Trends from the trenches of Internet traffic. Hackers, spammers and Internet abuse. IP address database. DNS sightings. Views and opinions expressed are my own. ~ Teri Radichel @teriradichel
Saturday, March 31, 2007
Favorstar.com
We keep getting hits from favorstar.com. I boldly and probably riskily went to this site and it's a Chinese site with some video and half naked women on it in bras, etc. Whatever this site is up to, it can't be any good. I also noticed they are advertising a t-shirt site in direct competition with one of ours. I can't imagine this site is up to anything good.
Wednesday, March 28, 2007
U.S. Malware Capital?
This article form Network World claims that San Jose found the most malware was hosted in the US "contrary to the belief that it was coming from other countries" not in so many words.
http://www.networkworld.com/news/2007/032607-more-evidence-of-us-as.html?nlhtsec=0326securityalert3&company=MessageGate
They almost downplay the issue that most of this malware is probably weaseled onto servers via hacking or on servers paid for by people of origin outside the U.S. Yes, there are probably a lot of US hackers - we did invent the computer after all.
It is important to keep all factors in mind while analyzing this topic. It has also been reported that many hacker and terrorist organizations buy computer networking from the US because it is more cost effective (or was) than in other countries. That may be changing with China and India in the game, I'm not sure.
Hacked servers are also a huge source of this malware and I would be interested to know the % of this 80% of malware that is on hacked servers and how much of the malware actually got onto the US computers via a hack from someone originating from another country. A person I spoke to from the FBI says about 15% of the world's computers are thought to be "command and control bots," meaning they are either set up intentionally or hacked to run code for someone who is using a command server to control a bunch of other machines to carry out their dirty work.
The author did mention the money changing hands here - and why the US is a target, but also consider that the UK is second on the list. The US, the UK. Hmmm.
Also to take into consideration would be the size of the US and the amount of computers in the US relative to other countries. I'm not sure but I'd guess there are a relatively larger number of computers here than in some other countries at this time.
But perhaps the author just meant that this is where most of the malware is running - that the U.S. is the target and our security is totally lacking, rather than highlighting the US as a source of creating and distributing malware. If you consider the malware is running on machines that can affect people all over the world it is a problem - but the cause of that problem still may be mainly coming from outside the US. Security lacking? A wake up call? With that I would have to agree.
Personally I find plenty of hacker looking traffic from all over the world. I haven't done the numbers to compare by country but there are a load of hackers in Ontario, Alaska, throughout Europe, and a ton coming out of Asia - especially China and Taiwan. There is some that comes out of Brazil and occasionally Mexico - I was bombed by France the other day (see a recent post).
The interesting thing is that probably one of the biggest hacks on credit cards at Card Service International (I believe that is correct) in Arizona a couple years ago was attributed to the Russian Mafia by the news in Australia when I was down there. People in the US said they didn't hear that - I am not sure what was reported in the US.
But I get very little hacker like traffic from Russia. Does that mean there are no hackers in Russia? No, it means they are pretty damn smart. They do their dirty work from hacked servers in other parts of the world so they are not discovered. A recent piece of malware running on tons of US servers included a built in virus checker - Kapersky - Russian by origin though they since tried to appear as they are headquartered in the US. I also think there may be some Russian hackers up in Alaska using some network - Hideout.net
So the point the author is making about most of the hacks not coming from Russia or China like everyone thinks - is twisting the facts.
http://www.networkworld.com/news/2007/032607-more-evidence-of-us-as.html?nlhtsec=0326securityalert3&company=MessageGate
They almost downplay the issue that most of this malware is probably weaseled onto servers via hacking or on servers paid for by people of origin outside the U.S. Yes, there are probably a lot of US hackers - we did invent the computer after all.
It is important to keep all factors in mind while analyzing this topic. It has also been reported that many hacker and terrorist organizations buy computer networking from the US because it is more cost effective (or was) than in other countries. That may be changing with China and India in the game, I'm not sure.
Hacked servers are also a huge source of this malware and I would be interested to know the % of this 80% of malware that is on hacked servers and how much of the malware actually got onto the US computers via a hack from someone originating from another country. A person I spoke to from the FBI says about 15% of the world's computers are thought to be "command and control bots," meaning they are either set up intentionally or hacked to run code for someone who is using a command server to control a bunch of other machines to carry out their dirty work.
The author did mention the money changing hands here - and why the US is a target, but also consider that the UK is second on the list. The US, the UK. Hmmm.
Also to take into consideration would be the size of the US and the amount of computers in the US relative to other countries. I'm not sure but I'd guess there are a relatively larger number of computers here than in some other countries at this time.
But perhaps the author just meant that this is where most of the malware is running - that the U.S. is the target and our security is totally lacking, rather than highlighting the US as a source of creating and distributing malware. If you consider the malware is running on machines that can affect people all over the world it is a problem - but the cause of that problem still may be mainly coming from outside the US. Security lacking? A wake up call? With that I would have to agree.
Personally I find plenty of hacker looking traffic from all over the world. I haven't done the numbers to compare by country but there are a load of hackers in Ontario, Alaska, throughout Europe, and a ton coming out of Asia - especially China and Taiwan. There is some that comes out of Brazil and occasionally Mexico - I was bombed by France the other day (see a recent post).
The interesting thing is that probably one of the biggest hacks on credit cards at Card Service International (I believe that is correct) in Arizona a couple years ago was attributed to the Russian Mafia by the news in Australia when I was down there. People in the US said they didn't hear that - I am not sure what was reported in the US.
But I get very little hacker like traffic from Russia. Does that mean there are no hackers in Russia? No, it means they are pretty damn smart. They do their dirty work from hacked servers in other parts of the world so they are not discovered. A recent piece of malware running on tons of US servers included a built in virus checker - Kapersky - Russian by origin though they since tried to appear as they are headquartered in the US. I also think there may be some Russian hackers up in Alaska using some network - Hideout.net
So the point the author is making about most of the hacks not coming from Russia or China like everyone thinks - is twisting the facts.
RufusBot is a Dufus. 64.124.122.228
The so-called "rufus bot" is hitting us repeatedly again from this IP address: 64.124.122.228 and the stupid thing is, it is requesting pages that do not exist on our server over and over again and getting Page Not Found errors and still continues to request the pages.
Either the person that wrote the RufusBot is a dufus, or as I suggested before there is an error related to 404 errors that present a security or hacker problem. I am not sure why else these bots would try to hit pages that do not exist repeatedly. I guess they could be that stupid, but I kind of doubt it.
Either the person that wrote the RufusBot is a dufus, or as I suggested before there is an error related to 404 errors that present a security or hacker problem. I am not sure why else these bots would try to hit pages that do not exist repeatedly. I guess they could be that stupid, but I kind of doubt it.
Saturday, March 24, 2007
Hackers - Ontario
I am still convinced there are hackers in Ontario - probably on Rogers Cable but also coming from Shaw and other networks. I think they move around.
After implementing a new filter we just got a bunch of hits in a row on pages without referrers from Toronto IPs.
After implementing a new filter we just got a bunch of hits in a row on pages without referrers from Toronto IPs.
Tuesday, March 20, 2007
Ask Jeeves Spoofer?
We've been getting a lot of hits supposedly from AskJeeves such as this:
57 hits this month
Ask Jeeves User Agent
65.214.44.166
Last Visit: 3/20/2007 4:20:54 PM
However this IP does not belong to any of the Ask Jeeves IP ranges as far as I can see:
Ask Jeeves ASKJEEVES-66-09 (NET-4-19-66-0-1) 4.19.66.0 - 4.19.66.255
Ask Jeeves HTW-06853 (NET-64-55-148-1-1) 64.55.148.1 - 64.55.149.254
ASK JEEVES Q0518-63-145-26-32 (NET-63-145-26-32-1) 63.145.26.32 - 63.145.26.63
ASK JEEVES TWTC-SNFO-C-ASKJEEVES-0 (NET-206-80-1-0-1) 206.80.1.0 - 206.80.1.255
ASK JEEVES Q0426-63-236-237-72 (NET-63-236-237-72-1) 63.236.237.72 - 63.236.237.79
ASK JEEVES Q0213-72-165-191-64 (NET-72-165-191-64-1) 72.165.191.64 - 72.165.191.95
ASK JEEVES ASK-JEEV33-211 (NET-12-193-211-0-1) 12.193.211.0 - 12.193.211.255
ASK JEEVES INC Q0321-65-119-214-0 (NET-65-119-214-0-1) 65.119.214.0 - 65.119.214.255
Ask Jeeves PBI-CUSTNET-6751 (NET-216-103-72-40-1) 216.103.72.40 - 216.103.72.47
Ask Jeeves SBCIS-101412-175559 (NET-64-174-153-192-1) 64.174.153.192 - 64.174.153.199
Ask Jeeves SBC067114171064020215 (NET-67-114-171-64-1) 67.114.171.64 - 67.114.171.71
ASK JEEVES MFN-B370-209-249-69-0-29 (NET-209-249-69-0-1) 209.249.69.0 - 209.249.69.7
ASK JEEVES MFN-B370-208-184-139-0-29 (NET-208-184-139-0-1) 208.184.139.0 - 208.184.139.7
ASK JEEVES MFN-B370-208-185-161-0-28 (NET-208-185-161-0-1) 208.185.161.0 - 208.185.161.15
ASK JEEVES MFN-B370-208-185-160-0-24 (NET-208-185-160-0-1) 208.185.160.0 - 208.185.160.255
ASK JEEVES MFN-B370-208-185-182-128-28 (NET-208-185-182-128-1) 208.185.182.128 - 208.185.182.143
ASK JEEVES MFN-B370-216-200-130-0-24 (NET-216-200-130-0-1) 216.200.130.0 - 216.200.130.255
ASK JEEVES MFN-B370-208-185-219-224-27 (NET-208-185-219-224-1) 208.185.219.224 - 208.185.219.255
ASK JEEVES MFN-B370-64-124-141-0-24 (NET-64-124-141-0-1) 64.124.141.0 - 64.124.141.255
ASK JEEVES MFN-B370-209-249-88-48-28 (NET-209-249-88-48-1) 209.249.88.48 - 209.249.88.63
ASK JEEVES MFN-B370-64-124-56-0-24 (NET-64-124-56-0-1) 64.124.56.0 - 64.124.56.255
ASK JEEVES BRW-11672-ASK (NET-216-143-191-128-1) 216.143.191.128 - 216.143.191.191
Ask Jeeves MFN-B370-209-66-103-0-24 (NET-209-66-103-0-1) 209.66.103.0 - 209.66.103.255
57 hits this month
Ask Jeeves User Agent
65.214.44.166
Last Visit: 3/20/2007 4:20:54 PM
However this IP does not belong to any of the Ask Jeeves IP ranges as far as I can see:
Ask Jeeves ASKJEEVES-66-09 (NET-4-19-66-0-1) 4.19.66.0 - 4.19.66.255
Ask Jeeves HTW-06853 (NET-64-55-148-1-1) 64.55.148.1 - 64.55.149.254
ASK JEEVES Q0518-63-145-26-32 (NET-63-145-26-32-1) 63.145.26.32 - 63.145.26.63
ASK JEEVES TWTC-SNFO-C-ASKJEEVES-0 (NET-206-80-1-0-1) 206.80.1.0 - 206.80.1.255
ASK JEEVES Q0426-63-236-237-72 (NET-63-236-237-72-1) 63.236.237.72 - 63.236.237.79
ASK JEEVES Q0213-72-165-191-64 (NET-72-165-191-64-1) 72.165.191.64 - 72.165.191.95
ASK JEEVES ASK-JEEV33-211 (NET-12-193-211-0-1) 12.193.211.0 - 12.193.211.255
ASK JEEVES INC Q0321-65-119-214-0 (NET-65-119-214-0-1) 65.119.214.0 - 65.119.214.255
Ask Jeeves PBI-CUSTNET-6751 (NET-216-103-72-40-1) 216.103.72.40 - 216.103.72.47
Ask Jeeves SBCIS-101412-175559 (NET-64-174-153-192-1) 64.174.153.192 - 64.174.153.199
Ask Jeeves SBC067114171064020215 (NET-67-114-171-64-1) 67.114.171.64 - 67.114.171.71
ASK JEEVES MFN-B370-209-249-69-0-29 (NET-209-249-69-0-1) 209.249.69.0 - 209.249.69.7
ASK JEEVES MFN-B370-208-184-139-0-29 (NET-208-184-139-0-1) 208.184.139.0 - 208.184.139.7
ASK JEEVES MFN-B370-208-185-161-0-28 (NET-208-185-161-0-1) 208.185.161.0 - 208.185.161.15
ASK JEEVES MFN-B370-208-185-160-0-24 (NET-208-185-160-0-1) 208.185.160.0 - 208.185.160.255
ASK JEEVES MFN-B370-208-185-182-128-28 (NET-208-185-182-128-1) 208.185.182.128 - 208.185.182.143
ASK JEEVES MFN-B370-216-200-130-0-24 (NET-216-200-130-0-1) 216.200.130.0 - 216.200.130.255
ASK JEEVES MFN-B370-208-185-219-224-27 (NET-208-185-219-224-1) 208.185.219.224 - 208.185.219.255
ASK JEEVES MFN-B370-64-124-141-0-24 (NET-64-124-141-0-1) 64.124.141.0 - 64.124.141.255
ASK JEEVES MFN-B370-209-249-88-48-28 (NET-209-249-88-48-1) 209.249.88.48 - 209.249.88.63
ASK JEEVES MFN-B370-64-124-56-0-24 (NET-64-124-56-0-1) 64.124.56.0 - 64.124.56.255
ASK JEEVES BRW-11672-ASK (NET-216-143-191-128-1) 216.143.191.128 - 216.143.191.191
Ask Jeeves MFN-B370-209-66-103-0-24 (NET-209-66-103-0-1) 209.66.103.0 - 209.66.103.255
Tuesday, March 13, 2007
Stock Price Manipulation
A while back I posed the idea of manipulating stocks somehow using Internet technologies to affect prices and make a profit. Some people scoffed at me and told me how difficult this would be based on how many people would need to be involved to make this happen.
Here's proof that it can be done and something to watch out for:
Internet stock scam
Recently Real Networks has claimed that their stock price was manipulated possibly by hackers or Internet scam artists in China.
So call it a silly idea but there's a reason you've seen all that stock spam in your inbox.
I haven't done the math to see what it would take to get enough people to buy in to affect the price of a stock. I'm sure it depends on the stock and a lot of other factors. Just pondering the possibility.
Here's proof that it can be done and something to watch out for:
Internet stock scam
Recently Real Networks has claimed that their stock price was manipulated possibly by hackers or Internet scam artists in China.
So call it a silly idea but there's a reason you've seen all that stock spam in your inbox.
I haven't done the math to see what it would take to get enough people to buy in to affect the price of a stock. I'm sure it depends on the stock and a lot of other factors. Just pondering the possibility.
Tuesday, March 06, 2007
Ebay vs. Romanian Hacker
Ebay has been plagued by a Romanian hacker lately per this article:
http://www.eweek.com/article2/0,1895,2100808,00.asp?kc=EWSTEEMNL030607EOAD
Of interest are the various tactics ebay is using to thwart this criminal which go beyond simple tactics to more complete analysis of hacker activity ...a trend in the industry which has long been needed over an above simple firewall rules and was the reason I started writing this hacker / Internet security / Internet service blog.
More analysis of specific hacker activity by humans, not machines, will help determine traffic and activity patterns to block out attacks better than any firewall rules. It is a constant, on-going effort at mutliple layers from network to firewall to OS to application - it is not a simple one time fix.
http://www.eweek.com/article2/0,1895,2100808,00.asp?kc=EWSTEEMNL030607EOAD
Of interest are the various tactics ebay is using to thwart this criminal which go beyond simple tactics to more complete analysis of hacker activity ...a trend in the industry which has long been needed over an above simple firewall rules and was the reason I started writing this hacker / Internet security / Internet service blog.
More analysis of specific hacker activity by humans, not machines, will help determine traffic and activity patterns to block out attacks better than any firewall rules. It is a constant, on-going effort at mutliple layers from network to firewall to OS to application - it is not a simple one time fix.
Sunday, March 04, 2007
Hacker in Japan
Japan scanning IP addresses for security flaws:
203943 BLOCKED a2ge8iqi9mcec Sun Mar 04 09:24:51 PST 2007 203.143.125.226 //ads/adxmlrpc.php Mozilla/4.0 (compatible; MSIE 6.0; Windows 98) /ads/adxmlrpc.php 3/4/2007 9:24:51 AM 3/4/2007 9:24:51 AM
203942 BLOCKED 1trlwusqdgvg5 Sun Mar 04 09:24:51 PST 2007 203.143.125.226 //Ads/adxmlrpc.php Mozilla/4.0 (compatible; MSIE 6.0; Windows 98) /Ads/adxmlrpc.php 3/4/2007 9:24:51 AM 3/4/2007 9:24:51 AM
203941 BLOCKED 4tnft3pc3kubt Sun Mar 04 09:24:50 PST 2007 203.143.125.226 //phpads/adxmlrpc.php Mozilla/4.0 (compatible; MSIE 6.0; Windows 98) /phpads/adxmlrpc.php 3/4/2007 9:24:51 AM 3/4/2007 9:24:51 AM
..repeat about 50 times
203943 BLOCKED a2ge8iqi9mcec Sun Mar 04 09:24:51 PST 2007 203.143.125.226 //ads/adxmlrpc.php Mozilla/4.0 (compatible; MSIE 6.0; Windows 98) /ads/adxmlrpc.php 3/4/2007 9:24:51 AM 3/4/2007 9:24:51 AM
203942 BLOCKED 1trlwusqdgvg5 Sun Mar 04 09:24:51 PST 2007 203.143.125.226 //Ads/adxmlrpc.php Mozilla/4.0 (compatible; MSIE 6.0; Windows 98) /Ads/adxmlrpc.php 3/4/2007 9:24:51 AM 3/4/2007 9:24:51 AM
203941 BLOCKED 4tnft3pc3kubt Sun Mar 04 09:24:50 PST 2007 203.143.125.226 //phpads/adxmlrpc.php Mozilla/4.0 (compatible; MSIE 6.0; Windows 98) /phpads/adxmlrpc.php 3/4/2007 9:24:51 AM 3/4/2007 9:24:51 AM
..repeat about 50 times
A bunch of IPs requesting stuff we don't host
The following are related hacker IPs probably controlled by a command and control bot:
74.118.71.252
124.50.43.214
60.217.227.135
210.191.147.120
203.165.129.2
210.6.97.244
They all hit our site at the same time requesting things our server does not host.
Here's another set shortly before doing something similar, probably also related to the above:
195.49.188.202
71.63.100.55
210.245.147.241
218.233.57.23272.145.6.47
218.48.127.177
71.63.100.55
210.245.147.241
218.233.57.232
Perhaps someone pointed a domain to the wrong IP since they were all hitting the same domain.
These IPs are all requesting php files -- the favorite language of the hacked and hackers as far as I can tell by the percentage of hacks in the logs on various types of web programming and scripting languages.
74.118.71.252
124.50.43.214
60.217.227.135
210.191.147.120
203.165.129.2
210.6.97.244
They all hit our site at the same time requesting things our server does not host.
Here's another set shortly before doing something similar, probably also related to the above:
195.49.188.202
71.63.100.55
210.245.147.241
218.233.57.23272.145.6.47
218.48.127.177
71.63.100.55
210.245.147.241
218.233.57.232
Perhaps someone pointed a domain to the wrong IP since they were all hitting the same domain.
These IPs are all requesting php files -- the favorite language of the hacked and hackers as far as I can tell by the percentage of hacks in the logs on various types of web programming and scripting languages.
Subscribe to:
Posts (Atom)