“The internet is ours, and it is adorable,” said hackers going by the name of masspoem4u who managed to insert a poem into millions of web servers’ logs shortly before the new year.
The poem spelled out a loving invitation to soggy existential doom, but in a very sweet, Zen-like manner.
Here’s how it starts:
DELETE your logs. Delete your installations. Wipe everything clean, Walk out into the path of cherry blossom trees and let your motherboard feel the stones.
The hackers were able to insert the message because the poem is actually an HTTP request – a command in the language used by web browsers to browse the web.
Web servers are generally configured to record the commands they receive and in this case, as far as the servers were concerned, they got a command asking them to DELETE a very long URL (the URL is everything from your logs… onwards).
According to Motherboard’s Joseph Cox, who managed to communicate over encrypted email with whomever’s behind the stunt, masspoem4u claims that the poem potentially reached tens of millions of machines.
Its origination was an IP address associated with the 32nd Chaos Communication Congress, an annual arts, politics and security festival held in Hamburg, Germany.
I woke up this morning and found this lovely message from a CCC IP address in my server logs. pic.twitter.com/ceHJS1MqGb
— Nex ~ Claudio (@botherder) December 30, 2015
masspoem4u reportedly showered the public internet with the poem as the poet jinksters tried to hit all possible IP addresses.
Motherboard quotes masspoem4u:
One of our goals was to place something beautiful in an unexpected place, nestling a little poetic message amongst repetitive server access logs. We were very happy to hear that many people got a smile out of it!
The poem continues:
Let water run in rivulets down your casing. You know that you want something more than this, and I am here to tell you that we love you. We have something more for you.
We know you're out there, beeping in the hollow server room, lights blinking, never sleeping.
We know that you are ready and waiting. Join us.
Masspoem4u credited the Chaos Computer Congress’s NOC (network operations centre) team for “providing such great connectivity” for the mass, bandwidth-intensive prank and for “encouraging playful experimentation.”
They told Motherboard that they’re long-time fans, first-time participants of the Congress this year.
To flood the internet with the poem, masspoem4u used a tool called “masscan” that one of its creators, Robert Graham, demonstrated at Defcon in 2014.
Masscan is a TCP port scanner that can scan the entire internet in under 5 minutes.
According to Motherboard, Graham suggested including a friendly message along with scans, to prevent spooking system administrators with what might look like a malicious attack.
Masspoem4u’s friendly message was the poem. They would have made it even more cuddly if possible, they told Motherboard:
If we could have covered our message in cute animal stickers, we probably would have, but sadly the HTTP standard does not support this feature.
All these “tiny postcards flying across the net,” without the benefit of centralized services such as Twitter, are one example of why the internet should be “free and decentralized,” the hackers said.
We laughed, but we wouldn’t be doing our job if we didn’t do some finger wagging too because this particular “tiny postcard” was delivered on the back of a DELETE command and that got us tutting.
The senders would have known that most servers wouldn’t honour a DELETE command and any that did would only go as far as trying to delete a file with a name that matched the entire contents of their poem.
Assuming the servers that received the postcards were all correctly configured (and that’s a big assumption if you’re trying to talk to many millions of servers) there’s no harm done.
It is extremely unlikely that this particular DELETE command would have done any damage at all but it’s still a misuse of a potentially destructive operation.
We suggest you don’t GET, POST, PUT or DELETE unless you mean it.
Keith
I’m conflicted by this. I think it’s amusing but I don’t think people should be sending random commands to millions of servers. I liked the poem but I really hate it when my log files have stuff in them that shouldn’t be there.
Paul Ducklin
+1.
I laughed (OL, if the truth be told) but then I stopped myself for a moment and figured, “This is definitely an unacceptable joke.” As far as I can see, they issued HTTP/1.0 requests, and HTTP 1.0 doesn’t have DELETE, so this *ought* to be harmless and safe. But DELETE means, well, delete, and that’s that.
It feels as much like a “joke” as dry-firing a revolver at your friend’s cat to freak them out, knowing that it’s not loaded (the weapon, not the cat), and then expecting them to enjoy the relief they feel when the hammer drops on an empty.
David Pottage
I disagree. I think that this joke is basically harmless
If you are running a web server that will go wrong just from getting a DELETE command for a non existent resource then you have MUCH bigger problems.
For the rest of us, who have reasonably well configured servers, the only way this sort of thing could cause even a minor problem, is if the volume of requests is so high that it becomes a DDOS, but no one is suggesting that masspoem4u did that.
Mark Stockley
Anyone with a web server that misbehaves in that way has serious questions to answer but I don’t buy the argument that says if you poke a system and it breaks that it’s all the fault of the system owner.
Did the poets need to do this? And assuming they had a good reason to, did they need to do it with DELETE, a command that’s inherently, intentionally, destructive in a way that say, GET, is not?
Paul Ducklin
I think you could have used the word “idempotent” in your comment :-)
Paul Ducklin
We put quite a bit of effort into trying to advise newcomers to the security research scene not to mess around with other people’s stuff without permission, no matter how {mild, lighthearted, well-intentioned, droll, insert-self-justification-of-choice here} their actions might be.
My logs aren’t there for your comedic urges, and you know that. You aren’t authorised to delete files on my server by name, and you know that. And because you know it, I shouldn’t have to ask you not to do it.
So, yes, it’s basically harmless, but it sets a poor standard…the best place for self-indulgence is your *own* logfile, not everyone else’s. (Though, as I said, I did laugh. At first.)
Steve
Indeed. All in all, it was a tremendous waste of resources.
Josh
The people that did this literally didn’t have better things to do at the time. They were essentially “playing” in their spare time. You may go to comic con and get a picture taken with someone, these people go to Chaos Computer Congress and send a message to a few million computers.
it all depends on your definition of “Fun”.
So in the end no resources wasted just people having fun.
Paul Ducklin
There’s a bit of a difference – taking selfies with other people at Comic Con (or anywhere else) is consensual and one-at-a-time. Log-slamming 10,000,000 servers is a bit more like walking systematically through a convention sticking your camera in everyone’s faces in turn and taking photos…I reckon you would find yourself “talking to security” pretty quickly.