[Intrusions] SSH scanning, operation of phishing site

bryce_alexander at vanguard.com bryce_alexander at vanguard.com
Thu Mar 23 18:01:44 GMT 2006

Great write-up Andrew, Thanks for sharing.

What struck me was the apparent familiarity that your attacker has with 
your network. If I were in your position I would certainly take a long 
hard look at how vulnerable you are to reconnaissance gathering. Knowing 
that there was an unused machine, and how to obfuscate it to look like one 
of the laptops means the attacker has a very clear view of your internal 
operations. That means you either have an insider, or you have several 
machines that are already "owned" allowing the intruder to track the 
network topology and operations.

Andrew Daviel <andrew at andrew.triumf.ca> 
Sent by: intrusions-bounces at lists.sans.org
03/22/2006 06:58 PM
Please respond to
"Intrusions List \(GCIA Practicals\)" <intrusions at lists.sans.org>

intrusions at incidents.org

[Intrusions] SSH scanning, operation of phishing site

Further to my post of a week or two back, we had another 2 machines hit
by SSH dictionary attacks (we had locked down root on several critical
servers, but not everything, and I realized my blocking script was
running not 4x an hour as I thought, but 4x a day...since fixed in
advance of getting the realtime script up)

BTW - I have placed an ssh password-guessing list found on a hacked
machine on http://andrew.triumf.ca/ssh_pass_file - our machine from last
time had indeed had one of these passwords (qazwsxedc), which explains
why it was guessed in less than 500 attempts ... not me that chose it,
but if asked I might have said it wasn't that easy to guess.
The scanning script also checks a load of user accounts for user=password
(e.g. candice/candice) plus more guesses for admin, guest, database,
postgres etc.

I have recently made a hacked version of sshd which logs failed passwords
- it might be interesting to see what it finds
(openssh-4.1p1/auth-passwd.c.mod add after line 116
  if (result == 0 ) logit ("failed password %s", password) ;
if interested)

On to phishing .. this was fun ...

A machine that had been used as a testbed was still online, with what we
thought was a reasonably strong password (9 chars semi-random
Remote logging had been disabled while testing network stuff, so the
blocking script was not activated.
The password was guessed after some 2600 attempts from
(CHINANET jiangsu province)

The attacker then logged in from (I think) another hacked Linux machine,
downloaded some phish stuff from an ftp server in Romania (.ro),
and started up the webserver which had been stopped.

They then created ip aliases (eth0.1, eth0.2 etc.) corresponding, as it
happened, to addresses assigned to visitors staying in a dormitory up the
road. These visitor addresses were then advertised in spam email sent
probably from a botnet (e.g. Bellsouth ADSL), while the "real" address
was unused. So, when we started getting reports from SpamCop, the finger
was pointed at the visitor's laptops offsite. It didn't help that one
was, by coincidence, running Debian Linux.

A report of a machine I knew should be onsite and could not
possibly host a phishing page clued me in to what was happening, and
a quick ping and ARP query turned up a MAC address pointing to the
real culprit.

The attacker had changed the password so I had to boot a CD to get access
(pity; could not check running processes, though I did make an attempt to
dump the warm memory after rebooting). Luckily, the attacker had
not properly erased the shell history or syslogs so I could
read pretty much everything that was done.

The phishing script was written in PHP and logged credit card numbers,
security numbers, user ID and PIN to a text file on the webserver.
The attacker monitored this file from a browser via a web proxy
in Romania (cache02.canals.ro). Occasionally they would log in from
a DSL connction on pacbell.net to check things, and clean the file.

After a few days, while we filtered the aliases as reports came in,
they installed a second phish package for Chase Manhattan, then attacked
a second machine, but as it was in use and they broke the network trying
to install a rootkit, we found it quite quickly

Overall, they got maybe 90 IDs, about 25% of (the undeleted) which were
bogus or obscene, from about 2000 hits. So that's what, about 3% of
people who click the email link enter valid data. Who knows how many
emails went out. We had maybe 40 SpamCop reports to abuse at triumf.ca,
several personal emails to assorted administrators onsite, and one phone
call. Plus (real) email from eBay and PayPal (lucky it didn't get
filtered, though I think I whitelist "abuse@")

The actual phish page started with a regular browser window (exposed URL)
saying "our page has moved, click here". The next page was a big window
with a toolbar but no location box, and all the PayPal graphics etc.
No SSL, nothing special there, I think. The email was one of the HTML
"we have noticed unauthorized activity on your account. please visit
the resolution center <a href="http://some.triumf.ca/xxx

Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
security at triumf.ca

Intrusions mailing list
Intrusions at lists.sans.org

CONFIDENTIALITY STATEMENT. The information contained in this e-mail message, including attachments, is the confidential information of, and/or is the property of, Vanguard. The information is intended for use solely by the individual or entity named in the message. If you are not an intended recipient or you received this in error, then any review, printing, copying, or distribution of any such information is prohibited, and please notify the sender immediately by reply e-mail and then delete this e-mail from your system.

More information about the Intrusions mailing list