Dinner with Captain Crunch

It is a fairly rare occasion when one gets to meet one's childhood (or, to be more accurate, teen) hero. For me, growing up as a teenage computer geek in Israel in the late 80's and early 90's, the electronic world was a bold new frontier of opportunities and challenges. I distinctly remember the original myths that spread around the teenage geeks: there is a box, called a "blue-box", a box of wonders that lets you bypass the local PTT systems and call abroad for FREE. It was the early 90's; long distance phone calls were expensive, beyond expensive – they were outrageous. Calling abroad was even worse; it could easily amount to $2-$3 per minute, doing it the normal way. The "blue-box" for us was a myth, a box of wonders that no one ever actually got around to seeing.

Then, in late 1989, something happened: a friend of mine returned from the US with what I could only call a magazine – back then it was called a zine. I can't call it a magazine, as it was a group of dot-matrix printed pages, stapled together. My friend said: "This is a hacker's magazine, but I can't understand the blue-box thing". My eyes lit up: could it be, did the pages truly include a description of what the blue-box was? I looked at it and replied: "Of course you don't understand this, you are a computer science major – not electronics". I studied electronics and the blue box made sense to me. The pages included the entire circuit diagram – I was fascinated. I built my first "blue-box" using those diagrams; it was crude, it wasn't pretty, but it worked – well, it worked for exactly 15 minutes, then the power regulator I used kind'a fried. That was my beginning in the world of hacking and computer security.

After reading about and building my first "blue-box", I continued to consume information. I used the box, each time for short intervals, and each time getting to download more information. I remember being connected to the Channel One BBS in the US, downloading the hacker's chronicle and reading through it like mad. I learned about the works of a man nicknamed "Captain Crunch". His work investigating the various properties of the telephone network amazed me – at that age, for me, he was a modern day Robin Hood. Fighting the system from within the system – showing how frail it is, and abusing it to the max. I must say something here: unlike the USA at that time, we didn't have anti-hacker laws in Israel; thus, computer crime was so rare they didn't even know what to do with hackers – if they ever managed to catch them.

Fast forward 25 years; I'll be 40 next month. Over the years I've learned that Captain Crunch is the alias of John Draper. I first met John in 2000, at a hackers' convention in Israel called Y2Hack. I didn't get to chat with him much back then; it was a busy event. This year's Astricon was in Las Vegas, where John currently lives. After learning about John's medical condition, I decided I would like to pay the man a visit. Normally, you don't get around to meeting people who have influenced your life in such a deep manner, but here I had a chance. So, Eric and I contacted John – who was more than happy to join us for dinner.

It is clear that John is not at his best, in severe pain from his latest surgery – and most surely medicated for his pain. However, sitting down with him for dinner, one thing is very much clear – when it comes to technology, John is as sharp as ever. The conversation rapidly moved from talking about history, to talking about modern day cellular technologies, how roaming works, phantom base stations, HTML5, WebRTC and more. At times, it would seem that the conversation would float away, but John rapidly closes in on the subject – and being in his physical condition, that isn’t simple (I guess).

John, very much like other visionaries who haven't been fully acknowledged by society – sorry to say – is far from what we would imagine him to be at this age. Normally, we imagine that people like John would be living a good life; after all, the computer age was very much built on much of his work and findings. But the truth is that John's friends started a qikfunder campaign to fund his medical bills. Amazingly enough, John isn't a rich man at all. For someone who was acclaimed with "If it hadn't been for the blue box, there would have been no Apple" (Steve Jobs, 1994) – it is somewhat discomforting to see him like this.

I truly wish John all the best and wish him a speedy recovery – as his mind is as sharp as ever, and I truly hope to see him back at the tech-helm as soon as he can.

A little security experiment…

Back in the year 1999, long before I started my Asterisk days, I spent most of my time as a security consultant and cyber forensics expert. I remember that in those days, most of the hacks were script kiddies exploiting some well-known Windows IIS hole, and you would usually get the "Hacked by Chinese" black display on your website – how annoying!

In any case, I've recently replaced my co-location firewall. I've migrated from a Linux system running iptables with a manual script to a fully blown IPCop installation. Ok, so IPCop is nothing more than a fancy GUI for iptables, but hey, it makes my life a whole lot easier on the management side – and it's very stable – so who am I to complain?

I decided to run a small experiment: I wanted to set up a Linux box with a root password of 123456. My question was this: how much time will pass from the moment the machine is up, on a new IP address, till the machine gets hacked – and more importantly, from where, and what gets installed on the machine?

So, the machine fired up for the first time at Fri Jul 25 23:19; believe it or not, the machine got hacked at Sat Jul 26 00:50. A mere 90 minutes on the air, and the machine got hacked. The funny thing was that at Sat Jul 26 03:09 it got hacked again into the same account, and then again at Sat Jul 26 03:21, at which point root access via SSH was also closed. Below is the output of last:

root     pts/0    Sat Jul 26 06:04   still logged in
reboot   system boot  2.6.18-53.1.14.e Sat Jul 26 06:02          (00:17)
root     pts/1    Sat Jul 26 03:21 - 03:24  (00:03)
root     pts/0    Sat Jul 26 03:09 - 05:20  (02:11)
root     pts/1     Sat Jul 26 00:50 - 00:50  (00:00)
root     pts/0    Fri Jul 25 23:24 - 01:39  (02:14)
root     tty1                          Fri Jul 25 23:22 - 23:24  (00:01)
reboot   system boot  2.6.18-53.1.14.e Fri Jul 25 23:19          (07:00)
root     tty1                          Fri Jul 25 22:14 - down   (01:03)
reboot   system boot  2.6.18-53.1.14.e Fri Jul 25 21:58          (01:19)

I admit it, putting a machine on the open net, with a root password of 123456 and open root access to SSH – that's kind of a honey pot the size of the Grand Canyon. But what amazed me here was not the speed, but actually the locations of the hacks: one hacker is in China, another in Romania and the third in the UK. What is this? A real hacker? Maybe 3 different robots scanning? – I can't really tell here. However, the traces they left were interesting enough – which leads me to believe we're talking about robot hacking.

First off, a look at /var/log/audit/audit.log immediately showed the logins – the hacker didn't even remove the log file – the mark of a script kiddie running an automated script. So, what did they leave on my box? Let's take a look. Running 'netstat -apn | less' would show me open ports, unless netstat was replaced. However, let's start with this:

tcp        0      0           ESTABLISHED 2940/crond
tcp        0      1           SYN_SENT    2940/crond
tcp        0      1         SYN_SENT    2940/crond

Ok, so this is most probably an IRC bot waiting for instructions from the hacker – so far nothing special. The script tries to masquerade the bot with a legitimate process name: crond. Well, that may fool a beginner Linux sysadmin; however, seeing crond connecting to 3 other hosts on TCP 6667 – ok, that's kind'a lame – no?

I wonder where he hid the script? Maybe he replaced crond?

root@pbx:~ $ find / -name "crond"
root@pbx:~ $

Hmm… /var/tmp/.www/crond looks promising, let’s see what’s in there:

root@pbx:~ $ ls -la /var/tmp/
total 24
drwxrwxrwt  4 root root 4096 Jul 26  2008 .
drwxr-xr-x 25 root root 4096 Jul 25  2008 ..
drwxr-xr-x  2 root root 4096 Jun 27 17:03 .spd
drwxr-xr-x  4  501  502 4096 Jul 26  2008 .www

Yummy! Let’s check it out:

root@pbx:/var/tmp $ ll .spd/
total 1316
-rwxr-xr-x 1 root root    265 Nov 19  2005 gen-pass.sh
-rwxr-xr-x 1 root root     72 Jun 26 19:43 pass_file
-rwxr-xr-x 1 root root  21407 Nov 19  2005 pscan2
-rwxr-xr-x 1 root root    218 Jun 27 16:59 s
-rwxr-xr-x 1 root root 453972 Nov 19  2005 ss
-rwxr-xr-x 1 root root 842736 Jun 26 19:20 ssh-scan
-rwxr-xr-x 1 root root    312 Jun 27 17:02 x
root@pbx:/var/tmp $ ll .www/
total 888
-rwxr-xr-x 1  501  502    353 Jul 26  2008 1.user
-rwxr-xr-x 1  501  502    349 Jul 26  2008 2.user
-rwxr-xr-x 1  501  502    353 Mar 14  2009 3.user
-rwxr-xr-x 1  501  502    317 Nov  6  2007 autorun
-rw-r--r-- 1 root root      0 Jul 26  2008 belgian.seen
-rwxr-xr-x 1  501  502    942 May 15  2003 checkmech
-rwxr-xr-x 1  501  502  23237 May 15  2003 configure
-rwxr-xr-x 1  501  502 492135 Mar  4  2005 crond
-rwxr-xr-x 1  501  502     48 Jul 26  2008 cron.d
-rwxr-xr-x 1  501  502    171 Jul 26  2008 cutitas
-rwxr-xr-x 1  501  502   4147 May 15  2003 genuser
-rwxr-xr-x 1  501  502    157 Jul 25 17:36 LinkEvents
-rwxr-xr-x 1  501  502      0 Oct 15  2007 lucifer.seen
-rwxr-xr-x 1  501  502   2154 May 15  2003 Makefile
-rwxr-xr-x 1  501  502     14 Jul 26  2008 m.dir
-rwxr-xr-x 1  501  502  22882 May 15  2003 m.help
-rwxr-xr-x 1  501  502    748 May 15  2003 mkindex
-rwxr-xr-x 1  501  502   1043 Jul 26  2008 m.lev
-rwxr-xr-x 1  501  502      5 Jul 25 17:35 m.pid
-rwxr-xr-x 1  501  502   1068 Jul 26  2008 m.ses
-rwxr-xr-x 1  501  502   1675 Mar 25  2009 m.set
-rwxr-xr-x 1  501  502 167964 Mar 16  2001 pico
-rwxr-xr-x 1  501  502  84476 Jun 23  2006 pico.tgz
drwxr-xr-x 2  501  502   4096 Jul 23 15:48 r
-rwxr-xr-x 1  501  502    661 Jul 12 22:00 shadow}{700.seen
-rwxr-xr-x 1  501  502    661 Jul 12 22:00 shadow}{800.seen
-rwxr-xr-x 1  501  502    715 Jul 12 22:00 shadow}{900.seen
drwxr-xr-x 2  501  502   4096 Jul 23 15:51 src
-rw-r--r-- 1 root root   1842 Jul 26  2008 zak.seen

Looks like .spd is the SSH scanner and the .www directory contains the actual bot binary – ok, I can respect that. The contents of the cron.d file suggested that the script uses crontab to make sure the bot is always up and running – and examination of its code confirmed that.
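The two tells above (a daemon that should never hold a network connection talking to IRC ports, and a binary executing out of a hidden directory under /var/tmp) are easy to turn into a first-pass triage check. The script below is an added example written for this page, not code from the post or from the bot; the netstat sample it scans is constructed, with RFC 5737 documentation addresses in place of the real hosts (which are not on the page), and the IRC port list, the "no outbound" daemon list and the temp-directory list are my assumptions about a reasonable baseline for a PBX, not a standard.

```python
import re
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Constructed sample of `netstat -apn` output, modelled on the three crond
# lines in the post. Addresses are RFC 5737 documentation ranges, not the
# real hosts.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1842/sshd
tcp        0      0 192.0.2.10:42514        198.51.100.7:6667       ESTABLISHED 2940/crond
tcp        0      1 192.0.2.10:42515        203.0.113.25:6667       SYN_SENT    2940/crond
tcp        0      1 192.0.2.10:42516        198.51.100.99:6667      SYN_SENT    2940/crond
tcp        0      0 192.0.2.10:22           203.0.113.4:51022       ESTABLISHED 2101/sshd
"""

# Assumed policy (mine, not taken from the bot): common IRC ports, daemons
# that never need a TCP connection on a PBX, and world-writable roots from
# which no legitimate daemon should be executing.
IRC_PORTS = {6667, 6668, 6669, 6697}
NO_OUTBOUND_DAEMONS = {"crond", "atd", "syslogd", "klogd"}
WORLD_WRITABLE_ROOTS = ("/tmp", "/var/tmp", "/dev/shm")

# Only TCP rows carry a State column; UDP rows simply do not match.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"\s+(?P<state>\S+)\s+(?P<pid>\d+)/(?P<prog>\S+)"
)


@dataclass
class Finding:
    pid: int
    prog: str
    remote: str
    state: str
    reasons: list = field(default_factory=list)


def _port(addr: str):
    """Return the numeric port of 'host:port', or None for a '*' wildcard."""
    _, _, port = addr.rpartition(":")
    return int(port) if port.isdigit() else None


def scan_netstat(text: str) -> list:
    """Flag non-listening TCP sockets whose remote port or owning program
    looks wrong. netstat does not say who initiated a connection, so an
    accepted sshd session and a bot's outbound IRC link look alike; the
    remote port and the program name are what separate them here."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["state"] == "LISTEN":
            continue
        port = _port(m["remote"])
        reasons = []
        if port in IRC_PORTS:
            reasons.append(f"remote port {port} is an IRC port")
        if m["prog"] in NO_OUTBOUND_DAEMONS:
            reasons.append(f"{m['prog']} has no reason to hold a TCP connection")
        if reasons:
            findings.append(Finding(int(m["pid"]), m["prog"], m["remote"],
                                    m["state"], reasons))
    return findings


def is_suspicious_exe_path(path: str) -> bool:
    """True if a binary runs from a temp directory or from inside a dotted
    (hidden) directory, e.g. /var/tmp/.www/crond; /usr/sbin/crond passes."""
    p = PurePosixPath(path)
    in_tmp = any(path.startswith(root + "/") for root in WORLD_WRITABLE_ROOTS)
    hidden_dir = any(part.startswith(".") for part in p.parts[1:-1])
    return in_tmp or hidden_dir


if __name__ == "__main__":
    for f in scan_netstat(SAMPLE_NETSTAT):
        print(f"pid {f.pid} ({f.prog}) -> {f.remote} [{f.state}]: "
              + "; ".join(f.reasons))
    # On a live box, resolve the real binary with `readlink /proc/<pid>/exe`
    # and feed the result here; in the post the bot lived at /var/tmp/.www/crond.
    print(is_suspicious_exe_path("/var/tmp/.www/crond"))
```

To run it against a live system, replace SAMPLE_NETSTAT with sys.stdin.read() and pipe netstat -apn into it. The caveat the post itself raises still applies: if netstat (or /proc) has been replaced, the output cannot be trusted, so confirm from the firewall's connection table or a packet capture taken on another host.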

So, what have we learned from the above? Just one thing! When installing a server for the first time, DON'T USE A SILLY PASSWORD LIKE 123456 – NOT EVEN FOR THE INSTALLATION PHASE! Scanning robots appear to be scanning the entire Internet over and over and over again, doing so in seconds – so by the time you install your server and set it up completely, there is a good chance it will already be compromised.