Friday, June 29, 2007

PHP bomber:

This IP was bombing our server today looking for PHP hacks.


There are web sites hosted by this hosting company that have bogus information on them...someone may want to explore this:

OrgName: Servervault
OrgID: SVLT
Address: 1506 Moran Road
City: Dulles
StateProv: VA
PostalCode: 20166
Country: US
ReferralServer: rwhois://
NetRange: -

Network Solutions Validation Flaws

It looks like there is an imposter company in Princeton Junction, New Jersey trying to impersonate a valid company in Seattle, Washington - Radical Software, Inc. Radical Software, Inc. has been in business since 1998 and partners with major solid companies that have been in business for a long time and are major players in the web industry.

The imposter company is listed on a bunch of spammy web sites that are detracting from the business of the valid company. The imposter company was even listed in the Hoovers and D & B databases -- which are used by Network Solutions to validate SSL certificates.

Do you see a HUGE problem here? This is it: some company gets bogus records into the much flawed D & B records - D & B had company addresses that were six years old in this database. Also anyone can call in and change company records pretty easily. So Network Solutions uses these very inaccurate databases to validate SSL certificates and back them with a $1 Million Guarantee - and because the records are flawed it is a real pain in the you know what for the legitimate companies to actually get SSL certificates because D & B is showing records for some imposter company.

Using a marketing database that anyone can call in and update is a pretty flawed way of validating that a company is legitimate. Additionally they use the state records to validate, and companies typically have a separate address for power of attorney which may not match the billing and mailing addresses of the actual company. Using these things to validate the company is also flawed.

Also, recently someone was able to change my banking records to send my mail to an old PO box. If someone could get my banking records to go to an old mailbox and pick up my mail, they could send in the bank statements to validate the company with Network Solutions. The whole way Network Solutions is doing their validation is completely flawed.

Why can't they use Verified by Visa, or the billing address on the credit card, and the information on the actual web site that the person owns? Also, since I have other SSL certificates which I registered with them recently and already sent in validation for those - why can't they look at the history, both to validate and to invalidate rip-off requests?

There has to be some better form of validation, though I am not exactly sure what it is. I just know the current forms of validation are not the best.

Thursday, June 28, 2007

This IP is searching on odd things and I'm not quite sure how they were directed to our site from these links...,GGLD:2004-09,GGLD:en&q=low+carb+lunches

Wednesday, June 27, 2007

Cross Site Request Forgeries

Another cross site attack...the kind I was assured by my hosting providers could not possibly exist:,1895,2151154,00.asp

This IP is at it again. It just requested this URL from our shopping cart system:


Tuesday, June 26, 2007


Hmm, here's a new one.

This IP: from Qwest

is trying to access this URI


on our shopping cart system.

I found this on the Microsoft web site:

Noc4Hosts bombing our server

Someone at this IP address was just attempting to access our server. Since this is a data center related company in Florida I am not sure why they would be trying to access a local service business in California. Seems a bit fishy, doesn't it?

OrgName: NOC4Hosts Inc.
OrgID: NOC4H
Address: 400 N Tampa St
Address: #1025
City: Tampa
StateProv: FL
PostalCode: 33602
Country: US
ReferralServer: rwhois://
-

Monday, June 25, 2007

XSL Transformations and Client Side Calculations

In a recent edition of Dr. Dobb's Journal (May 2007) a couple of programmers from Turkey explain how to do client side mathematical calculations using XML and XSLT transformations. This, they explain, is a way to offload some processing to the client side computer.

Yes, this all sounds lovely but I'm sure that most smart e-commerce programmers would instantly recognize that you should not leave any important calculations to the client side of the e-commerce process where it can be manipulated, either by the end user, or by a hacker that has infected his or her machine.

I was going to note that I've always had a somewhat significant amount of traffic from Turkey, by the way, which I find odd given what I am hosting.

Programmer beware - don't jump on everything you read as the next best thing. Consider the pros, cons and appropriate usages of each new technology option. And if you are not entirely sure how it works within your application framework, best check that out before rushing to implementation.
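To make the point above concrete, here is an added example (mine, not from the article or the blog) of the two ways an e-commerce server can handle an order total that the browser computed client side. The catalogue, tax rate and the two posted orders are constructed for the example.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed server-side catalogue and tax rate (assumed values for this example).
CATALOGUE = {"SKU-100": Decimal("19.99"), "SKU-200": Decimal("5.00")}
TAX_RATE = Decimal("0.0825")
CENTS = Decimal("0.01")


def charge_trusting_client(posted):
    """The pattern the article invites: the browser did the math, so bill what it sent.
    Whatever the user (or malware on the user's machine) edits in the form is honoured."""
    return Decimal(str(posted["total"]))


def server_total(items):
    """Recompute the total from the server's own prices; reject unknown SKUs and bad quantities."""
    subtotal = Decimal("0")
    for sku, qty in items:
        if sku not in CATALOGUE:
            raise ValueError("unknown SKU %r" % (sku,))
        if not isinstance(qty, int) or qty <= 0 or qty > 999:
            raise ValueError("bad quantity %r for %s" % (qty, sku))
        subtotal += CATALOGUE[sku] * qty
    tax = (subtotal * TAX_RATE).quantize(CENTS, rounding=ROUND_HALF_UP)
    return subtotal + tax


def charge_verified(posted):
    """Hardened version: the posted total is only something to display back; the server's
    figure is what gets billed. Returns (server_total, tampered) so a mismatch can be logged."""
    expected = server_total(posted["items"])
    claimed = Decimal(str(posted["total"]))
    return expected, claimed != expected


# Constructed submissions: what an honest browser posts, and the same order with the
# client-side total edited before submission.
HONEST = {"items": [("SKU-100", 2), ("SKU-200", 1)], "total": "48.69"}
TAMPERED = {"items": [("SKU-100", 2), ("SKU-200", 1)], "total": "0.01"}

if __name__ == "__main__":
    print("trusting:", charge_trusting_client(TAMPERED))   # bills 0.01
    print("verified:", charge_verified(TAMPERED))          # bills 48.69, flags tampering
```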

RackSpace potential hacker

This IP is snooping around on our servers - it is coming from a RackSpace data center:

It is either a bot or a hacker since this is not an end user computer: resolves to""
Top Level Domain: ""

OrgName:, Ltd.
OrgID: RSPC
Address: 9725 Datapoint Drive
Address: Suite 100
City: San Antonio
StateProv: TX
PostalCode: 78229
Country: US
NetRange: -

Friday, June 22, 2007

Are you worried yet?

I have been writing in this blog about the need for increased security and government involvement to resolve these problems. I have been writing that these problems are bigger than people realize and affect each and every one of us - our security, our salary, our bank accounts, credit cards, identities and our online purchases.

Today the pentagon was hacked:

Ok it happens. But how long has this been going on I wonder?

And even worse...our secretary of state says "I'm a very low-tech person."

If the government doesn't get it that they need someone who understands Internet security at the top of the chain - then we are all in big trouble. He better get high-tech or at least tech savvy pretty soon or we are all in big trouble.

Kaspersky Wants to Give Awards to Hackers

Kaspersky wants to give awards to hackers:

Not a fan. These people do not deserve awards and they probably thrive on the attention. Shame on any news organization that publishes these things. These people do not need to be given attention as if they have performed some great feat. They need to be put in jail and shown to all the world that they are hated, despised criminals that will be punished.

Kaspersky says who knows malware better than the people who fight it. I say who knows malware better than the people who WRITE it.

Hmm so the logic goes if A=B and B=C then A = B. Oh never mind.

Just audit everything. Everything.

Thursday, June 21, 2007


Someone on this AOL IP: is pounding our site with the MJ12 bot - 6/21/07 10:28 a.m.

Following right on its heels - this known hacker IP was attempting to reach the web server:

Shortly before we were hit multiple times by a known hacker IP range:

Firefox spyware

Hmm, related to my last post about IE acting all weird, I moved to Firefox and while using the Google web site got a message that it appears I have spyware on my machine. Perhaps messing up IE will get me to switch to Firefox and then... Downloading spybot now...

iPhone not secure

Hmm...this article claims the hot new iPhone is not really secure:

Tuesday, June 19, 2007

Google Security API

This is interesting - Google has a security API that can be incorporated into software programs to blacklist malicious URLs:,133069-page,1/article.html

Spammers and Hackers - Going to Jail

It's about time:

Microsoft - Security Opinion

I am not 100% in agreement with this person. He claims he would "never blame Microsoft" because many apps are not written by Microsoft.

I disagree. There is a certain level of security that needs to be provided at the operating system level that is beyond the application itself, and in some cases the people who own the system did not even intend to install the software, or the software is doing something other than its intended purpose. My point here is that the operating system has certain "responsibilities", shall we say, to manage all these applications: it should prevent some rogue activity and provide appropriate monitoring of things it will not necessarily block, so users can easily see what is happening on their system.

Additionally Microsoft does write some of these programs and has responsibility to ensure they are secure and fix any new security breaches. This is not necessarily blaming - it is a fact, however.

Additionally Microsoft needs to delve deeply into the security of things that allow communication across servers such as RPC and DCOM. I have had someone hacking on my server using these technologies - I don't even use them. Microsoft needs to ensure these cannot be used unless the server owner specifically requests to open up these channels in and out of their servers or provide some huge warning if they are open and available.

These are the areas where I would blame Microsoft if there is a security breach, or at least where they can improve and help ensure security.

Microsoft actually can have a competitive advantage over operating systems that are open source because they have the resources, if they so choose, to pour into security on their systems and provide a more cohesive solution than an open source software platform. However some people will always choose open source due to the cost issue and the ability to reprogram parts of the OS if needed.

Where to report Internet Crime...

So you've been hacked, spammed, ripped off and what?

Here are some tips....

Here are some useful links for reporting fraud: Internet Fraud

You can report crimes at the Internet Crime Complaint center:
Internet Crime Complaint Center

If it is a crime by someone within the US, there is a link on the FBI web site.

If it is a crime committed by someone outside of the US you may want to report it to the CIA and related web sites.

You can report your hacker traffic trends at SANS Institute. The more people submit firewall logs the more information they have to analyze and compile research to help thwart hackers.

For spam you can report it in some cases to your local government officials. Some states have laws against spam and will prosecute, so try your state prosecuting attorney's office. You can also report to anti-spam organizations that go after and try to prosecute spammers, such as Spam Cop. Here are some good links: How to Report Spam

In the case of spam, if you know how to look at email headers, report the spam to the offending network - and not just the local network if it is a company - but the larger network such as AT&T, Comcast or SBC.

In the case of bots and extraneous network traffic, report the excessive traffic to the offending network, same as above, and to the server owner if possible. In some cases you can find out the owner of a computer by doing a reverse lookup on the IP address to get the domain name. You can also use tools like to look up an IP address and find out the abuse email of the offending network. Send them your logs so they have accurate information with time and date to track down the offending person or malware infected machine.

Make sure you report known bugs and affected software to the vendors that make the hardware and software that may be the source of the problem. The more people that report the problem the better the chance it will be solved.

Write to your local, state, and federal representatives for issues such as fraud, identity theft, hacking and spam so they understand and address your concerns. Some of these issues on the international level require government knowledge, diplomacy, more appropriate laws and better law enforcement to be resolved.

More useful links on reporting Internet crime:

Report fraud here: and read more about it here: or here:


Internet Scams:

Reporting Internet Crime in the UK:

IFrame Hack Job

Over 10,000 legitimate web sites using IFrames were exploited and used to download malicious software to end user computers.

Monday, June 18, 2007

PHP Hackers - 2007 to date

Count IP Requested Page Month
36 /PHPMYadmin/main.php 6
20 /myADMIN/main.php 6
8 /mysql-admin/main.phpmain.php 6
8 /pma/main.php 6
4 /PMA/main.phpmain.php 6
4 /pmamy/main.php 6
4 /admin/mysql/main.phpmain.php 6
4 /admin/phpmyadmin/main.phpmain.php 6
4 /admin/pma/main.phpmain.php 6
4 /cacti//graph_image.php 6
4 /db/main.phpmain.php 6
4 /mysql/main.phpmain.php 6
4 /phpMyAdmin-2.2.3/main.phpmain.php 6
4 /phpMyAdmin-2.2.7-pl1/main.phpmain.php 6
4 /phpMyAdmin-2.2.7/main.phpmain.php 6
4 /phpMyAdmin-2.7.0/main.phpmain.php 6
4 /phpMyAdmin-2.9.1/main.phpmain.php 6
4 /phpmyadmin2/main.phpmain.php 6
4 //graph_image.php 6
4 /web/phpMyAdmin/main.phpmain.php 6
4 /mysqladmin/main.phpmain.php 6
4 /phpMyAdmin-2.2.0/main.phpmain.php 6
4 /phpMyAdmin-2.2.6/main.phpmain.php 6
4 /phpMyAdmin-2.5.1/main.phpmain.php 6
4 /phpMyAdmin-2.5.4/main.phpmain.php 6
4 /phpMyAdmin-2.5.6/main.phpmain.php 6
4 /phpMyAdmin-2.6.4-pl4/main.phpmain.php 6
4 /phpMyAdmin-2.6.4/main.phpmain.php 6
4 /phpMyAdmin-2.7.0-pl2/main.phpmain.php 6
4 /phpMyAdmin-2.8.1/main.phpmain.php 6
4 /phpMyAdmin- 6
4 /phpMyAdmin- 6
4 /phpMyAdmin- 6
4 /phpMyAdmin- 6
4 /phpMyAdmin- 6
4 /phpMyAdmin-2.9.0/main.phpmain.php 6
4 /phpmyadmin/main.phpmain.php 6
4 /phpmyadmin/test.phpmain.php 6
4 /admin/main.phpmain.php 6
4 /dbadmin/main.phpmain.php 6
4 /myadmin/main.phpmain.php 6
4 /main.phpmain.php 6
2 /include/include_top.php 6
1 /index.php 6
1 /index.php 6
1 /index.php 6
1 /index.php 6
1 /index.php 6
1 /profile.php 6
1 /profile.php 6
1 /profile.php 6
1 /profile.php 6
1 /profile.php 6
1 /register.php 6
1 //index.php 6
1 //forum/admin/index.php 6
1 /index.php 6
1 /index.php 6
1 /index.php 6
1 /index.php 6
1 /index.php 6
1 /index.php 6
1 /profile.php 6
1 /profile.php 6
1 /profile.php 6
1 /profile.php 6
1 /register.php 6
1 /register.php 6
1 /register.php 6
1 /register.php 6
1 /register.php 6
1 /register.php 6
1 /register.php 6
1 /register.php 6

- Charter - Bot

is running a bot that continues to hit our sites after asking Charter for months to make it stop.

Charter Communications MDS-WI-71-13-112 (NET-71-13-112-0-1) - Communications CC04 (NET-71-8-0-0-1) -
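The "Count / IP / Requested Page" table above is the kind of summary a short script can pull straight out of the web server log, and the same counts show a single client that will not stop. This is an added example, not the blog's own tooling: it parses combined-format log lines, treats the phpMyAdmin-style paths from the table (and, on the assumption that this site serves no PHP at all, any *.php request) as probes, and flags clients that tried several different admin paths. The log lines are constructed with documentation IP ranges.

```python
import re
from collections import Counter, defaultdict

# Combined-format log line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Paths the scanners in the table kept asking for. The site is assumed to serve no PHP,
# so a bare *.php request is treated as a probe as well.
PROBE_RE = re.compile(
    r'(phpmyadmin|/pma|myadmin|mysql|/db/|/admin/|graph_image\.php|\.php$)', re.I
)

# Constructed sample log (documentation addresses, not real traffic); one line is junk.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Jun/2007:09:12:01 -0700] "GET /phpMyAdmin/main.php HTTP/1.0" 404 215
192.0.2.10 - - [18/Jun/2007:09:12:01 -0700] "GET /pma/main.php HTTP/1.0" 404 215
192.0.2.10 - - [18/Jun/2007:09:12:02 -0700] "GET /mysql/main.php HTTP/1.0" 404 215
192.0.2.10 - - [18/Jun/2007:09:12:02 -0700] "GET /cacti/graph_image.php HTTP/1.0" 404 215
192.0.2.10 - - [18/Jun/2007:09:12:03 -0700] "GET /pma/main.php HTTP/1.0" 404 215
198.51.100.7 - - [18/Jun/2007:10:03:44 -0700] "GET /index.cfm?product=12 HTTP/1.1" 200 8831
198.51.100.7 - - [18/Jun/2007:10:03:50 -0700] "GET /images/logo.gif HTTP/1.1" 200 2210
203.0.113.5 - - [18/Jun/2007:11:40:09 -0700] "GET /phpmyadmin/main.php HTTP/1.0" 404 215
garbage line that does not parse
"""


def parse_log(text):
    """Yield a dict per well-formed line; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def probe_summary(text, min_distinct_paths=3):
    """Count admin-panel probes per client.
    Returns (per_client, flagged): per_client maps ip -> Counter(path -> hits); flagged
    maps ip -> total probe hits for clients that tried at least min_distinct_paths
    different admin paths (a scanner working through a wordlist, not a stray typo)."""
    per_client = defaultdict(Counter)
    for rec in parse_log(text):
        path = rec["path"].split("?", 1)[0]  # the query string does not matter here
        if PROBE_RE.search(path):
            per_client[rec["ip"]][path] += 1
    flagged = {ip: sum(c.values()) for ip, c in per_client.items()
               if len(c) >= min_distinct_paths}
    return dict(per_client), flagged


def probe_table(text):
    """Render the same 'Count IP Requested Page' layout the post uses, busiest rows first."""
    per_client, _ = probe_summary(text)
    rows = [(n, ip, path) for ip, counts in per_client.items()
            for path, n in counts.items()]
    rows.sort(key=lambda r: (-r[0], r[1], r[2]))
    return ["Count IP Requested Page"] + ["%d %s %s" % r for r in rows]


if __name__ == "__main__":
    print("\n".join(probe_table(SAMPLE_LOG)))
    print("flagged scanners:", probe_summary(SAMPLE_LOG)[1])
```

The flagged dictionary is what you would attach to an abuse report to the owning network, as the "Where to report Internet Crime" post suggests.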


There's a hacker at this location attempting to access our sites with ColdFusion:

OrgName: CONTINENTAL BROADBAND PENNSYLVANIA, INC.
OrgID: CBP-17
Address: 810 Parish St
City: Pittsburgh
StateProv: PA
PostalCode: 15220
Country: US
NetRange: -

IP Address:

New Horizons - Major Hacking

We are getting major hacking from this network on this IP:

OrgName: New Horizons
OrgID: NEWHOR-1
Address: 1231 E Dyer Rd, Ste 140
City: Santa Ana
StateProv: CA
PostalCode: 92705
Country: US
NetRange: -

They have requested PHP admin pages in over 200 sessions this month so far alone.

Saturday, June 16, 2007

Another Hacker - CenturyTel

This also appears to be someone hacking: at CenturyTel in Louisiana at 6/13/2007 12:55:48 PM.

Hacker - Comcast in Miami

Someone on Comcast in Miami at this IP address: was attempting to hack our e-commerce sites by passing invalid data to our application and causing a null pointer exception. The issue has been fixed. I hope someone will monitor the activities of the user of this IP address at 6/15/2007 3:14:59 PM.

Thursday, June 14, 2007

Botnets - Scourge of the Internet

SWEET. Finally big companies and the government are homing in on this issue. It is about time and I am so happy to hear it:

Since starting to uncover the network patterns of spam about 3 years ago when I got sick of 950 spam emails per day I have been sending out messages about how these attacks are coordinated and coming from the servers of large companies...and since then the problem has only gotten worse.

One of my biggest reasons for writing this blog was to get someone - anyone - to take notice of the underlying Internet traffic - good and bad - and do something about it. I got sick of network admins throwing up their hands and telling me I was full of it when my server was hacked or that there was nothing that can be done about it...

This is exactly what we need. We need big businesses involved and the government and even better yet, we need large hosting facilities to analyze their traffic on an anonymous but global basis to determine traffic patterns that are obviously bots and illegal activities.

This is a long awaited happy day...

Thursday, June 07, 2007

National Vulnerability Database

Here's a database of products and their vulnerabilities:

This can be useful when researching whether or not you want to use a particular product - how many times has it been hacked?

Omniture Vulnerabilities

Related to my last two Omniture posts I did a little research on Omniture related vulnerabilities and hacks - this is what I found:

Vulnerability using .gif files

I was talking to my boss about the possibility of an Omniture hack:

He stated that he's reviewed the code and all they are doing is downloading gif files, and that Omniture is used by large sites like CNN, Amazon and Sun. (Implication: if they use it, it must be secure.)

My response was: that makes them a great target. Look at the pot of gold at the other end of the rainbow. There are huge user bases for these sites plus people testing and reviewing the code at these companies behind firewalls...

So anyway I said what if the execution of malicious code is in the gif files, not in the JavaScript itself? And my boss says no, they are just simple gif files.

So I thought well, I've seen hacks in image files before let's see what's out there. And I found this:

Microsoft Office Remote Code Execution Using a Malformed GIF Vulnerability - CVE-2006-1540

A remote code execution vulnerability exists in Office using a GIF file. An attacker could exploit the vulnerability by constructing a specially crafted Office file that could allow remote code execution. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

And guess what. If someone could get this onto the Sun web site, that is where everyone goes to download Java - on servers that run e-commerce web sites, application servers, etc. You get the picture.

I have no idea how to test this theory. Maybe someone out there can just verify nothing funky is going on...
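One thing a site owner can do is check that the files a third-party tag actually serves as .gif are structurally plain GIFs. The validator below is an added example (mine, not the post's and not Omniture's): it walks the GIF block layout and reports a missing signature, a truncated or unknown block, or bytes appended after the trailer, which is where extra content usually hides in an image that still displays normally. The sample bytes are a constructed 1x1 GIF.

```python
import struct

# Constructed sample: a 1x1 GIF written out block by block.
MINIMAL_GIF = (
    b"GIF89a"                                   # signature and version
    + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)   # logical screen: 1x1, global color table, 2 entries
    + b"\x00\x00\x00\xff\xff\xff"               # global color table: black, white
    + b"\x21\xf9\x04\x01\x00\x00\x00\x00"       # graphic control extension (4-byte sub-block, terminator)
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)  # image descriptor, no local color table
    + b"\x02"                                   # LZW minimum code size
    + b"\x02\x44\x01\x00"                       # one 2-byte data sub-block, then terminator
    + b"\x3b"                                   # trailer: nothing may follow
)


def _skip_sub_blocks(data, pos):
    """Return the offset just past a chain of data sub-blocks (each is length byte + bytes;
    a zero length byte ends the chain)."""
    while True:
        if pos >= len(data):
            raise ValueError("sub-block chain runs past end of file")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def check_gif(data):
    """Walk the GIF structure. Returns (ok, detail); ok is False for a bad signature,
    a truncated or unknown block, or any bytes after the 0x3B trailer."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return False, "missing GIF87a/GIF89a signature"
    width, height, packed, _bg, _aspect = struct.unpack("<HHBBB", data[6:13])
    pos = 13
    if packed & 0x80:                       # global color table flag: 3 * 2^(n+1) bytes follow
        pos += 3 * (2 << (packed & 0x07))
    try:
        while True:
            if pos >= len(data):
                return False, "no trailer before end of data"
            tag = data[pos]
            pos += 1
            if tag == 0x3B:                 # trailer
                break
            if tag == 0x21:                 # extension: label byte, then sub-blocks
                pos = _skip_sub_blocks(data, pos + 1)
            elif tag == 0x2C:               # image descriptor: 9 bytes, optional local table
                ipacked = data[pos + 8]
                pos += 9
                if ipacked & 0x80:
                    pos += 3 * (2 << (ipacked & 0x07))
                pos += 1                    # LZW minimum code size
                pos = _skip_sub_blocks(data, pos)
            else:
                return False, "unknown block tag 0x%02x at offset %d" % (tag, pos - 1)
    except (ValueError, IndexError) as exc:
        return False, "truncated: %s" % exc
    trailing = len(data) - pos
    if trailing:
        return False, "%d bytes of data after the trailer" % trailing
    return True, "%dx%d image, %d bytes, clean structure" % (width, height, len(data))
```

A check like this only proves the file is a well-formed GIF with nothing tacked on; whether the JavaScript that fetches it behaves is a separate question.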

Tuesday, June 05, 2007

The problem with your VPN

So you set up a user and you say OK, you can do stuff on the VPN that you cannot do when you're not on the VPN and that makes my server that you are remoting into secure.


Talking to a firewall administrator at Datapipe today, here's how your Cisco PIX really works:

Someone logs into the VPN and gets onto the server. From there they have free rein to do anything your outbound port access allows them to do. If they can get onto the server, they can send all your data to whatever server they want outside that server if your outbound access includes FTP. Apparently if you want to restrict FTP downloads to anyone but, say, an administrative VPN user - you can't do that at the firewall level.

And it also means if you want to allow customers to upload photos, for instance, but not download data, and make their access more secure so only VPN users can upload files, that's not completely solved by a VPN.

Which means you have to count on software - your OS, your applications... and you have to manage via a Windows domain or manage each individual server and cannot globally handle these things at the network level.

And that's scary.

Monday, June 04, 2007

First Data Better Check How Internet Requests are Handled

I sent an email to First Data via their web site with some specific technical questions about processing cards over their platform(s) and integration with certain types of transactions and hardware.

Some fast talking woman just called me who either had no comprehension of my request or sniped the information somehow from the First Data database. She was speaking very quickly and told me she was with Express Merchant blah blah blah or something like that. She told me this is some part of First Data. Maybe it is, but the way this request was handled was completely inappropriate.

First she asked me if I already have a processor. In my request I stated specific information that would have answered that question. It was pretty clear that she was about to try to sell me something and that is not why I requested information from First Data. Secondly when I said that is not what I requested she said "what was your request?" Excuse me but shouldn't you have the customer's request in front of you when you are calling them to answer the questions in their request?

Basically I already got the information through other means. I had to call First Data and sit on hold forever and talk to five different departments. I had to call my software gateway and go through 3 different people over there to get partial answers. I had in depth conversations with my bank, who clearly know very little about how any of this works. Then I called an equipment manufacturer of terminals for their side of the story. They clearly didn't have the big picture either. I was able to piece together the information step by step and probably have a 95% grasp of what I need to know to implement a secure solution for my client - however, no thanks to First Data's convoluted phone system or uninformed phone operators, sales people, and technical staff. This is nothing against the people themselves as they are all just doing their job the way they were trained to do it. There is a lack of global understanding in the credit card industry which makes it easier for hackers and harder and more expensive for customers to get things done.

Saturday, June 02, 2007

Wrong Country? DODO

This IP range lists a country of AP but the contact information is for AU.

inetnum: - DODO-AUdescr: Layer 2 Broadband Customer Networkcountry: APadmin-c: PR93-APtech-c: PR93-APstatus: ALLOCATED PORTABLEmnt-by: APNIC-HMremarks: Send abuse reports toremarks: Paul Rivoliaddress: Dodo Australia Pty Ltdaddress: Level 14 / 600 St Kilda Rdaddress: Melbourneaddress: VIC 3004country: AU