I’m posting this here to hopefully warn other people who are running mythtv on a home server. Here is what happened:
NOTE: Unless you know Linux a little, this won’t make sense.
On my home server, I was running a web server (apache2) on port 80 and sshd on port 22. I had both of them open to the world so that I could access my home server from anywhere with an Internet connection. The only problem with the setup I know of is that when I installed mythtv, it created a user called mythtv and gave that user shell access.
(If you have any standard users on your linux system, make sure they are using non-standard passwords!)
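The check a practitioner would want after reading the above is an audit for exactly this condition: a package-created service account that still has an interactive login shell, reachable over an sshd that accepts any local user. The script below is an added example, not code from the original post or from the MythTV project. It parses /etc/passwd-style records (the sample file is constructed to mirror the situation described, with the UID ranges of a Debian-style system as an assumption), flags system accounts with a real shell, and builds an sshd_config `AllowUsers` line that lists only the human accounts so a default password on a service account no longer yields an ssh session.

```python
"""Added example (not from the original post): audit /etc/passwd-style
records for service accounts that have an interactive login shell, the
configuration the post describes for the 'mythtv' account.

Remediation on a live box would be `passwd -l mythtv` or
`usermod -s /usr/sbin/nologin mythtv`, plus AllowUsers in sshd_config.
"""

# Shells that give an interactive login. Anything else (nologin, false)
# is treated as non-interactive.
INTERACTIVE_SHELLS = {
    "/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh",
    "/bin/ksh", "/bin/csh", "/bin/tcsh",
}

# Debian/Ubuntu convention: system accounts use UIDs below 1000 and
# human users start at 1000. Assumption: adjust for your distribution.
SYSTEM_UID_MAX = 999

# Constructed sample modelled on the post; not the author's real file.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
mythtv:x:110:119:MythTV,,,:/home/mythtv:/bin/bash
mysql:x:111:120:MySQL Server,,,:/var/lib/mysql:/bin/false
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
"""


def parse_passwd(text):
    """Return (name, uid, home, shell) for each well-formed passwd line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed record: skip rather than guess
        name, _pw, uid, _gid, _gecos, home, shell = fields
        entries.append((name, int(uid), home, shell))
    return entries


def risky_service_accounts(text, interactive=INTERACTIVE_SHELLS,
                           uid_max=SYSTEM_UID_MAX):
    """Names of system accounts (uid 1..uid_max) that can log in interactively."""
    return [name for name, uid, _home, shell in parse_passwd(text)
            if 1 <= uid <= uid_max and shell in interactive]


def sshd_allow_users_line(text, uid_max=SYSTEM_UID_MAX):
    """Build an sshd_config AllowUsers line naming only the human accounts.

    Service accounts are never listed, so a default password on 'mythtv'
    no longer yields an ssh session. root is left out too; pair this with
    'PermitRootLogin no'.
    """
    humans = [name for name, uid, _home, shell in parse_passwd(text)
              if uid > uid_max and shell in INTERACTIVE_SHELLS]
    return "AllowUsers " + " ".join(humans)


if __name__ == "__main__":
    for name in risky_service_accounts(SAMPLE_PASSWD):
        print(f"service account {name} has a login shell: lock it or set nologin")
    print(sshd_allow_users_line(SAMPLE_PASSWD))
```

Run it against the real file with `risky_service_accounts(open("/etc/passwd").read())`; a locked password alone is not enough if the account also has an authorized_keys file, so check the home directory as well.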
So, this fellow from IP 18.104.22.168 logged into my computer via ssh as mythtv, using (I'm guessing) the default password. Once in, he created a public_html directory in the mythtv home directory. All files in that directory would be accessible by the URL http://[MY_IP]/~mythtv. (By the way, I got his IP address from my access logs, and I got his email address from his PHP scripts. His email is firstname.lastname@example.org.)
Then, he copied two phishing sites into that directory (ebay and paypal) along with an instance of PHP-Mailer. I’m guessing that he sent out the scam emails from PHP-Mailer on December 10 (while I was in Chicago) and my access log shows people falling for the scam by December 11. I haven’t yet figured out how many people were scammed, but I got a LOT of hits on my server.
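The open question in the paragraph above, how many people were taken in, is answerable from the same access log that revealed the attacker's address. The following is an added example, not code from the original post: it parses Apache combined-format log lines, keeps only requests under the userdir path the post names (/~mythtv/), and separates visitors who merely loaded a page from those who submitted a form (a POST), which is the closest proxy for a stolen credential. The log lines, the page paths such as /~mythtv/paypal/login.php, and the dates are all constructed for the example.

```python
"""Added example (not from the original post): estimate the reach of the
phishing pages from Apache access-log lines under /~mythtv/.

Sample lines are constructed (RFC 5737 documentation addresses); the
paths under /~mythtv/ are assumptions about how the kit was laid out.
"""
import re
from collections import Counter
from datetime import datetime

# Apache 'combined' log format; referer and user-agent are optional so
# 'common' format lines parse too.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

SAMPLE_LOG = """\
203.0.113.10 - - [10/Dec/2005:22:14:01 -0600] "GET /~mythtv/paypal/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.10 - - [10/Dec/2005:22:14:40 -0600] "POST /~mythtv/paypal/login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.7 - - [11/Dec/2005:03:02:11 -0600] "GET /~mythtv/ebay/index.html HTTP/1.0" 200 7811 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Dec/2005:03:02:55 -0600] "POST /~mythtv/ebay/signin.php HTTP/1.0" 200 210 "-" "Mozilla/5.0"
192.0.2.55 - - [11/Dec/2005:09:45:00 -0600] "GET /~mythtv/paypal/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.99 - - [11/Dec/2005:10:01:13 -0600] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.15"
this line is not a log record at all
"""


def parse_log(text):
    """Return one dict per parseable line: ip, ts, method, path, status."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # probes and garbage often produce unparseable lines
        parts = m.group("req").split()
        if len(parts) >= 2:
            method, path = parts[0], parts[1]
        else:
            method, path = "-", m.group("req")
        rows.append({
            "ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "method": method,
            "path": path,
            "status": int(m.group("status")),
        })
    return rows


def phishing_summary(text, prefix="/~mythtv/"):
    """Summarise traffic to the phishing kit served from the userdir."""
    rows = [r for r in parse_log(text) if r["path"].startswith(prefix)]
    visitors = {r["ip"] for r in rows}
    # A POST to the kit is the best available signal that a form was
    # filled in and credentials were sent.
    submitted = {r["ip"] for r in rows if r["method"] == "POST"}
    by_day = Counter(r["ts"].strftime("%Y-%m-%d") for r in rows)
    first = min((r["ts"] for r in rows), default=None)
    return {
        "hits": len(rows),
        "visitors": len(visitors),
        "submitted": sorted(submitted),
        "by_day": dict(by_day),
        "first_hit": first.isoformat() if first else None,
    }


if __name__ == "__main__":
    summary = phishing_summary(SAMPLE_LOG)
    print(f"{summary['hits']} hits from {summary['visitors']} addresses, "
          f"first at {summary['first_hit']}")
    print("addresses that submitted a form:", ", ".join(summary["submitted"]))
    for day, n in sorted(summary["by_day"].items()):
        print(f"  {day}: {n} requests")
```

The list of submitting addresses, with timestamps, is what the affected brands' abuse desks and the ISP will ask for; the first-hit time also bounds when the kit went live, which is worth comparing against the auth log for the mythtv login.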
Then, someone told ebay, ebay told Insight, and yesterday, my modem was blocked. I didn’t hear any details until I called them this morning and they told me there was a phishing server running on my IP address.
Well, I’m pretty irritated at myself for leaving my system so open, glad that the hacker wasn’t able to compromise my own system, but mad that many people got scammed.
I’ve closed down my system for now, and I don’t know if I’ll open up the ports again.
I hope no one loses any money on this.