/\//                     __       __  
 //\/_____   _____  ____  / /____  / /__
   / ___/ | / / _ \/ __ \/ __/ _ \/ //_/
  (__  )| |/ /  __/ / / / /_/  __/  <   
 /____/ |___/\___/_/ /_/\__/\___/_/|_|  

Episode 1: [A completely impractical approach to: spying on foreign hackers]

(That I'm gonna do anyway)



So, hear me out: Visit the /var/log/auth.log of any typical linux box with an open port 22 and you'll likely find droves of IPs failing to authenticate under Linux user names like "root", "forum", "vncuser", and "user1".

All super generic, right? That much is purposeful.

These IP addresses, coming largely from China, are using a sort of brute-force attack, doing what is essentially the equivalent of jiggling on every doorknob down the block until they find an unlocked door.

90% of these failed attempts fall into two categories. 1) "root", which, as most of you know, is absolutely the worst account(but one of the most common) to leave unprotected, and 2) generic accounts like "forum" and "vncuser" which are usually daemon users set up with the installation of certain software and are locked, but can sometimes be logged into when incorrectly configured later on by the end-user.

They're not usually privileged, but from there a hacker could collect some information on the system and its users or even run a privilege-escalation exploit.

I'd venture a guess that even tilde.club suffers these failed attacks, or at least did at some point in its history(there are ways to outright reject certain IPs by tendency, chunk, or geolocation after all.)

So, woot. I'm guessing the twisty-doorknob strategy works on enough computers to make it worthwhile, since they've been at it for years over there. That leaves me asking just one question:

What happens if you let them in?

I understand this is a cliffhanger, sorry. Sventek is sleeping.