up my disk space. I'm more concerned (and better protected)
    against real hacking than I am this sort of thing (anonymous FTP and
    brute force against a non-root account that I stupidly set up in a hurry
    one day without thinking.)

    >>still doesn't mean that I'm clean as you say, I know, but I didn't just
    >>assume the bot was all that was installed once I found it. As someone
    >>else mentioned, the only way to know is to clear off my server and
    >>start over, which I need to do anyway, but can't right at the moment.

    >No - you can know other ways. Boot from a clean disk and compare the
    >md5sums of everything with your records (stored elsewhere, of course).

    Yeah, I thought of md5 checksum compares and how I should have those
    stored somewhere, but I don't. It's time to start over anyway. This
    is SuSE 8.0 with a 2.4 kernel. I've replaced the CPU fan twice and my
    CD burner just died. All of this this week. And I'm ready for 64-bit
    Linux, so it's all happening at the right time. And a "break in"
    is probably all that I needed to convince my wife it really is time for
    a new machine. :-)

    Thanks for your realistic reply. I was beginning to think it wasn't
    worth the post with some of the postulation going on here (none of
    which answered my simple question "what can EnergyMech do?" Simple.)

    /usr/ceo

  • No.12

    1 Jan 2006 16:41:39 -0800, /usr/ceo <newsbot@cox.net> wrote:

    >Well, I didn't just conclude that the bot was the only thing
    >installed. I did a lot of looking around and sniffing for root kits,
    >etc. Checking key files, and this appears to be all that was done.

    Before you come to that conclusion, you need to boot from a floppy or
    install CD and then check things out. A rootkit might be set up to
    install a kernel module to hide itself.

    >As someone else mentioned, the only way to know is to clear off my
    >server and start over, which I need to do anyway, but can't right at
    >the moment.

    That is the only way to be 100% sure, unless you happen to have a list
    of all of the important executables on the box before the hack along
    with MD5 checksums or the like. If the hacker got root, he could easily
    do things like replace your sshd with a trojaned one and you'd not be
    able to tell just by looking.

    Your package manager can often detect this with package checksums, but
    only if the hacker did not alter the database or you have a clean copy
    on removable media.
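Peter's suggestion in No.10 (boot from a clean disk and compare checksums of everything against records stored elsewhere) and the two caveats in this post (a rootkit's kernel module can hide files from the running system, and package-database checksums are only as trustworthy as the database itself) together describe an offline integrity check. The POSIX shell script below is an added example written for this page, not code from the thread, from EnergyMech's authors or from any distribution; the directory tree, file names and file contents it builds are constructed stand-ins for a real /bin and /sbin, and the function names `make_baseline`, `compare_baseline`, `demo_clean` and `demo_tampered` are chosen here. It uses sha256sum where the thread says md5sum.

```shell
#!/bin/sh
# Added example: record a checksum baseline of a tree, later re-hash the
# same tree and report every difference. The baseline must be written
# somewhere the suspect machine cannot reach, and the comparison must run
# from clean boot media with the suspect disk mounted read-only: a hiding
# kernel module cannot lie to a kernel it is not loaded into.
# sha256sum replaces the thread's md5sum; MD5 collisions are practical
# today, so a new baseline should not rely on it.
set -u

# make_baseline ROOT OUTFILE
# Writes "sha256  ./relative/path" for every regular file under ROOT,
# sorted by path so two baselines of one unchanged tree are identical.
make_baseline() {
    root=$1; out=$2
    ( cd "$root" && find . -type f -exec sha256sum {} + ) \
        | LC_ALL=C sort -k 2 > "$out"
}

# compare_baseline ROOT BASELINE
# Re-hashes ROOT and prints one line per difference:
#   MODIFIED path   content changed (a replaced binary, for instance)
#   MISSING  path   listed in the baseline, gone from disk
#   NEW      path   on disk, absent from the baseline (dropped files)
# Returns 0 when the tree matches the baseline exactly, 1 otherwise.
# Paths containing whitespace are not handled (awk splits on it).
compare_baseline() {
    root=$1; base=$2
    current=$(mktemp)
    make_baseline "$root" "$current"
    diffs=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }
                            { cur[$2]  = $1 }
        END {
            for (p in base) {
                if (!(p in cur))            print "MISSING  " p
                else if (cur[p] != base[p]) print "MODIFIED " p
            }
            for (p in cur) if (!(p in base)) print "NEW      " p
        }' "$base" "$current" | LC_ALL=C sort)
    rm -f "$current"
    [ -n "$diffs" ] || return 0
    printf '%s\n' "$diffs"
    return 1
}

# Constructed demonstration trees standing in for a host's /bin and /sbin.
# demo_clean: an untouched tree verifies against its own baseline.
demo_clean() {
    work=$(mktemp -d)
    mkdir -p "$work/sys/bin"
    printf 'login v1\n' > "$work/sys/bin/login"
    make_baseline "$work/sys" "$work/baseline.sha256"
    compare_baseline "$work/sys" "$work/baseline.sha256"
    rc=$?
    rm -rf "$work"
    return $rc
}

# demo_tampered: after the baseline, one binary is replaced, one removed
# and one unexpected file appears; all three must be reported.
demo_tampered() {
    work=$(mktemp -d)
    mkdir -p "$work/sys/sbin" "$work/sys/bin"
    printf 'sshd v1\n'  > "$work/sys/sbin/sshd"
    printf 'login v1\n' > "$work/sys/bin/login"
    printf 'ls v1\n'    > "$work/sys/bin/ls"
    make_baseline "$work/sys" "$work/baseline.sha256"    # kept "elsewhere"
    printf 'sshd v1 (replaced)\n' > "$work/sys/sbin/sshd" # modified binary
    rm "$work/sys/bin/ls"                                  # removed binary
    printf 'unexpected\n' > "$work/sys/bin/.extra"         # dropped file
    compare_baseline "$work/sys" "$work/baseline.sha256"
    rc=$?
    rm -rf "$work"
    return $rc
}

# Run the constructed demonstration with: sh baseline.sh demo
if [ "${1:-}" = demo ]; then
    demo_tampered
fi
```

Generate the baseline while the machine is known-good and keep it off the box (Peter's "stored elsewhere"); at incident time boot from clean media, mount the suspect root read-only and run `compare_baseline /mnt/suspect baseline.sha256`. On the RPM-based SuSE in this thread, `rpm -Va` does the equivalent comparison against the checksums recorded in the package database, which is exactly where this post's caveat applies: that database lives on the suspect disk, so its verdict is only as good as the attacker's inability to edit it.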
  • No.13

    Dan C wrote:
    >Sun, 01 Jan 2006 17:39:13 -0800, /usr/ceo wrote:

    >>Thanks for your realistic reply. I was beginning to think it wasn't
    >>worth the post with some of the postulation going on here (none of
    >>which answered my simple question "what can EnergyMech do?" Simple.)

    >If that was your only question, wouldn't it have been easier to just stop
    >by the EnergyMech website and see for yourself? Simple. Sheesh.

    If this was your only response, wouldn't it have been easier if you
    just read my P and figured out that I already did that but was looking
    for additional information and elaboration from others here? That I
    already stated that I wasn't quite sure what an IRC bot could do and
    that the information on the EnergyMech web site was oriented towards
    those already "in the know"? Simple. Sheesh.

    /usr/ceo

  • No.14

    /usr/ceo wrote:

    >If this was your only response, wouldn't it have been easier if you
    >just read my P and figured out that I already did that but was looking
    >for additional information and elaboration from others here? That I
    >already stated that I wasn't quite sure what an IRC bot could do and
    >that the information on the EnergyMech web site was oriented towards
    >those already "in the know"? Simple. Sheesh.

    If you know your machine has been compromised and you lack the skills to
    carefully identify how far it has been compromised, then the wisest
    course of action is to wipe the machine clean, set up a new install, and
    be a lot more careful about security in the future.

    Even if you're knowledgeable about security issues and have had a recent
    breakin, it's still a good idea.
  • No.15

    In <pan.2006.01.02.04.21.07.717254@invalid.lan> Dan C:

    [Snip]

    >You morons posting from Google Groups, using Windoze, are quite
    >entertaining. It's no wonder you get hacked.

    I toss everything via GoogleGrope or M$ into /dev/null and miss all their
    fun. NT.

    From the FUs in this thread, it seems the dingbat claims to get downloads
    from untrusted sites and then wonders why malware crops up soon after. It
    is just more FUD about FSS being as insecure as Doze. Well DUH. Just get
    yourself a forkbomb, run it as root, and save the download time.

    Yo, Doze fanbois're about to get spanked bigtime yet again:

    Maybe Ballmer can stop throwing office furniture around long enough to be
    more directly "involved" in fixing rather than marketing his malware. And
    I said it before now I'll say it again: M$ better take care of the net or
    the net will take care of M$. Firefox, anyone?
  • No.16

    Mon, 02 Jan 2006 12:45:27 -0000, Harold Stevens <wookie@aces.localdomain> wrote:

    >I said it before now I'll say it again: M$ better take care of the net or
    >the net will take care of M$. Firefox, anyone?


    Try http://bugsplatter.mine.nu/ with MSIE :o)

    Grant.
