My home server was hacked!

Front Page Geekery Home Media System

I’m posting this here to hopefully warn other people who are running mythtv on a home server. Here is what happened:

NOTE: Unless you know Linux a little, this won’t make sense.

On my home server, I was running a web server (apache2) on port 80 and sshd on port 22. I had both of them open to the world so that I could access my home server from anywhere with an Internet connection. The only problem with the setup I know of is that when I installed mythtv, it created a user called mythtv and gave that user shell access.

(If you have any standard users on your linux system, make sure they are using non-standard passwords!)

So, this fellow from IP 86.122.48.37 logged into my computer via ssh as mythtv and I’m guessing the default password. Once in, he created a public_html directory in the mythtv home directory. All files in that directory would be accessible by the url http://[MY_IP]/~mythtv. (By the way, I got his IP address from my access logs, and I got his email address from his php scripts. His email is delablow@yahoo.com.)

Then, he copied two phishing sites into that directory (ebay and paypal) along with an instance of PHP-Mailer. I’m guessing that he sent out the scam emails from PHP-Mailer on December 10 (while I was in Chicago) and my access log shows people falling for the scam by December 11. I haven’t yet figured out how many people were scammed, but I got a LOT of hits on my server.

Then, someone told ebay, ebay told Insight, and yesterday, my modem was blocked. I didn’t hear any details until I called them this morning and they told me there was a phishing server running on my IP address.

Well, I’m pretty irritated at myself for leaving my system so open, glad that the hacker wasn’t able to compromise my own system, but mad that many people got scammed.

I’ve closed down my system for now, and I don’t know if I’ll open up the ports again.

I hope no one loses any money on this.

3 comments

  1. Mary Martin

    I don’t know much about linux but I do know about paypal and ebay. On my work email I constantly get messages from both wanting me to click and update information because of something I did and my accounts are blocked. Is this the same thing as getting an email from a bank asking to update your account info because of a problem?

  2. Jeff Post author

    It may be the same thing, Mary.

    Here are a couple of tips to make sure you don’t get scammed:

    When you have a link in your email program, don’t just click on it unless you are certain you know where it will take you. Instead, if you get an email from ebay or paypal or some bank, go to that company’s home page and log in to your account normally. If the email was telling you the truth, your account page should also give you the same information as was in the email. If it doesn’t, then ignore the email, or better yet, report it to ebay, paypal, the bank or whatever company it was claiming to be.

Leave a Reply

Your email address will not be published. Required fields are marked *