Not to say that Huthos are innocent, but I don't see any concrete proof that they are behind this attack. The fact that they are hosting a server provisioning script is hardly crazy, given that they are a hosting provider. What's to say that the ACTUAL attacker didn't just come across the provisioning script and decide to use it for themselves? The script URL is listed publicly online: http://yandicunk.blogspot.co.uk/2015/03/cara-setting-dan-ins... & http://huthos.com/tutorial/autoscripthuthos.html
"It also appears that the hackers attack machine may be hosting an unauthenticated web proxy" makes it sound like the attacker owns the machine they were connecting from. IMO, chances are that "49.213.23.171" is just another compromised box.
Hi, thanks for your comment. It wasn't really my objective to find the smoking gun and bring Huthos' operation crumbling to the ground. Like you, I don't definitively know that the operators of the website are the same people that broke into my honeypot without permission. That seems more likely than some other, totally unrelated bad guy knowing where the file paths are to the Huthos provisioning scripts when directory listing isn't enabled, as well as other small nuances that I gathered while investigating this attack (the operators of the website posting videos of themselves exploiting Shellshock on their YouTube channel, etc.).
Your article definitively implies Huthos is behind this. If you're serious about not bringing them down, you should change the title and put a disclaimer at the top explaining the uncertainty.
Agreed - after doing a little more digging myself, it does seem likely that they are selling access to hacked machines - however, I'm sure there are other cases of attackers using legitimate scripts to provision their servers!
Also - has anyone seen how cheaply access is being sold for!? It's pennies!
I agree - if that's what the script was doing, then it would be dodgy. But that's not what the script does. `screenfetch` prints out system info in a pretty, ASCII-arty way, like this: http://i.imgur.com/TgaPHqa.png
`echo "screenfetch" >> .bashrc`
just causes system info to be printed to the screen with every new bash session.
I guess if they were really doing this and you wanted to fuck with them, you could honeypot until a few clients are on, then start putting up illegal-in-Indonesia content (shouldn't be too hard). Might make them think twice.
All of this is outside my experience, so I have to ask - how does the attack, as described, prove HutHos is the perpetrator?
The poster was able to find the HutHos site owner's full information "in a few minutes", due to "poor operational security practices." Doesn't this raise the possibility that the HutHos server was compromised by the malware's true owner?
It's because the script appears to be taking control of servers for hosting purposes.
In other words, the simplest explanation is that Huthos is taking control of machines so that they can sell them to customers as their own VPS service.
A VPS provider having a server provisioning script available doesn't seem to be such a crazy thing to me - it still doesn't prove that Huthos are behind the attacks.
This was amusing. I like imagining new attackers taking over the infected machines and running their own VPS service on top of the hacked VPS accounts. You could have poorly secured turtles all the way down.
There are three 'knobs' to the cloud today: compute, storage and networking. A new emergent 'knob' for the cloud is trust. Trust affects three primary features of the cloud: how it's paid for (credit vs. capital expenditure), how it works (standards vs. custom solutions) and who I am (identity management vs. anonymous use). I won't go into it much here, but cryptocurrencies play a part in this knob, big time.
In Huthos' case, they 'hack' the credit part by simply taking a machine with poor identity management in place (the honeypot), then providing a high level of anonymization for their customers (the 'who I am' above) and offering it as a standard way of extending a VPS offering (which itself provides 'who I am' services).
It's all about trust, and the most irritating part about it is that they violate it first before they get to selling it to others. Crazy.
Looks like the owner of Huthos doesn't even bother hiding the nature of his operations. The author mentions he has "poor operational security practices" which is rather charitable given that the "buy a vps" links on the website simply link directly to his Facebook profile.
The domain name could have been hijacked, yes. The whole sales page and the "Vision Phreak" setup seems like a one-man operation so far, though. (E.g. the Facebook group has over 10k members, but it seems like the owner just added them all by himself.) And their Google+ profile is all about "phreaking" and posts from wannabe hackers.
So yeah, not sure about Huthos but Vision Phreak is definitely shady.
Absolutely fascinating. I've been "in and around" the security community (not a part of) for years now, and never heard of a company offering a service like this.
I love how he gives advice to the company at the end. I mean, c'mon, you get root access via dictionary attack within a quick timeframe and you don't think it is a honeypot?
That provisioning script seems to install a screenshot utility that fires at every login. That definitely doesn't seem like a standard feature for a hosting provider to offer.
What I suspect you can't see is an attempt to use TAB to autocomplete the execution of the local script; when it fails the script kiddie tries to +x the script again. I suspect you'll also find that the script doesn't execute because bash isn't installed; only dash and/or busybox.
On a slightly unrelated note, I like how the author referred to the attacker with she/her, a small detail I can appreciate since they normally refer to them with he/him.
But they is plural, so wouldn't the author technically need to say "he or she" for each occurrence? Sadly, English has no singular gender neutral pronoun.
Oh yeah. Also Byron ("Every body does and says what they please"), Austen ("Nobody thinks of that when they fall in love"), Thackeray ("A person can't help their birth"), Wilde ("Experience is the name everyone gives to their mistakes"), Shaw ("It's enough to drive anyone out of their senses"),
Lewis Carroll: "'Whoever lives there,' thought Alice, 'it'll never do to come upon them this size: why, I should frighten them out of their wits!'"
C. S. Lewis: "She kept her head and kicked her shoes off, as everybody ought to do who falls into deep water in their clothes."
Doris Lessing: "And how easy the way a man or woman would come in here, glance around, find smiles and pleasant looks waiting for them, then wave and sit down by themselves."
This is settled. Singular 'they' is good English and always has been.
The rule against it was just made up by 18th century grammarians (including the fascinating Ann Fisher [4], who surely would regret it now) and they even got a law passed in 1850 prohibiting it, which only goes to show how widely used it was.
"Singular they is the use of they, or its inflected or derivative forms, such as them, their, or themselves, to refer to a single person or an antecedent that is grammatically singular. It typically occurs with an antecedent of indeterminate gender"
"One" works in some cases. Unfortunately, not when referring to something directly. I'd love to see "onesie" used for that, but it's not going to happen.
If nothing else, one could use "one" to establish singularity when they use "they" later on.
I agree "they"/"them" sounds cleaner than "he or she"/"him or her" but isn't it officially incorrect? I do like that Facebook has started using "they"/"them".
I like "they". It's especially suitable in this case, because we don't even know if it is a single person, or a group, or maybe even an automated attack (although that sounds unlikely). "They" leaves it open to the reader to imagine their stereotypical hacker.
At the same time the author referred to the attacker as a "guy", so that just proves how difficult it can be to get rid of the gender bias (assuming this was the author's intent).
Partly it was a showy gesture, but after writing that way for a few days, I came to like how the distinct pronouns made it easy to track "attacker" and "defender" in the narrative, too.
I'm the author of this post. You mention a tough philosophical quandary that I struggle with every time I share information with the rest of the world.
As much as I hate giving attackers anything, I am very dedicated to information sharing so that people can learn as much as possible from my posts. The truth is always out there one way or another. I would rather everybody be as educated as possible. Hopefully that makes sense.