Another Wave of Script Kiddies
Sunday, May 17th, 2009
Just had to harden my server some more. I have now set up an account with an easily guessable username and password whose login shell is a script which:
A. Sends me an email with the IP the attacker is from
B. Drops the attacker into a chrooted shell.
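One way to build such a trap login shell, as an added example written for this page rather than the post's own script. The bait account name ("bait"), the jail path, the log file, the notification address and the sudoers rule are all assumptions; the jail is taken to be a pre-built chroot tree that contains its own /bin/sh.

```shell
#!/bin/sh
# trapshell: added example of a honeypot login shell (not the post's script).
# Install as /usr/local/sbin/trapshell, list it in /etc/shells, and make it the
# shell of the bait account:   usermod -s /usr/local/sbin/trapshell bait
# Assumptions (all placeholders): the bait user is "bait", /srv/jail is a
# pre-built chroot containing /bin/sh, mail(1) works, and the bait user may
# append to $LOG.

JAIL=/srv/jail
NOTIFY=root@localhost
LOG=/var/log/trapshell.log

# Source address of the session. sshd exports SSH_CONNECTION as
# "client_ip client_port server_ip server_port" (SSH_CLIENT is the older
# three-field form). Anything that is not an address literal becomes
# "unknown", so a hostile environment cannot smuggle shell text into the
# log line or the mail subject.
client_ip() {
    set -- ${SSH_CONNECTION:-${SSH_CLIENT:-}}
    ip=${1:-unknown}
    case "$ip" in
        ""|*[!0-9a-fA-F.:]*) ip=unknown ;;
    esac
    printf '%s\n' "$ip"
}

# One record per login: UTC timestamp, account, source address.
log_line() { # $1 = account, $2 = ip
    printf '%s user=%s ip=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2"
}

notify() { # $1 = ip
    line=$(log_line "$(id -un)" "$1")
    printf '%s\n' "$line" >> "$LOG"
    # A mail failure must never stop the jail from coming up.
    printf '%s\n' "$line" | mail -s "honeypot login from $1" "$NOTIFY" 2>/dev/null || :
}

main() {
    notify "$(client_ip)"
    # chroot(2) needs root, so this assumes a sudoers rule (hypothetical) like
    #   bait ALL=(root) NOPASSWD: /usr/sbin/chroot --userspec=bait /srv/jail /bin/sh *
    # --userspec drops back to the bait uid inside the jail: a root shell in a
    # chroot is trivially escapable, so the attacker must never be root even
    # "inside". "$@" is passed on so "ssh bait@host cmd" (-c cmd) runs in the
    # jail as well. If the exec fails (no rule, jail missing) we fail closed.
    exec sudo -n /usr/sbin/chroot --userspec="$(id -un)" "$JAIL" /bin/sh "$@"
    exit 1
}

# sshd starts a login shell with argv[0] = "-trapshell" (plain "trapshell" for
# a non-login command session); only then do we act, so the file can also be
# sourced to exercise the functions above.
case "${0##*/}" in
    trapshell|-trapshell) main "$@" ;;
esac
```

The design rests on two things: the bait account owns nothing outside the jail, and the attacker arrives in the jail as an unprivileged uid. If the chroot cannot be entered the script exits instead of falling through to a real shell, which is the direction a trap should fail in.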
Anyway, a recent script kiddie left behind some files, most of which were long lists of usernames and passwords, while others were lists of IPs which had been portscanned on port 22. A few files were executables, which were apparently used to hack more machines. One of them was called “ssh”, and when I ran ./ssh, I got this:
./ssh <cate pizde sa incerc…>  (Romanian, vulgar; roughly "how many [targets] should I try")
I thought this must be some internationalized version of SSH. But when I tried to run ./ssh localhost, I got this:
Toata dragostea mea pentru diavola!!!!!!  (Romanian: "All my love for the she-devil")
I had seen this message before, in my apache logs:
72.252.209.134 - - [10/Jan/2009:04:27:44 -0800] "GET HTTP/1.1 HTTP/1.1" 400 344 "-" "Toata dragostea mea pentru diavola"
72.252.209.134 - - [10/Jan/2009:04:27:45 -0800] "GET /roundcube//bin/msgimport HTTP/1.1" 404 340 "-" "Toata dragostea mea pentru diavola"
And this:
147.83.113.228 - - [13/Jan/2009:23:50:47 -0800] "GET HTTP/1.1 HTTP/1.1" 400 344 "-" "Toata dragostea mea pentru diavola"
147.83.113.228 - - [13/Jan/2009:23:50:48 -0800] "GET /mantisbt/login_page.php HTTP/1.1" 404 339 "-" "Toata dragostea mea pentru diavola"
147.83.113.228 - - [13/Jan/2009:23:50:48 -0800] "GET /tracker/login_page.php HTTP/1.1" 404 338 "-" "Toata dragostea mea pentru diavola"
147.83.113.228 - - [13/Jan/2009:23:50:49 -0800] "GET /bugtracker/login_page.php HTTP/1.1" 404 341 "-" "Toata dragostea mea pentru diavola"
147.83.113.228 - - [13/Jan/2009:23:50:49 -0800] "GET /bugtrack/login_page.php HTTP/1.1" 404 339 "-" "Toata dragostea mea pentru diavola"
147.83.113.228 - - [13/Jan/2009:23:50:50 -0800] "GET /support/login_page.php HTTP/1.1" 404 338 "-" "Toata dragostea mea pentru diavola"
147.83.113.228 - - [13/Jan/2009:23:50:50 -0800] "GET /bug/login_page.php HTTP/1.1" 404 334 "-" "Toata dragostea mea pentru diavola"
147.83.113.228 - - [13/Jan/2009:23:50:50 -0800] "GET /bugs/login_page.php HTTP/1.1" 404 335 "-" "Toata dragostea mea pentru diavola"
147.83.113.228 - - [13/Jan/2009:23:50:51 -0800] "GET /mantis/login_page.php HTTP/1.1" 404 337 "-" "Toata dragostea mea pentru diavola"
147.83.113.228 - - [13/Jan/2009:23:50:51 -0800] "GET /login_page.php HTTP/1.1" 404 330 "-" "Toata dragostea mea pentru diavola"
Great. Now I have script kiddies trying to crack things that I don’t have installed, and they are using my server to portscan and hack other servers. Seriously, script kiddies, I know you’re not reading this, but GTFO my server.
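That user agent string is a usable indicator. As an added example, not code from the original post, here is a small POSIX shell script that pulls every source address that presented it out of an Apache combined log, counts hits per source, and lists the paths it probed. The sample log is constructed here from the entries above plus one benign request; the function names are mine.

```shell
#!/bin/sh
# Added example: hunt for the "Toata dragostea mea pentru diavola" user agent
# in an Apache combined log. Not the original post's code.

UA='Toata dragostea mea pentru diavola'

# Write a constructed sample log (entries modelled on the post's, plus one
# benign request) to a temp file and print its path.
sample_log() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
72.252.209.134 - - [10/Jan/2009:04:27:44 -0800] "GET HTTP/1.1 HTTP/1.1" 400 344 "-" "Toata dragostea mea pentru diavola"
72.252.209.134 - - [10/Jan/2009:04:27:45 -0800] "GET /roundcube//bin/msgimport HTTP/1.1" 404 340 "-" "Toata dragostea mea pentru diavola"
147.83.113.228 - - [13/Jan/2009:23:50:47 -0800] "GET /mantisbt/login_page.php HTTP/1.1" 404 339 "-" "Toata dragostea mea pentru diavola"
147.83.113.228 - - [13/Jan/2009:23:50:50 -0800] "GET /bugs/login_page.php HTTP/1.1" 404 335 "-" "Toata dragostea mea pentru diavola"
147.83.113.228 - - [13/Jan/2009:23:50:51 -0800] "GET /login_page.php HTTP/1.1" 404 330 "-" "Toata dragostea mea pentru diavola"
192.0.2.10 - - [13/Jan/2009:23:51:02 -0800] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (X11; Linux i686; rv:1.9) Gecko/2008 Firefox/3.0"
EOF
    printf '%s\n' "$f"
}

# Split on double quotes: in combined format $2 is the request line and $6 the
# user agent, so an exact match on $6 avoids false hits from the request path
# or the referer. Output: "<hits> <ip>", busiest source first.
ua_sources() { # $1 = log file, $2 = user agent
    awk -F'"' -v ua="$2" '
        $6 == ua { split($1, w, " "); hits[w[1]]++ }
        END { for (ip in hits) printf "%d %s\n", hits[ip], ip }
    ' "$1" | sort -rn
}

# Distinct request targets sent with that user agent: effectively the
# scanner's wordlist, handy for a fail2ban or mod_security rule.
# LC_ALL=C keeps the ordering byte-wise and reproducible across locales.
ua_paths() { # $1 = log file, $2 = user agent
    awk -F'"' -v ua="$2" '$6 == ua { split($2, r, " "); print r[2] }' "$1" | LC_ALL=C sort -u
}

# Against a real log:  ua_sources /var/log/apache2/access.log "$UA"
LOG=$(sample_log)
echo "sources:"; ua_sources "$LOG" "$UA"
echo "paths:";   ua_paths   "$LOG" "$UA"
rm -f "$LOG"
```

The caveat is that the user agent is attacker-chosen, so matching it only catches the variant that does not bother to change it; a burst of 404s for login pages of software you do not run, from one address in a few seconds, is the more durable signal and is what a rate-based rule should key on.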
Update: to see how script kiddies operate, I recommend you read this.
