FTP HACK
The good people over at The New Criterion have seen their fair share of problems recently. As some of you might know, I had done some consulting work for them and it was just one thing after another. None of them were anyone’s particular fault, though the accumulation of a wide range of issues resulted in near-constant problems and downtime, including multiple root-level and apache-level compromises. I’ll avoid describing the evolution of those issues, but this last one is just funny, mostly because I haven’t ever really seen this type of stuff before on one of my own machines.
This morning the people over at TNC emailed me because their site was down. Indeed, wordpress couldn’t talk to MySQL. I logged in to find a load of >70 on the machine. Since the machine was almost completely unresponsive, I just started killing likely culprits, thinking this was a similar issue that had cropped up before in RHEL4+Apache/2.0.52 (don’t get me started … I fully hate Red Hat). Turns out they had a user-level compromise for some random Red Hat user ‘netdump’. Without getting into the specifics, they had installed a nice little ftp scanner and a 500k dictionary for a pretty random looking brute-force attack.
What is particularly amazing in this case is it is in fact completely random over 0-255.0.0/16 and tries to log in only as “Administrator”, a user typically seen in Windows environments. This application had not more than 1 hour to run, and easily recovered 131 admin passwords over the 210/8 block (Asia). Now, having cleaned this particular crap from their machine, I’m sitting on a log file of 131 admin passwords for all sorts of machines in Asia, including some fairly large corporations, and in a fairly ironic twist, a number of network security firms. Aside from your standard bad admin passwords including ‘123qwe’, ‘123456’, ‘administrator’, ‘pineapple’, ‘software’, ‘root’, the dictionary included in this particular scanner sheds some light as to other ways people create “secure” passwords. For instance, ‘!@#$%’ is the logical replacement for ‘12345’, but modern dictionary attacks aren’t fooled.
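The shift-key trick mentioned above (‘!@#$%’ standing in for ‘12345’) is easy to undo, which is exactly why a dictionary does not need to carry both spellings. The following is an added example, not code from the original post: a password-audit check that maps shifted number-row symbols back to digits before comparing against a weak-password list. The weak list is constructed from the passwords quoted in the post.

```python
# Added example (not from the original post): a defender-side password audit
# that treats shift-key substitutions such as '!@#$%' as equivalent to
# '12345', so a password caught by the scanner's dictionary is flagged in
# either spelling.

# Shifted characters on a US keyboard number row, mapped back to the digit.
SHIFTED_DIGITS = {
    "!": "1", "@": "2", "#": "3", "$": "4", "%": "5",
    "^": "6", "&": "7", "*": "8", "(": "9", ")": "0",
}

# Weak passwords quoted in the post (constructed list for this example).
WEAK_PASSWORDS = {
    "123qwe", "123456", "administrator", "pineapple",
    "software", "root", "12345",
}


def normalize(password: str) -> str:
    """Undo the shift-key 'disguise' ('!@#$%' -> '12345') and lowercase."""
    return "".join(SHIFTED_DIGITS.get(ch, ch) for ch in password).lower()


def is_weak(password: str, weak=WEAK_PASSWORDS) -> bool:
    """True if the password, raw or de-shifted, is in the weak list."""
    return password.lower() in weak or normalize(password) in weak


def audit(candidates):
    """Return the candidates a dictionary attack of this kind would catch."""
    return [p for p in candidates if is_weak(p)]


if __name__ == "__main__":
    sample = ["!@#$%", "Pineapple", "correct horse battery staple", "root"]
    print(audit(sample))  # ['!@#$%', 'Pineapple', 'root']
```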
So anyway, what should I do with all this information? Purge it? I’m not going through the trouble of emailing noc/abuse/postmasters about this.
Cheers.
Hmmm… sell it… because grad students need money too?
You think that the network security firms might just have these weak passwords as honey pots to fish for this kind of stuff? On isolated machines that they monitor?
Also I didn’t realize that The New Criterion was where you were consulting. That is a really great publication. Not always on my ideological line but they are one of the blessedly rational places on the internet that I routinely enjoy.