Koos van den Hout
Koos van den Hout - Latest news, thoughts, rants, projects and other things to write about.
2021-10-13 Wordpress brute force attacks 2 days ago
The WordPress blog software is a popular target for attacks. I normally have fail2ban running with some rules to detect bad things on sites behind haproxy, but due to some other work on the firewall rules I had that rule disabled. Someone/something at IP address 22.214.171.124 (a Microsoft-managed IPv4 address) noticed this and fired off a brute force script which ended up making 521525 attempts at logging in, none of which worked. The first indication of interesting amounts of things happening was that the disk I/O LED of the server was blinking a lot. The second indication was the large amount of traffic seen for the specific backend in haproxy.
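As an added example (not the author's fail2ban configuration, which the post does not show), the detection logic such a rule implements, run over a few constructed haproxy "option httplog" lines: count POST requests to wp-login.php and xmlrpc.php per client address inside a sliding window, the way fail2ban's maxretry/findtime pair works. A failed WordPress login re-renders the form with a 200, while a successful one answers with a 302 redirect, so only 200 responses to the login POST are counted; the sample addresses are from documentation ranges and are constructed, not the address in the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of haproxy "option httplog" lines (not taken from the post):
# one attacker at 203.0.113.5 hammering wp-login.php and xmlrpc.php, and one
# legitimate login from 198.51.100.7 that WordPress answered with a 302.
SAMPLE_LOG = """\
Oct 13 10:22:01 fw haproxy[1234]: 203.0.113.5:51234 [13/Oct/2021:10:22:01.120] https~ wp_backend/web1 0/0/1/12/13 200 5120 - - ---- 5/5/0/0/0 0/0 "GET /wp-login.php HTTP/1.1"
Oct 13 10:22:02 fw haproxy[1234]: 203.0.113.5:51235 [13/Oct/2021:10:22:02.300] https~ wp_backend/web1 0/0/1/30/31 200 4100 - - ---- 5/5/0/0/0 0/0 "POST /wp-login.php HTTP/1.1"
Oct 13 10:22:03 fw haproxy[1234]: 203.0.113.5:51236 [13/Oct/2021:10:22:03.410] https~ wp_backend/web1 0/0/1/28/29 200 4100 - - ---- 5/5/0/0/0 0/0 "POST /wp-login.php HTTP/1.1"
Oct 13 10:22:04 fw haproxy[1234]: 203.0.113.5:51237 [13/Oct/2021:10:22:04.520] https~ wp_backend/web1 0/0/1/31/32 200 4100 - - ---- 5/5/0/0/0 0/0 "POST /wp-login.php HTTP/1.1"
Oct 13 10:22:05 fw haproxy[1234]: 198.51.100.7:40000 [13/Oct/2021:10:22:05.000] https~ wp_backend/web1 0/0/1/40/41 302 0 - - ---- 5/5/0/0/0 0/0 "POST /wp-login.php HTTP/1.1"
Oct 13 10:22:05 fw haproxy[1234]: 203.0.113.5:51238 [13/Oct/2021:10:22:05.630] https~ wp_backend/web1 0/0/1/29/30 200 4100 - - ---- 5/5/0/0/0 0/0 "POST /wp-login.php HTTP/1.1"
Oct 13 10:22:06 fw haproxy[1234]: 203.0.113.5:51239 [13/Oct/2021:10:22:06.500] https~ wp_backend/web1 0/0/1/30/31 200 4100 - - ---- 5/5/0/0/0 0/0 "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1"
Oct 13 10:22:07 fw haproxy[1234]: 203.0.113.5:51240 [13/Oct/2021:10:22:07.800] https~ wp_backend/web1 0/0/1/22/23 200 300 - - ---- 5/5/0/0/0 0/0 "POST /xmlrpc.php HTTP/1.1"
"""

# client:port [accept_date] frontend backend/server timers status bytes
# captured_cookie captured_cookie termination_state conn_counts queue "request"
LINE_RE = re.compile(
    r'(?P<ip>[\d.]+|[0-9a-fA-F:]+):\d+ \[(?P<ts>[^\]]+)\] \S+ (?P<backend>[^/ ]+)/\S+ '
    r'\S+ (?P<status>\d{3}) \d+ \S+ \S+ \S+ \S+ \S+ "(?P<method>[A-Z]+) (?P<path>\S+)'
)

# Both endpoints accept credentials; xmlrpc.php also answers a bad login with 200.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def find_bruteforcers(log_text, maxretry=5, findtime_s=600):
    """fail2ban-style detection: an IP is an offender once it produces
    `maxretry` failed logins within any `findtime_s` window.
    Returns {ip: (time the threshold was first crossed, total failed logins)}."""
    windows = defaultdict(deque)   # ip -> timestamps of recent failures
    failures = defaultdict(int)    # ip -> total failures seen in the log
    first_hit = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if m["method"] != "POST" or path not in LOGIN_PATHS:
            continue
        if m["status"] != "200":   # 302 means WordPress accepted the credentials
            continue
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S.%f")
        failures[ip] += 1
        w = windows[ip]
        w.append(ts)
        while w and (ts - w[0]).total_seconds() > findtime_s:
            w.popleft()            # drop failures that fell out of the window
        if len(w) >= maxretry and ip not in first_hit:
            first_hit[ip] = ts
    return {ip: (first_hit[ip], failures[ip]) for ip in first_hit}


if __name__ == "__main__":
    for ip, (when, total) in find_bruteforcers(SAMPLE_LOG).items():
        print(f"ban {ip}: threshold crossed at {when:%H:%M:%S}, {total} failed logins")
```

Run against real haproxy logs this only works if the frontend logs the request line (option httplog) and the client address is the real client, which behind another proxy means logging the forwarded-for header instead of the socket peer.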
2021-10-09 A long bitcoin extortion scam 6 days ago
This time the scammer / fraud / criminal tries using a lot of text to convince victims to pay bitcoins. Using bitcoin address bc1qtzqgwqe3cd4cnv26vawxvfg3kr09r0jv53p8nw where it shows this one is already known and no money has been lost. A bit of a sample, showing that the scammer has some imagination and a good grasp of English:

"During the pandemic outbreak a lot of providers have faced difficulties in maintaining a huge number of staff in their offices and so they have decided to use outsourcing instead. While working remotely from home, I have got unlimited abilities to access the user databases. I can easily decrypt passwords of users, access their chat history and online traffic with help of cookie-files. I have decided to analyse users traffic related to adult websites and adult content. My spyware functions as a driver. Hence, I can fully control your device and have access to your microphone, camera, cursor and set of symbols. Generally speaking, your device is some sort of my remote PC. Since this spyware is driver-based, then I can constantly update its signatures, so that no antivirus can detect it. While digging through your hard drive, I have saved your entire contact list, social media access, chat history and media files."

Earlier items about bitcoin extortion scams: Earlier, earlier, earlier, earlier, earlier, earlier, earlier (although I think bitcoin is generally a really bad idea and a huge scam)

Update 2021-10-13: As not enough money is coming into this wallet the scammer tries again. Same address, demanding an amount equivalent to $1150 (US dollars). As the mail comes from some random ISP in Chile I think the criminal is somewhere else on this planet.
2021-10-08 On the trail of the scammer/spammer 1 week ago
A fairly standard fake mail, already known to the fraudehelpdesk: Diverse onderwerpen Klik op “Lees meer” - fraudehelpdesk.nl

"Dear Sir/Madam, There is a document in your Berichtenbox from Belastingsamenwerking Gemeenten en Waterschappen. Go to MijnOverheid to view the message. You may need to take action in response to this message, so read it in time. Kind regards, MijnOverheid Logo Rijksoverheid Technical maintenance Berichtenbox app Due to technical maintenance it is currently not possible to read the message directly via the Berichtenbox. Therefore view the message directly via your web browser."

URL trail:
Not entirely unexpectedly, this domain was registered today:
- hxxps://ukrijgtterug2020.xyz/
Domain Name: UKRIJGTTERUG2020.XYZ
Registry Domain ID: D253685109-CNIC
Updated Date: 2021-10-08T10:58:04.0Z
Creation Date: 2021-10-08T10:44:42.0Z
Registry Expiry Date: 2022-10-08T23:59:59.0Z
The site is behind Cloudflare IP addresses. So the certificate doesn't say much either, at https://crt.sh/?id=5375183746, and the site behind it isn't responding at the moment, so I get a nice Cloudflare error message.
2021-10-07 Adding security headers to websites I develop and run 1 week ago
2021-09-30 Seeing the expiry of the old LetsEncrypt chain happen 2 weeks ago
The 'moment of truth' for LetsEncrypt: the end of the validity of the root certificate that was used to kickstart LetsEncrypt before they got their own root certificate in (most) certificate stores. I notice openssl is still showing the old chain (but not the expired intermediate):

---
Certificate chain
 0 s:CN = koos.idefix.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

Which is interesting as the ISRG Root X1 is also in the root store. But it's also cross-signed to the DST Root CA. Checking the verification steps (and not the chain as given out by the server) gives the new path already:

depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = koos.idefix.net
verify return:1

This is a subtle but important difference. Only hours left until the DST Root expires:

$ openssl x509 -in DST_Root_CA_X3.crt -noout -enddate
notAfter=Sep 30 14:01:15 2021 GMT

If services break after 14:01:15 GMT (UTC) today you're not working according to best practices (replacing the certificate chain with every certificate replacement) or you have old clients.

Slight update: I requested a new LetsEncrypt certificate for a service after 14:01:15 GMT (UTC) and it still has the certificate chain with cross-certification to DST Root CA X3:

---
Certificate chain
 0 s:CN = koos.idefix.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

The verification steps are as above.
2021-09-29 Spam/phishing/fraud woningnet 2 weeks ago
The news about the housing market in the Netherlands has apparently also been picked up by the fraudsters who like to part people from their money. Below, from the incoming messages. Neatly all the hallmarks of an attempted fraud: urgency 'within 2 weeks' and unpleasant consequences if the user does nothing: 'Your accumulated registration time and any responses will then lapse'. All mainly signs of an attempt at fraud. Don't fall for this. More information at Diverse onderwerpen Klik op “Lees meer” - fraudehelpdesk.nl.

"Dear customer, Your registration with WoningNet In 2 weeks your registration expires. We will extend your registration by one year if you pay the renewal costs of WoningNet-verlengingskosten Invoice number: SRA-00717113 Would you like to pay by direct debit? That is possible, after you have paid via iDEAL this year. After payment you can change your payment method under overview of my details. Next year we will then collect the renewal costs from your account. You will also receive an e-mail about this. More information about paying the renewal costs can be found on our website. Unsubscribe If you do not pay within 2 weeks, we will deregister you. Your accumulated registration time and any responses will then lapse."

The URL for the 'WoningNet-verlengingskosten':
hxxps://t.co/1nuIzIn4KV?amp=1
t.co is Twitter's URL shortener. Goes on to:
hxxps://0x1.co/WE8FY
Another URL shortener. Goes on to:
hxxps://0mgeving-online.ga/
;; ANSWER SECTION:
0mgeving-online.ga. 3511 IN A 126.96.36.199
And that isn't responding at the moment. Notable: there is also no certificate known for it (yet) in the CT logs.

Update: Separate entry now at fraudehelpdesk.nl with an example: Lidmaatschap behouden - Fraudehelpdesk.
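Both the MijnOverheid mail above and this WoningNet mail were triaged the same way: pull the links out of the message, expand shorteners, and look at how old the landing domain is. As an added example (not the author's own tooling), the triage logic in Python: URLs are extracted and re-fanged, known shorteners are flagged for expansion rather than judged on their own age, and the registrable domain's age is computed from a whois "Creation Date" line. The shortener list, the naive last-two-labels domain extraction and the demo input (the defanged links quoted in the two posts plus the whois lines quoted for ukrijgtterug2020.xyz) are assumptions constructed for the example; a real run would fetch whois live and also check CT logs, keeping in mind that a Cloudflare-fronted site and an absent CT entry, as in both cases above, say nothing about the origin.

```python
import re
from datetime import datetime, timezone

# Link shorteners seen in the two mails above (assumed list); a shortener's age
# says nothing about the final landing page, so these are flagged for expansion.
SHORTENERS = {"t.co", "0x1.co"}

# Matches both real and defanged (hxxp/hxxps) links.
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://[^\s<>\"')]+", re.IGNORECASE)


def refang(url):
    """Turn a defanged hxxp(s):// URL back into a real one (for lookups only)."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def extract_urls(mail_text):
    return [refang(u) for u in URL_RE.findall(mail_text)]


def registrable_domain(url):
    """Naive eTLD+1: the last two labels. Fine for .xyz/.ga/t.co, wrong for
    multi-label public suffixes such as co.uk; use a public-suffix list there."""
    host = re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/", 1)[0]
    host = host.split("@")[-1].split(":")[0].lower()   # drop userinfo and port
    return ".".join(host.split(".")[-2:])


def creation_date(whois_text):
    """Parse the registration timestamp out of raw whois output, UTC."""
    for line in whois_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() in ("creation date", "created", "registered on"):
            value = value.strip()
            for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d"):
                try:
                    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
                except ValueError:
                    pass
    return None


def triage(mail_text, whois_by_domain, as_of, max_age_days=7):
    """One verdict per link: (url, domain, 'shortener'|'new'|'old'|'unknown', age_days)."""
    results = []
    for url in extract_urls(mail_text):
        domain = registrable_domain(url)
        if domain in SHORTENERS:
            results.append((url, domain, "shortener", None))   # expand before judging
            continue
        created = creation_date(whois_by_domain.get(domain, ""))
        if created is None:
            results.append((url, domain, "unknown", None))
            continue
        age = (as_of - created).days
        results.append((url, domain, "new" if age <= max_age_days else "old", age))
    return results


# Constructed demo input: the defanged links quoted in the two posts, and the
# whois lines quoted for ukrijgtterug2020.xyz; the other domains have no record here.
DEMO_MAIL = """\
Bekijk het bericht daarom direct via uw webbrowser: hxxps://ukrijgtterug2020.xyz/
WoningNet-verlengingskosten: hxxps://t.co/1nuIzIn4KV?amp=1
"""
DEMO_WHOIS = {
    "ukrijgtterug2020.xyz": "Domain Name: UKRIJGTTERUG2020.XYZ\n"
                            "Creation Date: 2021-10-08T10:44:42.0Z\n",
}


def demo():
    """Triage the demo mail as of noon UTC on the day the mail arrived."""
    return triage(DEMO_MAIL, DEMO_WHOIS,
                  as_of=datetime(2021, 10, 8, 12, 0, tzinfo=timezone.utc))


if __name__ == "__main__":
    for url, domain, verdict, age in demo():
        print(f"{verdict:9} {domain:25} age={age} {url}")
```

A domain registered the same day as the mail that links to it is about as strong a phishing signal as whois gives; the shortener verdict is deliberately not a pass, since the chain here only ended at the registered domain after two hops.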
2021-09-28 Debugging a systemd issue .. without having to curse 2 weeks ago
Today I ran into an issue related to systemd and I decided to try to fix it without too much cursing. The result was a number of google searches ending up on unix.stackexchange.com but eventually I fixed the problem. At work we use Splunk for security monitoring and one of the indexers failed to start the splunk processes after a reboot. On browsing the systemd boot log with journalctl -b -l I discovered that the main issue was that creating files in /opt/splunk failed. This was due to an interesting race condition: splunk may start as soon as network.target has been reached, but mounting /opt over iscsi also needs network.target to start. So the unit file has been updated to:

[Unit]
Description=Systemd service file for Splunk, generated by 'splunk enable boot-start'
After=network.target opt.mount

The next problem was the systemctl start Splunkd.service failing in some intricate way. I had a look at the logging and saw that it was actually trying to restart the service and failed at killing one of the old processes. It turned out the /opt/splunk/var/run/splunk/splunkd.pid file had old contents and one of the PIDs in that file was now in use by a kernel thread. Those you can't kill, the restart failed and therefore the service did not start at all. Solution: remove the .pid file.
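The stale-pidfile failure above is the general case of trusting a PID recorded before a reboot: by the time anything reads it, that number may belong to nothing, to a kernel thread, or to an unrelated process. As an added example (not Splunk's or systemd's own code), a pre-kill check in Python that looks each PID from a pidfile up in procfs and reports the ones that must not be signalled. It treats an empty /proc/PID/cmdline as a kernel thread (kernel threads have no argv) and compares /proc/PID/comm against the expected daemon name, truncated to the 15 bytes the kernel keeps. The demo builds a constructed procfs tree in a temporary directory (a kworker, a live splunkd and a vanished PID); the pidfile layout and the daemon name are assumptions.

```python
import os
import tempfile


def read_pidfile(path):
    """PIDs from a pidfile, one per line or space separated (splunkd lists several)."""
    with open(path) as f:
        return [int(tok) for tok in f.read().split() if tok.isdigit()]


def describe_pid(pid, proc_root="/proc"):
    """Look a PID up in procfs: (exists, comm, is_kernel_thread)."""
    entry = os.path.join(proc_root, str(pid))
    if not os.path.isdir(entry):
        return False, None, False
    with open(os.path.join(entry, "comm")) as f:
        comm = f.read().strip()
    with open(os.path.join(entry, "cmdline"), "rb") as f:
        cmdline = f.read()
    # Kernel threads (kworker, kswapd, ...) have no argv, so cmdline is empty.
    return True, comm, cmdline == b""


def pid_is_stale(pid, expected_comm, proc_root="/proc"):
    """True when the PID is not our daemon any more: gone, a kernel thread, or
    reused by an unrelated process. The kernel truncates comm to 15 bytes, so
    the expected name is truncated the same way before comparing."""
    exists, comm, kthread = describe_pid(pid, proc_root)
    return (not exists) or kthread or comm != expected_comm[:15]


def stale_pids(pidfile, expected_comm, proc_root="/proc"):
    """The PIDs in `pidfile` that a restart must skip instead of trying to kill."""
    return [pid for pid in read_pidfile(pidfile)
            if pid_is_stale(pid, expected_comm, proc_root)]


def demo():
    """Constructed procfs: 4242 is a kernel thread, 4243 a live splunkd, 7777 gone."""
    with tempfile.TemporaryDirectory() as root:
        proc = os.path.join(root, "proc")
        fake_processes = [
            (4242, "kworker/0:1", b""),                         # kernel thread
            (4243, "splunkd", b"splunkd\x00-p\x008089\x00"),   # our daemon
        ]
        for pid, comm, cmdline in fake_processes:
            d = os.path.join(proc, str(pid))
            os.makedirs(d)
            with open(os.path.join(d, "comm"), "w") as f:
                f.write(comm + "\n")
            with open(os.path.join(d, "cmdline"), "wb") as f:
                f.write(cmdline)
        pidfile = os.path.join(root, "splunkd.pid")
        with open(pidfile, "w") as f:
            f.write("4243\n4242\n7777\n")   # 7777 has no /proc entry at all
        return stale_pids(pidfile, "splunkd", proc)


if __name__ == "__main__":
    print("stale PIDs that must not be signalled:", demo())
```

Run against the real /proc the same function tells you whether deleting the pidfile is safe before a restart; the comm comparison is the part that matters after a reboot, because a PID number alone will eventually be handed to something else.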
2021-09-27 I participated in the CQ World Wide RTTY DX Contest 2 weeks ago
Past weekend was the 2021 version of the CQ World Wide RTTY DX Contest and I participated. I had time to participate in a few intervals during the weekend and it helped that it was a 48-hour contest so I could get some more contacts in the log Sunday evening. In the end I made 151 contacts, a really nice number.
2021-09-23 Phishing with error messages 3 weeks ago
In the phishing mail today:

-------- Original Message --------
Subject: Mail delivery failed: returning message to sender
From: Mail Delivery System
Date: 9/23/2021 7:09:49 p.m.
To: koos@[..]

This message was created automatically by mail delivery software. Some recent messages that you sent could not be delivered to one or more of its recipients. This is a temporary error that can be corrected.

Reporting-MTA: dns;click to retry delivery
Action: failed
Status: Queued on server

The 'click to retry' was a link to a phishing site. Nicely copied from a standard mailer error message. Too bad the phishing site doesn't work!
2021-09-18 New countries in the log: Trinidad & Tobago, Taiwan and New Zealand 3 weeks ago
I haven't written about new countries I had contacts with via amateur radio for a while, but today I finally got New Zealand in the log, which has been on my wishlist for a while. Indeed all countries that I don't have in the log yet are on that wishlist, but ranked according to Clublog New Zealand should be the 'easiest' for me. This morning I had a contact using the FT8 mode with ZL4AS on the 40 meter amateur band. This means a contact over a distance of 18726 kilometers. And by the time I write this the contact is already confirmed via Logbook of The World. The previous new country was Taiwan, last Wednesday using FT8 on the 20 meter band. That contact was with amateur station BU2FF who also confirmed very fast. And a while ago I had a contact with a station in Trinidad & Tobago but I haven't seen confirmation yet. So I am still going strong with contacts on amateur radio, sometimes finding that rare opportunity for a new country.