Tuesday, June 25, 2013


Quite an interesting thing I learned about hummingbirds. If you don't move, they don't register you much. It is amazing to have them one foot away or less. The turbo propeller sound from the wings is quite something. I should take more pics with a better camera next time. It is nice of them to let me get that close with my phone.

Monday, June 24, 2013

Now I know who ate my roses

Found these two beasts at 3am in my yard.

Well Said (on function and design)

"Design matters because function alone is not enough" (c) Pomme Chan

Extraction from Computer Arts Magazine (Issue #213)

Bellroy. I am so buying that wallet.

I usually click on ads only by accident. However, I couldn't help myself, made an exception and clicked on a nicely drawn banner. It turned out to be an online store that sells wallets: http://bellroy.com. Just recently I read an interesting article in the Computer Arts magazine about the Design and Advertisement fields not aligning nicely together. Yet, Bellroy seems to be getting it all right. It is a good lesson not only on how to slim your wallet but on how to make a great looking online store.

Tuesday, June 18, 2013

Interesting EC2 AWS security incident

Today I got a forwarded message from the EC2 Abuse Dept:

"Dear Amazon EC2 Customer,

We've received a report that your instance(s):

Instance Id: i-exxxxx
IP Address: 174.xxxxxx

has been port scanning remote hosts on the Internet; check the information provided below by the abuse reporter.

This is specifically forbidden in our User Agreement: http://aws.amazon.com/agreement/

Please immediately restrict the flow of traffic from your instances(s) to cease disruption to other networks and reply this email to send your reply of action to the original abuse reporter. This will activate a flag in our ticketing system, letting us know that you have acknowledged receipt of this email."... etc etc

I have to admit that for a second it did feel like some sort of an "oops" moment. However, thinking a bit more about it I said "Naaaah" but went on to check what is going on with that VM.

Logged in as root, quickly checked history, nothing. lsof -i... oh I see it:

xmit64 3276 root 1407u IPv4 10785708 0t0 UDP ip-10-xx-xx-xx.ec2.internal:60980
xmit64 3276 root 1408u IPv4 10785709 0t0 UDP ip-10-xx-xx-xx.ec2.internal:42197-
xmit64 3276 root 1409u IPv4 10785766 0t0 UDP ip-10-xx-xx-xx.ec2.internal:55691->
xmit64 3276 root 1410u IPv4 10785767 0t0 UDP ip-10-xx-xx-xx.ec2.internal:44663->
xmit64 3276 root 1411u IPv4 10785776 0t0 UDP ip-10-xx-xx-xx.ec2.internal:36846->

and many many many more of these.

Happy lucky xmit64 is sitting in /bin and streaming away to an IP in China

kill -9. I am tempted to disassemble this little binary friend but what is the point really? What is kind of upsetting is that it is eerily quiet in the logs. Not that it is difficult to clean up after getting to the machine and doing something, but it just doesn't look like it, too clean and too quiet. It is all crickets and spider web. Only two people used that machine, rarely, so there is not much to look through.

So how did xmit64 get to /bin? If the file wasn't (s)FTP-ed there, what is an alternative way for it to get into the file system? Hmmm, makes you think really.
Not to fail to mention that the only thing running on that instance was Tomcat, no php, not much shaky stuff.

I emailed the EC2 Dept all I could dig out. I am kind of curious to hear what they say. I do hope they follow up at some point.

06/24/2013 Update: No response from Amazon. Killed the instance with a :sigh:
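
The `lsof -i` check from the post above, turned into a repeatable triage step: group sockets by process and flag any process holding an unusual number of UDP sockets. This is an added example, not code from the original post; the sample lines are constructed in the column layout shown above, and the addresses, the other process names and the threshold of 4 are assumptions.

```python
from collections import defaultdict

# Constructed sample in the `lsof -i` column layout shown in the post; the
# 10.0.0.5 and 203.0.113.9 addresses are placeholders, not values from the page.
SAMPLE = """\
COMMAND  PID   USER   FD  TYPE   DEVICE SIZE/OFF NODE NAME
sshd    1201   root   3u  IPv4    10432      0t0  TCP *:22 (LISTEN)
java    2210 tomcat  45u  IPv4    20311      0t0  TCP *:8080 (LISTEN)
ntpd    1377    ntp  16u  IPv4    11002      0t0  UDP *:123
xmit64  3276   root 1407u IPv4 10785708      0t0  UDP 10.0.0.5:60980->203.0.113.9:80
xmit64  3276   root 1408u IPv4 10785709      0t0  UDP 10.0.0.5:42197->203.0.113.9:80
xmit64  3276   root 1409u IPv4 10785766      0t0  UDP 10.0.0.5:55691->203.0.113.9:80
xmit64  3276   root 1410u IPv4 10785767      0t0  UDP 10.0.0.5:44663->203.0.113.9:80
xmit64  3276   root 1411u IPv4 10785776      0t0  UDP 10.0.0.5:36846->203.0.113.9:80
"""


def parse_lsof(text):
    """Yield (command, pid, user, proto, name) for each socket line."""
    for line in text.splitlines():
        fields = line.split(None, 8)  # NAME may contain spaces, e.g. "(LISTEN)"
        if len(fields) < 9 or fields[0] == "COMMAND":
            continue  # skip the header and truncated lines
        command, pid, user, _fd, _type, _dev, _off, proto, name = fields
        yield command, int(pid), user, proto, name


def udp_fanout(text, threshold=4):
    """Return processes holding at least `threshold` UDP sockets, busiest first."""
    sockets = defaultdict(int)
    remotes = defaultdict(set)
    for command, pid, user, proto, name in parse_lsof(text):
        if proto != "UDP":
            continue
        key = (command, pid, user)
        sockets[key] += 1
        if "->" in name:  # connected socket: local->remote
            remote = name.split("->", 1)[1].split()[0]
            remotes[key].add(remote.rsplit(":", 1)[0])  # drop the port
    flagged = [
        {"command": c, "pid": p, "user": u, "udp_sockets": n,
         "remote_hosts": sorted(remotes[(c, p, u)])}
        for (c, p, u), n in sockets.items() if n >= threshold
    ]
    return sorted(flagged, key=lambda r: r["udp_sockets"], reverse=True)


if __name__ == "__main__":
    for row in udp_fanout(SAMPLE):
        print(row)
```

On a live host, feed it the output of `lsof -i -n -P` so that names and ports stay numeric and the parsing is unambiguous.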