SubSpace Forum Network

Posted

Well, tbh, not even a clue how they got in. The password for SSGN (ssgn.net domain and subdomains, and no that is not the actual username) is used NOWHERE else, and had numbers, chars, and special chars. Made the pass 10x harder now, and a lot longer. But brute force was on, so I dunno how they got in yet. Root reported no logins, server reported no brute force attempts, etc.

 

But it seemed to be a bot moving through the ftp editing all index.* and login.*/auth.* type files. It'd add an iframe line, and knew the difference between html and php in how it added it and where it added it.

 

The ip was 67.61.120.63 and located in Texarkana Arkansas. Soon as I changed the pass, the server locked it out for "brute force attempts" for having incorrect login.

 

All should be good for now. Will keep you updated on what I find.

 

Edit: I still haven't fixed Smong's site (toktok) or Quotes site. Will work on those tomorrow. FTP log shows they were only other subdomains hit besides Forums, Files, and Ticket sites.
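As an added example (not code from the thread or from any of its posters), a small defensive scan of the kind that would have caught this: it walks a web root, looks only at the file names the post says the bot targeted (index.*, login.*, auth.*), and reports every line containing an iframe tag, flagging ones that use common hide-the-frame attributes. The web root contents and the hidden-frame attribute list are constructed assumptions for the demo.

```python
import os
import re
import tempfile
from fnmatch import fnmatch

# File names the post says the bot edited over FTP.
TARGET_PATTERNS = ("index.*", "login.*", "auth.*")
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Attributes typically used to keep an injected frame invisible (assumed list).
HIDDEN_RE = re.compile(
    r"width\s*=\s*[\"']?0|height\s*=\s*[\"']?0|display\s*:\s*none|visibility\s*:\s*hidden",
    re.IGNORECASE,
)


def is_target(name):
    """True for the file names the bot singled out, case-insensitively."""
    return any(fnmatch(name.lower(), p) for p in TARGET_PATTERNS)


def scan_webroot(root):
    """Return (relative path, line number, looks_hidden) for each iframe tag in target files.
    A line-based search also catches iframes emitted from PHP via echo/print."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not is_target(name):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    m = IFRAME_RE.search(line)
                    if m:
                        hidden = bool(HIDDEN_RE.search(m.group(0)))
                        findings.append((os.path.relpath(path, root), lineno, hidden))
    return findings


def demo():
    """Build a constructed web root (sample data, not the real site) and scan it."""
    root = tempfile.mkdtemp()
    samples = {
        "index.html": '<html><body>Hi</body>\n<iframe src="http://example.invalid/x" width=0 height=0></iframe></html>\n',
        "login.php": '<?php session_start(); ?>\n<html><body>\n<iframe src="http://example.invalid/y" style="display:none"></iframe>\n',
        "about.html": '<iframe src="http://example.invalid/z"></iframe>\n',  # not a targeted name, ignored
        "sub/auth.php": "<?php echo 'clean'; ?>\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_webroot(root)
```

Run against a real web root, the output is a list of files to diff against a known-good copy before cleaning; extending TARGET_PATTERNS to every file the FTP log shows as touched closes the gap left by the bot's name filter.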

Posted

Maybe they used an exploit in an old software package.

I like to give every domain / subdomain different users to lessen such attacks. I use suPHP for this when they need to run php scripts.

Posted

iFrame attack can be used for many purposes, but probably financial ones:

http://www.networkworld.com/news/2008/031308-hackers-launch-massive-iframe.html

I would not trust that IP location.

 

FTP is a good question -- also there are exploits that look for commonly used FTP progs that store the pw and look there:

http://www.thepicky.com/internet/how-hackers-viruses-steal-ftp-passwords/

 

 

That pw in a cookie somewhere?

 

pw was obtained either by your machine being compromised in some way or by the pw being intercepted (e.g. clear text through a compromised router [ftp] or a man in the middle attack) or by password storage location being compromised (doubtful) -- other thoughts?

 

--hallu

Posted

FTP sends passwords unencrypted. Do you use FTP at all, Polix? If so, then that could be the source of the problem.

 

Started thinkin that was possible. It had been a while since I last logged in (Feb 09th according to log). Searching through the log though, no one else but me had logged in through that account until this. So wasn't even a "let's see if this works".

 

edit: Scannin the hell out of my computer right now, and changing 1 other ftp login I had used in the past months.

Posted

After all the scans, nothing really turned up. Ran a couple different virus scanners (1 normal, and 1 deep scan), and an adaware scan. Then had Microsoft's program go over it again for the hell of it and the worst that turned up was 1 popup ad. Otherwise all that was ever detected was a few "trojans" in the update files from a recent java update.

 

Trying to remember if anyone else ever had the password to the ftp. It used that user, though I deleted 2 other ftp accounts I set up for Sama and Mav to be safe.

 

Baffling... :unknw:

 

 

 

Stop using PHP. :p

 

How was php a cause of this?

 

 

edit: Guess I didn't state this was all done through ftp, so assuming you thought it was a php injection exploit.

Posted

http://technet.microsoft.com/en-us/sysinternals/bb897445

 

Does anything show up in the list?

Posted

With the other one, that was the first thing I thought it was.

Then I looked, and it appeared on pages where that was impossible.

It's almost 100% probable through ftp.

Posted

Yeah. It used ftp to download, edit, and reupload the files.

 

Gotta go through Quotes and TokTok still as I was 2x checking all the ssgn files I found in the ftp log to make sure none got missed.

Posted

Sup everyone, just came back from a weekend away with my buddies...

 

That sucks... Last time I used the FTP, it was on my old PC, which was reformatted since then :p

Posted
Sounds reasonable. For how much scanning I did, it just seemed odd to turn up nothing. That and the directories it skipped on the webserver. Also the fact it was including an iframe in many index files.
Posted (edited)

It looks like Cable One has had this net range for quite a few years now.

 

 

whois report:

 

NetRange: 67.60.0.0 - 67.61.255.255

CIDR: 67.60.0.0/15

OriginAS: AS11492

NetName: CABLEONE

NetHandle: NET-67-60-0-0-1

Parent: NET-67-0-0-0-0

NetType: Direct Allocation

RegDate: 2005-08-24

Updated: 2007-12-10

Ref: http://whois.arin.ne...NET-67-60-0-0-1

 

OrgName: CABLE ONE, INC.

OrgId: CBL1

Address: 1314 N THIRD ST

Address: FIRST FLOOR

City: PHOENIX

StateProv: AZ

PostalCode: 85004

Country: US

RegDate: 1996-09-25

Updated: 2008-10-29

Ref: http://whois.arin.net/rest/org/CBL1

----------------------------------------------------

 

 

whatismyip report:

 

 

Hostname:67-61-120-63.cpe.cableone.net

ISP:CABLE ONE

Organization:CABLE ONE

Proxy:None detected

Type:Broadband

Assignment:Static IP

Blacklist:

Geolocation Information

Country:United States

State/Region:Arkansas

City:Texarkana

Latitude:33.423

Longitude:-93.8691

Area Code:870

Postal Code:71854

You should file a complaint with Cable One.

 

Will likely only take a minute or two out of your day.

 

their abuse email is abuse@cableone.net and their phone for abuse reporting is 1-877-692-2253

http://whois.arin.net/rest/poc/COAD-ARIN.html

Edited by Xog
