Trends from the trenches of Internet traffic. Hackers, spammers and Internet abuse. IP address database. DNS sightings. Views and opinions expressed are my own. ~ Teri Radichel @teriradichel
Friday, June 29, 2007
Servervault
OrgName: Servervault
OrgID: SVLT
Address: 1506 Moran Road
City: Dulles
StateProv: VA
PostalCode: 20166
Country: US
ReferralServer: rwhois://rwhois.servervault.com:4321
NetRange: 216.12.128.0 - 216.12.159.255
Network Solutions Validation Flaws
The imposter company is listed on a bunch of spammy web sites that are detracting from the business of the valid company. The imposter company was even listed in the Hoovers and D & B databases -- which are used by Network Solutions to validate SSL certificates.
Do you see a HUGE problem here? This is it: some company gets bogus records into the much flawed D & B records - D & B had company addresses that were six years old in this database. Also anyone can call in and change company records pretty easily. So Network Solutions uses these very inaccurate databases to validate SSL certificates and back them with a $1 Million Guarantee - and because the records are flawed it is a real pain in the you know what for the legitimate companies to actually get SSL certificates because D & B is showing records for some imposter company.
Using a marketing database that anyone can call in and update is a pretty flawed way of validating that a company is legitimate. Additionally they use the state records to validate, and companies typically have a separate address for power of attorney which may not match the billing and mailing addresses of the actual company. Using these things to validate the company is also flawed.
Also recently someone was able to change my banking records to send my mail to an old PO box. If someone could get my banking records to go to an old mailbox and pick up my mail, they could send in the bank statements to validate the company with Network Solutions. The whole way Network Solutions is doing their validation is completely flawed.
Why can't they use Verified by Visa, or the billing address on the credit card, and the information on the actual web site that the person owns? Also, since I have other SSL certificates which I registered with them recently and already sent in validation for, why can't they look at the history - both to validate and to invalidate rip-off requests?
There has to be some better form of validation, though I am not exactly sure what it is. I just know the current forms of validation are not the best.
Thursday, June 28, 2007
131.107.0.73
This IP is searching on odd things and I'm not quite sure how they were directed to our site from these links...
131.107.0.73  http://sailingseattle.com/catering.htm
131.107.0.95  http://search.live.com/result.aspx?q=buspar&mrt=en-us&FORM=LVSP
131.107.0.95  http://search.live.com/result.aspx?q=keno&mrt=en-us&FORM=LVSP
131.107.0.95  http://search.live.com/result.aspx?q=nissan&mrt=en-us&FORM=LVSP
131.107.0.95  http://search.live.com/result.aspx?q=porche&mrt=en-us&FORM=LVSP
131.107.0.95  http://search.live.com/result.aspx?q=tenuate&mrt=en-us&FORM=LVSP
131.107.0.96  http://search.live.com/result.aspx?q=amitriptyline&mrt=en-us&FORM=LVSP
131.107.0.96  http://search.live.com/result.aspx?q=blowjob&mrt=en-us&FORM=LVSP
131.107.0.96  http://search.live.com/result.aspx?q=hydrocodone&mrt=en-us&FORM=LVSP
131.107.0.96  http://search.live.com/result.aspx?q=milf&mrt=en-us&FORM=LVSP
131.107.0.96  http://search.live.com/result.aspx?q=tramadol&mrt=en-us&FORM=LVSP
131.170.90.4  http://www.google.com.au/search?sourceid=navclient&ie=UTF-8&rls=GGLD,GGLD:2004-09,GGLD:en&q=low+carb+lunches
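One way to sort referrers like these automatically, as an added example that is not part of the original post: the script below pulls the search query out of each search-engine referrer, groups the queries by source IP, and flags IPs whose searches are mostly off-topic keywords (pharmaceuticals, gambling) for a sailing and catering site. The "IP referrer" line format, the keyword list and the query parameter names are assumptions made for the example; the sample lines reuse the referrers listed above.

```python
from urllib.parse import urlsplit, parse_qs

# Search terms that have nothing to do with a sailing/catering site and are
# typical of referrer spam or keyword probing. Constructed list for this
# example; tune it to the subject of the site you actually host.
SUSPECT_TERMS = {
    "buspar", "tenuate", "amitriptyline", "hydrocodone", "tramadol", "keno",
}

# Parameter names that carried the query on common search engines of the
# time (q on Live/Google, p on Yahoo). Assumed for the example.
QUERY_PARAMS = ("q", "p", "query")


def search_terms(referrer):
    """Return the search query embedded in a search-engine referrer URL, or None."""
    parts = urlsplit(referrer)
    if not parts.scheme or not parts.netloc:
        return None
    params = parse_qs(parts.query)  # decodes '+' and %xx escapes for us
    for name in QUERY_PARAMS:
        if name in params and params[name][0]:
            return params[name][0]
    return None


def profile_referrers(log_lines):
    """Group search terms by source IP.

    Input lines are 'IP referrer' pairs (a constructed format for this example).
    Returns {ip: {"queries": [terms...], "suspect": count_of_off_topic_queries}}.
    """
    per_ip = {}
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        ip, _, referrer = line.partition(" ")
        terms = search_terms(referrer.strip())
        if terms is None:
            continue  # not a search-engine referrer, or no query parameter
        entry = per_ip.setdefault(ip, {"queries": [], "suspect": 0})
        entry["queries"].append(terms)
        if set(terms.lower().split()) & SUSPECT_TERMS:
            entry["suspect"] += 1
    return per_ip


def suspicious_sources(per_ip, min_queries=2, ratio=0.5):
    """IPs with several search referrers, most of them off-topic keywords."""
    return sorted(
        ip for ip, entry in per_ip.items()
        if len(entry["queries"]) >= min_queries
        and entry["suspect"] / len(entry["queries"]) >= ratio
    )


# Sample lines built from the referrers listed above (line format is constructed).
SAMPLE_LOG = """
131.107.0.73 http://sailingseattle.com/catering.htm
131.107.0.95 http://search.live.com/result.aspx?q=buspar&mrt=en-us&FORM=LVSP
131.107.0.95 http://search.live.com/result.aspx?q=keno&mrt=en-us&FORM=LVSP
131.107.0.95 http://search.live.com/result.aspx?q=nissan&mrt=en-us&FORM=LVSP
131.107.0.95 http://search.live.com/result.aspx?q=porche&mrt=en-us&FORM=LVSP
131.107.0.95 http://search.live.com/result.aspx?q=tenuate&mrt=en-us&FORM=LVSP
131.107.0.96 http://search.live.com/result.aspx?q=amitriptyline&mrt=en-us&FORM=LVSP
131.107.0.96 http://search.live.com/result.aspx?q=hydrocodone&mrt=en-us&FORM=LVSP
131.107.0.96 http://search.live.com/result.aspx?q=tramadol&mrt=en-us&FORM=LVSP
131.170.90.4 http://www.google.com.au/search?sourceid=navclient&ie=UTF-8&rls=GGLD,GGLD:2004-09,GGLD:en&q=low+carb+lunches
""".strip().splitlines()

if __name__ == "__main__":
    profile = profile_referrers(SAMPLE_LOG)
    for ip in suspicious_sources(profile):
        print(ip, profile[ip]["suspect"], "of", len(profile[ip]["queries"]), "queries off-topic")
```

The referrer header is client-supplied, so a flagged IP is only a lead: compare it with what the same IP did next (did it request anything other than the landing page?) before treating it as a bot.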
Wednesday, June 27, 2007
Cross Site Request Forgeries
http://www.eweek.com/article2/0,1895,2151154,00.asp
http://shiflett.org/articles/cross-site-request-forgeries
http://4diggers.blogspot.com/
67.40.220.161
/instmsg/aliases/orders
Tuesday, June 26, 2007
instmsg/aliases/orders 67.40.220.161
This IP, 67.40.220.161 (Qwest), is trying to access this URI on our shopping cart system:
instmsg/aliases/orders
I found this on the Microsoft web site:
http://support.microsoft.com/kb/278974
Noc4Hosts bombing our server
66.232.97.32
OrgName: NOC4Hosts Inc.
OrgID: NOC4H
Address: 400 N Tampa St
Address: #1025
City: Tampa
StateProv: FL
PostalCode: 33602
Country: US
ReferralServer: rwhois://rwhois.noc4hosts.com:4321/
NetRange: 66.232.96.0 - 66.232.127.255
Monday, June 25, 2007
XSL Transformations and Client Side Calculations
Yes, this all sounds lovely but I'm sure that most smart e-commerce programmers would instantly recognize that you should not leave any important calculations to the client side of the e-commerce process where it can be manipulated, either by the end user, or by a hacker that has infected his or her machine.
I was going to note that I've always had a somewhat significant amount of traffic from Turkey, by the way, which I find odd given what I am hosting.
Programmer beware - don't jump on everything you read as the next best thing. Consider the pros, cons and appropriate usages of each new technology option. And if you are not entirely sure how it works within your application framework, best check that out before rushing to implementation.
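To make the point concrete, here is an added example (not code from the original post) of the server-side counterpart: the server recomputes the order total from SKU and quantity against its own catalog and never prices anything from a total or unit price the browser sends back, whether that number came from an XSL transform, a script, or a tampered form post. The catalog, tax rate and submission format are constructed for the example.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed catalog and tax rate: in a real shop these come from the
# database on the server, never from the client.
CATALOG = {
    "SKU-100": Decimal("19.99"),
    "SKU-200": Decimal("5.00"),
}
TAX_RATE = Decimal("0.089")


def money(value):
    """Round to cents the way the invoice will show it."""
    return value.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def server_total(items):
    """Recompute the order total from SKU and quantity only.

    Any 'price' or 'subtotal' fields the client included are ignored here;
    the only client input that influences the price is *which* item and
    *how many*, both validated.
    """
    subtotal = Decimal("0")
    for item in items:
        sku = item["sku"]
        qty = int(item["qty"])
        if sku not in CATALOG:
            raise ValueError(f"unknown sku {sku}")
        if qty < 1 or qty > 1000:
            raise ValueError(f"bad quantity {qty} for {sku}")
        subtotal += CATALOG[sku] * qty
    return money(subtotal * (1 + TAX_RATE))


def accept_order(submission):
    """Validate a client-submitted order.

    Returns (accepted, authoritative_total). The client's 'total' is never
    charged; it is only compared with the server's figure so that a mismatch
    (tampering, or a stale price in the client's copy of the catalog) is
    rejected and can be logged instead of silently corrected.
    """
    authoritative = server_total(submission["items"])
    claimed = Decimal(str(submission.get("total", "0")))
    if claimed != authoritative:
        return False, authoritative
    return True, authoritative


if __name__ == "__main__":
    honest = {"items": [{"sku": "SKU-100", "qty": 2}, {"sku": "SKU-200", "qty": 1}],
              "total": "48.98"}
    tampered = {"items": [{"sku": "SKU-100", "qty": 2, "price": "0.01"}],
                "total": "0.02"}
    print(accept_order(honest))    # accepted
    print(accept_order(tampered))  # rejected, server says 43.54
```

The client-side calculation can still exist for display; it just has no authority. Rejecting a mismatch rather than quietly substituting the server total also gives you a log line for every tampering attempt.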
RackSpace potential hacker
It is either a bot or a hacker since this is not an end user computer:
207.97.207.39 resolves to "navigatormultimedia.com"
Top Level Domain: "navigatormultimedia.com"
OrgName: Rackspace.com, Ltd.
OrgID: RSPC
Address: 9725 Datapoint Drive
Address: Suite 100
City: San Antonio
StateProv: TX
PostalCode: 78229
Country: US
NetRange: 207.97.192.0 - 207.97.255.255
Friday, June 22, 2007
Are you worried yet?
I have been writing in this blog about the need for increased security and government involvement to resolve these problems. I have been writing that these problems are bigger than people realize and affect each and every one of us - our security, our salary, our bank accounts, credit cards, identities and our online purchases.
Today the pentagon was hacked:
Ok, it happens. But how long has this been going on, I wonder? And even worse... our secretary of state says "I'm a very low-tech person."
If the government doesn't get it that they need someone who understands Internet security at the top of the chain - then we are all in big trouble. He better get high-tech or at least tech savvy pretty soon or we are all in big trouble.
Kaspersky Wants to Give Awards to Hackers
http://blogs.pcmag.com/securitywatch/2007/06/the_kaspersky_malware_awards_1.php
Not a fan. These people do not deserve awards and they probably thrive on the attention. Shame on any news organization that publishes these things. These people do not need to be given attention as if they have performed some great feat. They need to be put in jail and shown to all the world that they are hated, despised criminals that will be punished.
Kaspersky says who knows malware better than the people who fight it. I say who knows malware better than the people who WRITE it.
Hmm so the logic goes if A=B and B=C then A = B. Oh never mind.
Just audit everything. Everything.
Thursday, June 21, 2007
AOL Bot
Following right on its heels - this known hacker IP was attempting to reach the web server: 8.7.22.195
Shortly before we were hit multiple times by a known hacker IP range: 207.36.201.40
Firefox spyware
iPhone not secure
http://www.networkworld.com/news/2007/061907-apple-iphone-gartner.html?nlhtsec=0618securityalert4&
Tuesday, June 19, 2007
Google Security API
http://www.pcworld.com/article/id,133069-page,1/article.html
Microsoft - Security Opinion
http://www.networkworld.com/community/?q=node/16266&nlhtsec=0618securityalert1&
I disagree. There is a certain level of security that needs to be provided at the operating system level that is beyond the application itself, and in some cases the people who own the system did not even intend to install the software, or the software is doing something other than its intended purpose. My point here is the operating system has certain "responsibilities", shall we say, to manage all these applications: it should prevent some rogue activity and provide appropriate monitoring of things it will not necessarily block, so users can easily see what is happening on their system.
Additionally Microsoft does write some of these programs and has responsibility to ensure they are secure and fix any new security breaches. This is not necessarily blaming - it is a fact, however.
Additionally Microsoft needs to delve deeply into the security of things that allow communication across servers such as RPC and DCOM. I have had someone hacking on my server using these technologies - I don't even use them. Microsoft needs to ensure these cannot be used unless the server owner specifically requests to open up these channels in and out of their servers or provide some huge warning if they are open and available.
These are the areas where I would blame Microsoft if there is a security breach, or at least where they can improve and help ensure security.
Microsoft actually can have a competitive advantage over other operating systems that are open source because they have the resources, if they so choose, to pour into security on systems and provide a more cohesive solution than an open source software platform. However some people will always choose open source due to the cost issue and the ability to reprogram parts of the OS if needed.
Where to report Internet Crime...
Here are some tips....
Here are some useful links for reporting fraud: Internet Fraud
You can report crimes at the Internet Crime Complaint center:
Internet Crime Complaint Center
If it is a crime by someone within the US, there is a link on the FBI web site.
If it is a crime committed by someone outside of the US you may want to report it to the CIA and related web sites.
You can report your hacker traffic trends at SANS Institute. The more people submit firewall logs the more information they have to analyze and compile research to help thwart hackers.
For spam you can report it in some cases to your local government officials. Some states have laws against spam and will prosecute, so try your state prosecuting attorney's office. You can also report to anti-spam organizations that go after and try to prosecute spammers, such as SpamCop. Here are some good links: How to Report Spam. In the case of spam, if you know how to look at email headers, report the spam to the offending network - and not just the local network if it is a company, but the larger network such as AT&T, Comcast or SBC.
In the case of bots and extraneous network traffic report the excessive traffic to the offending network, same as above and the server owner if possible. In some cases you can find out the owner of a computer by doing a reverse look up on the IP address to get the domain name. You can also use tools like DNSStuff.com to look up an IP address and find out the abuse email of the offending network. Send them your logs so they have accurate information with time and date to track down the offending person or malware infected machine.
Make sure you report known bugs and affected software to the vendors that make the hardware and software that may be the source of the problem. The more people that report the problem the better the chance it will be solved.
Write to your local, state, and federal representatives for issues such as fraud, identity theft, hacking and spam so they understand and address your concerns. Some of these issues on the international level require government knowledge, diplomacy, more appropriate laws and better law enforcement to be resolved.
More useful links on reporting Internet crime:
Report fraud here: http://www.sec.gov/investor/pubs/cyberfraud/tellus.htm and read more about it here: http://www.usa.gov/Citizen/Topics/Internet_Fraud.shtml or here: http://www.fbi.gov/majcases/fraud/internetschemes.htm
CyberCrime: http://www.usdoj.gov/criminal/cybercrime/
http://wiki.castlecops.com/Reporting_Internet_Crime:_The_United_States_of_America
Internet Scams: http://www.scambusters.org/
Reporting Internet Crime in the UK: http://www.homeoffice.gov.uk/crime-victims/reducing-crime/internet-crime/
IFrame Hack Job
http://www.networkworld.com/news/2007/061907-italian-job-web-attack.html
Monday, June 18, 2007
PHP Hackers - 2007 to date
36 205.247.203.14 /PHPMYadmin/main.php 6
20 205.247.203.14 /myADMIN/main.php 6
8 205.247.203.14 /mysql-admin/main.phpmain.php 6
8 205.247.203.14 /pma/main.php 6
4 205.247.203.14 /PMA/main.phpmain.php 6
4 205.247.203.14 /pmamy/main.php 6
4 205.247.203.14 /admin/mysql/main.phpmain.php 6
4 205.247.203.14 /admin/phpmyadmin/main.phpmain.php 6
4 205.247.203.14 /admin/pma/main.phpmain.php 6
4 217.71.214.163 /cacti//graph_image.php 6
4 205.247.203.14 /db/main.phpmain.php 6
4 205.247.203.14 /mysql/main.phpmain.php 6
4 205.247.203.14 /phpMyAdmin-2.2.3/main.phpmain.php 6
4 205.247.203.14 /phpMyAdmin-2.2.7-pl1/main.phpmain.php 6
4 205.247.203.14 /phpMyAdmin-2.2.7/main.phpmain.php 6
4 205.247.203.14 /phpMyAdmin-2.7.0/main.phpmain.php 6
4 205.247.203.14 /phpMyAdmin-2.9.1/main.phpmain.php 6
4 205.247.203.14 /phpmyadmin2/main.phpmain.php 6
4 217.71.214.163 //graph_image.php 6
4 205.247.203.14 /web/phpMyAdmin/main.phpmain.php 6
4 205.247.203.14 /mysqladmin/main.phpmain.php 6
4 205.247.203.14 /phpMyAdmin-2.2.0/main.phpmain.php 6
4 205.247.203.14 /phpMyAdmin-2.2.6/main.phpmain.php 6
4 205.247.203.14 /phpMyAdmin-2.5.1/main.phpmain.php 6
4 205.247.203.14 /phpMyAdmin-2.5.4/main.phpmain.php 6
4 205.247.203.14 /phpMyAdmin-2.5.6/main.phpmain.php 6
4 205.247.203.14 /phpMyAdmin-2.6.4-pl4/main.phpmain.php 6
4 205.247.203.14 /phpMyAdmin-2.6.4/main.phpmain.php 6
4 205.247.203.14 /phpMyAdmin-2.7.0-pl2/main.phpmain.php 6
4 205.247.203.14 /phpMyAdmin-2.8.1/main.phpmain.php 6
4 205.247.203.14 /phpMyAdmin-2.8.2.1/main.phpmain.php 6
4 205.247.203.14 /phpMyAdmin-2.8.2.2/main.phpmain.php 6
4 205.247.203.14 /phpMyAdmin-2.8.2.4/main.phpmain.php 6
4 205.247.203.14 /phpMyAdmin-2.9.0.1/main.phpmain.php 6
4 205.247.203.14 /phpMyAdmin-2.9.0.2/main.phpmain.php 6
4 205.247.203.14 /phpMyAdmin-2.9.0/main.phpmain.php 6
4 205.247.203.14 /phpmyadmin/main.phpmain.php 6
4 205.247.203.14 /phpmyadmin/test.phpmain.php 6
4 205.247.203.14 /admin/main.phpmain.php 6
4 205.247.203.14 /dbadmin/main.phpmain.php 6
4 205.247.203.14 /myadmin/main.phpmain.php 6
4 205.247.203.14 /main.phpmain.php 6
2 87.106.103.182 /include/include_top.php 6
1 130.39.11.106 /index.php 6
1 218.127.216.28 /index.php 6
1 219.254.1.163 /index.php 6
1 67.82.106.110 /index.php 6
1 87.228.58.238 /index.php 6
1 122.16.74.92 /profile.php 6
1 220.102.115.237 /profile.php 6
1 67.84.237.55 /profile.php 6
1 68.102.105.73 /profile.php 6
1 68.197.29.166 /profile.php 6
1 68.226.166.235 /register.php 6
1 61.47.47.58 //index.php 6
1 195.222.29.132 //forum/admin/index.php 6
1 172.177.4.5 /index.php 6
1 24.210.154.219 /index.php 6
1 24.250.199.114 /index.php 6
1 64.178.157.212 /index.php 6
1 68.42.187.199 /index.php 6
1 70.161.19.176 /index.php 6
1 222.66.48.253 /profile.php 6
1 68.40.241.80 /profile.php 6
1 72.137.246.167 /profile.php 6
1 72.187.132.166 /profile.php 6
1 213.113.230.166 /register.php 6
1 61.102.25.233 /register.php 6
1 61.157.96.36 /register.php 6
1 65.75.109.219 /register.php 6
1 68.102.172.102 /register.php 6
1 68.94.231.55 /register.php 6
1 72.188.93.47 /register.php 6
1 86.107.156.115 /register.php 6
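Added example, not part of the original post: a small script that reads summary rows in the format above (hits, IP, path; the trailing column is carried along unparsed), adds up hits on paths that look like database or admin consoles, and reports IPs that tried many distinct admin paths, which is the signature of a scanner walking a list of phpMyAdmin install locations rather than a lost user. The path patterns beyond phpMyAdmin and cacti are assumptions; the sample rows are a subset of the list above.

```python
import re
from collections import defaultdict

# Path fragments that identify probing for database/admin consoles. The
# phpMyAdmin and cacti names come from the log above; the other variants
# are common scanner targets and are assumptions for this example.
ADMIN_PROBE = re.compile(
    r"(phpmyadmin|/pma\b|/pmamy\b|myadmin|mysql|dbadmin|/admin/|cacti|graph_image\.php)",
    re.IGNORECASE,
)


def parse_summary_line(line):
    """Parse a 'hits ip path ...' row. Returns (hits, ip, path) or None if malformed."""
    fields = line.split()
    if len(fields) < 3 or not fields[0].isdigit():
        return None
    return int(fields[0]), fields[1], fields[2]


def probe_report(lines):
    """Per IP: total hits on admin-console paths and the set of distinct paths tried."""
    report = defaultdict(lambda: {"hits": 0, "paths": set()})
    for line in lines:
        parsed = parse_summary_line(line)
        if parsed is None:
            continue
        hits, ip, path = parsed
        if ADMIN_PROBE.search(path):
            report[ip]["hits"] += hits
            report[ip]["paths"].add(path)
    return dict(report)


def scanners(report, min_paths=5):
    """IPs that tried at least min_paths distinct admin paths: automated scanning."""
    return sorted(ip for ip, r in report.items() if len(r["paths"]) >= min_paths)


# Subset of the rows above, in the same format (hits, IP, path, trailing column).
SAMPLE_ROWS = """
36 205.247.203.14 /PHPMYadmin/main.php 6
20 205.247.203.14 /myADMIN/main.php 6
8 205.247.203.14 /mysql-admin/main.phpmain.php 6
8 205.247.203.14 /pma/main.php 6
4 205.247.203.14 /phpMyAdmin-2.9.1/main.phpmain.php 6
4 205.247.203.14 /admin/phpmyadmin/main.phpmain.php 6
4 217.71.214.163 /cacti//graph_image.php 6
4 217.71.214.163 //graph_image.php 6
1 130.39.11.106 /index.php 6
1 68.226.166.235 /register.php 6
""".strip().splitlines()

if __name__ == "__main__":
    report = probe_report(SAMPLE_ROWS)
    for ip in scanners(report):
        print(ip, report[ip]["hits"], "hits on", len(report[ip]["paths"]), "admin paths")
```

None of these paths exist on the site being scanned, so every hit is a 404 that costs nothing but log space; the useful action is to block the source at the firewall and, if you do run phpMyAdmin anywhere, keep it off the default paths and behind authentication.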
71.13.115.117 - Charter - Bot
Charter Communications MDS-WI-71-13-112 (NET-71-13-112-0-1) 71.13.112.0 - 71.13.119.255
Charter Communications CC04 (NET-71-8-0-0-1) 71.8.0.0 - 71.15.255.255
CONTINENTAL BROADBAND PENNSYLVANIA, INC. - HACKER
There's a hacker at this location attempting to access our sites with ColdFusion:
OrgName: CONTINENTAL BROADBAND PENNSYLVANIA, INC.
OrgID: CBP-17
Address: 810 Parish St
City: Pittsburgh
StateProv: PA
PostalCode: 15220
Country: US
NetRange: 208.40.128.0 - 208.40.207.255
IP Address: 208.40.131.148
New Horizons - Major Hacking
We are getting major hacking from this network on this IP: 205.247.203.14
OrgName: New Horizons
OrgID: NEWHOR-1
Address: 1231 E Dyer Rd, Ste 140
City: Santa Ana
StateProv: CA
PostalCode: 92705
Country: US
NetRange: 205.247.203.0 - 205.247.203.255
They have requested PHP admin pages in over 200 sessions this month so far alone.
Saturday, June 16, 2007
Another Hacker - CenturyTel
Hacker - Comcast in Miami
Thursday, June 14, 2007
Botnets - Scourge of the Internet
http://www.networkworld.com/news/2007/061307-fbi-operation-bot-roast.html?nlhtsec=0611securityalert4
Since starting to uncover the network patterns of spam about 3 years ago when I got sick of 950 spam emails per day I have been sending out messages about how these attacks are coordinated and coming from the servers of large companies...and since then the problem has only gotten worse.
One of my biggest reasons for writing this blog was to get someone - anyone - to take notice of the underlying Internet traffic - good and bad - and do something about it. I got sick of network admins throwing up their hands and telling me I was full of it when my server was hacked or that there was nothing that can be done about it...
This is exactly what we need. We need big businesses involved and the government and even better yet, we need large hosting facilities to analyze their traffic on an anonymous but global basis to determine traffic patterns that are obviously bots and illegal activities.
This is a long awaited happy day...
Thursday, June 07, 2007
National Vulnerability Database
http://nvd.nist.gov/viewvpv.cfm?complete=no&vendor=yes&product=yes&version=no&vendorchar=Omniture
This can be useful when researching whether or not you want to use a particular product - how many times has it been hacked?
Omniture Vulnerabilities
http://securitytracker.com/alerts/2006/Dec/1017392.html
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6640
http://securitytracker.com/alerts/2006/Dec/1017392.html
Vulnerability using .gif files
http://randominternet.blogspot.com/2007/06/omniture-hacking-again.html
He stated that he's reviewed the code and all they are doing is downloading gif files, and that Omniture is used by large sites like CNN, Amazon and Sun. (Implication: if they use it it must be secure).
My response was: that makes them a great target. Look at the pot of gold at the other end of the rainbow. There are huge user bases for these sites plus people testing and reviewing the code at these companies behind firewalls...
So anyway I said what if the execution of malicious code is in the gif files, not in the JavaScript itself? And my boss says no, they are just simple gif files.
So I thought well, I've seen hacks in image files before let's see what's out there. And I found this:
___________
http://vil.nai.com/vil/Content/v_vul26549.htm
http://www.microsoft.com/technet/security/advisory/912840.mspx
Microsoft Office Remote Code Execution Using a Malformed GIF Vulnerability - CVE-2006-1540
A remote code execution vulnerability exists in Office using a GIF file. An attacker could exploit the vulnerability by constructing a specially crafted Office file that could allow remote code execution. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
________
And guess what. If someone could get this onto the Sun web site, that is where everyone goes to download Java - on servers that run e-commerce web sites, application servers, etc. You get the picture.
I have no idea how to test this theory. Maybe someone out there can just verify nothing funky is going on...
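One thing that can be verified mechanically is whether a served image is structurally a plain GIF. The added check below (mine, not from the original post or from Omniture) walks the GIF block structure and reports anything a decoder should not see: data appended after the trailer, a truncated file, or an image descriptor that does not fit the logical screen. It is a triage filter for files pulled from a web server's cache or logs, not a detector for CVE-2006-1540 specifically (that bug is in Office's parser, and a structurally valid file can still trigger a decoder bug). The 1x1 sample GIF is constructed inline.

```python
import struct

# Minimal valid 1x1 GIF89a (43 bytes), constructed here as the clean sample.
MINIMAL_GIF = bytes.fromhex(
    "474946383961"          # "GIF89a"
    "01000100800000"        # logical screen 1x1, global color table flag set (2 entries)
    "000000ffffff"          # global color table: black, white
    "21f9040100000000"      # graphic control extension + block terminator
    "2c000000000100010000"  # image descriptor: 1x1 at (0,0), no local color table
    "0202440100"            # LZW min code size 2, one 2-byte sub-block, terminator
    "3b"                    # trailer
)


def _skip_sub_blocks(data, pos):
    """Advance past a chain of data sub-blocks; return the offset after the 0x00 terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated inside data sub-blocks")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        if pos + size > len(data):
            raise ValueError("sub-block length runs past end of file")
        pos += size


def check_gif(data):
    """Walk the GIF block structure; return a list of findings (empty list = clean)."""
    findings = []
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return ["not a GIF87a/GIF89a header"]
    width, height, packed = struct.unpack("<HHB", data[6:11])
    pos = 13                                  # past the 7-byte logical screen descriptor
    if packed & 0x80:                         # global color table present
        pos += 3 * (2 << (packed & 0x07))     # 3 bytes per entry, 2^(n+1) entries
    try:
        while True:
            if pos >= len(data):
                findings.append("no trailer (0x3B): file is truncated")
                return findings
            introducer = data[pos]
            pos += 1
            if introducer == 0x3B:            # trailer: end of stream
                break
            if introducer == 0x21:            # extension: label byte, then sub-blocks
                if pos >= len(data):
                    raise ValueError("truncated extension block")
                pos += 1
                pos = _skip_sub_blocks(data, pos)
            elif introducer == 0x2C:          # image descriptor
                if pos + 9 > len(data):
                    raise ValueError("truncated image descriptor")
                left, top, iw, ih, ipacked = struct.unpack("<HHHHB", data[pos:pos + 9])
                pos += 9
                if iw == 0 or ih == 0 or left + iw > width or top + ih > height:
                    findings.append(
                        f"image {iw}x{ih} at ({left},{top}) does not fit the "
                        f"{width}x{height} logical screen")
                if ipacked & 0x80:            # local color table
                    pos += 3 * (2 << (ipacked & 0x07))
                pos += 1                      # LZW minimum code size
                pos = _skip_sub_blocks(data, pos)
            else:
                findings.append(f"unknown block introducer 0x{introducer:02X} at offset {pos - 1}")
                return findings
    except ValueError as err:
        findings.append(str(err))
        return findings
    trailing = len(data) - pos
    if trailing:
        findings.append(f"{trailing} bytes after the trailer")
    return findings


if __name__ == "__main__":
    print(check_gif(MINIMAL_GIF))                                   # []
    print(check_gif(MINIMAL_GIF + b"<script>alert(1)</script>"))    # data after trailer
    print(check_gif(MINIMAL_GIF[:-1]))                              # missing trailer
```

Run it over every image the tracking script fetches (pulled from a proxy log or the browser cache) and look at anything that returns findings. Trailing data after the trailer is the classic place to hide a payload in an image that still renders, and an image bigger than its screen is the kind of inconsistency that has caused out-of-bounds writes in decoders.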
Tuesday, June 05, 2007
The problem with your VPN
Right.
Talking to a firewall administrator today at Datapipe here's how your Cisco Pix really works:
Someone logs into the VPN and gets onto the server. From there they have free rein to do anything your outbound port access allows them to do. If they can get onto the server, they can send all your data to whatever server they want outside that server if your outbound access includes FTP. Apparently if you want to restrict FTP downloading to anyone but, say, an administrative VPN user - you can't do that at the firewall level.
And it also means if you want to allow customers to upload photos, for instance, but not download data, and make their access more secure so only VPN users can upload files, that's not completely solved by a VPN.
Which means you have to count on software - your OS, your applications... and you have to manage via a Windows domain or manage each individual server and cannot globally handle these things at the network level.
And that's scary.
Monday, June 04, 2007
First Data Better Check How Internet Requests are Handled
Some fast-talking woman just called me who either had no comprehension of my request or she sniped the information somehow from the First Data database. She was speaking very quickly and told me she was with Express Merchant blah blah blah or something like that. She told me this is some part of First Data. Maybe it is, but the way this request was handled was completely inappropriate.
First she asked me if I already have a processor. In my request I stated specific information that would have answered that question. It was pretty clear that she was about to try to sell me something and that is not why I requested information from First Data. Secondly when I said that is not what I requested she said "what was your request?" Excuse me but shouldn't you have the customer's request in front of you when you are calling them to answer the questions in their request?
Basically I already got the information through other means. I had to call First Data and sit on hold forever and talk to five different departments. I had to call my software gateway and go through 3 different people over there to get partial answers. I had in-depth conversations with my bank, who clearly knows very little about how any of this works. Then I called an equipment manufacturer of terminals for their side of the story. They clearly didn't have the big picture either. I was able to piece together the information step by step and probably have a 95% grasp of what I need to know to implement a secure solution for my client - however, no thanks to First Data's convoluted phone system or uninformed phone operators, sales people, and technical staff. This is nothing against the people themselves as they are all just doing their job the way they were trained to do it. There is a lack of global understanding in the credit card industry which makes it easier for hackers and harder and more expensive for customers to get things done.
Saturday, June 02, 2007
Wrong Country? DODO
This IP range lists a country of AP but the contact information is for AU
inetnum: 122.148.0.0 - 122.149.255.255
netname: DODO-AU
descr: Layer 2 Broadband Customer Network
country: AP
admin-c: PR93-AP
tech-c: PR93-AP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
remarks: Send abuse reports to
remarks: abuse@dodo.com.au
person: Paul Rivoli
address: Dodo Australia Pty Ltd
address: Level 14 / 600 St Kilda Rd
address: Melbourne
address: VIC 3004
country: AU