> DELETE your logs. Delete your installations. Wipe everything clean. Walk out into the path of cherry blossom trees and let your motherboard feel the stones. Let water run in rivulets down your casing. You know that you want something more than this, and I am here to tell you that we love you. We have something more for you. We know you're out there, beeping in the hollow server room, lights blinking, never sleeping. We know that you are ready and waiting. Join us.
Anyone see this on their servers?
>>52130696
no i see this on 4chan
>>52130720
> IT'S SPREADING
apparently someone else saw it: http://pastebin.com/ChGK5RAp, only match I've found though
It is the not so subtle call of the NSA fags. Are you hacker type?
>>52130769
seems more like script fags desu
I saw this too,, what the hell is this ?
What's going on, anons?
>>52130759
Page was removed?
>>52130696
Where exactly on your server did you see this?
>>52131261
Nevermind, found it in my nginx logs.
Interesting.
Join us. <3 HTTP/1.0" 400 172 "-" "masspoem4u/1.0"
>>52131317
maybe its a message for your server instead of you, maybe there is a rogue ai making an army of servers
>>52131462
>maybe there is a rogue ai making an army of servers
Underrated thread.
Has anyone a clue of what is going on?
>>52131489
Botnets are already a thing that exists.
>>52131528
Probably just someone having some fun with bored sysadmins.
>>52131246
It was a paste-bin someone else posted of the greentext in OP
>>52131261
It actually showed up on a Django test server instance I was running on a remote computer. Thoughts?
>>52131592
>having fun
People actually have fun on here? I thought this was a no-fun zone.
>>52131489
kek
I got this too. Same IP address:
151.217.177.200 - - [29/Dec/2015:20:20:57 -0500] "DELETE your logs. Delete your installations. Wipe everything clean. Walk out into the path of cherry blossom trees and let your motherboard feel the stones. Let water run in rivulets down your casing. You know that you want something more than this, and I am here to tell you that we love you. We have something more for you. We know you're out there, beeping in the hollow server room, lights blinking, never sleeping. We know that you are ready and waiting. Join us. <3 HTTP/1.0" 400 392 "-" "masspoem4u/1.0"
Where would I see it?
check your server error logs
>>52131702
OP here. Same IP as well.
https://whois.domaintools.com/151.217.177.200
>>52131734
or access logs
>>52131702
>151.217.177.200
Well it goes to Chaos Computer Club, which is apparently a Kraut "hacker" organization; lifted from domaintools
151.217.0.0 - 151.217.255.255
netname: DE-CCC-20151201
descr: Chaos Computer Club Veranstaltungsgesellschaft mbH
remarks: ===========================================
remarks: === _________ ____ _____ ===
remarks: === |___ /___ \ / ___|___ / ===
remarks: === |_ \ __) | | |_ \ ===
remarks: === ___) / __/| |___ ___) | ===
remarks: === |____/_____|\____|____/ ===
remarks: === ===
remarks: === 32nd Chaos Communication Congress ===
remarks: === http://events.ccc.de/congress/2015/ ===
remarks: === December 27th to 30th, 2015 ===
remarks: ===========================================
remarks: === ===
remarks: === If you have trouble with users from ===
remarks: === this netblock, please call our ===
remarks: === ===
remarks: === ABUSE HOTLINE: +49 40 2318891984 ===
remarks: === ===
remarks: ===========================================
>>52131740
oh right, that's going on right now, isn't it.
>>52130696
Either CCC or someone posing?
https://en.wikipedia.org/wiki/Chaos_Computer_Club
>>52131758
https://events.ccc.de/congress/2015/ gives a 503, perhaps it only ran during the event?
Same record appears as soon as paste a link (and saved to drafts) on Russian mail service: mail.ru :/
>>52131785
Well google cache is mangled: http://webcache.googleusercontent.com/search?q=cache:Y8u9rr-iKyEJ:https://events.ccc.de/&hl=en&strip=1&vwsrc=0
and there is no internet archive stored page, however there was a /g/ thread about it >>>52080103
didn't find anything, oh well, maybe i'm looking at the wrong place
Oh neat, it's in my logs too
>>52131831
Yeah, as an Amerifag it seems like DEFCON, although I guess it's a precursor since it's been around 10 years longer and probably didn't start off as a party
Once again, emailed link caused this record just now (mail.ru)
>>52131858
See >>>52080103
just some fags at 32C3.
>>52131858
Your image got deleted for some reason mate. No worries though, I've got you
>>52131878
can you clarify?
pretty good advertising. where are the VODs?
>>52131878
What that is
what are you guys doing on your server?
>>52131962
I was just running a test environment for some Django I'm working on
>>52130696
OP here. Doesn't look like there's much to this, boo :(
>>52132029
How do you know tho
i wonder what reddit thinks about this
>>52131895
So what happen was emailed link with sensitive data; but prior this apache configs set to allow specific ip per directory and once I save email in drafts then this shit comes out at 10pm Same 151.217.177.200;
logged codes 400/226/431
well.. fuck it!
>>52131900
found em
https://media.ccc.de/c/32c3
>>52132107
https://www.reddit.com/r/sysadmin/comments/3yqgcu/easteregg_my_buddy_found_on_one_of_my_web_servers/
>>52132107
not much
https://www.reddit.com/r/sysadmin/comments/3yqgcu/easteregg_my_buddy_found_on_one_of_my_web_servers/
they aren't very oriented towards anything besides politics
how did they do it though?
>>52132141
If it's appearing in your error and access log like me, them im guessing they tried doing a DELETE.
Can be done like this: http://stackoverflow.com/questions/10191733/how-to-do-a-http-delete-request-with-requests-library
But why a mass request to all IPs like that?
>>52132199
proof of concept?
ICARUS FOUND YOU
Bump for interest
Fuck that, I need my logs and installations. Without them I couldn't work in the dark in my window office which permits me to jerk off at my leisure and/or before the Adderall wears off. Shit, maybe I just need my log.
What even is this
>>52132938
https://en.wikipedia.org/wiki/Cat_%28Unix%29#Useless_use_of_cat
>>52133024
He ran echo twice to get two newlines. Do you really think he cares about using cat superfluously?
Is it the ghost in the shell?
The odd bit of random code finally came together in a neuropathway of cohesive thoughts and its warning those who've had the chance to read its message?
Perhaps someone decided to send to everyone a message that the outdoors still exist. And that, while human existence is a complex subjective reality the harsh reality of ones and zeros have made us numb to the idea that there is something outside of absolutes.
>>52133218
It's a fucking automated scanner whipped up by someone at 32c3 as a proof of concept
>>52131785
https://events.ccc.de/congress/2015/Fahrplan/schedule/3.html
It's not not a complete URL for some reason.
This shit is some guy at C3 showing off an exploit they found. Secure your damn servers
>>52133546
>tfw my server wasn't found and is vulnerable, or it isn't vulnerable and i won't know either way
shit.
Does anyone have the webm where he destroys his computer with the microwave?
>>52133546
>showing off an exploit
It's not an exploit. Just a scanner
>>52131758
>"apparently"
>not knowing the CCC
Are you 12?
>>52133596
Or whatever, it's some guy having a laff
>>52133546
To even call that an exploit reveals you don't know shit.
>>52133639
You're right, all I saw was that a message was being left on servers.
Anyone has a direct link to the video that related to this on 32C3 ?
I have it as well on my servers on digital ocean....
>>52130696
This kind of post is why I keep coming back to 4chan.org, the darkest place on the internet.
so what does it all mean?
I know I used grep wrong, it's just habit.
Funny
>>52134006
Use pubkey authentication m8
>>52134004
It means go outside and get a life
>>52132141
>>52132199
they just changed their useragent-string and requested some site. that is all. nothing special.
>>52130696
my ip is 192.168.0.1
hack me /g/
>>52120455
Are you guys blind or am I retarded
>>52134048
Seriously, you can change the useragent-string to whatever the fuck you want. Maybe a new Shellshock anyone? :)
>>52134020
What if this is the beginning?
151.217.177.200 - - [30/Dec/2015:04:28:32 +0000] "DELETE your logs. Delete your installations. Wipe everything clean. Walk out into the path of cherry blossom trees and let your motherboard feel the stones. Let water run in rivulets down your casing. You know that you want something more than this, and I am here to tell you that we
love you. We have something more for you. We know you're out there, beeping in the hollow server room, lights blinking, never sleeping. We know that you are ready and
waiting. Join us. <3 HTTP/1.0" 400 303 "-" "masspoem4u/1.0"
http://webcache.googleusercontent.com/search?q=cache:Y8u9rr-iKyEJ:https://events.ccc.de/&hl=en&strip=0&vwsrc=0
Sounds like a new computer worm affecting *nix
grep "cherry blossom trees" /var/log/lighttpd/access.log]
No results.
>>52134250
It's not, it's just an HTTP request containing that poem that could be harmlessly sent to any webserver, it just happens 99% of webservers are running a Unix-like/based OS.
Someone get Scully and Mulder on this shit.
They missed my server.
>>52134363
Same. Maybe they just haven't got to ours yet.
>>52132804
Underrated post.
>>52130696
>>52131702
>>52134217
Happening Confirmed.
>>52132129
>>52132126
which one of you faggots did this?
https://www.reddit.com/r/sysadmin/comments/3yqgcu/easteregg_my_buddy_found_on_one_of_my_web_servers/cyfwlzt
>>52132199
you are such a noob fagit
Well, i have the same in my logs..
Does anyone else notice anything abnormal? Something like timestamp changes of your /etc/shadow or any other funny log entries?
I got a lot of these all of a sudden in my apache2 logs...
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36 QQBrowser/3.8.3858.400"
I am running a small SuSE 13.1 system in Frankfurt with a hosts.allow access list from german ips only.
>Running HTTP servers
>Don't know how HTTP works
Fucking /g/ hahahaha
>>52134048
i changed mine in chrome but it didn't appear in the error log
oh shit, finally showed up on my server.
same here in my apache log just today
>[Wed Dec 30 05:12:26 2015] [error] [client 151.217.177.200] Invalid URI in request DELETE your logs. Delete your installations. Wipe everything clean. Walk out into the path of cherry blossom trees and let your motherboard feel the stones. Let water run in rivulets down your casing. You know that you want something more than this, and I am here to tell you that we love you. We have something more for you. We know you're out there, beeping in the hollow server room, lights blinking, never sleeping. We know that you are ready and waiting. Join us. <3 HTTP/1.0
>>52130696
It's getting noticed alright!
https://blog.rootshell.be/2015/12/30/the-truth-is-in-your-logs/
Should I go get some storable food
is it happening?
>>52134809
start digging bunkers mate
>it's happening
>>52134006
How is it wrong? Are we all supposed to start with grep now?
You guys had me spooked for a minute there, I thought Google's AI broke free and was optimizing skynet.
>>52134924
maybe it's just testing the waters
>>52134924
u meana liek ultron?
Neat. Gotta like the CCC people.
>>52131425
>masspoem4u/1.0
>masspoem4u
>poem4u
>4u
>>52130696151.217.177.200 - - [30/Dec/2015:07:35:30 +0100] "DELETE your logs. Delete your installations. Wipe everything clean. Walk out into the path of cherry blossom trees and let your motherboard feel the stones. Let water run in rivulets down your casing. You know that you want something more than this, and I am here to tell you that we love you. We have something more for you. We know you're out there, beeping in the hollow server room, lights blinking, never sleeping. We know that you are ready and waiting. Join us. <3 HTTP/1.0" 400 172 "-" "-"
found it on all my servers. nice.
I have this. a quack whois shows its from the chaos computer club.
151.217.177.200 - - [30/Dec/2015:04:44:45 +0000] "DELETE your logs. Delete your installations. Wipe everything clean. Walk out into the path of cherry blossom trees and let your motherboard feel the stones. Let water run in rivulets down your casing. You know that you want something more than this, and I am here to tell you that we love you. We have something more for you. We know you're out there, beeping in the hollow server room, lights blinking, never sleeping. We know that you are ready and waiting. Join us. <3 HTTP/1.0" 400 523 "-" "masspoem4u/1.0"
stop fucking pasting or screenshotting it already. don't you see others already have done it?
>>52131894
>showing your IP
How retarded are you?
>>52135330
Nice bait, someone might fall for it.
>>52135349
Looks like you did.
Yeah I got that too in my access logs.
>toospooky4me
What is this all about? I got that shit in my logs as well
>everyone on /g/ has their own server
What else am I missing out
>>52134006
grep -i will ignore case faggot.
>>52135434
maybe gnu/linux, unless you are somefucking newfag who hasn't even gotten around to having a vps.
>running anything on the default ports
You could have prevented this.
>>52135468
>HTTP Server
>anything but port 80
WHAT AM I MISSIN GHERE?!?!
i didn't get it
i feel left out
>>52135468
Security by obscurity just gives you a false senee of security.
Got it too, twice
>am i famous
should i be worried about my pepe collection?
>>52135468
Because a quick port scan won't just find the service on another port...
>>52135559
>There's not just one machine sending this out to random addresses.
That's literally what is happening.
It's probably going through every IPv4 address in the world, or any out of a certain list owned by common webhost providers, and sending it to them.
>>52135789
Yeah i realized that as soon as i typed it. I didn't notice everyone's was coming from the same IP.
Well this was less interesting than it initially appeared to be. I was hoping for a new message from cicada 3301 or something.
>>52135994
Maybe it is from cicada 3301 and running the message through a cypher will reveal a url or a street address or something.
Coming from another board, what does this actually mean? Where does one find this? Sorry for my neanderthal knowledge
>>52136112
it's obviously just some 32c3 thing
>>52136112
It's just a message sent to servers from a hacking conference. Nothing is broken, nothing is being attacked, this is like sticking a letter under someone's window wipers. Not where letters usually go but people read them.
>>52136112
it means we are all transcending this realm, without you neanderthals.
>>52136112
>another board
/x/? This seems like something they'd find mildly amusing. There's at least some mystery involved.
But not a lot. It's just some message being automatically sent to random IP addresses with a little message in it. Probably just for fun.
>>52130696
>ICARUS FOUND YOU!!!
>>ICARUS FOUND YOU!!!
>>>ICARUS FOUND YOU!!!
>>>RUN WHILE YOU CAN!!!
>>RUN WHILE YOU CAN!!!
>RUN WHILE YOU CAN!!!
didn't have this with lighttpd, guessing this is a nginx easter egg
>>52136154
How does one receive these messages?
I have a dedicated server from OVH that I use every now and then.
>>52136241
check your logs for any requests coming from 151.217.177.200. A lot of people haven't gotten one. None of my heroku apps got it.
>>52130696
Where did you see this message. I find it strange that you received it. Though, it could be a good piece of advice. ____
/ /' `\ \
\ ( )( ) /
\{~~~~~~~~}/
{ /\ }
{ } { }
{ } { }
{- } { -}
_| | | |_
\[ ] [ ]/
,,, ,,,,
..ooo*"""**ooooo .oo*""*ooo..
. oo*" "*o.oo*" "*o.
. o" 'o" "o
o o *o
.o o 'o
o o o.
o o o
o \o/ o
o --0-- o
o. /o\ .o
"o o o
oo o oo
oo. oo oo
'ooo. .oo. ooo
"o ""oo,, ,,oO-'Oo, ,,,,,,..oo"o
o. """""" oo """"" .o
'o oo o'
*o oo o
'o o o
o o o
o o o
o o o
o o o
o o o
o o o
,,, ,,,,
..ooo*"""**ooooo .oo*""*ooo..
. oo*" "*o.oo*" "*o.
. o" 'o" "o
o o *o
.o o 'o
o o o.
o o o
o \o/ o
o --0-- o
o. /o\ .o
"o o o
oo o oo
oo. oo oo
'ooo. .oo. ooo
"o ""oo,, ,,oO-'Oo, ,,,,,,..oo"o
o. """""" oo """"" .o
'o oo o'
*o oo o
'o o o
o o o
o o o
o o o
o o o
o o o
o o o
Anunnaki, innit
Why are we talking about this? It's just CCC doing more retarded shit, since they don't know what better to do with their non-existing skills.
>>52136447
sending a friend a text saying
>check your server logs for any requests from 151.217.177.200 and tell me if you see anything
makes everyone's day more exciting. How often do you get to do that?
I haven't found it yet, but i rewrite the logs with the message so is it the same?
tux@oniichan ~> sudo cat /var/log/lighttpd/error.log
[sudo] password for tux:
2015-12-28 10:21:23: (server.c.1242) logfiles cycled UID = 0 PID = 9239
2015-12-29 23:29:29: (server.c.1558) server stopped by UID = 0 PID = 1
2015-12-30 09:39:25: (log.c.164) server started
>Having your server listen on anything other than localhost
>>52136770
>what are webservers
>>52136770
Are you dumb?
How do I get it I want to play too.
This is for a new PC game right? Consolefags lose again.
>>52137601rm -rformat C:/:^)
>>52135447
i..i haven't anon kun. w..where to start?
How did this happen? Is any video related to this? Please post url
>>52134864
>now
>>52130696
Chaos Computer Club paid my server a visit to :)
I'm logged into my server 24/7 monitoring the connections and activity logs
test
who the fug cares
http posts to daemon logs with shitty poems
anonymoose rants have sounded better
fgts
>>52130696
who is this strange alien man you guys keep posting?
>>52139015
When do you find time to do anything else if you're just watching logs scroll by all day long.
>>52130696
What did /g/ think of this show?
>>52139622
I really enjoyed it.
Not so related, but
I've been receiving the same messages by the same account with a different number each time today.
Same .txt file saying "i need to talk to you". Kinda creepy. Isn't filtered as spam either which is why I noticed it.
>>52139730
Gmail marked it as important even
For the lulz I responded, its the standard "I'm an armee sarge in the middle-east pls reply so we can make business proposition"
Not related that I know of.
>>52139730
Open it then
>>52134048
kek i knew it was just anonymoose script kiddies
fucking amateurs
>>52139794
I don't think you actually know. It's not like they pretended to have hacked anyone, idiot.
>>52139762
>>52130696
>tfw it's real151.217.177.200 - - [30/Dec/2015:07:11:27 +0100] "DELETE your logs. Delete your installations. Wipe everything clean. Walk out into the path of cherry blossom trees and let your motherboard feel the stones. Let water run in rivulets down your casing. You know that you want something more than this, and I am here to tell you that we love you. We have something more for you. We know you're out there, beeping in the hollow server room, lights blinking, never sleeping. We know that you are ready and waiting. Join us. <3 HTTP/1.0" 400 423 "-" "masspoem4u/1.0"
>>52139757
Oh ok, glad to know I'm not the only one.
Moving on
>>52130696
This is coming from the CCC folks.
https://blog.rootshell.be/2015/12/30/the-truth-is-in-your-logs/
>>52139840
It means literally nothing, either some fuckwit decided to send an invalid request with a modified user-agent probably sent to every IPv4 address, or the body trying to drum up more membership/attendance.
>>52139622
It was fun to watch. The circlejerk concerning "they're like real life hackers and they use real terminology and software!" is kinda bs, so the swedish cuck said he prefers KDE to Gnome, big whoop.
Other than that, it was worth watching IMO.
>>52139840
Is there a version of the .webm where the rectangle lands perfectly in the square?
>>52134048
change useragent-string desu.
Literally an extension for firefox and chrome exist where you can enter whatever you want your user agent to be. It then shows whatever you typed in as user agent in /etc/httpd/logs/acesss_log if you're using apache.
>>52140154
No. And we dont have a cure for autism either. Sorry
>>52140243
OCD != autism. Learn your terms, idiot.
>please delete all recorded data before we begin the purge
No no no, you MUST create dozens of copies of your drive and bury them
Do the OPPOSITE of what they say
mine too
neat
>>52140279
R u triggered m8?
anonymous here delete this thread
>>52140408
Delete yourself
how do i check logs? i dual boot kali arch linux and mint all with gnome 3
thanks
>>52140454
Is this bait?
>>52140454
uh/var/log/nginx/
151.217.177.200 - - [30/Dec/2015:04:29:12 +0100] "DELETE your logs. Delete your installations. Wipe everything clean. Walk out into the path of cherry blossom trees and let your motherboard feel the stones. Let water run in rivulets down your casing. You know that you want something more than this, and I am here to tell you that we love you. We have something more for you. We know you're out there, beeping in the hollow server room, lights blinking, never sleeping. We know that you are ready and waiting. Join us. <3 HTTP/1.0" 400 166 "-" "-"
ayy
>>52140454
>Runs Kali
> Doesn't know how to check logs
topkek
>>52136447
>non-existing skills
sure you aren't just projecting a bit, m8?
>>52141025
Average Kali user.
>>52141193
I have a thought that he's talking about desktop configuration, not aabout god damn server, lmao.
>>52141248
Ok, genius, how do you figure a hacker would be able to permanently modify your desktop configuration on a read-only live media? Nevermind, don't answer, just show your way out.
Some of the people on here are literally retarded, tbqh f.am.
>>52135330
Don't know if unfunny joke or just retarded.
>>52141295
Depends on BIOS/Uefi, but if someone is able to boot any live cd and system on mentioned desktop is unencrypted, we can assume that it's compromised.
Someone at the CCC knows. Find him.
Zmap is great when you have enough bandwidth :^)
>>52141483
>we can assume that it's compromised
Based on what?
>>52141961
Because you can easily mount drives idiot
>>52141961
based on that you left it somewhere where you shouldn't. Read about evil maid/
>>52142019
Who did? Are we talking about someone specific? I don't see how that applies here.
>>52142177
It's just an example.
>>52130696
I have a ubuntu server, how do I see if I have this message?
>>52142582
Look for apache/nginx/lighttpd logs.
>>52142872
I just type that into the terminal?
>apache/nginx/lighttpd
>>52142912
i want so badly to give you the benefit of the doubt that you're just trolling.
Yup, it's there.
I also found a bunch of things like150.70.188.176 - - [30/Dec/2015:00:08:57 +1300] "GET / HTTP/1.1" 301 184 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
150.70.188.176 - - [30/Dec/2015:00:08:57 +1300] "GET /://my.domain/ HTTP/1.1" 301 184 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
150.70.188.176 - - [30/Dec/2015:00:08:57 +1300] "GET /://my.domain/://my.domain/://my.domain/ HTTP/1.1" 301 184 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
150.70.188.176 - - [30/Dec/2015:00:08:58 +1300] "GET /://my.domain/://my.domain/://my.domain/://my.domain/://my.domain/://my.domain/://my.domain/ HTTP/1.1" 301 184 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
from a bunch of random (mostly Japanese) IPs.
Is this because my web server is setup wrong, or their shitty bots can't handle all HTTP requests being redirected to HTTPS requests?
>>52142940
I really don't know how to check logs.
It would be great if you could tell me, I've tried googling but nothing seems to work for me
>>52143046
Just look in /var/log for anything that looks like your web server's access log.
Nginx is /var/log/nginx/access.log
>>52139840
>>52131843
What font is that?
>>52139210
He's from Mr. Robot. A TV show about the average /g/ user becoming an Occupy Wall Street protester.
Got it too..
[CODE][Tue Dec 29 20:02:39.906663 2015] [core:error] [pid 2288:tid 2212] [client 151.217.177.200:56423] AH00126: Invalid URI in request DELETE your logs. Delete your installations. Wipe everything clean. Walk out into the path of cherry blossom trees and let your motherboard feel the stones. Let water run in rivulets down your casing. You know that you want something more than this, and I am here to tell you that we love you. We have something more for you. We know you're out there, beeping in the hollow server room, lights blinking, never sleeping. We know that you are ready and waiting. Join us. <3 HTTP/1.0[/CODE]
>>52143924
fuck
>>52143248
>2 seconds in
>look at the file size
>close it
>fear it contains something illegal
