Then a few hours pass. I log back into the server to check how the program is doing and re-attach to the screen session.
And then, in the middle of the screen, there is the text "We have logged in as Sprucecap #2384".
Now, I have made a Discord bot called Sprucecap, which sends a message whenever devs post an announcement on a forum. And in Discord there is an additional number tag for each user, so that name is basically the bot's name.
Still in tinfoil hat mode from setting up the network connections and upgrading packages, my brain quickly interprets the text as some hacker's message, that he has now logged into my bot account and gained control of my system. Which seemed like the most reasonable explanation, because it's not possible to have such text appear in the middle of your screen session from nowhere, right? And it's not like I would have made such a setup in the past.
I decided to forcibly shut down the server from the console and pull the plug on all of my computers, including my modem. As I couldn't recall what kinds of things I had installed on the server over time, maybe there was a way to break into my other computers as well.
I then dug out my laptop, which had been shut down and was surely not infected (yet), connected to my phone's Wi-Fi and started going over all my accounts, squatting Slavic style with the laptop in front of me on a stool: GitLab, Google APIs, all the systems where I may have put my SSH keys or generated some access tokens, as they would all surely be lost by now. I also wondered why any hacker would do such a thing. "We have logged into your Discord bot", what a stupid thing to say when you have such a juicy target! But I couldn't come up with any alternative explanations, so that had to be it.
I spent the next few hours going over logs and files in rescue mode, trying to find traces, but couldn't find any at all. Maybe the hacker was some genius who hid all his traces; it's possible to do, after all. I regret that I had not really prepared for such a thing before; I didn't have many ideas about where I should even look. Maybe he just used some other program to get access, like the suspicious one which I had just installed, so there wouldn't be any logs that he'd even have to remove.
After many hours of desperation I finally started doing the thing that one perhaps should've done in the first place: grepping files for the word "Sprucecap". Maybe there was some script that left the message for me, or some log somewhere. I only found some crontab logs of the sprucecap bot itself. However, soon I tried other combinations such as "We have logged in", and then I found it.
Discord messages sent by webhook are not announced, so I made a bot that announces all the messages sent into the announcement channel by the webhook. For some reason, the bot is started in a screen session, and it then prints this "We have logged in as (user)" text. So I wrote the threatening message myself a few months back and then forgot about it. No hacker exists, other than the genius past me, of course, writing such debug messages into screen.
It's a bit over 5 am now. I think I'm going to go to sleep now.
Tomorrow I will reinstall everything everywhere and make sure that I'm confident enough to not have to resort to doing something like this the next time I forget what kinds of threatening scripts I set up in the past.