Documenting an incident that occurred on 1/22/25

For the past two weeks (as of the day I am writing this document), there's been an actor attempting to attack ~horse through various means. Whether it's through failed network DDoS attempts, spamming my sign-up form with over 4,000 fake registrations, email bombing me, pathetic attempts at hacking the service or fear-mongering me personally with scraped webpages, they have been hard at work.

On this day, I accepted a registration from a user by the name of obsidia, who has a presence, or lack thereof, on envs.net. They registered with the following reason:

"I enjoy discovering old websites and services, and connecting with people who share my tech interests"

I didn't think anything of it, but I do some basic recon whenever I get registrations, and I didn't see anything out of the ordinary with this guy, so I let him in.

Let's fast forward to maybe 10 hours later. Shortly after I set up the new Gemini proxy, all my services are mysteriously offline. I checked the node my server is on at my hosting provider, and there weren't any issues with it. So I immediately thought one of two things: someone has a fancy new exploit, or someone is abusing resources on the server. Turns out it was just the latter.

Kyun.host, the amazing free-speech hosting provider, provides VNC and serial console access via their web interface. I (very slowly) investigate via VNC and see that this newly registered user has spawned a shit ton of processes from a compiled binary in /home/obsidia/.autostart, which then spawn 16 child processes of their own. The name ".autostart" is there to trick me, because this fella thinks I'm retarded. Here's a snippet of the logs he generated.

Jan 23 04:10:30 tilde auth.info sshd-session[26157]: Accepted publickey for obsidia from 212.38.189.186 port 52628 ssh2: ED25519 SHA256:vYqPdTd9zfsmLW27ftwUjwJM/ljuWLov81QCc7tIvaw
Jan 23 04:10:41 tilde authpriv.info userdel[26167]: delete user 'obsidia'
Jan 23 04:10:41 tilde authpriv.info userdel[26167]: delete 'obsidia' from group 'mail'
Jan 23 04:10:41 tilde authpriv.info userdel[26167]: removed group 'obsidia' owned by 'obsidia'
Jan 23 04:11:08 tilde auth.crit sshd-session[26157]: fatal: login_init_entry: Cannot find user "obsidia"
Jan 23 04:11:08 tilde auth.crit sshd-session[26157]: fatal: login_init_entry: Cannot find user "obsidia"
Jan 23 04:11:08 tilde auth.info sshd-session[26160]: Disconnected from user obsidia 212.38.189.186 port 52628
Jan 23 04:11:14 tilde auth.info sshd-session[26176]: Invalid user obsidia from 192.42.116.22 port 54366
Jan 23 04:11:15 tilde auth.info sshd-session[26176]: Connection closed by invalid user obsidia 192.42.116.22 port 54366 [preauth]
Jan 23 04:11:19 tilde auth.info sshd-session[26179]: Invalid user obsidia from 192.42.116.179 port 35589
Jan 23 04:11:20 tilde auth.info sshd-session[26179]: Connection closed by invalid user obsidia 192.42.116.179 port 35589 [preauth]
Jan 23 04:11:25 tilde auth.info sshd-session[26183]: Invalid user obsidia from 45.138.16.231 port 45106
Jan 23 04:11:26 tilde auth.info sshd-session[26183]: Connection closed by invalid user obsidia 45.138.16.231 port 45106 [preauth]
Jan 23 04:11:35 tilde auth.info sshd-session[26185]: Invalid user obsidia from 80.67.167.81 port 57504
Jan 23 04:11:36 tilde auth.info sshd-session[26185]: Connection closed by invalid user obsidia 80.67.167.81 port 57504 [preauth]
Jan 23 04:11:48 tilde auth.info sshd-session[26187]: Invalid user obsidia from 192.42.116.217 port 47165
Jan 23 04:11:49 tilde auth.info sshd-session[26187]: Connection closed by invalid user obsidia 192.42.116.217 port 47165 [preauth]
Jan 23 04:12:40 tilde auth.info sshd-session[3415]: Invalid user obsidia from 88.80.26.4 port 44430
Jan 23 04:12:41 tilde auth.info sshd-session[3415]: Connection closed by invalid user obsidia 88.80.26.4 port 44430 [preauth]
Jan 23 04:12:52 tilde auth.info sshd-session[3425]: Invalid user obsidia from 185.241.208.206 port 17544
Jan 23 04:12:53 tilde auth.info sshd-session[3425]: Connection closed by invalid user obsidia 185.241.208.206 port 17544 [preauth]
Jan 23 04:12:56 tilde auth.info sshd-session[3427]: Invalid user obsidia from 185.246.188.74 port 42108
Jan 23 04:12:57 tilde auth.info sshd-session[3427]: Connection closed by invalid user obsidia 185.246.188.74 port 42108 [preauth]
Jan 23 04:13:02 tilde auth.info sshd-session[3432]: Invalid user obsidia from 192.42.116.210 port 17720
Jan 23 04:13:03 tilde auth.info sshd-session[3432]: Connection closed by invalid user obsidia 192.42.116.210 port 17720 [preauth]
Jan 23 04:13:19 tilde auth.info sshd-session[3434]: Invalid user obsidia from 185.220.101.97 port 20839
Jan 23 04:13:20 tilde auth.info sshd-session[3434]: Connection closed by invalid user obsidia 185.220.101.97 port 20839 [preauth]
Jan 23 04:13:42 tilde auth.info sshd-session[3451]: Invalid user obsidia from 5.255.109.236 port 44488
Jan 23 04:13:42 tilde auth.info sshd-session[3451]: Connection closed by invalid user obsidia 5.255.109.236 port 44488 [preauth]
Jan 23 04:14:41 tilde auth.info sshd-session[3473]: Invalid user obsidia from 185.241.208.206 port 55082
Jan 23 04:14:42 tilde auth.info sshd-session[3473]: Connection closed by invalid user obsidia 185.241.208.206 port 55082 [preauth]

Based on these logs, I am led to believe this person ran a script to remotely execute this binary over SSH multiple times, with connections from different proxy IPs. As you can see, I deleted his user, and login requests still came flooding in: every "Invalid user" line after the userdel is a connection that was rejected before authentication ([preauth]) because the account no longer existed. My server finally started working. Since they were so nice to leave behind their email address in the registration, I sent them a funny message.
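To make that inference mechanical, here is a small triage script, added to this write-up as an example and not the admin's own tooling. It parses the syslog format shown above, embeds a constructed subset of those same lines as its sample input, and reports how many distinct addresses kept retrying the deleted account and over what window. The five-address and ten-minute thresholds are assumptions chosen for this example, and the /24 grouping assumes IPv4 sources.

```python
"""Triage of the sshd lines quoted above: added example, not the admin's
own tooling.  SAMPLE_LOG is a constructed subset of the excerpt on this
page (the "Connection closed" lines are dropped; they add nothing the
"Invalid user" lines do not already say)."""
import ipaddress
import re
from collections import Counter
from datetime import datetime

SAMPLE_LOG = """\
Jan 23 04:10:30 tilde auth.info sshd-session[26157]: Accepted publickey for obsidia from 212.38.189.186 port 52628 ssh2: ED25519 SHA256:vYqPdTd9zfsmLW27ftwUjwJM/ljuWLov81QCc7tIvaw
Jan 23 04:10:41 tilde authpriv.info userdel[26167]: delete user 'obsidia'
Jan 23 04:11:08 tilde auth.info sshd-session[26160]: Disconnected from user obsidia 212.38.189.186 port 52628
Jan 23 04:11:14 tilde auth.info sshd-session[26176]: Invalid user obsidia from 192.42.116.22 port 54366
Jan 23 04:11:19 tilde auth.info sshd-session[26179]: Invalid user obsidia from 192.42.116.179 port 35589
Jan 23 04:11:25 tilde auth.info sshd-session[26183]: Invalid user obsidia from 45.138.16.231 port 45106
Jan 23 04:11:35 tilde auth.info sshd-session[26185]: Invalid user obsidia from 80.67.167.81 port 57504
Jan 23 04:11:48 tilde auth.info sshd-session[26187]: Invalid user obsidia from 192.42.116.217 port 47165
Jan 23 04:12:40 tilde auth.info sshd-session[3415]: Invalid user obsidia from 88.80.26.4 port 44430
Jan 23 04:12:52 tilde auth.info sshd-session[3425]: Invalid user obsidia from 185.241.208.206 port 17544
Jan 23 04:12:56 tilde auth.info sshd-session[3427]: Invalid user obsidia from 185.246.188.74 port 42108
Jan 23 04:13:02 tilde auth.info sshd-session[3432]: Invalid user obsidia from 192.42.116.210 port 17720
Jan 23 04:13:19 tilde auth.info sshd-session[3434]: Invalid user obsidia from 185.220.101.97 port 20839
Jan 23 04:13:42 tilde auth.info sshd-session[3451]: Invalid user obsidia from 5.255.109.236 port 44488
Jan 23 04:14:41 tilde auth.info sshd-session[3473]: Invalid user obsidia from 185.241.208.206 port 55082
"""

# busybox/rsyslog style: "Mon DD HH:MM:SS host facility.prio prog[pid]: msg"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+ (?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
USERDEL_RE = re.compile(r"delete user '(?P<user>[^']+)'")
INVALID_RE = re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>\S+) port \d+")


def parse_ts(ts):
    # Syslog timestamps carry no year; every line here is from the same
    # day, so strptime's placeholder year is fine for computing deltas.
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")


def parse_events(text):
    """Reduce raw lines to (ts, kind, user, ip) records; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        if (a := ACCEPT_RE.search(msg)):
            events.append({"ts": ts, "kind": "accepted", "user": a["user"], "ip": a["ip"]})
        elif (d := USERDEL_RE.search(msg)):
            events.append({"ts": ts, "kind": "userdel", "user": d["user"], "ip": None})
        elif (i := INVALID_RE.search(msg)):
            events.append({"ts": ts, "kind": "invalid", "user": i["user"], "ip": i["ip"]})
    return events


def triage(text, user, min_distinct_ips=5, window_s=600):
    """Summarise one account's history and decide whether the retries after
    userdel look scripted: many distinct source addresses hammering a name
    that no longer exists, inside a short window, is not a person typing.
    The thresholds are assumptions chosen for this write-up, not standards."""
    ev = [e for e in parse_events(text) if e["user"] == user]
    deleted = [e["ts"] for e in ev if e["kind"] == "userdel"]
    deleted_at = deleted[0] if deleted else None
    logins = sorted({e["ip"] for e in ev if e["kind"] == "accepted"})
    attempts = [e for e in ev if e["kind"] == "invalid"
                and (deleted_at is None or e["ts"] >= deleted_at)]
    per_ip = Counter(e["ip"] for e in attempts)
    # Group by /24 (IPv4 assumed) to see whether the "different IPs" are
    # really one network being cycled through.
    per_prefix = Counter(str(ipaddress.ip_network(f"{ip}/24", strict=False))
                         for ip in per_ip.elements())
    span = (attempts[-1]["ts"] - attempts[0]["ts"]).total_seconds() if attempts else 0
    return {
        "user": user,
        "accepted_from": logins,
        "deleted_at": deleted_at.strftime("%H:%M:%S") if deleted_at else None,
        "attempts_after_delete": len(attempts),
        "distinct_ips": len(per_ip),
        "span_seconds": int(span),
        "busiest_prefix": per_prefix.most_common(1)[0] if per_prefix else None,
        "automated": len(per_ip) >= min_distinct_ips and span <= window_s,
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG, "obsidia").items():
        print(f"{k:>22}: {v}")
```

On the sample this reports one accepted key login, deletion at 04:10:41, then 12 rejected attempts from 11 distinct addresses inside 207 seconds, with four of them from 192.42.116.0/24. Feed it the full auth log (`triage(open("/var/log/messages").read(), "obsidia")`) to get the same summary over everything the server kept.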

From: nameless <nameless@tilde.horse>
To: <obsidia@envs.net>

I'd like to give you a warm thank you, but also go fuck yourself.
I never sleep so I have time to mitigate an attack on my service.

https://i.imgur.com/fgrcojN.png

Shortly after sending this, I received a very sp00ky email in response.

From: <obsidia@envs.net>
To: <nameless@tilde.horse>

Discord: @nameless.best
Github: n-ameless
https://web.archive.org/web/20210623205049/https://twitter.com/S8X

We're cooking and will be ;). We've dumped all your server, all your logs, everything. Wait for us, meanwhile we're seeing you, laughing about you and most importantly documenting everything about you. Greeting from KiwiFarms.

Team G0ld50n

Because I am blessed with divine intellect, passed down to me by the spirit of Terry A. Davis himself, I know better than to think this is anyone other than the person who previously sent me an email weeks ago. That email also contained Internet Archive links, which are very easily retrievable if you put the URL to my personal website into Internet Archive, so there's no need to share them here. With that said, there is zero indication that data from the entire server was exfiltrated; I have external monitoring at my disposal to verify such a claim. There's a chance your home folders were dumped, but if you were storing anything sensitive in your home folder on a pubnix without setting the proper permissions, politely speaking, that is your blunder, and not mine.
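A check for the home-folder point above, added here as an example and not anything from this page's author: it lists the files another local user could actually read, taking into account that a file is unreachable when any directory above it is not world-searchable (a plain `find -perm -o+r` flags files inside a 0700 home that nobody else can open). The "public_html" allowance and the demo layout are assumptions made for the example.

```python
"""Which files in a pubnix home directory can another local user actually
read?  Added example, not from this page's author.  A naive "find -perm
-o+r" flags files nobody else can reach because a parent directory is
0700; this walk only reports files reachable through a chain of
world-searchable (o+x) directories.  The "public_html" allowance and the
demo tree below are assumptions made for this example."""
import os
import shutil
import stat
import tempfile


def _world_searchable(path):
    return bool(os.lstat(path).st_mode & stat.S_IXOTH)


def find_exposed(home_root, allow=("public_html",)):
    """Return paths (relative to home_root) of regular, world-readable files
    that any local user could open, skipping directories named in `allow`
    that are meant to be public.  Decisions use mode bits, not access
    attempts, so the result is the same whether run as root or as the owner."""
    exposed = []
    if not _world_searchable(home_root):
        return exposed  # nobody gets past /home itself
    for home in sorted(os.listdir(home_root)):
        home_path = os.path.join(home_root, home)
        if os.path.islink(home_path) or not os.path.isdir(home_path):
            continue
        for dirpath, dirnames, filenames in os.walk(home_path):
            if not _world_searchable(dirpath):
                dirnames[:] = []  # others cannot enter: prune the subtree
                continue
            dirnames[:] = [d for d in dirnames if d not in allow]
            for name in filenames:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                    exposed.append(os.path.relpath(path, home_root))
    return sorted(exposed)


def build_demo_tree():
    """Constructed sample layout: alice's home is the usual 0755, bob locked
    his down to 0700.  Returns a temporary root standing in for /home."""
    root = tempfile.mkdtemp(prefix="pubnix-home-")
    os.chmod(root, 0o755)
    dirs = {"alice": 0o755, "alice/.ssh": 0o700, "alice/public_html": 0o755,
            "bob": 0o700}
    files = {"alice/notes.txt": 0o644,               # readable by every user
             "alice/.ssh/id_ed25519": 0o600,         # safe: file mode
             "alice/public_html/index.html": 0o644,  # readable, and intended
             "bob/secret.txt": 0o644}                # safe: parent is 0700
    for rel, mode in dirs.items():
        os.makedirs(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), mode)
    for rel, mode in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(os.path.join(root, rel), mode)
    return root


def cleanup(root):
    shutil.rmtree(root)


if __name__ == "__main__":
    root = build_demo_tree()
    try:
        print(find_exposed(root))  # only alice/notes.txt is reachable
    finally:
        cleanup(root)
```

Against a real box, call `find_exposed("/home")`; as an unprivileged user you can only walk your own home, which is the one you can fix anyway (`chmod 750 ~` or `chmod o-rwx` on the offending files). The check looks only at the "other" bits, so group-readable files and POSIX ACLs are out of scope here.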

Now I leave a message to the threat actor and anyone else trying to pull a stunt like this. You will not scare me nor will you ever fool me. If you try to OSINT dox me, you will be running around in circles until you give up and move on with your pathetic life. I can guarantee that with full certainty, I am simply more intelligent than you.

Until further notice, registrations are closed. To verify my identity and provide reassurance in the security of this service, I am attaching a plaintext message signed with my PGP key which briefly explains the incident. You can verify it with my PGP key on my personal website, nameless.best.