[dundee] Script Kiddie attack: in which our intrepid heroes nearly die of laughter

Kris Davidson davidson.kris at gmail.com
Sun Nov 1 15:14:39 UTC 2009


Yeah I mean I assumed a bot or zombie at first, it just didn't really
behave like one.

2009/11/1 Sean McRobbie <lug at seany.us>:
> Kris,
>
> Perhaps his machine was infected and targeting his Outlook/Express contacts? I'm only guessing as I see hundreds upon thousands of those URLs in my logs all part of an automated scan - it hits several IPs in our subnets too.
>
> It just seems unlikely anyone on here would be so silly as to do that. If he did, it was a very funny read.
>
> Regards,
> Sean McRobbie
>
> ----- Original Message -----
> From: "Kris Davidson" <davidson.kris at gmail.com>
> To: "LUG" <dundee at lists.lug.org.uk>
> Sent: Sunday, 1 November, 2009 2:06:07 PM
> Subject: [dundee] Script Kiddie attack: in which our intrepid heroes nearly die of laughter
>
> An open letter to the guy from Perth on 92.238.142.83, running Windows
> Vista, with Internet Explorer 8, using Media Center 5.0, Google Toolbar
> 6, Microsoft-Windows-Security-Licensing, .NET 2.0.50727 and .NET
> 3.5.30729 (cheap trick I know, I'm going to stop at this point as I
> can't be bothered listing local IP, plugins, resolution, etc)
>
> Hi,
>
> While my VPS gets attacked frequently (5847 port scans with 1293
> confirmed attacks from 478 sources for the 30th, and that doesn't include
> web-based attacks), it was the sheer ineptitude of your attack, the fact
> you're local and the ability of myself and Arron to track you down that
> prompted this message - don't worry, I stopped any automatic reporting
> and I'm not going to name and shame, just stop dirtying my logs.
>
> It began for me at around 20:45, I was waiting for a download to finish,
> listening to some music, then while Johnny Cash stated he would be what
> he is, a solitary man - I get an alert. It seems someone was trying to
> brute force the business e-mail address Arron uses, either that or he
> got the password wrong ten times and triggered an alert.
>
> It turns out it's not Arron. I do some checking; it seems the attacker
> started doing some recon at 20:09, then proceeds to click through my
> site and the eight others I host (I conveniently gave these to him, as
> using the VPS IP as an address lists everything I host, but that was by
> design). So he's trying to access stuff like:
>
> /w00tw00t.at.ISC.SANS.DFind:)
> /pma/scripts/setup.php
> /phpmyadmin/scripts/setup.php
> /roundcube/
> /squrrelmail/
>
> some other stuff and various variations. He gets bored and starts
> reading my CV; now he must be fascinated by it, as nothing else happens
> for a while - perhaps he's checking to see if I've hidden some user
> details in it. When his attacks resume he tries to do some spamming with
> a contact script, no success - I mean he manages to send an e-mail to the
> contact address but, um... well, the script is designed to do that, still
> he made some progress.
>
> So in a last ditch attempt he tries to brute force the e-mail; he gives
> up pretty quickly - I'm guessing he was probably using the most common
> passwords as mentioned in that hackers movie. Then I have an idea: I
> check the linux society logs (site's dead but it's good for something) and
> I'm 80-90% certain I've worked out who it is. I compile my findings and
> finish as Bob Dylan asks 'who killed Davey Moore?'. The next day I check
> with Arron, confirm a few things and he agrees.
>
> I was going to rip into the attacker, his logic, assumptions and
> methodology but, well I'm lazy.
>
> PROTIP: Don't try to attack someone you know, from your own connection
> using Vista.
>
> Kris
>
> _______________________________________________
> dundee GNU/Linux Users Group mailing list
> dundee at lists.lug.org.uk  http://dundeelug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/dundee
> Chat on IRC, #tlug on irc.lug.org.uk
>
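A defender-side companion to the log review described in the thread, added here as an example and not code from either poster: it parses combined-format web access log lines, flags the probe paths the post lists, and raises a per-IP alert at ten failed logins (the threshold the post mentions). The login path, the constructed log lines and the documentation IPs are assumptions.

```python
import re
from collections import defaultdict

# Probe paths quoted in the post (the w00tw00t line is the DFind scanner's
# calling card; the rest look for exposed phpMyAdmin setup scripts and webmail).
# The post spells the last one "/squrrelmail/"; the usual spelling is included too.
PROBE_PATHS = {
    "/w00tw00t.at.ISC.SANS.DFind:)",
    "/pma/scripts/setup.php",
    "/phpmyadmin/scripts/setup.php",
    "/roundcube/",
    "/squrrelmail/",
    "/squirrelmail/",
}

# Apache/nginx combined log: ip ident user [ts] "METHOD path PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "path": path, "status": int(status)}

def analyse(lines, login_path="/webmail/login", fail_threshold=10):
    """Return {ip: {"probes": [...], "failed_logins": n}} for IPs worth a look:
    any request for a known probe path, or >= fail_threshold failed logins.
    login_path is an assumed webmail login endpoint answering 401 on failure."""
    state = defaultdict(lambda: {"probes": [], "failed_logins": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore query strings when matching
        if path in PROBE_PATHS:
            state[rec["ip"]]["probes"].append(path)
        if path == login_path and rec["method"] == "POST" and rec["status"] == 401:
            state[rec["ip"]]["failed_logins"] += 1
    return {ip: s for ip, s in state.items()
            if s["probes"] or s["failed_logins"] >= fail_threshold}

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Nov/2009:20:09:15 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 214 "-" "-"',
    '192.0.2.10 - - [01/Nov/2009:20:09:16 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 214 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [01/Nov/2009:20:09:17 +0000] "GET /roundcube/ HTTP/1.1" 404 214 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [01/Nov/2009:20:20:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
] + [
    f'192.0.2.10 - - [01/Nov/2009:20:4{i}:00 +0000] "POST /webmail/login HTTP/1.1" 401 512 "-" "Mozilla/4.0"'
    for i in range(10)
]
```

Running `analyse(SAMPLE_LOG)` flags only 192.0.2.10, with three probe hits and ten failed logins; the ordinary visitor on 198.51.100.7 is not reported.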
