masspoem4u

Chaos Communication Congress Hackers Invaded Millions of Servers With a Poem

"We attempted connections to the entire public IPv4 space (excluding private/reserved ranges and other blocks excluded in the default masscan exclude list), meaning that we reached out to almost 4 billion servers (though many of these packets may have been filtered by a firewall before reaching their intended destination)," Masspoem4u said.

The actual number of systems reached would be lower. "There appear to be approximately 55 million servers open to connections on port 80 (the standard port for HTTP)," the group continued -- these servers could have recognised the communication being sent. Of those, around 30 million returned "non-empty responses" and therefore "would be likely to have logged our poem."

I got two of them, but only on home.mcom.com and mosaic.mcom.com: they didn't probe jwz.org or dnalounge.com or any of my other domains. Should I feel snubbed?

151.217.177.200 - - [29/Dec/2015:17:28:51 -0800] "DELETE your logs. Delete your installations. Wipe everything clean. Walk out into the path of cherry blossom trees and let your motherboard feel the stones. Let water run in rivulets down your casing. You know that you want something more than this, and I am here to tell you that we love you. We have something more for you. We know you're out there, beeping in the hollow server room, lights blinking, never sleeping. We know that you are ready and waiting. Join us. <3 HTTP/1.0" 400 2593 "-" "masspoem4u/1.0"
151.217.177.200 - - [29/Dec/2015:22:05:04 -0800]
[...same...]
Tags: , , ,

7 Responses:

  1. John Adams says:

    Well they seem to like burlesque...

    hubbarevue.com-access.log.1:151.217.177.200 - - [30/Dec/2015:02:54:11 +0000] "DELETE your logs. Delete your installations. Wipe everything clean. Walk out into the path of cherry blossom trees and let your motherboard feel the stones. Let water run in rivulets down your casing. You know that you want something more than this, and I am here to tell you that we love you. We have something more for you. We know you're out there, beeping in the hollow server room, lights blinking, never sleeping. We know that you are ready and waiting. Join us. <3 HTTP/1.0" 400 166 "-" "-" "-" 0.255

  2. Ronald Pottol says:

    Well, if you have multiple domains on one ip, only the default will log the probe, right?

  3. Jeremy Wilson says:

    I got it!

    /var/log/httpd/access_log-20160103:151.217.177.200 - - [29/Dec/2015:22:20:22 -0500] "DELETE your logs. Delete your installations. Wipe everything clean. Walk out into the path of cherry blossom trees and let your motherboard feel the stones. Let water run in rivulets down your casing. You know that you want something more than this, and I am here to tell you that we love you. We have something more for you. We know you're out there, beeping in the hollow server room, lights blinking, never sleeping. We know that you are ready and waiting. Join us. <3 HTTP/1.0" 400 317 "-" "masspoem4u/1.0"

  4. dzm says:

    Evidently my server helpfully trims all that extra cruft from the request:

    151.217.177.200 - - [29/Dec/2015:19:27:28 -0800] "DELETE y" 400 147 "-" "-" -