0wned.it?

Different and increased SSH brute force attacks?

David Ramsden — Mon, 22 Oct 2007 17:25:10 +0000

SSH brute force attacks have been happening for years now. Nothing new there but over the last couple of days, logcheck has been sending me emails nearly every hour with failed SSH login attempts. Something I've not had for months and months, especially with fail2ban running.

But I've noticed something "different" about these brute force attacks. There appears to be multiple hosts trying the same user within minutes of each other. And each host only tries a few times, so fail2ban isn't catching any attempts. I've only ever seen user "root" and "mysql" tried instead of the usual random users that are tried 4 or more times by the same host.

Has anyone else noticed this? It's almost as if it's a distributed and coordinated brute force attack, designed to get around people running things like fail2ban. I've reported it to SANS Internet Storm Center in case they were interested but I doubt I'll hear anything back.

Update #1: Donald Smith from SANS ISC got back to me to say I was the second person to report this today.
Update #2: SANS ISC now has a diary entry about this which can be found here. The coordination part now appears to be verified.

Modified Linksys WUSB54G antenna for fun and profit

David Ramsden — Sat, 14 Apr 2007 14:25:04 +0000

I use a Linksys WUSB54G wireless adapter for wireless pentesting because the patched Linux drivers support packet injection and MAC address changing. But I wanted to get a bit more juice out of it and a few Google searches later I found this.

After spending 20 quid (inc. VAT, delivery) on wifi-antennas.co.uk, this was the end result:

Sending mail from a different address with mutt.

David Ramsden — Thu, 22 Mar 2007 18:02:04 +0000

My main domain is hexstream.co.uk which my server uses but my personal domain is 0wned.it. I changed the From header in my .muttrc to reflect this when my personal domain went live but it wasn't until recently that I noticed not all the headers were set correctly.

For example, the envelope-from was still using hexstream.co.uk. After some research the solution according to the mutt wiki was to set envolpe_from=yes in .muttrc. This didn't work

The problem turned out to be Exim. By default, Exim's primary domain is used in the headers even if you tell it to use something else, which is probably a good thing of course.

The solution is to add your user to trusted_users in the Exim config. This then allows the headers to be modified.

sa-stats in CVS

David Ramsden — Sat, 17 Mar 2007 11:47:19 +0000

Being off work has given me a little time to work on a few personal projects. One of these is my sa-stats.pl Perl script which simply reads your mail logfile (such as /var/log/mail.info) and outputs a few statistics from SpamAssassin.

Over the months I've been sent fixes, suggestions and patches extending sa-stats.pl. Yesterday I finally put sa-stats.pl in to CVS and worked on it a little, hopefully putting a new release out soon.

You can browse the CVS repository online:
http://cvs.hexstream.co.uk/sa-stats

Download the current tarball and give it a go

Bye bye wisdom teeth

David Ramsden — Thu, 15 Mar 2007 18:12:13 +0000

I had my wisdom teeth out on Monday under a general. It isn't as bad as I thought it would be apart from the lack of feeling in my tongue. That's due to the swelling disrupting the nerves and should return... within 2-3 weeks!

I've been signed off work for a week and today I actually did something productive by making some small changes to my website. I've also been sent a patch for sa-stats so I'll try to find time to work on that and publish an updated version.

New domain, the War on Blog Spam and site updates.

David Ramsden — Fri, 12 Jan 2007 17:51:18 +0000

Aaaages ago, I bought 0wned.it and finally last night I got the motivation to put it to use. From now on I'll be using this domain. I also created a new PGP key because I'd stuffed the last one up.

Thanks to mod_rewrite for making the transition so much easier:

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^david\.hexstream\.co\.uk
RewriteRule ^(.*)$ http://0wned.it/$1 [R=permanent,L]

I've also had to add another check on to blog comments to cut down on spam. Not that I've ever had any comment spam because email verification is needed but I was getting several NDRs each day. Check it out by leaving a comment

I also made a few updates to the site. Everything now works in IE7, removed some crappy pages (music, webcam, gallery) and updated the About page so it's a lot more recent.

Still to do: Use AJAX because it's "cool and trendy", apparently. Use blog titles instead of IDs (i.e. /view/a_blog_entry) and probably lots of other things.

Installing VERITAS Backup Exec 10 agent on Debian

David Ramsden — Thu, 28 Dec 2006 12:54:15 +0000

I've just placed the first Debian server for production use in the rack at work. This is running Nagios and MRTG for our Network Operations Centre.

This needs to be added to our backup schedule. We're using VERTIAS Backup Exec 10 for Windows as our media server. No problem, I though. We have the UNIX/Linux agent installation on CD. I've used the ArvServe UNIX agent in the past and this was a piece of cake to install. The VERITAS agent wasn't quite as simple.

I've typed up a few notes on how to install the VERTIAS agent under Debian. Credit to newvibes.net which helped me out initially. A few things needed to be changed...

DDoS attack on EveryDNS.net

David Ramsden — Sat, 02 Dec 2006 00:55:00 +0000

3:45 PM (EST), all 4 of EveryDNS.net's nameservers stopped responding. EveryDNS.net have all four of their nameservers in different geographical locations, on different networks.

Looking on Wikipedia and various other sites, it became apparent that this was a large scale DDoS attack on EveryDNS.net and not some major configuration error. Service currently appears to be very patchy.

hexstream.co.uk, 0wned.it and dnbsessions.co.uk all have their nameservers with EveryDNS.net so services won't be optimal at the moment (to say the least).

If anyone wants to offer me a 5th nameserver for the above domains to mitigate against this in the future, please get in touch

Wireless insecurity.

David Ramsden — Wed, 30 Aug 2006 16:47:30 +0000

I'm sure most people who read this will know that WEP is crap. I had a few minutes spare today and to make use of my Linksys WUSB54G adapter that I bought months ago for wireless pentesting.

After downloading some patched rt2750 drivers and I had packet injection working. It took me 14 minutes from start to finish to find a wireless network using WEP and connect myself to it. The captured data I could decrypt with the cracked WEP key and load in to wireshark. Cleartext passwords everywhere!

The next task is to research in to attacking wireless clients directly. Looking at airodump-ng, there's so many machines probing for hotspots such as iZone. All I need to do is turn my laptop in to a hotspot and trick the clients in to connecting. Projects already exist for this, such as hotspotter.

Disclaimer: Breaking in to computers and networks is illegal. Don't do it unless you've been authorised to do so (i.e. you're conducting a pentest for a client).

./~ Happy Birthday to me ./~

David Ramsden — Tue, 29 Aug 2006 08:53:01 +0000

22 years old today. Wonderful!