Wednesday, February 28, 2007

253-719-0012

AHA...

I figured out what this number is. I got an electronically placed and recorded call from Comcast.

When you put this number into Google, however, you get a ton of nasty hacker information.

Interesting.

Tuesday, February 20, 2007

Defender Technologies, DefenderHost.com - Hacker Source

Hackers have also been pinging our sites from this IP range:

OrgName: Defender Technologies Group, LLC
OrgID: DTGL
Address: 44470 Chilum Place, Building 1
Address: Suite 1197
City: Ashburn
StateProv: VA
PostalCode: 20147
Country: US
NetRange: 69.65.96.0 - 69.65.127.255

Inhoster - bad bot source

This is the latest blatant abusing network:

inetnum: 85.255.112.0 - 85.255.127.255
netname: inhoster
descr: Inhoster hosting company
descr: OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine
country: UA

Saturday, February 17, 2007

Related Hacker IPs

Here's a group of related hacker IPs that hit our web sites all at once. All the IPs hit the same web site, and it is an odd site for these IPs to be hitting:

Time of hack attempt: 2/17/07 21:42:33
65.184.191.13
211.213.118.32
75.34.23.14
212.119.45.138
71.83.46.82
12.206.187.108
59.95.212.177

In addition this IP was in the middle of this looking at another site:
89.150.197.192

Friday, February 16, 2007

Message Guard - Network Solutions

I've been writing about trying out Identity Based Encryption - specifically the Message Guard service from Network Solutions, provided by Voltage Security.

This is the typical message I get from other people when I try to use Network Solutions Message Guard to send them emails:
_______________

I do not have time to go do all of these steps to read the email. It takes over 5 minutes to complete this. I am the only one here in my department and this is very time consuming. Can you please just send me a regular email.
_______________

Until this is fixed, this is not a viable solution for everyday use between two parties that are not both using the same service. I thought the idea was that the person only has to go through the steps one time...

I also asked Voltage Security how they guarantee that someone at their location is not able to decrypt and read the email - what policies and auditing do they have in place - and as of yet no response.

Monday, February 12, 2007

Caterpillar, Inc. Really Interested in Australia?

It could be legit, but this past month alone we've had a huge number of hits from Caterpillar, Inc. to a site for an Australian hotel booking system...maybe someone wants to take a trip, or perhaps their server is being used for monitoring unbeknownst to them?

12.2.142.7

Arrival Communications - Hacker

There appears to be a hacker at Arrival Communications on this IP, 69.84.207.35, targeting one of our real estate web sites.
They hit our contact request form about 70 times in one day.
Shortly thereafter the publishing of the site was altered, but we were able to easily republish.

OrgName: Arrival Communication, Inc
OrgID: ARRV
Address: 5100 California Ave Suite 104
City: Bakersfield
StateProv: CA
PostalCode: 93309
Country: US

NetRange: 69.84.192.0 - 69.84.207.255

Identity Based Encryption - Update

As noted in previous posts, I'm trying out Identity Based Encryption and having lots of problems with it. A lawyer on Comcast can't use it, a customer couldn't access it, people I work with in Australia aren't replying so I am not sure what that means, someone on AOL couldn't read it. It's a toss-up who will be able to read it and who won't. Someone on Yahoo gets it just fine, as does someone on SpeakEasy. One mail provider - ElectricMail.com - refuses to let their support staff use it.

The latest is that I just had to re-authenticate to send a message and I'm not sure why. Is this an on-going thing where you have to re-authenticate on a weekly basis?

The other thing to note is that I bought the service from Network Solutions and it is authenticating on the Voltage Security system.

Wednesday, February 07, 2007

Reverse Load Testing

This article talks about an attack on the root servers that support the Internet:
http://www.networkworld.com/news/2007/020707-hackers-slow-internet-root-servers.html?nlhtsec=0205securityalert3&company=

The engineers are "scratching their heads" wondering why the attack was performed.

I can think of a few reasons.

1. Reverse load testing. Hackers are trying to calculate what it will take to bring down the Internet. Bringing down the Internet could cause a myriad of disruptions that might be beneficial to a myriad of sneaky, slimy people.

2. Bringing down the Internet at a particular time when a certain crime is being committed may prevent certain communications which may then alert the authorities or warning systems to the crime underway.

3. Someone wants attention.

4. Some really flawed programming.

5. Mischief.

Tuesday, February 06, 2007

Identity Based Encryption (IBE) - Trial

So far IBE has been mildly usable. Most people were able to get it and login and read the message without any problem.

As suspected, a few people were skeptical of the email and didn't want to open it until I called them, since it doesn't look like your typical email.

I also had a few people have problems with it including:

#1 my boss couldn't open it on his cell phone - didn't work at all. Also he didn't want to "sign up for an account" even though I explained that's not what it is.

#2 Someone on AOL couldn't open it at all.

#3 One of my customers using Electric Mail (and, I think, another provider) could not open the message. She tried a few different times today...going to have to call tomorrow and see if we can figure this out.

#4 Couldn't respond to tickets to my data center which is a pretty big hosting company. They have an automated system and the message came as an attachment which was then not included in their automated messaging system.

#5 I was told, after asking if I could use it on a web server to send messages, that it only works in Outlook - after I had told them I was using Outlook already, so obviously I know that. So you can't sign up for this and then send secure messages in an automated fashion to potential clients, for instance, or email receipts from an e-commerce web site or links to file downloads, etc.

A few things to resolve here...it's not quite as simple as normal email and obviously doesn't work for all scenarios.

Monday, February 05, 2007

PHP: Most Requested URLs by Hackers

Per our records, PHP is far and away the most attacked language - and we don't even host it.

These are the URLs various hackers have been scanning our boxes for in the past few months:

/phpAdsNew/adxmlrpc.php
/index.php
/profile.php
/cmd.php
/Ads/adxmlrpc.php
/register.php
/thisdoesnotexistahaha.php
/stats/cmd.php
/portal/cmd.php
/adserver/adxmlrpc.php
/adxmlrpc.php
/a1b2c3d4e5f6g7h8i9/nonexistentfile.php
/phpads/adxmlrpc.php
/web/e-commerce/database/index.php/administration/module/module/index.php
/portal/cacti/cmd.php
/xmlrpc.php
/xmlrpc/xmlrpc.php
/xmlsrv/xmlrpc.php
/blog/xmlrpc.php
/cacti/cmd.php
/drupal/xmlrpc.php
/web/phpMyAdmin/main.php
/web/phpMyAdmin/main.phpmain.php
/w3c/p3p.xml
/_vti_bin/_vti_aut/author.dll
/admin/login/index.php
/admin/pages/index.php
/admin/pages/settings.php
/admin/start/index.php
/public.php
/web/.../work/index.php
/web//work/index.php
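Since this server hosts no PHP at all, every request for a .php path is by definition a scanner probe; the known adxmlrpc/xmlrpc/cmd.php paths above can be matched on any server. The following script is an added example (not part of the original post) that applies those two rules to combined-format access log lines and tallies hits per source IP the same way the list below does. The log lines, IPs and timestamps are constructed for the demo.

```python
import re
from collections import Counter

# Apache/nginx combined log format (constructed regex, not from the original post).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Signatures taken from the post's list of scanned URLs (matched as lower-cased substrings).
PROBE_PATHS = (
    "adxmlrpc.php", "xmlrpc.php", "cmd.php", "phpmyadmin/", "_vti_bin/",
    "nonexistentfile.php", "thisdoesnotexistahaha.php",
)

def is_probe(path, hosts_php=False):
    """Return True if a request path looks like a PHP/XML-RPC scanner probe.
    On a server that does not host PHP at all (the post's situation) any
    .php request is a probe; otherwise only the known signature list applies."""
    p = path.split("?", 1)[0].lower()
    if not hosts_php and p.endswith(".php"):
        return True
    return any(sig in p for sig in PROBE_PATHS)

def tally_probes(lines, hosts_php=False):
    """Parse combined-format log lines; count probe hits per source IP and per path."""
    by_ip, by_path = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines rather than crash
        if is_probe(m["path"], hosts_php):
            by_ip[m["ip"]] += 1
            by_path[m["path"]] += 1
    return by_ip, by_path

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Feb/2007:10:11:12 -0800] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 284
203.0.113.7 - - [05/Feb/2007:10:11:13 -0800] "GET /xmlrpc.php HTTP/1.0" 404 284
203.0.113.7 - - [05/Feb/2007:10:11:14 -0800] "GET /cacti/cmd.php HTTP/1.0" 404 284
198.51.100.22 - - [05/Feb/2007:10:12:01 -0800] "POST /blog/xmlrpc.php HTTP/1.1" 404 284
198.51.100.22 - - [05/Feb/2007:10:12:05 -0800] "GET /_vti_bin/_vti_aut/author.dll HTTP/1.1" 404 284
192.0.2.44 - - [05/Feb/2007:10:13:00 -0800] "GET /index.html HTTP/1.1" 200 5120
192.0.2.44 - - [05/Feb/2007:10:13:02 -0800] "GET /images/logo.gif HTTP/1.1" 200 2048
garbage line that does not parse
"""

if __name__ == "__main__":
    ips, paths = tally_probes(SAMPLE_LOG.splitlines())
    for ip, n in ips.most_common():
        print(f"{n:>3} {ip}")  # same "hits ip" layout the post uses
```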

And here are the IPs that have been up to this mischief along with number of hits:


Friday, February 02, 2007

Identity Based Encryption - mail forwarding

This is interesting - I set up an IBE on an email account to test out Identity Based Encryption.

I have one account set up to forward to the other.

I sent from account A to account B.

Then account B forwarded the IBE message to create a key back to account A.

I was able to create the private key on my computer by creating a login - using a different email address than the one the email was sent to. (I was in account A - the one that sent the message).

When I went back to the email in my webmail-based email account B, I had the key on my machine and was able to read it even though the email address I entered when I created the key was not the email address the mail was sent to...

Also about 5 minutes later I was forwarded the test message from account B back to account A and was able to read it without doing anything else.

Seems a bit odd. Not sure of the implications of this on secure email. I will have to think this one through a bit more.