
Thread: Under Attack! Uber 1337, (bored?), skiddie..

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    Under Attack! Uber 1337, (bored?), skiddie..

    Excuse me while I pick myself up off the floor and stop laughing........

    I was just about to go to lunch when I glimpsed at my real time IDS display to find some 600 events in the past few minutes, (I normally show < 100/hour). Looking a bit harder I see they are all attempts to connect to my FTP server.... I connect to the server and look at the connections... They are just flashing by..... I took a quick look at the logs and started to giggle..... Some skiddie was attempting to brute force a username/password combo..... A quick look at the usernames he was trying, I burst out laughing and went to lunch.... Which was a bad idea..... I should have put a packet dump on it too so I could see the passwords he was trying. I came back from lunch to find the silly bastige still trying......

    He finally gave up but I thought some people might be interested in the "results".....

    The "attack" lasted 2:12:04, (4324 seconds), during which time my friend had 10746 "cracks" at the server, (2.4 per second).

    Now he wasn't entirely without resources. The attacks came simultaneously from nine IPs. I won't divulge the IPs themselves because these are clearly hacked boxes but the domains were as follows:-

    w81-51.abo.wanadoo.fr
    dclient.hispeed.ch
    speed.planet.nl
    w80-13.abo.wanadoo.fr
    bb.netvision.net.il
    dip.t-dialin.net
    cust.bluewin.ch
    wp.shawcable.net
    w80-13.abo.wanadoo.fr

    S/He attempted brute forcing the following list of usernames:-

    ftp
    anonymous
    anonymous@ftp.microsoft.com:21
    root
    admin
    demo
    anonymous@ftp.microsoft.com 21
    test
    guest
    webmaster
    web
    www
    server
    data
    account
    backup
    access
    sysadm
    sysadmin
    manager
    Administrator
    Administrador
    Amministratore
    Administrateur
    Administratör
    Beheerder

    The log file itself is a little large, like 2 meg, but going through it this was a tool that he manually sets off. The different IPs would rotate these names and three or four IPs would be firing at once. When they reached the end of their run they would reappear a short time later trying a different name. It seems like he points the tool at an IP, gives it a short dictionary of popular passwords, (that's why I wished I wasn't laughing so hard and had thought to put Ethereal on it..... ), and then gives it a username to run the passwords against. As each run finished he would check the results, recycle the attack with a different username and unleash it again.

    I don't think he did a lot of recon, (but I will be digging through the logs a bit more if he comes back), because he would clearly have seen I was in the USA so trying the logins at the bottom of the list indicates he either didn't know where I was or that he was getting a little frustrated.....

    What makes me laugh though is his "stealthy" approach..... He might as well have called me to tell me what he was doing.... And how bored was he to sit there for over two hours trying to break my ftp server????

    Interestingly enough, it started just after European schoolkids would have got home from school......

    Does anyone think I should worry?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

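Added example (not part of the original thread): one way to pick the pattern described in post #1 out of FTP login failures, that is, several sources each running a password list against one username and then rotating to the next. The log format, addresses, thresholds and function names are constructed assumptions, not taken from the poster's server.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample. Hypothetical format: "<ISO time> <source> USER <name> <reply>"
# where reply 530 = login failed and 230 = login succeeded.
SAMPLE_LOG = """\
2000-01-01T12:00:00 192.0.2.10 USER root 530
2000-01-01T12:00:00 198.51.100.7 USER admin 530
2000-01-01T12:00:01 192.0.2.10 USER root 530
2000-01-01T12:00:01 198.51.100.7 USER admin 530
2000-01-01T12:00:02 192.0.2.10 USER root 530
2000-01-01T12:00:02 198.51.100.7 USER admin 530
2000-01-01T12:00:03 203.0.113.5 USER alice 530
2000-01-01T12:00:04 203.0.113.5 USER alice 230
2000-01-01T12:00:05 192.0.2.10 USER admin 530
2000-01-01T12:00:05 198.51.100.7 USER Beheerder 530
2000-01-01T12:00:06 192.0.2.10 USER admin 530
2000-01-01T12:00:06 198.51.100.7 USER Beheerder 530
"""

def parse(log):
    """Yield (time, source, username, reply_code) for each five-field USER line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2] == "USER" and parts[4].isdigit():
            yield datetime.fromisoformat(parts[0]), parts[1], parts[3], int(parts[4])

def find_campaign(log, min_failures=3, min_sources=2):
    """Group noisy sources that hit the same usernames into one campaign."""
    fails = defaultdict(list)                 # source -> [(time, username)]
    for ts, src, user, code in parse(log):
        if code == 530:
            fails[src].append((ts, user))
    # A single typo is normal; only sources with repeated failures count.
    noisy = {s: ev for s, ev in fails.items() if len(ev) >= min_failures}
    by_user = defaultdict(set)                # username -> noisy sources trying it
    for src, events in noisy.items():
        for _, user in events:
            by_user[user].add(src)
    # The same username hammered from several sources suggests one operator.
    linked = [srcs for srcs in by_user.values() if len(srcs) >= min_sources]
    sources = set().union(*linked)
    if not sources:
        return None
    events = [e for s in sources for e in noisy[s]]
    span = (max(t for t, _ in events) - min(t for t, _ in events)).total_seconds()
    return {"sources": sorted(sources),
            "usernames": sorted({u for _, u in events}),
            "attempts": len(events),
            "rate_per_sec": round(len(events) / span, 2) if span else None}
```

The source that mistypes once and then logs in successfully stays out of the result; only sources with repeated failures that share a target username are grouped.
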
  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Beheerder
    WTF is a beheerder? Someone who herds bees? Sounds like he found the "ultimate" hacking tool and is playing with it. Why not file a complaint with one of his ISPs and see if that scares him to stop?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    beheerder is Dutch for administrator

  4. #4
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Ah... So admins in the Netherlands herd bees eh?? Weirdos..
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  5. #5
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867


    Originally posted here by Tiger Shark
    Does anyone think I should worry?
    Be afraid, be very afraid.

    I get scanned & IIS attempts from "abo.wanadoo.fr" almost daily, but this takes the cake.

    Cheers:
    DjM

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I HAVE FINALLY MADE IT!!!!!!!!

    WTF is a beheerder
    I knew something Ms. M. doesn't......

    Ms. M: I agree with you about the Weirdos bit though..... Those Dutch and Belgians are all a little odd......

    Mathgirl's Slave: LOL.... Love it.... I think I'd rather be her slave than a supreme being....

    DjM: Yeah I see a lot too but tomorrow's compiled logs are going to be out of this world....LOL
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #7
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    No offense to MathGirl but I wouldn't want to be her slave. Maybe my SO's...
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  8. #8
    () \/V |\| 3 |) |3\/ |\|3G47|\/3
    Join Date
    Sep 2002
    Posts
    744
    Come on MsMittens...

    Go Finland!
    Deviant Gallery

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    No offense to MathGirl but I wouldn't want to be her slave
    Yeah, I can see that since I'm pretty sure there is a gender difference between the two of us that might make being Mathgirl's slave all too uncomfortable for you.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  10. #10
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Oh LMAO!!!!! Everybody is here and watching, how funny.

    Anyway, I wouldn't mind being MG32 slave but since the position is already filled (no pun intended, Neg.) I'll digress to the point.

    TS, I've seen almost exactly this type of attack except it was from down south.... Computadora seems to be a generic anon. login for down there. Anyway I just contacted the ISP and hounded them once a week until finally they did something about it. I'm sure you'll get a better response from the Belgians and Dutch but I'd stay on their collective butt too, you and I both know how they can drag their feet...
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson
