[dundee] Script Kiddie attack: in which our intrepid heroes nearly die of laughter

Sean McRobbie lug at seany.us
Sun Nov 1 14:29:26 UTC 2009


Kris,

Perhaps his machine was infected and targeting his Outlook/Express contacts? I'm only guessing as I see hundreds upon thousands of those URLs in my logs, all part of an automated scan - it hits several IPs in our subnets too.

It just seems unlikely anyone on here would be so silly as to do that. If he did, it was a very funny read.

Regards,
Sean McRobbie

----- Original Message -----
From: "Kris Davidson" <davidson.kris at gmail.com>
To: "LUG" <dundee at lists.lug.org.uk>
Sent: Sunday, 1 November, 2009 2:06:07 PM
Subject: [dundee] Script Kiddie attack: in which our intrepid heroes nearly die of laughter

An open letter to the guy from Perth on 92.238.142.83, running Windows
Vista, with Internet Explorer 8, using Media Center 5.0, Google Toolbar
6, Microsoft-Windows-Security-Licensing, .NET 2.0.50727 and .NET
3.5.30729 (cheap trick I know, I'm going to stop at this point as I
can't be bothered listing local IP, plugins, resolution, etc)

Hi,

While my VPS gets attacked frequently (5847 port scans with 1293
confirmed attacks from 478 sources for the 30th, and that doesn't include
web-based attacks), it was the sheer ineptitude of your attack, the fact
you're local and the ability of myself and Arron to track you down that
prompted this message - don't worry, I stopped any automatic reporting
and I'm not going to name and shame, just stop dirtying my logs.

It began for me at around 20:45. I was waiting for a download to finish,
listening to some music, then while Johnny Cash stated he would be what
he is, a solitary man, I get an alert. It seems someone was trying to
brute force the business e-mail address Arron uses, either that or he
got the password wrong ten times and triggered an alert.

It turns out it's not Arron. I do some checking; it seems the attacker
started doing some recon at 20:09, then proceeded to click through my
site and the eight others I host (I conveniently gave these to him, as
using the VPS IP as an address lists everything I host, but that was by
design). So he's trying to access stuff like:

/w00tw00t.at.ISC.SANS.DFind:)
/pma/scripts/setup.php
/phpmyadmin/scripts/setup.php
/roundcube/
/squrrelmail/

some other stuff and various variations. He gets bored and starts
reading my CV; now he must be fascinated by it, as nothing else happens
for a while - perhaps he's checking to see if I've hidden some user
details in it. When his attacks resume he tries to do some spamming with
a contact script, no success - I mean, he manages to send an e-mail to the
contact address but, um... well, the script is designed to do that. Still,
he made some progress.

So in a last-ditch attempt he tries to brute force the e-mail. He gives
up pretty quickly - I'm guessing he was probably using the most common
passwords as mentioned in that Hackers movie. Then I have an idea: I
check the Linux society logs (site's dead but it's good for something) and
I'm 80-90% certain I've worked out who it is. I compile my findings and
finish as Bob Dylan asks 'Who killed Davey Moore?'. The next day I check
with Arron, confirm a few things and he agrees.

I was going to rip into the attacker, his logic, assumptions and
methodology but, well, I'm lazy.

PROTIP: Don't try to attack someone you know, from your own connection
using Vista.

Kris
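The probe paths Kris lists above are well-known automated-scanner signatures. As an added example (not part of the original post or the list's code), here is a small Python script that parses combined-format web access log lines, counts how many distinct signatures each source IP hits, and reports the sources that cross a threshold; the log lines and IP addresses are constructed sample data.

```python
import re
from collections import defaultdict

# Request paths seen in the attack described above.
SCANNER_PATHS = {
    "/w00tw00t.at.ISC.SANS.DFind:)",
    "/pma/scripts/setup.php",
    "/phpmyadmin/scripts/setup.php",
    "/roundcube/",
    "/squrrelmail/",
}

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return a dict of the captured fields, or None for an unparseable line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def scanner_hits(lines, threshold=2):
    """Map each source IP to the sorted list of scanner signatures it requested,
    keeping only IPs that hit at least `threshold` distinct signatures."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop any query string
        if path in SCANNER_PATHS:
            hits[rec["ip"]].add(path)
    return {ip: sorted(p) for ip, p in hits.items() if len(p) >= threshold}

# Constructed sample log using documentation (RFC 5737) addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Oct/2009:20:09:12 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
203.0.113.7 - - [30/Oct/2009:20:09:13 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [30/Oct/2009:20:09:14 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [30/Oct/2009:20:09:15 +0000] "GET /roundcube/ HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.4 - - [30/Oct/2009:20:10:01 +0000] "GET /cv.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.4 - - [30/Oct/2009:20:10:30 +0000] "GET /roundcube/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, paths in scanner_hits(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(paths))
```

A single hit on one of these paths is common background noise; a source that walks several of them in quick succession is the pattern worth alerting on.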

_______________________________________________
dundee GNU/Linux Users Group mailing list
dundee at lists.lug.org.uk  http://dundeelug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/dundee
Chat on IRC, #tlug on irc.lug.org.uk