<table cellspacing="0" cellpadding="0" border="0" ><tr><td valign="top" style="font: inherit;">hmm.. that's an interesting question, how do you tell an automated/scripted attack/bot from a human at the controls.. I feel a project coming on. ;-)<br><br>well, to give you an old mantra (i forget who said it), it's not the cracker that appears on my logs i'm worried about, it's the ones that don't.<br><br>a classic case of i'm (your) in your servers, checking out your haxzors.<br><br>if it is someone you know, it's rather rude; watch out for those vista users,<br><br><br>--- On <b>Sun, 1/11/09, Kris Davidson <i><davidson.kris@gmail.com></i></b> wrote:<br><blockquote style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;"><br>From: Kris Davidson <davidson.kris@gmail.com><br>Subject: Re: [dundee] Script Kiddie attack: in which our intrepid heroes nearly die
of laughter<br>To: "Sean McRobbie" <lug@seany.us><br>Cc: "Tayside Linux User Group" <dundee@lists.lug.org.uk><br>Date: Sunday, 1 November, 2009, 3:14 PM<br><br><div class="plainMail">Yeah, I mean I assumed a bot or zombie at first, it just didn't really<br>behave like one.<br><br>2009/11/1 Sean McRobbie <<a href="mailto:lug@seany.us">lug@seany.us</a>>:<br>> Kris,<br>><br>> Perhaps his machine was infected and targeting his Outlook/Express contacts? I'm only guessing, as I see hundreds upon thousands of those URLs in my logs, all part of an automated scan - it hits several IPs in our subnets too.<br>><br>> It just seems unlikely anyone on here would be so silly as to do that. If he did, it was a very funny read.<br>><br>> Regards,<br>> Sean McRobbie<br>><br>> ----- Original Message -----<br>> From: "Kris Davidson" <<a ymailto="mailto:davidson.kris@gmail.com"
href="mailto:davidson.kris@gmail.com">davidson.kris@gmail.com</a>><br>> To: "LUG" <<a href="mailto:dundee@lists.lug.org.uk">dundee@lists.lug.org.uk</a>><br>> Sent: Sunday, 1 November, 2009 2:06:07 PM<br>> Subject: [dundee] Script Kiddie attack: in which our intrepid heroes nearly die of laughter<br>><br>> An open letter to the guy from Perth on 92.238.142.83, running Windows<br>> Vista, with Internet Explorer 8, using Media Center 5.0, Google Toolbar<br>> 6, Microsoft-Windows-Security-Licensing, .NET 2.0.50727 and .NET<br>> 3.5.30729 (cheap trick I know, I'm going to stop at this point as I<br>> can't be bothered listing local IP, plugins, resolution, etc)<br>><br>> Hi,<br>><br>> While my VPS gets attacked frequently (5847 port scans with 1293<br>> confirmed attacks from 478 sources for the 30th, and that doesn't include<br>> web-based attacks), it was the sheer ineptitude of your attack, the fact<br>> you're local and the ability of myself and Arron to track you down that<br>> prompted this message - don't worry, I stopped any automatic reporting<br>> and I'm not going to name and shame, just stop dirtying my logs.<br>><br>> It began for me at around 20:45. I was waiting for a download to finish,<br>> listening to some music, then while Johnny Cash stated he would be what<br>> he is, a solitary man, I get an alert. It seems someone was trying to<br>> brute force the business e-mail address Arron uses, either that or he<br>> got the password wrong ten times and triggered an alert.<br>><br>> It turns out it's not Arron. I do some checking; it seems the attacker<br>> started doing some recon at 20:09, and he then proceeds to click through my<br>> site and the eight others I host (I conveniently gave these to him, as<br>> using the VPS IP as an
address lists everything I host, but that was by<br>> design). So he's trying to access stuff like:<br>><br>> /w00tw00t.at.ISC.SANS.DFind:)<br>> /pma/scripts/setup.php<br>> /phpmyadmin/scripts/setup.php<br>> /roundcube/<br>> /squrrelmail/<br>><br>> some other stuff and various variations. He gets bored and starts<br>> reading my CV; now he must be fascinated by it, as nothing else happens<br>> for a while; perhaps he's checking to see if I've hidden some user<br>> details in it. When his attacks resume he tries to do some spamming with<br>> a contact script, no success, I mean he manages to send an e-mail to the<br>> contact address but, um... well, the script is designed to do that, still<br>> he made some progress.<br>><br>> So in a last-ditch attempt he tries to brute force the e-mail; he gives<br>> up pretty quickly - I'm guessing he was probably using the most common<br>> passwords as mentioned in that Hackers movie. Then I have an idea, I<br>> check the Linux society logs (site's dead but it's good for something) and<br>> I'm 80-90% certain I've worked out who it is. I compile my findings and<br>> finish as Bob Dylan asks 'who killed Davey Moore?'. The next day I check<br>> with Arron, confirm a few things and he agrees.<br>><br>> I was going to rip into the attacker, his logic, assumptions and<br>> methodology but, well, I'm lazy.<br>><br>> PROTIP: Don't try to attack someone you know, from your own connection<br>> using Vista.<br>><br>> Kris<br>><br>> _______________________________________________<br>> dundee GNU/Linux Users Group mailing list<br>> <a href="mailto:dundee@lists.lug.org.uk">dundee@lists.lug.org.uk</a> <a href="http://dundeelug.org.uk" target="_blank">http://dundeelug.org.uk</a><br>> <a
href="https://mailman.lug.org.uk/mailman/listinfo/dundee" target="_blank">https://mailman.lug.org.uk/mailman/listinfo/dundee</a><br>> Chat on IRC, #tlug on irc.lug.org.uk<br>><br></div></blockquote></td></tr></table><br>
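The question the reply at the top opens with, bot or human at the controls, can largely be answered from the web log alone. As an added example (not code from anyone in the thread), here is a small Python classifier over constructed Apache-style log lines: it counts hits on the scanner-signature paths Kris listed, and uses the spacing between requests to separate a scripted burst from someone clicking through a site. The thresholds, the sample addresses and the log format are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Probe paths quoted in the log excerpt above (DFind banner, phpMyAdmin and
# webmail setup-script guesses); real scanner lists are far longer.
PROBE_PATHS = {"/w00tw00t.at.ISC.SANS.DFind:)", "/pma/scripts/setup.php",
               "/phpmyadmin/scripts/setup.php", "/roundcube/", "/squrrelmail/"}
# Apache combined-log prefix: client ident user [timestamp] "request" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    # Returns (ip, datetime, path, status), or None for a line we cannot read.
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))

def classify_sources(lines, burst_seconds=1.0, probe_threshold=2, min_requests=5):
    # Per client IP: count signature probes and the shortest gap between
    # consecutive requests, then label the client scanner/automated/human-like.
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec[0]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r[1])
        probes = sum(1 for r in recs if r[2] in PROBE_PATHS)
        gaps = [(b[1] - a[1]).total_seconds() for a, b in zip(recs, recs[1:])]
        min_gap = min(gaps) if gaps else None
        if probes >= probe_threshold:
            verdict = "scanner"      # asks for install scripts, not site content
        elif len(recs) >= min_requests and min_gap is not None and min_gap < burst_seconds:
            verdict = "automated"    # a burst faster than anyone can click
        else:
            verdict = "human-like"   # seconds to minutes between page loads
        report[ip] = {"requests": len(recs), "probes": probes, "min_gap": min_gap, "verdict": verdict}
    return report

# Constructed sample log (RFC 5737 test addresses), not taken from the page.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Nov/2009:20:09:01 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226
198.51.100.7 - - [01/Nov/2009:20:09:01 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 312
198.51.100.7 - - [01/Nov/2009:20:09:02 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 312
203.0.113.5 - - [01/Nov/2009:20:45:10 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.5 - - [01/Nov/2009:20:45:38 +0000] "GET /cv.html HTTP/1.1" 200 8840
""".splitlines()
```

A repeated contact-form POST from one address inside a second, like the spamming attempt in the letter, lands in the "automated" bucket even though none of its paths is a known probe.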