SSForum.net is back!

Recommended Posts

Posted

Well, tbh, not even a clue how they got in. The password for SSGN (ssgn.net domain and subdomains, and no that is not the actual username) is used NOWHERE else, and had numbers, chars, and special chars. Made the pass 10x harder now, and a lot longer. But brute force was on, so I dunno how they got in yet. Root reported no logins, server reported no brute force attempts, etc.

 

But it seemed to be a bot moving through the FTP editing all index.* and login.*/auth.* type files. It'd add an iframe line, and knew the difference between HTML and PHP in how it added it and where it added it.

 

The IP was 67.61.120.63 and located in Texarkana, Arkansas. As soon as I changed the pass, the server locked it out for "brute force attempts" for having an incorrect login.

 

All should be good for now. Will keep you updated on what I find.

 

Edit: I still haven't fixed Smong's site (toktok) or the Quotes site. Will work on those tomorrow. The FTP log shows those were the only other subdomains hit besides the Forums, Files, and Ticket sites.

SSForum.net - September 01, 2002 - Rowen (SSDownloads.Com), PoLiX (SSCentral.Com), and Cyberise (Subspace.Net)
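Added example, not code from the post above: a scanner for the injection PoLiX describes, an iframe line dropped into index.*, login.* and auth.* files, written into HTML pages and emitted from PHP scripts. It walks a web root, looks only at those filenames, and flags any iframe that is hidden (zero size, display:none, visibility:hidden) or whose src points at a host outside an allowlist. The sample web root is constructed inside a temp directory for the demo; 198.51.100.7 is a documentation address, not a real payload host, and the trusted-host list is an assumption you would replace with your own embeds.

```python
"""Added example, not code from the original post: scan a web root for the
iframe injection described in the thread (an <iframe> line dropped into
index.*, login.* and auth.* files). The sample files below are constructed
for the demo; 198.51.100.7 is a documentation address, not a real payload
server."""
import fnmatch
import os
import re
import tempfile

TARGET_GLOBS = ("index.*", "login.*", "auth.*")

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Drive-by injections usually hide the frame: zero size or hidden via CSS.
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?0\b|visibility\s*:\s*hidden|display\s*:\s*none""",
    re.IGNORECASE,
)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def is_target(name):
    """index.*, login.*, auth.* regardless of extension or case."""
    return any(fnmatch.fnmatch(name.lower(), g) for g in TARGET_GLOBS)


def host_of(url):
    """Bare host from a src value; '' for relative paths."""
    if "://" not in url:
        return ""
    return url.split("://", 1)[1].split("/", 1)[0].split(":")[0].lower()


def find_injected_iframes(text, trusted_hosts=()):
    """Return [(line_no, tag)] for iframes that are hidden or point at an untrusted host."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in IFRAME_RE.finditer(line):
            tag = m.group(0)
            src = SRC_RE.search(tag)
            host = host_of(src.group(1)) if src else ""
            untrusted = bool(host) and not any(
                host == h or host.endswith("." + h) for h in trusted_hosts
            )
            if HIDDEN_RE.search(tag) or untrusted:
                hits.append((lineno, tag))
    return hits


def scan_tree(root, trusted_hosts=()):
    """Walk root; return {relative_path: hits} for target files containing suspect iframes."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_target(name):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_injected_iframes(fh.read(), trusted_hosts)
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


def build_sample_tree():
    """Write a constructed (not real) web root into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="ssgn-demo-")
    os.makedirs(os.path.join(root, "forums"))
    os.makedirs(os.path.join(root, "files"))
    samples = {
        # HTML: hidden frame appended just before </body>, the "end of file" pattern.
        "index.html": "<html><body><h1>SSGN</h1>\n"
                      '<iframe src="http://198.51.100.7/in.php" width="0" height="0"></iframe>\n'
                      "</body></html>\n",
        # PHP: same payload, but echoed from PHP so it lands after the script's own output.
        "forums/login.php": "<?php\nrequire 'auth.inc';\nshow_login_form();\n"
                            "echo '<iframe src=\"http://198.51.100.7/in.php\" style=\"display:none\"></iframe>';\n",
        # Clean page: a visible embed from a trusted host must not be flagged.
        "files/index.html": '<html><body><iframe src="https://www.youtube.com/embed/abc" '
                            'width="560" height="315"></iframe></body></html>\n',
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, hits in sorted(scan_tree(root, trusted_hosts=("youtube.com",)).items()):
        for lineno, tag in hits:
            print(f"{rel}:{lineno}: {tag}")
```

Run it against the real document root instead of the sample tree once the FTP password is changed; anything it reports is a file to diff against a clean copy, not to edit in place, since the same bot rewrote several files per site.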

Posted
If it added an iframe at the very end of the file, trenchwars.org also got hit by the same thing recently.

SSC Distension Owner
SSCU Trench Wars Developer


3:JabJabJab> sometimes i feel like when im in this mood im like a productive form of Cheese
Dr Brain> Pretty much everything you said was wrong. Except where you called me a lazy jerk with no time. That was true.
3:KrynetiX> do you ever open your web browser and type ?go google
5:Ceiu> Wow. My colon decided that was a good time to evacuate itself.

Posted

Maybe they used an exploit in an old software package.

I like to give every domain / subdomain different users to lessen such attacks. I use suPHP for this when they need to run php scripts.
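Added example, not the poster's own configuration: what the per-subdomain user split looks like in an Apache vhost with mod_suphp, with the shared-user setup it replaces shown first. The hostnames and system users are placeholders, and it assumes mod_suphp is loaded and /etc/suphp.conf is in "owner" or "paranoid" mode (paranoid is the one that enforces the suPHP_UserGroup line).

```apache
# Added example, not from the thread. Hostnames and users are placeholders;
# assumes mod_suphp is loaded and suphp.conf runs in mode "owner" or "paranoid".

# Weak: every subdomain shares one docroot owner and one FTP login, and PHP
# runs as the web server user. A leaked credential or one exploitable script
# reaches every site at once.
<VirtualHost *:80>
    ServerName forums.ssgn.net
    DocumentRoot /var/www/ssgn/forums
    AddHandler application/x-httpd-php .php
</VirtualHost>

# Hardened: one system user per subdomain, its FTP login confined to that
# user's home, and suPHP runs the scripts as that user. A compromised login
# can only rewrite that one site's files.
<VirtualHost *:80>
    ServerName forums.ssgn.net
    DocumentRoot /home/ssgn-forums/public_html
    suPHP_Engine on
    suPHP_UserGroup ssgn-forums ssgn-forums
    suPHP_AddHandler x-httpd-php
    AddHandler x-httpd-php .php
</VirtualHost>

<VirtualHost *:80>
    ServerName files.ssgn.net
    DocumentRoot /home/ssgn-files/public_html
    suPHP_Engine on
    suPHP_UserGroup ssgn-files ssgn-files
    suPHP_AddHandler x-httpd-php
    AddHandler x-httpd-php .php
</VirtualHost>
```

The vhost only covers the PHP side; the FTP side is a separate system account per subdomain whose login is chrooted to its own home (how that is spelled depends on the FTP daemon). If mod_php is still loaded alongside mod_suphp, the suPHP vhosts also need the mod_php engine switched off, otherwise scripts keep running as the server user.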

Posted

An iframe attack can be used for many purposes, but probably financial ones:

http://www.networkworld.com/news/2008/031308-hackers-launch-massive-iframe.html

I would not trust that IP location.

 

FTP is a good question -- also there are exploits that look for commonly used FTP progs that store the pw and look there:

http://www.thepicky.com/internet/how-hackers-viruses-steal-ftp-passwords/

 

 

That pw in a cookie somewhere?

 

pw was obtained either by your machine being compromised in some way or by the pw being intercepted (e.g. clear text through a compromised router [ftp] or a man in the middle attack) or by password storage location being compromised (doubtful) -- other thoughts?

 

--hallu

Posted

FTP sends passwords unencrypted. Do you use FTP at all, Polix? If so, then that could be the source of the problem.

 

Started thinking that was possible. It had been a while since I last logged in (Feb 9th according to the log). Searching through the log though, no one but me had logged in through that account until this. So it wasn't even a "let's see if this works".

 

edit: Scanning the hell out of my computer right now, and changing 1 other FTP login I had used in the past months.


Posted

After all the scans, nothing really turned up. Ran a couple different virus scanners (1 normal, and 1 deep scan), and an adaware scan. Then had Microsoft's program go over it again for the hell of it and the worst that turned up was 1 popup ad. Otherwise all that was ever detected was a few "trojans" in the update files from a recent java update.

 

Trying to remember if anyone else ever had the password to the ftp. It used that user, though I deleted 2 other ftp accounts I setup for Sama and Mav to be safe.

 

Baffling... :unknw:

 

 

 

Stop using PHP. :p

 

How was PHP a cause of this?

 

 

edit: Guess I didn't state this was all done through FTP, so I'm assuming you thought it was a PHP injection exploit.


http://technet.microsoft.com/en-us/sysinternals/bb897445

 

Does anything show up in the list?

BlueT Network Administrator

SSCV Network Administrator

Jackpot SVS System Operator



Posted

32bit...

 

Might have found a 64bit one.


Posted
Just Continuum.exe, a few setup files from ssdl. Lol.


Posted

edit: Guess I didn't state this was all done through FTP, so I'm assuming you thought it was a PHP injection exploit.

 

 

With the other one, that was the first thing I thought it was.

Then I looked, and it appeared on pages where that was impossible.

It's almost 100% probable it was through FTP.


Posted

Yeah. It used ftp to download, edit, and reupload the files.

 

Gotta go through Quotes and TokTok still as I was 2x checking all the ssgn files I found in the ftp log to make sure none got missed.

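Added example, not code from any post in the thread: the two log checks the posts above rely on, done over an FTP transfer log instead of by eye. The earlier post searched the log for who else had logged in as the account; this one states that the bot downloaded, edited and re-uploaded the files. The code parses the wu-ftpd/proftpd "xferlog" format, lists every address that transferred as a given user, and pairs each download with a later upload of the same path by an address outside a known-good list, reporting how many bytes grew. The log lines are constructed for the demo (203.0.113.5 stands in for the owner's address); only 67.61.120.63 comes from the thread.

```python
"""Added example, not code from the original post: triage an FTP transfer
log in the wu-ftpd/proftpd "xferlog" format for the pattern described in the
thread, a login from an unexpected address that downloads, edits and re-uploads
index.*, login.* and auth.* files. The log lines are constructed for the demo;
only the 67.61.120.63 address is taken from the thread."""
import fnmatch

TARGET_GLOBS = ("index.*", "login.*", "auth.*")

# xferlog layout: 5 timestamp tokens, then transfer-time remote-host file-size
# filename transfer-type special-action direction(i=upload,o=download)
# access-mode username service auth-method auth-uid completion(c|i).
SAMPLE_XFERLOG = """\
Mon Feb  9 20:11:03 2009 1 203.0.113.5 1402 /home/ssgn/public_html/index.php b _ i r ssgn ftp 0 * c
Sat Mar 14 03:02:17 2009 0 67.61.120.63 1402 /home/ssgn/public_html/index.php b _ o r ssgn ftp 0 * c
Sat Mar 14 03:02:19 2009 0 67.61.120.63 1497 /home/ssgn/public_html/index.php b _ i r ssgn ftp 0 * c
Sat Mar 14 03:02:20 2009 0 67.61.120.63 880 /home/ssgn/public_html/forums/login.php b _ o r ssgn ftp 0 * c
Sat Mar 14 03:02:21 2009 0 67.61.120.63 975 /home/ssgn/public_html/forums/login.php b _ i r ssgn ftp 0 * c
Sat Mar 14 03:02:23 2009 0 67.61.120.63 52 /home/ssgn/public_html/files/robots.txt b _ o r ssgn ftp 0 * c
Sat Mar 14 03:02:25 2009 0 67.61.120.63 2110 /home/ssgn/public_html/ticket/index.html b _ o r ssgn ftp 0 * c
Sat Mar 14 03:02:26 2009 0 67.61.120.63 2205 /home/ssgn/public_html/ticket/index.html b _ i r ssgn ftp 0 * c
"""


def parse_xferlog(text):
    """Parse xferlog lines into dicts. Lines with fewer than 18 tokens are skipped
    rather than guessed at (filenames containing spaces would need a real parser)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 18:
            continue
        records.append({
            "time": " ".join(parts[:5]),
            "host": parts[6],
            "size": int(parts[7]),
            "path": parts[8],
            "direction": parts[11],
            "user": parts[13],
            "status": parts[17],
        })
    return records


def hosts_for_user(records, user):
    """Every remote address that transferred as this FTP user."""
    return {r["host"] for r in records if r["user"] == user}


def find_rewrites(records, known_hosts=()):
    """Return [(host, user, path, bytes_added)] where an address outside known_hosts
    downloaded a file and later uploaded the same path: the download/edit/re-upload
    pattern. Only completed transfers (status 'c') count."""
    last_download = {}
    rewrites = []
    for r in records:
        if r["host"] in known_hosts or r["status"] != "c":
            continue
        key = (r["host"], r["user"], r["path"])
        if r["direction"] == "o":
            last_download[key] = r["size"]
        elif r["direction"] == "i" and key in last_download:
            rewrites.append((r["host"], r["user"], r["path"], r["size"] - last_download.pop(key)))
    return rewrites


def restore_list(rewrites):
    """Paths to restore from backup (or diff by hand), split into the index/login/auth
    targets the bot goes for and anything else it touched."""
    targets, others = [], []
    for _host, _user, path, _delta in rewrites:
        name = path.rsplit("/", 1)[-1].lower()
        (targets if any(fnmatch.fnmatch(name, g) for g in TARGET_GLOBS) else others).append(path)
    return sorted(targets), sorted(others)


if __name__ == "__main__":
    recs = parse_xferlog(SAMPLE_XFERLOG)
    print("addresses seen as ssgn:", sorted(hosts_for_user(recs, "ssgn")))
    rw = find_rewrites(recs, known_hosts=("203.0.113.5",))
    for host, user, path, delta in rw:
        print(f"{host} as {user} rewrote {path} (+{delta} bytes)")
    targets, others = restore_list(rw)
    print("restore:", targets, "also touched:", others)
```

In the sample every rewritten file grows by the same 95 bytes, which is what an automated append looks like and is a quick way to spot the bot's files among a human's edits. Where the xferlog lives depends on the FTP daemon; point parse_xferlog at the real file instead of SAMPLE_XFERLOG, and put your own addresses in known_hosts.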

  • 2 weeks later...
Posted
Sounds reasonable. For how much scanning I did, it just seemed odd to turn up nothing. That and the directories it skipped on the webserver. Also the fact it was including an iframe in many index files.


Posted (edited)


It looks like Cable One has had this net range for quite a few years now.

 

 

whois report:

 

NetRange: 67.60.0.0 - 67.61.255.255

CIDR: 67.60.0.0/15

OriginAS: AS11492

NetName: CABLEONE

NetHandle: NET-67-60-0-0-1

Parent: NET-67-0-0-0-0

NetType: Direct Allocation

RegDate: 2005-08-24

Updated: 2007-12-10

Ref: http://whois.arin.ne...NET-67-60-0-0-1

 

OrgName: CABLE ONE, INC.

OrgId: CBL1

Address: 1314 N THIRD ST

Address: FIRST FLOOR

City: PHOENIX

StateProv: AZ

PostalCode: 85004

Country: US

RegDate: 1996-09-25

Updated: 2008-10-29

Ref: http://whois.arin.net/rest/org/CBL1

----------------------------------------------------

 

 

whatismyip report:

 

 

Hostname: 67-61-120-63.cpe.cableone.net
ISP: CABLE ONE
Organization: CABLE ONE
Proxy: None detected
Type: Broadband
Assignment: Static IP
Blacklist:

Geolocation Information

Country: United States
State/Region: Arkansas
City: Texarkana
Latitude: 33.423
Longitude: -93.8691
Area Code: 870
Postal Code: 71854

You should file a complaint with Cable One.

 

Will likely only take a minute or two out of your day.

 

Their abuse email is abuse@cableone.net and their phone number for abuse reporting is 1-877-692-2253.

http://whois.arin.net/rest/poc/COAD-ARIN.html

Edited by Xog
Posted
You should note that the ISP is based at that location and state, but the user may be somewhere else.

