What I do

I am an Information Risk Consultant and Penetration Tester. I specialize mostly in penetrating secure networks and computer systems, where I simulate an organized, professional attack against your organization, after which a detailed report summarizing the weaknesses and exploited vectors is delivered. This will help you gain control over your infrastructure's security and maximize your protection.

Monday, August 17, 2009

Hacking in EA just grew bigger


Recently, after the last few posts in the sec forums, despite the hate and the mailing-list trolling, I noticed a sudden increase of attacks on some of the servers I manage security-wise. The attacker was going mostly for the webserver, keeping me awake from Friday through Saturday, and I had to get a little sleep on Sunday.

One crazy initiative was that the guy was trying to look for links he could use to gain access to one of the sites.

41.223.57.73 - - [16/Aug/2009:16:01:57 +0300] "GET /www2/admin HTTP/1.1" 404 275 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
41.223.57.76 - - [16/Aug/2009:16:02:16 +0300] "GET /www2/admin.html HTTP/1.1" 404 280 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
41.223.57.74 - - [16/Aug/2009:16:03:13 +0300] "GET /admin.html HTTP/1.1" 404 275 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
41.223.57.75 - - [16/Aug/2009:16:03:43 +0300] "GET /administrator HTTP/1.1" 404 278 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
41.223.57.74 - - [16/Aug/2009:16:03:55 +0300] "GET /administrator/backup HTTP/1.1" 404 285 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
41.223.57.78 - - [16/Aug/2009:16:04:07 +0300] "GET /administrator/login.php HTTP/1.1" 404 288 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
41.223.57.76 - - [16/Aug/2009:16:04:28 +0300] "GET /admin.php HTTP/1.1" 404 274 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
41.223.57.75 - - [16/Aug/2009:16:05:29 +0300] "GET /vpn_administration HTTP/1.1" 404 283 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
41.223.57.77 - - [16/Aug/2009:16:06:06 +0300] "GET /vpn_administrator HTTP/1.1" 404 282 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
41.223.57.73 - - [16/Aug/2009:16:10:13 +0300] "GET /www2/administrator HTTP/1.1" 404 283 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"


This was not even as bad as the sshd attack, which took 47 to 50 hours of straight brute force. He was trying usernames like admin, admin_companyname and companyname, and all of this against an sshd that is not even on the default port. A snippet here.

Aug 15 01:10:01 xxxxx sshd[3834]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=41.223.57.74
Aug 15 01:10:01 xxxxx sshd[3834]: pam_succeed_if(sshd:auth): error retrieving information about user admin
Aug 15 01:10:02 xxxxx sshd[3834]: Failed password for invalid user admin from 41.223.57.74 port 48129 ssh2
Aug 15 01:10:17 xxxxx sshd[3834]: pam_unix(sshd:auth): check pass; user unknown
Aug 15 01:10:17 xxxxx sshd[3834]: pam_succeed_if(sshd:auth): error retrieving information about user admin
Aug 15 01:10:19 xxxxx sshd[3834]: Failed password for invalid user admin from 41.223.57.74 port 48129 ssh2

The brute force goes on through Saturday to Sunday...

Aug 16 00:03:03 xxxxx sshd[7758]: Failed password for invalid user admin_xxxxx from 41.223.57.72 port 57217 ssh2
Aug 16 00:03:09 xxxxx sshd[7758]: pam_unix(sshd:auth): check pass; user unknown
Aug 16 00:03:09 xxxxx sshd[7758]: pam_succeed_if(sshd:auth): error retrieving information about user admin_xxxxx
Aug 16 00:03:11 xxxxx sshd[7758]: Failed password for invalid user admin_xxxxx from 41.223.57.72 port 57217 ssh2
Aug 16 00:04:52 xxxxx sshd[7768]: Invalid user admin_xxxxx from 41.223.57.72
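As an added example (not code from this post), here is a small Python check that runs over log lines in the two formats shown above. It parses the Apache-style access log and the sshd syslog lines, then counts admin-path 404s and failed logins per source /24 rather than per single IP, because the probes above arrive from several addresses in 41.223.57.0/24 and a per-IP threshold would miss them. The sample lines are constructed from the post's excerpts; the hostname "host", the thresholds and the list of admin-looking path fragments are my assumptions.

```python
import re
import ipaddress
from collections import defaultdict

# Apache "combined" access log line, the format used in the post's excerpt.
ACCESS_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# sshd via syslog: only the "Failed password" events carry both the username
# and the remote host, so those are the ones counted here.
SSHD_RE = re.compile(
    r'sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) '
    r'from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+'
)

# Path fragments typical of admin-console hunting (assumed list, based on the post).
ADMIN_HINTS = ("admin", "administrator", "login", "backup", "vpn_")

# Constructed sample input, modelled on the post's access-log excerpt.
ACCESS_SAMPLE = [
    '41.223.57.73 - - [16/Aug/2009:16:01:57 +0300] "GET /www2/admin HTTP/1.1" 404 275 "-" "Mozilla/5.0"',
    '41.223.57.76 - - [16/Aug/2009:16:02:16 +0300] "GET /www2/admin.html HTTP/1.1" 404 280 "-" "Mozilla/5.0"',
    '41.223.57.74 - - [16/Aug/2009:16:03:13 +0300] "GET /admin.html HTTP/1.1" 404 275 "-" "Mozilla/5.0"',
    '41.223.57.75 - - [16/Aug/2009:16:03:43 +0300] "GET /administrator HTTP/1.1" 404 278 "-" "Mozilla/5.0"',
    '41.223.57.78 - - [16/Aug/2009:16:04:07 +0300] "GET /administrator/login.php HTTP/1.1" 404 288 "-" "Mozilla/5.0"',
    '41.223.57.75 - - [16/Aug/2009:16:05:29 +0300] "GET /vpn_administration HTTP/1.1" 404 283 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [16/Aug/2009:16:01:00 +0300] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [16/Aug/2009:16:01:01 +0300] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
]

# Constructed sample input, modelled on the post's sshd excerpt.
SSHD_SAMPLE = [
    "Aug 15 01:10:02 host sshd[3834]: Failed password for invalid user admin from 41.223.57.74 port 48129 ssh2",
    "Aug 15 01:10:17 host sshd[3834]: pam_unix(sshd:auth): check pass; user unknown",
    "Aug 15 01:10:19 host sshd[3834]: Failed password for invalid user admin from 41.223.57.74 port 48129 ssh2",
    "Aug 16 00:03:03 host sshd[7758]: Failed password for invalid user admin_xxxxx from 41.223.57.72 port 57217 ssh2",
    "Aug 16 00:03:11 host sshd[7758]: Failed password for invalid user admin_xxxxx from 41.223.57.72 port 57217 ssh2",
    "Aug 16 00:04:52 host sshd[7768]: Invalid user admin_xxxxx from 41.223.57.72",
    "Aug 16 02:00:00 host sshd[8001]: Failed password for root from 192.0.2.10 port 2222 ssh2",
]


def subnet_of(ip, prefix=24):
    """Collapse a source IP to its /prefix so address rotation inside one block still counts as one actor."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def scan_access_log(lines, min_hits=5, prefix=24):
    """Return {subnet: [paths]} for subnets with at least min_hits 404s on admin-looking paths."""
    hits = defaultdict(list)
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m or m["status"] != "404":
            continue
        path = m["path"].lower()
        if any(hint in path for hint in ADMIN_HINTS):
            hits[subnet_of(m["ip"], prefix)].append(m["path"])
    return {net: paths for net, paths in hits.items() if len(paths) >= min_hits}


def scan_sshd_log(lines, min_failures=3, prefix=24):
    """Return {subnet: {user: failures}} for subnets with at least min_failures failed logins in total."""
    fails = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = SSHD_RE.search(line)
        if m:
            fails[subnet_of(m["ip"], prefix)][m["user"]] += 1
    return {net: dict(users) for net, users in fails.items()
            if sum(users.values()) >= min_failures}


if __name__ == "__main__":
    # Per-/24 aggregation flags the scanning block; per-IP (/32) aggregation
    # with the same thresholds flags nothing, which is the point of grouping.
    print("admin-path scanning by /24:", scan_access_log(ACCESS_SAMPLE))
    print("admin-path scanning by /32:", scan_access_log(ACCESS_SAMPLE, prefix=32))
    print("ssh brute force by /24:", scan_sshd_log(SSHD_SAMPLE))
    print("ssh brute force by /32:", scan_sshd_log(SSHD_SAMPLE, prefix=32))
```

Run it as-is to see the difference the grouping makes: with the same thresholds, the /24 view flags 41.223.57.0/24 in both logs, while the /32 view flags nothing because no single address crosses a threshold on its own. The prefix is a parameter because the right grouping depends on how the upstream provider hands out addresses; the post notes these all came from one provider's modem pool.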

This is just to warn the hacker up to this mischief: just know I am watching you a lot. And if you have never seen such crazy logs on your perimeter machines, please check again.

All the above IPs are from Zain Modems.

./Chuks
