My media box that runs XBMC has been breached. It’s a recent Debian testing install. I didn’t bother securing this box since it has no access to anything, but more importantly, I also made a couple of incredibly simple mistakes while setting it up.
First of all, I allowed root login via SSH using password authentication. This meant that anybody who knows the password and can reach the box can log in. This was supposed to be just while setting up the box, but I forgot to turn it off after I was done doing setup.
Second, I used a simple password. This was supposed to be disabled after I set up authentication via SSH keys, but I got distracted and didn’t complete the process.
Third, I connected the box to a public-facing VPN and downloaded some torrents. Doing this gave the world direct access to the box, unmediated by my network’s normal firewall and NAT infrastructure.
And I think those mistakes were enough. My guess (it’s not clear from the logs) is that somebody, or most likely some bot, probed the box, guessed the root password (I’m embarrassed about that most of all), installed a custom version of atd as well as some daemons I’ve never heard of (ksapd, kysapd, sksapd, and skysapd). It put these binaries in /etc, which is odd and was an early red flag in telling me this stuff wasn’t Debian-approved. The malware also overwrote root’s crontab and fiddled with /etc/rc.local. None of these changes showed up via rkhunter or debsums.
The attacker made some mistakes that made the malware fairly easy to find and disable, which was as simple as killing some processes, removing the root crontab (/var/spool/crontab/root) and looking at /etc/rc.local. Still, of course I don’t know if there are things I missed, so I’ll be reinstalling this box from scratch.
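As an added illustration (not the author's own tooling), the script below audits the two configuration mistakes and the three persistence spots described above: root SSH login with password authentication, executables dropped directly into /etc, an altered root crontab, and extra commands in /etc/rc.local. It takes a root directory as its argument so it can be exercised offline against a constructed fixture; the crontab path /var/spool/cron/crontabs/root is Debian's location and is assumed here, and the fixture contents (the daemon name taken from the post, the cron line and rc.local line) are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits a directory tree
# ($1, e.g. "/" on a live host) for the weaknesses and persistence spots the
# post describes. Assumed layout: etc/ssh/sshd_config, etc/rc.local,
# etc/* and var/spool/cron/crontabs/root (Debian's root crontab path).

# Report each sshd directive the post regrets leaving enabled.
# Only explicit "yes" values are flagged; a commented-out or absent directive
# means the compiled-in default applies, so confirm with "sshd -T" on a host.
audit_sshd() {
    conf="$1/etc/ssh/sshd_config"
    [ -f "$conf" ] || { echo "MISSING: $conf"; return 0; }
    grep -Ei '^[[:space:]]*PermitRootLogin[[:space:]]+yes' "$conf" >/dev/null \
        && echo "WEAK: PermitRootLogin yes"
    grep -Ei '^[[:space:]]*PasswordAuthentication[[:space:]]+yes' "$conf" >/dev/null \
        && echo "WEAK: PasswordAuthentication yes"
    return 0
}

# Debian packages do not install executables directly under /etc (rc.local,
# which is executable by design, is the one stock exception and is skipped).
find_exec_in_etc() {
    find "$1/etc" -maxdepth 1 -type f -perm -0100 ! -name rc.local
}

# Print every rc.local line that is not a comment, blank, or the stock
# trailing "exit 0"; anything left runs as root at every boot.
show_rc_local() {
    f="$1/etc/rc.local"
    [ -f "$f" ] || return 0
    grep -Ev '^[[:space:]]*(#|$|exit 0)' "$f" || true
}

# Print the active job lines of root's crontab so unexpected entries stand out.
show_root_cron() {
    tab="$1/var/spool/cron/crontabs/root"
    [ -f "$tab" ] || return 0
    grep -Ev '^[[:space:]]*(#|$)' "$tab" || true
}

# Run all checks, tagging each finding with the place it came from.
audit_host() {
    audit_sshd "$1"
    find_exec_in_etc "$1" | sed 's/^/EXEC-IN-ETC: /'
    show_rc_local "$1" | sed 's/^/RC.LOCAL: /'
    show_root_cron "$1" | sed 's/^/ROOT-CRON: /'
}

# Constructed fixture mimicking the breached box so the audit runs offline.
# Prints the temporary root directory; the caller removes it.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/ssh" "$d/var/spool/cron/crontabs"
    # Constructed sshd_config with the two settings the post left enabled.
    printf '%s\n' '# constructed sample' 'PermitRootLogin yes' \
        'PasswordAuthentication yes' > "$d/etc/ssh/sshd_config"
    # Dropped binary named as in the post, placed directly under /etc.
    printf '#!/bin/sh\n' > "$d/etc/ksapd"
    chmod 755 "$d/etc/ksapd"
    # rc.local with one constructed extra line before the stock exit 0.
    printf '%s\n' '#!/bin/sh -e' '/etc/ksapd' 'exit 0' > "$d/etc/rc.local"
    chmod 755 "$d/etc/rc.local"
    # Root crontab with one constructed job line.
    printf '%s\n' '# constructed' '*/3 * * * * /etc/ksapd' \
        > "$d/var/spool/cron/crontabs/root"
    echo "$d"
}

# Stand-alone demonstration on the fixture; on a live Debian host run
# "audit_host /" instead.
fixture=$(make_fixture)
audit_host "$fixture"
rm -rf "$fixture"
```

The checks are deliberately narrow and only cover the spots this incident touched; treat any hit as a reason to compare the file against a fresh package copy (debsums will not help for files no package owns), and note that on a live host the sshd check should be complemented by `sshd -T`, which prints the effective configuration including defaults.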
A cursory check of the other important boxes on my LAN shows no evidence that they have been probed or entered. I need to do a more thorough check ASAP, especially of the Macintosh laptop, which for all I know is running software that hasn’t gotten a security update in a while.
A few weeks ago, somebody else seems to have encountered similar (or at least similarly-named) malware. Their conclusion is similar to mine:
It looks like a weak password. I lectured some 8 to 11 y/o kids on passwords, then created a user called word with password called word. 2 days later I saw things by accident, luckily they only were in for a short while.
I made a series of bad, easily-avoided mistakes with this install. Mostly, the mistakes were mental errors. I was thinking of this box as insecure and not worth attacking. I took a lot of shortcuts and then failed to clean them up. I was cavalier with connections and letting the box talk to the seedier corners of the Internet.
All of this is highly embarrassing. I’m supposed to be a person who knows the basics of locking the doors. I’m publishing this report precisely because embarrassment usually prevents people from talking about their security failures. So here it is. Feel free to mock me.
Next steps for me are to snapshot the install and to start looking at the binaries left on the system. If there’s anything more to report, I’ll do another post and perhaps update this one.