Thursday, April 26, 2007

Keyloggers in Keyboards

Looks like keyloggers can be implanted in keyboards. Is that why my Toshiba laptop keeps croaking? It somehow always wants to type extra letters.

http://www.networkworld.com/news/2006/080806-keyboard.html?nwwpkg=alphadoggs

For Starbucks and T-Mobile - Hotspot Hacks

I don't think this is all that new. I am typically on a VPN at a hotspot (though there have been times when I wondered if someone could still access my machine).

Anyway, when will the day come that someone gets hacked at Starbucks and turns around and sues them? I don't know how that would work out. I don't know if there is anything Starbucks or T-Mobile can do about this (just naming the big guys here), but they certainly should try.

http://www.networkworld.com/news/2007/042507-infosec-evil-twin-wi-fi-access.html?nlhtsec=0423securityalert4&company=HP

DNS Server Hacks

I don't know how many times I suggested to various companies where weird things were happening that DNS might have been hacked... and they blew me off like I was nuts. Like there's no way DNS can be hacked. Right.

http://www.networkworld.com/news/2007/041307-dns-vulnerability.html?nlhtsec=0416securityalert1&company=Mu%20Security

The question is, what's the fastest way to pinpoint if your DNS server is hosed?

Tuesday, April 24, 2007

Related PHP hacker IPs

The following are related hacker hits trying to access PHP pages. These IPs are related as the hits all came at the same time.

"inetnum: 59.88.0.0 - 59.99.255.255
netname: BSNLNET
descr: NIB (National Internet Backbone)
descr: Bharat Sanchar Nigam Limited
descr: Sanchar Bhawan,20, Ashoka Road, New Delhi-110001
country: IN
" 299391 BLOCKED 9jdq30c0otrp Tue Apr 24 04:59:02 PDT 2007 59.94.208.172 /index.php Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) /index.php act=Reg&CODE=00 83 7 1 4/24/2007 4:59:03 AM 24 4 4/24/2007 4:59:03 AM
"Comcast Cable Communications, Inc. ATT-COMCAST (NET-71-192-0-0-1)
71.192.0.0 - 71.207.255.255
Comcast Cable Communications, IP Services WASHINGTON-16 (NET-71-197-128-0-1)
71.197.128.0 - 71.197.255.255
" 299389 BLOCKED 3bghs2pqv3ms4 Tue Apr 24 04:58:56 PDT 2007 71.200.172.74 /index.php /index.php act=Reg&CODE=00 83 7 1 4/24/2007 4:58:56 AM 24 4 4/24/2007 4:58:56 AM
299388 BLOCKED 1cabokzq2eon9 Tue Apr 24 04:58:55 PDT 2007 200.140.12.1 /register.php Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) /register.php action=signup&who=adult 83 7 1 4/24/2007 4:58:56 AM 24 4 4/24/2007 4:58:56 AM
299387 BLOCKED 5bntk8b5n6k1t Tue Apr 24 04:58:52 PDT 2007 58.142.79.54 /register.php Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) /register.php action=signup&who=adult 83 7 1 4/24/2007 4:58:52 AM 24 4 4/24/2007 4:58:52 AM
299386 BLOCKED b2idleeknprcn Tue Apr 24 04:58:51 PDT 2007 201.12.150.239 /profile.php Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) /profile.php mode=register 83 7 1 4/24/2007 4:58:51 AM 24 4 4/24/2007 4:58:51 AM
299385 BLOCKED 5k5ov71rsp1qd Tue Apr 24 04:58:47 PDT 2007 203.223.150.95 /profile.php Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) /profile.php mode=register 83 7 1 4/24/2007 4:58:48 AM 24 4 4/24/2007 4:58:48 AM

University of Minnesota bot

We just got a whole slew of hits much too fast for a normal user from this network and IP:

134.29.227.130

OrgName: Minnesota State University System
OrgID: MSUS
Address: Wells Fargo Place
Address: 30 7th Street East, Suite 350
City: St. Paul
StateProv: MN
PostalCode: 55101-7804
Country: US
NetRange: 134.29.0.0 - 134.29.255.255

This was in the user agent - not sure if related: knst2007

I can find no references to this on Google except that it's showing up on web stats reports - specifically for a lot of Universities.

Monday, April 23, 2007

nflplayers.com surfing the web

This web server is visiting our web sites:

66.208.26.98 resolves to "nflplayers.com"
Top Level Domain: "nflplayers.com"

iibee.com browsing web sites

This IP address points to iibee.com and seems to be a computer used to surf the web. Is this a web server or someone trying to host a site from their basement? Why is it surfing the web?

216.194.68.120 resolves to "iibee.com"
Top Level Domain: "iibee.com"

ap-art.com surfing the web

Here's a web server that is being used to surf our web sites:

207.234.208.96 resolves to "ap-art.com"
Top Level Domain: "ap-art.com"

liggins.plus.com - surfing the web?

Hmm, should this IP address be surfing the web? Seems to have an interest in our web sites.

212.159.42.175 resolves to "liggins.plus.com"
Top Level Domain: "plus.com"

turbinegenerator.com surfing the web

This ip resolves to turbinegenerator.com - seems a web server is surfing the web.

209.34.233.62 resolves to "turbinegenerator.com"
Top Level Domain: "turbinegenerator.com"

proxyout.utah.gov

Why is this proxy server for the utah government surfing our web sites? Is this a typical configuration? It could be I'm not sure.

204.113.19.8 resolves to "proxyout.utah.gov"
Top Level Domain: "utah.gov"

proxy2.xter.net

Proxy server surfing our web sites?

83.217.229.147 resolves to "proxy2.xter.net"
Top Level Domain: "xter.net"

knsk.de

Here's a web server surfing our web sites...

212.1.49.129 resolves to "knsk.de"
Top Level Domain: "knsk.de"

F5 wants to secure your apps with their network hardware

Here's an interesting approach to application security from F5 Networks using their BIG-IP device (which was insanely expensive last time I checked):

http://www.f5.com/solutions/technology/securing_enterprise_wp.html?CMP=KNC-GoogSiteNtwk&gclid=CLuEguDO2IsCFQQRYwodll4haw

The only issue I see here is more complicated application testing and debugging. It will be harder to pinpoint errors.

I haven't thought it totally through and it's late, but it seems like this is a network device and should focus on network issues.

The concept of what they are doing should be done by every application, however, and perhaps an application framework is best suited for these things. Perhaps you could use a combination, but I worry about the maintenance consequences of this.

A web server surfing the web

63.144.222.2 resolves to "www.hardeecounty.net"
Top Level Domain: "hardeecounty.net"

Sunday, April 22, 2007

Inquent = hacked?

Working away here, suddenly my printer started making noise for no apparent reason. I'm guessing someone got onto my network or my machine here and is snooping around and hit the device on that port / local IP.

I looked at IPs my machine is connected to and for no apparent reason it is connected to this IP:

205.178.145.1

InQuent Technologies Inc. INQUENT-2 (NET-205-178-128-0-1) 205.178.128.0 - 205.178.191.255
Network Solutions, LLC NSLLC01 (NET-205-178-145-0-1) 205.178.145.0 - 205.178.145.255

Hmmm....hacked or?

Thursday, April 19, 2007

Microsoft DNS + RPC vulnerability

And if you didn't believe me that DNS can be hacked and send you to the wrong place (as suggested in the last post about an eBay web site issue), read this:

http://securitywatch.eweek.com/exploits_and_attacks/microsoft_urges_workaround_as_worm_hits_unpatched_dns_flaw.html?kc=EWEWEMNL041807EP38A

A flaw in the RPC (remote procedure call) interface of the Microsoft DNS Server service is being exploited.

JavaScript hacks

Here's an interesting article on JavaScript hacks. This applies to people visiting web sites where the attack is in the page code you download, and to the inability of various antivirus, anti-malware and spybot-type software to figure out that the code is actually malicious.

http://www.eweek.com/article2/0,1895,2115638,00.asp?kc=EWEWEMNL041907EP38A

eBay site problem

eBay has a page where you can enter a whole bunch of information if you forget your password.

There is a whole host of sensitive information you have to enter on that page to get your password.

The page is only accessible via http.

Oh but they probably submit it via https you say.

So what. Let's say their DNS gets hacked somehow and someone sets up a fake page at that address on the servers you are rerouted to when you think you're at eBay. The only way to know you are really at eBay is hitting the page via https, because the certificate is tied to a specific host name. Without that you can be rerouted, and when you hit submit on this bogus page you have just given a hacker your secret question/answer (which you probably used in multiple places, right?), your birth date, place of birth, etc. etc.

Scary.
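The reasoning above, turned into a check you can run over a page's markup. This is an added example, not eBay's markup and not code from the original post: the page URL, host name and form fields below are constructed placeholders, and the list of "sensitive" field names is an assumption. The point it makes mechanical is that an https form action on an http page is not a defence, because whoever can redirect the http request can hand the user a different form.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed page (placeholder host, not eBay's real markup): a password-recovery
# form that collects the kind of details the post describes and posts them to an
# https action, while the page itself was fetched over plain http.
SAMPLE_PAGE_URL = "http://shop.example/forgot_password"
SAMPLE_HTML = """
<form action="/search" method="get">
  <input name="q" type="text">
</form>
<form action="https://shop.example/recover" method="post">
  <input name="email" type="text">
  <input name="secret_answer" type="text">
  <input name="birth_date" type="text">
  <input name="birth_place" type="text">
  <input type="submit" value="Continue">
</form>
"""

# Assumed field-name fragments that mark a form as carrying account-recovery material.
SENSITIVE_NAMES = ("password", "secret", "answer", "birth", "dob", "ssn")


class FormCollector(HTMLParser):
    """Collect each <form>'s action and the name/type of every <input> inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = a.get("name") or ""
            typ = (a.get("type") or "text").lower()
            self._current["fields"].append((name, typ))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def sensitive_fields(form):
    """Names of inputs that look like they carry secrets or identity data."""
    return [name for name, typ in form["fields"]
            if typ == "password" or any(k in name.lower() for k in SENSITIVE_NAMES)]


def audit_forms(page_url, html):
    """Return (action URL, sensitive field names, reason) for every form that is not safe end to end."""
    parser = FormCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in parser.forms:
        fields = sensitive_fields(form)
        if not fields:
            continue
        action = urljoin(page_url, form["action"])
        action_scheme = urlsplit(action).scheme.lower()
        if page_scheme != "https":
            # The form is only as trustworthy as the page that delivered it: anyone who
            # can redirect the http request (DNS, a rogue hotspot, an in-path box) can
            # serve a lookalike form with a different action, so the https action is no defence.
            if action_scheme == "https":
                reason = "page delivered over http; https action does not help"
            else:
                reason = "page and form submission both over http"
            findings.append((action, fields, reason))
        elif action_scheme != "https":
            findings.append((action, fields, "https page submits the form over http"))
    return findings


if __name__ == "__main__":
    for action, fields, reason in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{reason}: {action} collects {', '.join(fields)}")
```

Running it against the constructed page reports the recovery form once, with the "https action does not help" reason; fetching the same markup from an https page URL produces no finding, which is the configuration the post is asking for.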

Wednesday, April 18, 2007

Encoding vs. Encryption

I was working on a site that encodes cookies today and I was wondering why they did that. I was thinking that "hey, encoding is not the same as encrypting...are they doing this for security reasons?" Then I started thinking about it a little more - the distinction between encrypting and encoding. I did a quick search which provided a nice document that I am giving kudos to for backing up my thoughts on the technically correct purposes of encode and encrypt.

http://www.di-mgt.com.au/encode_encrypt.html

Friday, April 13, 2007

195.10.45.155

Here's an interesting dns resolution. Hide? Hmm.

195.10.45.155 resolves to "hide-155.nhs.uk"
Top Level Domain: "nhs.uk"

Tuesday, April 10, 2007

A surfing hosting proxy server

This IP was surfing our web sites. Looks like something good to block.

203.97.46.29 resolves to "proxy.hosting.co.nz"
Top Level Domain: "co.nz"

Websherpas.com hacked?

Hmm, websherpas.com needs to consult a higher power to prevent their server from surfing the web. This server was sniffing around our web sites:

209.102.67.2 resolves to "www.websherpas.com"
Top Level Domain: "websherpas.com"

Romania, China, Russia...

Hmm, suddenly I am getting loads of hits from Romania, China and Russia. This is after a recent article I posted suggested the US as the malware capital of the world, and my suggestion that the actual source of this hacking is elsewhere. I also suggested segmenting your servers for different parts of the world and known hacker countries, so that hacker sources are limited to hacking their own boxes and not the rest of the boxes used by countries that are not such a high percentage of Internet thieves, crooks, criminals and spies (though we all have some black sheep in our family).

212.20.253.212 resolves to "euro-hostels.co.uk"

This is another web server surfing our web site. Probably hackers or hacked.

212.20.253.212 resolves to "euro-hostels.co.uk"
Top Level Domain: "co.uk"

wmanet.org surfing our web site

Hmm. Another web server surfing our web site.

216.195.194.210 resolves to "wmanet.org"
Top Level Domain: "wmanet.org"

Saturday, April 07, 2007

209.51.147.66 - Monitoring will not stop

This IP continues to monitor our site and will not stop. Hopefully Global Net Access will look into the activities coming from this IP address.

IPs used by same hacker(s)

Just a hunch but these IPs are probably all used by the same hacker and/or hacked servers:

221.147.153.67
203.162.3.156
74.52.245.146
220.123.254.200

Friday, April 06, 2007

209.51.147.66 - HACKER

This IP either belongs to a hacker or is being used by a hacker. They bombed our site today.

Check your logs for this one...especially those in the travel industry.

Korean Hackers Are Stepping Up

In the past few days we got a number of hacker scans from Korea. We block a lot of bad ranges but suddenly they are picking up again.

Here are a few of the IP ranges:

inetnum: 125.176.0.0 - 125.191.255.255
netname: XPEED
country: KR

inetnum: 211.104.0.0 - 211.119.255.255
netname: KRNIC-KR
descr: KRNIC
descr: Korea Network Information Center
country: KR

inetnum: 220.88.0.0 - 220.95.255.255
netname: KORNET
descr: KOREA TELECOM
descr: Network Management Center
country: KR

inetnum: 218.144.0.0 - 218.159.255.255
netname: KORNET
descr: KOREA TELECOM

inetnum: 218.234.0.0 - 218.239.255.255
netname: HANANET
descr: Hanaro Telecom Co.
descr: Kukje Electornics Cneter Bldg. 1445-3 Seocho-Dong Seocho-Ku
country: KR

inetnum: 222.96.0.0 - 222.122.255.255
netname: KORNET
descr: KOREA TELECOM
descr: Network Management Center
country: KR

inetnum: 58.224.0.0 - 58.239.255.255
netname: HANANET
country: KR

A string of related PHP hacker IPs

Here is a string of hits in a row from IPs in different parts of the world requesting things that are not on our server. They are requesting a specific URL, not an IP address, so this is not a DNS problem where someone pointed a domain at our IP by mistake. I believe our DNS servers are set up correctly, as I just double-checked everything, but my hosting company has a propensity for screwing up DNS records so I will have to check that again. However, given what they are requesting, I assume these are a bunch of related hacked IPs, probably controlled by a command and control bot somewhere.

"inetnum: 220.0.0.0 - 220.63.255.255
netname: BBTECH
descr: Japan nation-wide Network of SOFTBANK BB CORP
descr: Tokyo, Japan
country: JP
" 269236 BLOCKED 7i1768n6s9ky Thu Apr 05 07:10:31 PDT 2007 220.125.98.46 /index.php Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) /index.php act=Reg&CODE=00 83 7 1 4/5/2007 7:10:31 AM 5 4 4/5/2007 7:10:31 AM
"inetnum: 218.144.0.0 - 218.159.255.255
netname: KORNET
descr: KOREA TELECOM
" 269235 BLOCKED 1n2q7vj1sj66u Thu Apr 05 07:10:28 PDT 2007 218.144.144.230 /index.php Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) /index.php act=Reg&CODE=00 83 7 1 4/5/2007 7:10:29 AM 5 4 4/5/2007 7:10:29 AM
269234 BLOCKED 17fot0jc7s1g6 Thu Apr 05 07:10:26 PDT 2007 218.239.91.102 /register.php Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) /register.php action=signup&who=adult 83 7 1 4/5/2007 7:10:27 AM 5 4 4/5/2007 7:10:27 AM
269233 BLOCKED 884p8rgc0r4b Thu Apr 05 07:10:24 PDT 2007 222.99.104.139 /register.php Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) /register.php action=signup&who=adult 83 7 1 4/5/2007 7:10:25 AM 5 4 4/5/2007 7:10:25 AM
269232 BLOCKED g6t4qf5acgdc9 Thu Apr 05 07:10:22 PDT 2007 58.226.121.105 /profile.php Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) /profile.php mode=register 83 7 1 4/5/2007 7:10:23 AM 5 4 4/5/2007 7:10:23 AM
"inetnum: 59.88.0.0 - 59.99.255.255
netname: BSNLNET
descr: NIB (National Internet Backbone)
descr: Bharat Sanchar Nigam Limited
descr: Sanchar Bhawan,20, Ashoka Road, New Delhi-110001
country: IN
" 269231 BLOCKED 1q0g62wvk2a4 Thu Apr 05 07:10:18 PDT 2007 59.93.209.25 /profile.php Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) /profile.php mode=register 83 7 1 4/5/2007 7:10:18 AM 5 4 4/5/2007 7:10:18 AM

Another php attack - XMLRPC.PHP etc.

If you are running PHP and using any of the files below, beware: there is probably some sort of hack in them. This attack comes from 61.62.83.165

Surprise, surprise - Taiwan.

inetnum: 61.62.0.0 - 61.62.255.255
netname: SONET-NET
country: TW

Taiwan is a big hacker source. If you're not doing business there you may want to consider blocking out IPs from this country. If you're not getting any money from Taiwan the only thing you will get is a bunch of problems.

269083 BLOCKED 5dmervkrad0bs Thu Apr 05 00:29:54 PDT 2007 61.62.83.165 /phpgroupware/xmlrpc.php /phpgroupware/xmlrpc.php 83 7 1 4/5/2007 12:29:54 AM 5 4 4/5/2007 12:29:54 AM
269082 BLOCKED 1gpe1xqetqxi1 Thu Apr 05 00:29:54 PDT 2007 61.62.83.165 /phpgroupware/xmlrpc.php /phpgroupware/xmlrpc.php 83 7 1 4/5/2007 12:29:54 AM 5 4 4/5/2007 12:29:54 AM
269081 BLOCKED 4famei5pnqlkj Thu Apr 05 00:29:53 PDT 2007 61.62.83.165 /wordpress/xmlrpc.php /wordpress/xmlrpc.php 83 7 1 4/5/2007 12:29:54 AM 5 4 4/5/2007 12:29:54 AM
269080 BLOCKED 48978s37c7mpo Thu Apr 05 00:29:53 PDT 2007 61.62.83.165 /wordpress/xmlrpc.php /wordpress/xmlrpc.php 83 7 1 4/5/2007 12:29:54 AM 5 4 4/5/2007 12:29:54 AM
269079 BLOCKED 9ur4s0tv5oqc Thu Apr 05 00:29:53 PDT 2007 61.62.83.165 /b2evo/xmlsrv/xmlrpc.php /b2evo/xmlsrv/xmlrpc.php 83 7 1 4/5/2007 12:29:53 AM 5 4 4/5/2007 12:29:53 AM
269078 BLOCKED 2rkqne24ojvle Thu Apr 05 00:29:53 PDT 2007 61.62.83.165 /b2evo/xmlsrv/xmlrpc.php /b2evo/xmlsrv/xmlrpc.php 83 7 1 4/5/2007 12:29:53 AM 5 4 4/5/2007 12:29:53 AM
269077 BLOCKED vt6xth4n6s0r Thu Apr 05 00:29:52 PDT 2007 61.62.83.165 /b2/xmlsrv/xmlrpc.php /b2/xmlsrv/xmlrpc.php 83 7 1 4/5/2007 12:29:53 AM 5 4 4/5/2007 12:29:53 AM
269076 BLOCKED qiox5oyth034 Thu Apr 05 00:29:52 PDT 2007 61.62.83.165 /b2/xmlsrv/xmlrpc.php /b2/xmlsrv/xmlrpc.php 83 7 1 4/5/2007 12:29:53 AM 5 4 4/5/2007 12:29:53 AM
269075 BLOCKED e7ecb4966qpr7 Thu Apr 05 00:29:52 PDT 2007 61.62.83.165 /blogtest/xmlsrv/xmlrpc.php /blogtest/xmlsrv/xmlrpc.php 83 7 1 4/5/2007 12:29:52 AM 5 4 4/5/2007 12:29:52 AM
269074 BLOCKED 12ncmocu7lv5a Thu Apr 05 00:29:52 PDT 2007 61.62.83.165 /blogtest/xmlsrv/xmlrpc.php
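As an added example (not from the original post, and not anything the blocking firewall itself does), the following Python pulls the client IP, timestamp, path, User-Agent and query string out of blocked-request lines in the layout quoted above, then applies the two hunches from this post, the "A string of related PHP hacker IPs" post and the earlier "Related PHP hacker IPs" post: registration probes (act=Reg, action=signup, mode=register) that arrive from different addresses within a few seconds of each other are grouped as one burst, and the xmlrpc.php probes are tallied per source IP and path. The log lines embedded in it are constructed from the ones above plus one extra unrelated hit; the 15-second window and the "probe kind" rules are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the same layout as the blocked-request lines quoted in the posts:
# ID, BLOCKED, session token, timestamp, client IP, path, optional User-Agent, the path
# again, optional query string, then the firewall's own counters. The zone (PDT) is the
# same on every line and is ignored. The 10.1.2.3 line is an added unrelated hit.
SAMPLE_LOG = """\
299391 BLOCKED 9jdq30c0otrp Tue Apr 24 04:59:02 PDT 2007 59.94.208.172 /index.php Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) /index.php act=Reg&CODE=00 83 7 1 4/24/2007 4:59:03 AM 24 4 4/24/2007 4:59:03 AM
299389 BLOCKED 3bghs2pqv3ms4 Tue Apr 24 04:58:56 PDT 2007 71.200.172.74 /index.php /index.php act=Reg&CODE=00 83 7 1 4/24/2007 4:58:56 AM 24 4 4/24/2007 4:58:56 AM
299388 BLOCKED 1cabokzq2eon9 Tue Apr 24 04:58:55 PDT 2007 200.140.12.1 /register.php Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) /register.php action=signup&who=adult 83 7 1 4/24/2007 4:58:56 AM 24 4 4/24/2007 4:58:56 AM
299386 BLOCKED b2idleeknprcn Tue Apr 24 04:58:51 PDT 2007 201.12.150.239 /profile.php Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) /profile.php mode=register 83 7 1 4/24/2007 4:58:51 AM 24 4 4/24/2007 4:58:51 AM
299100 BLOCKED zz9unrelated Tue Apr 24 03:12:10 PDT 2007 10.1.2.3 /index.php Mozilla/5.0 /index.php act=Reg&CODE=00 83 7 1 4/24/2007 3:12:10 AM 24 4 4/24/2007 3:12:10 AM
269083 BLOCKED 5dmervkrad0bs Thu Apr 05 00:29:54 PDT 2007 61.62.83.165 /phpgroupware/xmlrpc.php /phpgroupware/xmlrpc.php 83 7 1 4/5/2007 12:29:54 AM 5 4 4/5/2007 12:29:54 AM
269081 BLOCKED 4famei5pnqlkj Thu Apr 05 00:29:53 PDT 2007 61.62.83.165 /wordpress/xmlrpc.php /wordpress/xmlrpc.php 83 7 1 4/5/2007 12:29:54 AM 5 4 4/5/2007 12:29:54 AM
269079 BLOCKED 9ur4s0tv5oqc Thu Apr 05 00:29:53 PDT 2007 61.62.83.165 /b2evo/xmlsrv/xmlrpc.php /b2evo/xmlsrv/xmlrpc.php 83 7 1 4/5/2007 12:29:53 AM 5 4 4/5/2007 12:29:53 AM
"""

# The User-Agent is whatever sits between the two copies of the path; the query string
# is only present on some lines. A leading quote is tolerated because the posts paste
# these lines right after a quoted whois record.
LINE_RE = re.compile(
    r'^"?\s*(?P<id>\d+) BLOCKED (?P<session>\S+) '
    r"(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \w+ (?P<year>\d{4}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<path>\S+) "
    r"(?P<ua>.*?)\s*(?P=path)"
    r"(?: (?P<query>\S*=\S*))? 83 7 1"
)

# Assumed signatures of the forum/CMS registration probes seen in the posts.
REG_PROBES = ("act=Reg", "action=signup", "mode=register")


def parse_line(line):
    """Return one hit as a dict, or None if the line does not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, query = m.group("path"), m.group("query") or ""
    if path.endswith("xmlrpc.php"):
        kind = "xmlrpc"
    elif any(query.startswith(p) for p in REG_PROBES):
        kind = "register"
    else:
        kind = "other"
    when = datetime.strptime(f"{m.group('ts')} {m.group('year')}", "%a %b %d %H:%M:%S %Y")
    return {"id": int(m.group("id")), "when": when, "ip": m.group("ip"),
            "path": path, "query": query, "ua": m.group("ua"), "kind": kind}


def parse_log(text):
    """All parseable hits, oldest first."""
    hits = [h for h in (parse_line(l) for l in text.splitlines()) if h]
    return sorted(hits, key=lambda h: h["when"])


def cluster_related(hits, window=timedelta(seconds=15)):
    """Group probes of one kind whose arrivals are each within `window` of the previous one."""
    clusters = []
    for hit in hits:
        if hit["kind"] == "other":
            continue
        last = clusters[-1] if clusters else None
        if last and last[-1]["kind"] == hit["kind"] and hit["when"] - last[-1]["when"] <= window:
            last.append(hit)
        else:
            clusters.append([hit])
    return clusters


def related_ips(hits, window=timedelta(seconds=15)):
    """Distinct source IPs of each registration-probe burst that involves more than one address."""
    return [sorted({h["ip"] for h in c})
            for c in cluster_related(hits, window)
            if c[0]["kind"] == "register" and len({h["ip"] for h in c}) > 1]


def xmlrpc_probe_paths(hits):
    """Per source IP, the CMS locations of xmlrpc.php it tried (one scanner walking a wordlist)."""
    paths = defaultdict(set)
    for h in hits:
        if h["kind"] == "xmlrpc":
            paths[h["ip"]].add(h["path"])
    return {ip: sorted(p) for ip, p in paths.items()}


if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG)
    for ips in related_ips(hits):
        print("registration probe burst from", ", ".join(ips))
    for ip, paths in xmlrpc_probe_paths(hits).items():
        print(ip, "probed", len(paths), "xmlrpc.php locations:", " ".join(paths))
```

On the sample this reports one burst of four addresses (the 03:12 hit is the same probe but almost two hours away, so it stays out) and one scanner that tried three xmlrpc.php locations. Widen the window or add query signatures as the probes you see change; the timing rule is what turns "these arrived together" from a hunch into something you can re-run on tomorrow's log.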

Wednesday, April 04, 2007

Charter bot is back

Will it ever give up or will Charter ever do something about this bot...

Charter - bot/1.0 (bot; http://; bot@bot.bot)

267331 BLOCKED 2t10omfv05mc Wed Apr 04 07:58:34 PDT 2007 71.13.115.117 bot/1.0 (bot; http://www.bot.bot; bot@bot.bot) 83 7 1 4/4/2007 7:58:35 AM 4 4 4/4/2007 7:58:35 AM

IPs that need to be updated

Here are some interesting results looking up the information about this IP range:

inetnum: 156.54.0.0 - 156.54.255.255

remarks: This inetnum has been transfered as part of the ERX. It was present in both the ARIN and RIPE databases, so the information from both databases has been merged. If you are the mntner of this object, please update it to reflect the correct information.

Tuesday, April 03, 2007

Comcast needs to fix this domain name

This domain name information is not correct ... MN needs to be changed:

24.18.46.154 resolves to "c-24-18-46-154.hsd1.mn.comcast.net"
Top Level Domain: "comcast.net"

An Exchange server perhaps?

If this is an Exchange server what is it doing surfing our web sites?

Perhaps this stands for something else however:

64.65.150.210 resolves to "exch.seattlearch.org"
Top Level Domain: "seattlearch.org"

Bank Server surfing?

Here's a bank server in Sweden surfing the web....is this right? That's a little scary...but perhaps since I don't speak the language this is referring to a modem bank..so I'll let it slide for now =)

195.242.56.2 resolves to "clients.kaupthing.se"
Top Level Domain: "kaupthing.se"

Funny looking domain resolution for a web surfer...

This one looks a little funny ...is this really the IP of an end user surfing or a server?

128.250.172.175 resolves to "guyd.psych.unimelb.edu.au"
Top Level Domain: "edu.au"

Another surfing web server? william.aeoncyberclub.com

Here's an IP with an interesting resolution:

202.7.145.118 resolves to "william.aeoncyberclub.com"
Top Level Domain: "aeoncyberclub.com"

Is this really a machine surfing the web or a human?

www.adressendeutschland.de web server surfing our web sites

This server appears to be surfing the web and appears to be a web server, though by the looks of the "site" it may be an amateur at home hosting his or her own site.

88.198.38.230 resolves to "www.adressendeutschland.de"
Top Level Domain: "adressendeutschland.de"

ozemail.com.au surfing the web

Is this really an email domain or a dsl domain? It says ozemail but then it has dsl in the URL as well. Hopefully someone in Australia can alert this email / dsl provider to find out if this server is hacked.

203.102.242.189 resolves to "189.fip-4.dsl.ozemail.com.au"
Top Level Domain: "com.au"

km6.favo.tv -- a computer user?

This IP was hitting our site - not sure if this is part of a DSL network, a router or other networking equipment, or something totally not legitimate.

87.118.100.27 resolves to "km6.favo.tv"
Top Level Domain: "favo.tv"

A proxy server in the Philippines

Here's a proxy server in the Philippines surfing around our web sites...

202.44.136.50 resolves to "proxy.thapra.su.ac.th"
Top Level Domain: "ac.th"

Speak Easy "scan alert" server surfing our sites?

A SpeakEasy IP with some scanalert.com application is surfing our web sites...

66.92.26.98 resolves to "scan0.scanalert.com"
Top Level Domain: "scanalert.com"

EntireWeb surfing our web sites

Here's another web server IP address surfing our web sites. This is a search engine optimization company so chances are they are analyzing our sites to snipe content and/or copy our ranking techniques. I suggest you block this one out.

62.13.25.221 resolves to "www.entireweb.com"
Top Level Domain: "entireweb.com"

Monday, April 02, 2007

A web server surfing our web sites

Here's a web server surfing our web sites:

209.180.210.90 resolves to "sightlife.org"
Top Level Domain: "sightlife.org"