News items for tag security - Koos van den Hout

2017-11-15 Lots and lots of distributed SSH scanning 3 weeks ago
I am noticing lots and lots of distributed SSH scanning, not doing enough attempts from one IP address to trigger fail2ban. Timing and choice of login names used suggest a strong link between the ssh attempts even when source IPs are very different. Login names also refer to websites hosted on the same address.

At a given moment I started wondering if this was just me, but others reported the same and exchanging IP address lists showed a lot of matches between attacks on totally unrelated systems.
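One way to surface this pattern from the sshd log, as an added example that is not part of the original post: it reports login names tried from several source addresses that each stay under the per-address ban threshold. The function name, the `maxretry=5` threshold (use the value from your own fail2ban jail) and the sample lines with documentation addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# sshd "Invalid user NAME from ADDRESS" lines; NAME may be the empty string.
INVALID = re.compile(r"sshd\[\d+\]: Invalid user (\S*) from (\S+)")

def shared_names_from_quiet_sources(lines, maxretry=5, min_sources=3):
    """Return {login name: sorted sources} for names tried from at least
    min_sources addresses that each made fewer than maxretry attempts.
    Counts cover the lines passed in, so feed it one time slice of the log."""
    attempts = defaultdict(int)      # source address -> number of attempts
    sources = defaultdict(set)       # login name -> source addresses
    for line in lines:
        m = INVALID.search(line)
        if m:
            name, addr = m.groups()
            attempts[addr] += 1
            sources[name].add(addr)
    # Sources that a per-address counter such as fail2ban would never ban.
    quiet = {addr for addr, n in attempts.items() if n < maxretry}
    report = {}
    for name, addrs in sources.items():
        below = addrs & quiet
        if len(below) >= min_sources:
            report[name] = sorted(below)
    return report

# Constructed sample: three quiet sources sharing a name, one noisy source.
SAMPLE = [
    "Nov 15 10:00:01 host sshd[1001]: Invalid user weather from 192.0.2.10",
    "Nov 15 10:03:12 host sshd[1002]: Invalid user weather from 198.51.100.7",
    "Nov 15 10:06:40 host sshd[1003]: Invalid user weather from 203.0.113.5",
    "Nov 15 10:06:55 host sshd[1004]: Invalid user admin from 203.0.113.5",
] + [
    f"Nov 15 10:07:{s:02d} host sshd[{2000 + s}]: Invalid user weather from 203.0.113.99"
    for s in range(5)
]

if __name__ == "__main__":
    for name, addrs in shared_names_from_quiet_sources(SAMPLE).items():
        print(repr(name), "tried from", len(addrs), "quiet sources:", ", ".join(addrs))
```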

2017-11-13 The television version of "The Cuckoo's Egg" 4 weeks ago
I read the Dutch version of "The Cuckoo's Egg" when it came out in 1989. Later I bought the English version.

Via a complete diversion I found out this weekend the book was made into a TV documentary: The KGB, the Computer and Me, which has a lot fewer personal diversions than the book. It is played by Clifford Stoll himself and others involved in the original story, although the CIA guys look a bit more stereotypical than they come out in the book.

A very interesting part is there is a closing remark in the documentary by Markus Hess. Now I want to get a view of the movie of the other side, '23'.

The funny part is that I found this documentary from following news related to amateur radio: Cliff Stoll -- K7TA -- Has THE KNACK. And a GREAT NOVA Video. Clifford Stoll does have a callsign: K7TA

2017-10-30 I am a paranoid bastard 1 month ago
I needed to look up some gpg commands and found GPG Cheat Sheet and it had what I was looking for.

Looking at this page I found this gem:
Ok, so what if you're a paranoid bastard and want to encrypt some of your own files, so nobody can break into your computer and get them? Simply encrypt them using yourself as the recipient.
That makes me a paranoid bastard since I use this to store passwords and other secrets.

2017-10-16 Information gathering for ssh attacks 1 month ago
Someone has been looking at websites I run to think of ssh login names to try:
Oct 16 16:21:53 greenblatt sshd[19367]: Invalid user weather from
Oct 16 16:22:11 greenblatt sshd[19387]: Invalid user weatherstation from
Oct 16 16:55:07 greenblatt sshd[22596]: Invalid user weerstation from
All valid and published websites on this system:,,

2017-09-27 Enigmail 'partial decrypt' 2 months ago
The imap server where I fetch my work mail changed and suddenly the enigmail plugin on one system could not decrypt gpg-encrypted messages anymore with a 'partial decrypt' error. I remember seeing this before but had to look up the details.

Found again, it's a setting in enigmail (not in the general thunderbird preferences!), Enigmail → Preferences → select Advanced → Only download attachments when opened (IMAP only) has to be unchecked.

Answer found via Resolving Thunderbird/Enigmail decryption errors for encrypted emails with large attachments

2017-08-19 Moving to https 3 months ago
I received a notification from the google webmaster program that chrome browser would start showing security warnings on due to the search box there.

The simple solution: make the site correctly available via https and redirect to the https version. I found out I already started doing the first bit and therefore the conversion was easy. Now with encrypted connections: The Virtual Bookcase.

2017-07-25 If you post about "334 VXNlcm5hbWU6" be aware what you are sharing 4 months ago
I saw someone post somewhere about problems with sending mail, with the complete session log. E-mail addresses were obfuscated, but there was a part of the session not obfuscated, which had far more interesting secrets than just e-mail addresses. It looked a bit like this:
250-SIZE 157286400
250 OK
334 VXNlcm5hbWU6
334 UGFzc3dvcmQ6
235 ... authentication succeeded
250 OK
Those "random" letters and digits look a lot like base64, so to decode them:
$ echo "VXNlcm5hbWU6" | base64 -d ; echo
$ echo "dXNlcm5hbWU=" | base64 -d ; echo
$ echo "UGFzc3dvcmQ6" | base64 -d ; echo
$ echo "cGFzc3dvcmQ=" | base64 -d ; echo
So the random letters and digits are actually username and password, very interesting information. Searching for VXNlcm5hbWU6 gives me examples of usernames and passwords.
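A way to scrub such a session log before posting it, as an added example that is not part of the original post: it replaces the client's answer to each `334` challenge, and any secret sent inline with `AUTH PLAIN` or `AUTH LOGIN`, with `[REDACTED]`. The function names, the assumed log shape (at most one direction prefix such as `S: ` or `C: ` per line) and the sample session are constructed for illustration.

```python
import base64
import re

# Optional direction prefix ("S: ", "<- "), then a three-digit SMTP reply code.
SERVER = re.compile(r"^(?:\S+\s+)?(\d{3})(?:[ -](.*))?$")
# Client command that carries the secret on the same line.
AUTH_INLINE = re.compile(r"(AUTH\s+(?:PLAIN|LOGIN)\s+)(\S+)", re.I)

def prompt_text(challenge):
    """Decode a 334 challenge such as VXNlcm5hbWU6 into its prompt text."""
    try:
        text = base64.b64decode(challenge.strip(), validate=True).decode("ascii")
    except ValueError:
        text = ""
    return text or "334 challenge"

def redact_smtp_auth(log):
    """Return (redacted log text, labels of the answers that were removed)."""
    out, removed, pending = [], [], None
    for line in log.splitlines():
        reply = SERVER.match(line)
        if reply:
            # Only a 334 reply means the next client line is a credential.
            is_challenge = reply.group(1) == "334"
            pending = prompt_text(reply.group(2) or "") if is_challenge else None
        elif pending is not None and line.strip():
            head, _, _secret = line.rstrip().rpartition(" ")
            line = (head + " " if head else "") + "[REDACTED]"
            removed.append(pending)
            pending = None
        else:
            line, hits = AUTH_INLINE.subn(r"\g<1>[REDACTED]", line)
            removed += ["AUTH initial response"] * hits
        out.append(line)
    return "\n".join(out), removed

# Constructed session; the credentials are the literal words "username",
# "password" and, in the AUTH PLAIN line, "user" and "pass".
SAMPLE = """S: 250-AUTH LOGIN PLAIN
S: 250 OK
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: dXNlcm5hbWU=
S: 334 UGFzc3dvcmQ6
C: cGFzc3dvcmQ=
S: 235 authentication succeeded
C: AUTH PLAIN AHVzZXIAcGFzcw=="""

if __name__ == "__main__":
    text, labels = redact_smtp_auth(SAMPLE)
    print(text)
    print("removed answers to:", labels)
```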

2017-07-19 New threat going around "Please find attached our purchase order" 4 months ago
E-mail with a subject starting with "Please find attached our purchase order number" and a zip attachment, with a zip in it, and in that zip an .exe file.
Archive:  PO185 - 188207
  Length      Date    Time    Name
---------  ---------- -----   ----
   341805  2017-07-19 04:55   PO362 - 867977
---------                     -------
   341805                     1 file
Archive:  PO362 - 867977
  Length      Date    Time    Name
---------  ---------- -----   ----
   431458  2017-07-19 15:32   PO362 - 867977 X.exe
---------                     -------
   431458                     1 file
I guess the .exe will cause some serious damage in Windows operating systems. The size is huge, where is the time virus writers tried to stay below 1024 bytes!
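A triage check for this kind of attachment, as an added example that is not part of the original post: it walks nested zips in memory and reports members that start with the DOS/PE `MZ` header, recognising the inner archive by content because the inner zip in the listing above has no `.zip` extension. The function names, limits and the constructed sample archive are assumptions for illustration.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"   # local file header at the start of a non-empty zip
PE_MAGIC = b"MZ"            # DOS/PE executable header

def find_executables(data, path="", depth=0, max_depth=5, max_size=50_000_000):
    """Return member paths whose content starts with the PE magic, descending
    into nested zips that are identified by content, not by file name."""
    hits = []
    if depth > max_depth or data[:4] != ZIP_MAGIC:
        return hits
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > max_size:
                    continue  # skip directories and oversized members
                member = zf.read(info)
                name = f"{path}/{info.filename}" if path else info.filename
                if member[:2] == PE_MAGIC:
                    hits.append(name)
                else:
                    hits += find_executables(member, name, depth + 1,
                                             max_depth, max_size)
    except (zipfile.BadZipFile, RuntimeError):
        # Corrupt or password-protected: report it instead of passing it as clean.
        hits.append((path or "<top level>") + " [unreadable archive]")
    return hits

def make_zip(members):
    """Build a zip in memory from {name: bytes}; used for the sample only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample: a zip holding an extension-less zip holding a fake .exe.
SAMPLE = make_zip({
    "PO-constructed": make_zip({
        "PO-constructed X.exe": PE_MAGIC + b"\0" * 62,
        "note.txt": b"hello",
    }),
})

if __name__ == "__main__":
    print(find_executables(SAMPLE))
```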

2017-07-16 SSH attacks by Java 4 months ago
Jul 16 04:17:01 greenblatt sshd[9365]: reverse mapping checking getaddrinfo for [] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 04:17:01 greenblatt sshd[9365]: Invalid user 1234 from
Jul 16 04:17:01 greenblatt sshd[9365]: input_userauth_request: invalid user 1234 [preauth]
Jul 16 04:17:01 greenblatt sshd[9365]: Received disconnect from 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
That last bit is not from my sshd but an error message related to a java library for ssh, as noted in Reasons for com.jcraft.jsch.JSchException: Auth fail | Maximilian Böhm which correctly notes that attacks are a reason.

2017-07-13 Interesting log item 5 months ago
Haven't seen this before:
Jul 13 09:29:45 greenblatt sshd[24232]: Invalid user  from
Jul 13 09:29:45 greenblatt sshd[24232]: input_userauth_request: invalid user  [preauth]
Jul 13 09:29:59 greenblatt sshd[24232]: Disconnecting: Change of username or service not allowed: (,ssh-connection) -> (admin,ssh-connection) [preauth]
I have seen user '' (empty) before, but a change of username is new to me. Searching finds very little information, only one mention: Which ssh exploit works by changing the user name in the middle of the process? - Information Security stack exchange where the assumption was that this was some kind of attack.

2017-05-12 SSH usernames being tried 7 months ago
Usernames seen in ssh attempts: 0 1 a a0 adm admin admln agnes ajay apache ask bin byte cactiuser CarpeDiem cisco cs daniel data db2inst1 debian D-Link erp ezrena faxadmin ftp ftpuser glassfish gpadmin guest help jesus lancer maile mailers marifer maronique media mis mysql nodeclient ooooooooo opuser oracle perl personnel pi pig PlcmSpIp postmaster postpone remote root roote rppt sales shop student support test testing ts ts3 turbo ubnt ubuntu user vnc wildfly willy xbmc And the '' username (empty string). By numbers root has the highest number of attempts.

2017-05-06 Unive, please communicate a bit more clearly 7 months ago
We are insured with Unive, and I received an e-mail about that:
Subject: Document(s) for your package xxxxxxxx

Dear Mr. ..

Enclosed you will find the overview of your insurance package. Would you
please check whether the details are correct?
My first thought was to send the attachment straight to a malware analysis pipeline, but we are indeed insured with them and the e-mail was addressed to the address I use to communicate with Unive. It is just that the subject looks a lot like the e-mails I see with the newest ransomware.

So I opened the pdf after all, and it turned out to contain an 'acceptgiro' (payment slip) as well. So it was rather vital to open that file and read it through.

So I wanted to let Unive know that their way of communicating is rather clumsy. The e-mail message says:
If you have any questions or comments, feel free to [2]contact us.
This comes with a link. But when I try to enter my improvement suggestion there, I am also required to give an address and a date of birth before I am allowed to send the message, and it is even optional to give my burgerservicenummer (citizen service number).

Those details are not needed to process my suggestion, so it would be very helpful if there were a contact option that does not ask for them. This is not privacy by design.

2017-03-21 Enigmail KEYEXPIRED / SIGEXPIRED error messages 8 months ago
I was plagued by thunderbird/enigmail in one installation not wanting to send PGP-encrypted messages. It took me a while to debug because I seemed to be the first one to come across it. The error messages are not very helpful with a lot of SIGEXPIRED in them followed by a KEYEXPIRED. I found someone with probably the same problem at Enigmail stopped working: KEYEXPIRED/SIGEXPIRED - Super User but no usable answer at that time.

Searching further found me [Enigmail] enigmail won't let me encrypt messages anymore which does show another problem with old keys in the further thread. I started removing old keys showing with '00 00 00' fingerprints until I found my old 'home' key in the ring (0x2C663B5DF0D7C263). After that the error message changed to the key being unavailable. I dug through ~/.gnupg/gpg.conf looking for mentions, and found:
#default-key F0D7C263
already disabled, and:
encrypt-to F0D7C263
when I changed that last one to a newer and better fitting key the problem was solved. There was a mention of F0D7C263 at the end of the enigmail error message but it was hard to draw conclusions about what it was doing there.

So as usual: good encryption is hard. And good error messages are hard too. I added a suggestion to the message so others may spend less time debugging this problem.

2017-03-10 Improving the Internet security one service at a time 9 months ago
At work we (indirectly) get the scanning results from Shadowserver which now includes open VNC servers which is yet another service we don't really want left open to the Internet in general. A few were found which are now actively chased after to get them firewalled/disabled.

I really like the concept of shadowserver. ISPs that want the information can get full overviews of insecure services and botnet activity on their network. A full overview of what shadowserver looks for can be found at The scannings will continue until the Internet improves - Shadowserver.

2016-12-07 Popular ports for scans... 1 year ago
Currently over half of the incoming TCP SYN packets logged and dropped in my firewall are for port 23 or port 2323. According to on-line sources this is all related to the Mirai botnet and copycats of that botnet.

2016-11-18 Trying to scam the spammed 1 year ago
An interesting scam mail received in several of my inboxes:
To: abuse@...
Subject: you've been scammed

Your email abuse@... has been hacked and spam is sent to all your contacts!
If you don't have a lawyer, you may contact me at

Best Regards,
I guess 'Mark' bought the cheapest available list of spammable addresses and is now trying to profit from the people spammed.

The other variation is with
Subject: You are hacked!
But with everything else exactly the same.

Update: I am getting some responses to this post, other people are seeing this spam too. I guess I was just the first one to write a post about it, since I usually like to link to posts showing I am not the only one. Hello visitors puzzling about this spam!

Update II: It's not just me! Also noted at You are hacked or scammed -

2016-11-02 Attacks trying to make me attack another site 1 year ago
I noted some weirdness:
tcp        0      0 xx.xx.xx.xx:http     SYN_RECV   
Variation on earlier Don't try to use my system to attack another. I viewed the traffic with p0f and noticed there isn't variation in the sources now:
 - UNKNOWN [8192:59:1:40:.:.:?:?]
  -> xx.xx.xx.xx:80 (link: unspecified)
 - UNKNOWN [8192:59:1:40:.:.:?:?]
  -> xx.xx.xx.xx:80 (link: unspecified)
 - UNKNOWN [8192:51:1:40:.:.:?:?]
  -> xx.xx.xx.xx:80 (link: unspecified)
 - UNKNOWN [8192:39:1:40:.:.:?:?]
  -> xx.xx.xx.xx:80 (link: unspecified)
 - UNKNOWN [8192:39:1:40:.:.:?:?]
  -> xx.xx.xx.xx:80 (link: unspecified)
 - UNKNOWN [8192:67:1:40:.:.:?:?]
  -> xx.xx.xx.xx:80 (link: unspecified)
 - UNKNOWN [8192:43:1:40:.:.:?:?]
  -> xx.xx.xx.xx:80 (link: unspecified)
All trying to make my system take part in an attack on and, both part of "William Hill Organization" on Gibraltar.

The rules saying that I want to limit the amount of outgoing tcp syn/ack packets to one IP are working. Of course the real source of the attack is some network that does not implement BCP38 source address filtering.

2016-10-23 Botnets made of the Internet of (Insecure) Things 1 year ago
Lots of reporting on the recent DDoS attack on Dyn infrastructure tells that (part of) the attack came from insecure "Internet of Things" (IoT) devices.

Lots of devices with some 'Internet' network capabilities are being produced. The new owners of those devices have little interest in patching them, being only a reasonably small part of the DDoS attacks, and the makers have little interest in securing them since that will not sell one more device.

In the meantime, I see an increase in scans on ports 23 and 2323 which seem to be the default ports used to remotely access some of the vulnerable devices.

2016-10-10 How to recognize a job advertisement for money mules 1 year ago
Don't fall for it..

I received spam which translates (to me) very clearly to 'be a money mule':
[..] is looking for a qualified representative, reliable, efficient and dedicated to help facilitate their business transactions in Australia. The work is based on administrative / customer service support improving productivity and above all performing basic banking transactions.

We are located in the London If you are satisfied with all the conditions and wish to register, please contact our Human Resources department at [.. generic webmail account ..]
Alerting items:
  • Unsolicited e-mail (spam) sent to a random address
  • Lots of buzzwords but the work seems to be "basic banking transactions"
  • Doing transactions in Australia but located in London
  • Using a generic webmail account

2016-10-03 Discovering new archiving methods... via malware 1 year ago
In the incoming spam this morning:
See attached Bill Of Laden.

[-- Attachment #2: Shipping_Documents.ace --]
I had never heard of .ace files, but I miss some developments. So I asked:
$ file Shipping_Documents.ace
Shipping_Documents.ace: ACE archive data version 20, from Win/32, version 20 to extract, contains AV-String (unregistered), solid
So it is an archiving format, better described at ACE (compression file format) - Wikipedia. There is an unace for linux, and this gave me:
RFQ#0929919882.exe: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
c04e10a084657473828a03a97c82f0a9  RFQ#0929919882.exe
Which is obviously not shipping documents but an executable. Looking at the file showed some dangerous function names.
