The password cracker script kiddies can't resist my picnic basket...
Today an attacker with a SSH brute force script accidentally "showed his hand" by connecting to my honeypot from his own system shortly after stopping his scan from his compromised system.
Unlike my previous, um, visitor, this attacker seems to have very few tricks up his sleeve. He attempted to upload something to my honeypot through sftp. Unsuccessful, he abandoned his attempts.
Today's "guest" is from Romania, and seems to prefer to scan using compromised systems in Germany to prevent his IP from being immediately reported for conducting port scans.
Much like other attackers, he shows that he is using his Windows system through the client version string "PuTTY-Release-0.53b".
A notification email has been sent to both ISPs to report the attacker, as well as his compromised system being used for scanning.
Original Log: Kippo-Mon 10172011.log
▼
A look at the various advance fee fraud methods...
As part of my continuing "To Catch a Scammer" project, I've decided to begin analyzing various advance fee frauds.
Covered in this post:
Lottery/Contest Scam
Money Laundering Scam
Inheritance Donation Scam
Covered in this post:
Lottery/Contest Scam
Money Laundering Scam
Inheritance Donation Scam
Mystery Malware Examined
In a previous post, I looked inside a hacker's toolkit, and found two "mystery files", "i" and "f".
Analysis of these files has revealed that these files were both Linux executables.
In addition to forwarding these files to AV vendors, I am analyzing these files myself.
Using decompile-it.com, I was able to retrieve source code for "i", and limited source for "f".
Analysis of these files has revealed that these files were both Linux executables.
In addition to forwarding these files to AV vendors, I am analyzing these files myself.
Using decompile-it.com, I was able to retrieve source code for "i", and limited source for "f".
Netscape 8? Really?
I was browsing my demographics for target audience, and was VERY shocked by seeing Netscape 8 as one of the browsers someone was using to read this security blog.
The last update for Netscape 8 was in 2007...
I hate to imagine how many vulnerabilities that browser has. I counted over 20 unpatched vulnerabilities at the SecurityFocus Vulnerability Database
If you're the person visiting my blog using Netscape...please...upgrade.
The last update for Netscape 8 was in 2007...
I hate to imagine how many vulnerabilities that browser has. I counted over 20 unpatched vulnerabilities at the SecurityFocus Vulnerability Database
If you're the person visiting my blog using Netscape...please...upgrade.
What's in a hacker's toolkit?
An attacker recently gained access to my honeypot, and began uploading hack tools using wget.
While his hack tools did not actually infect anything, I retained a copy for evaluation, and even gained access to his FTP server which contained all of his tools.
The available tools in this attacker's bag of tricks is quite interesting.
While his hack tools did not actually infect anything, I retained a copy for evaluation, and even gained access to his FTP server which contained all of his tools.
The available tools in this attacker's bag of tricks is quite interesting.
A look at a simple SSH probe and password crack
Here's an annotated look at how an attacker using a SSH password cracker compromises servers.
First the attacker probes to see if SSH is accepting connections. Most likely the scanner also attempted to fingerprint the IP address to identify the operating system. This is most likely an automated process on a compromised system.
2011-10-05 05:08:56-0400 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 221.176.11.13:35868 (192.168.1.165:22) [session: 0]
2011-10-05 05:08:56-0400 [HoneyPotTransport,0,221.176.11.13] connection lost
Next the attacker begins attempting to crack the SSH password for the root user. Once again these attempts are automated, and use a cracking tool which is based upon SSH-2.0-libssh-0.11.
Flash Drives: Helping Spread Malware since Y2K
Flash drives are an ever growing threat in the computer industry. They are quickly becoming one of the most targeted infection methods for malware.
Does your organization have a policy to address the vulnerabilities associated with USB Flash Drives?
In this case, Dilbert says it best.
See Also: ENISA USB Flash Drive Whitepaper hosted by Sandisk
Does your organization have a policy to address the vulnerabilities associated with USB Flash Drives?
In this case, Dilbert says it best.
See Also: ENISA USB Flash Drive Whitepaper hosted by Sandisk