Summary: After two years of being not only off, but unplugged and unwired, a server starts showing up in some logs. I first assumed it was either a hacker, and then wondered if it was some digital equivalent of a wraith (no idea how that would have worked, but residual power and a wireless card?). The solution, though, turned out to be a lot more mundane. Wanna take a guess?
BLOT: (10 Feb 2011 - 02:35:50 PM)
The Case of the Mystery Ghost Server and the Utterly Simple Solution...
Let's say I have two servers: Peter and Johnson. I do have "two" servers, but that is not what they are called; we'll use those names for the length of this blog post. Peter is the primary one, and the one I still use, while Johnson was an older computer that got outsourced initially as a back-up to Peter and then for a few months took over the server duties so that Peter could become more of a desktop base. Alright. Then, Johnson started dying and so Peter had to come back in. Johnson already lacked a keyboard and monitor, so we just pulled the plug and the network cables and let him lie. He was out of the way and so not a bother. This would have been about 2008 (for those interested in historical trivia, Johnson had a monitor attached and was the computer used at the first Black Death).
Now, a month or two ago, I updated Peter and got some security holes plugged up, and now have essentially let him lie as a server, while I use my laptop for my day to day computer needs. I am actually thinking about getting a bigger server, we'll call him...um...Jack, and then use it as sort of a central hub with laptops and other devices and peripherals. Right now, Peter is taking up that role but he is 7 years old and could use a break. At any rate, as I SSH into Peter from my laptop, it says something like "the last person logged in was..." and then almost inevitably, some default string like "blah-blah-Mac-blah-laptop". However, I logged in a few days back and I got a shock. Last person to log on: Johnson. I thought it might be a fluke, and ignored it. Logged back on, and got "laptop". Looked through the logs, and most of them showed the correct (for the laptop) IP. I was confused. Couple of days later, same thing. Now I'm kind of freaked out because even assuming someone is hacking into the old server, they are doing it a) with no power cord hooked up to it and b) with no connection to the router. It's a dead box lying out of the way. So, maybe hackers are spoofing it, but where would they get its old token?
After spending a day doing some security sweeps and finding most things to be where I wanted, I was flustered. Then, one day, out of the blue, the solution hit me. Want to take a guess? I tell you what: take the bits between the horizontal rules, and plug them into my autokey decoder. For the keyphrase, use "Peter Johnson", sans quotes. Hit decode. See if it matches your guess.
qGXQt IgQTb qm,VC jy`kj d8b}a VS[vV fcm=J saQbF m\S`U fYbIn X^NfB rFq]g a}LVC jmiP[ lmgqY GVL,j `=}a_ SuYXS uZbk_ lCb}b KX[KW ._`&" vP_Fc ZTa}F FrlKh Ht^cH [cSZQ h8ita U\9}Q VFm1a }lQT[ laPhb MRuZb =}]l@ }hURu Z[B"n TLs#L ^RdEd K[`NY qBc4n >_HIh PJAdY P_`Nx nhWUP shP_e Wfg"g d\Vh= }PNRT vh[RG Y9}SY YNswP XZJOm Ka#?} W:{Ud @hBkz Ao>@} fr.x* OL`Zh PojmO `7:C` V`Z"c [bUWQ RGQwY "rQur O^TTY "Ak`i a}OkF mhmK[ Tm@}L VDjuv KaWiO c?`X[ a}OTd YWA[s ]U@}7 2!@g? tijdO n>0+> kZWnu -OnHO lGIvT _WrOs 0ncVA `gK@d cd<}I D-AsI >thUD [R==@ }WVWf ZE[t] ^OfTs V[ZA} e`NKf Inh]Y A}VVQ B_gQ[ V]O+h hdNJb JH`Sb g"v`b JbRU^ hk>rf nnb}R VPo]P ]]mv" aNH`c K{
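For readers who want to see how an autokey cipher of the kind used above actually works, here is an added example (mine, not the author's decoder). It assumes a 94-character alphabet of printable non-space ASCII, which covers the letters, digits and punctuation visible in the ciphertext; the author's tool may use a different alphabet, so this will not necessarily decode the blob above.

```python
# Added example, not the post's own decoder. Assumption: the alphabet is the
# 94 printable non-space ASCII characters; the author's tool may differ.
ALPHABET = "".join(chr(c) for c in range(33, 127))   # '!' .. '~'
INDEX = {ch: i for i, ch in enumerate(ALPHABET)}
M = len(ALPHABET)                                     # 94


def _key_stream_seed(key: str) -> list:
    # Characters outside the alphabet (e.g. the space in "Peter Johnson")
    # carry no shift value and are dropped from the keyphrase.
    return [k for k in key if k in INDEX]


def autokey_encrypt(plaintext: str, key: str) -> str:
    """Autokey: the key stream is the keyphrase followed by the plaintext
    itself, so the shift for the i-th encrypted character is stream[i]."""
    stream = _key_stream_seed(key)
    if not stream:
        raise ValueError("key must contain at least one alphabet character")
    out, i = [], 0
    for p in plaintext:
        if p not in INDEX:          # pass through; does not extend the stream
            out.append(p)
            continue
        out.append(ALPHABET[(INDEX[p] + INDEX[stream[i]]) % M])
        stream.append(p)            # the plaintext feeds the key stream
        i += 1
    return "".join(out)


def autokey_decrypt(ciphertext: str, key: str) -> str:
    """Must run left to right: each recovered plaintext character becomes
    the shift for a later position, so the stream is rebuilt as we go."""
    stream = _key_stream_seed(key)
    if not stream:
        raise ValueError("key must contain at least one alphabet character")
    out, i = [], 0
    for c in ciphertext:
        if c not in INDEX:
            out.append(c)
            continue
        p = ALPHABET[(INDEX[c] - INDEX[stream[i]]) % M]
        out.append(p)
        stream.append(p)
        i += 1
    return "".join(out)


if __name__ == "__main__":
    msg = "Constructed sample text for the round-trip check: 42!"
    ct = autokey_encrypt(msg, "Peter Johnson")
    assert autokey_decrypt(ct, "Peter Johnson") == msg
    print(ct)
```

Strip the 5-character group spacing before feeding a grouped ciphertext to `autokey_decrypt`, since spaces are passed through untouched here.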
In some ways it is a boring answer, but it backs up a good rule of thumb for computers: never assume. I have people assume that a font not displaying properly is cause for reformatting, or that a weird blip in their browser is proof of hacking. Debugging is about narrowing down the possibilities. In this case, once I realized that the logs were tracking a computer on my network and that I could account for all the computers on my network, it was kind of obvious that I was thinking from the wrong end (outside-in rather than inside-out).
LABEL(s): Linux/Computers