WordPress Password Attacks for the last few days IP addresses

There have been a number of news stories on mass password guessing attacks on WordPress sites – none of which is anything new or exciting. The possibility that some of these attacks are being done by a large botnet seems to have shaken some folks.

http://blog.hostgator.com/2013/04/11/global-wordpress-brute-force-flood/

http://blog.sucuri.net/2013/04/mass-wordpress-brute-force-attacks-myth-or-reality.html

http://krebsonsecurity.com/2013/04/brute-force-attacks-build-wordpress-botnet/

Well, being the chummy, log sharing chap I am, here’s a list of the naughty machines that have been trying to log in with the admin username on my lovely blog site.

My top security tip is to rename the admin account to something less obvious: Elvis, pancake, tree, duh! or metalmicky would thwart this rather simplistic attack. A decent passphrase would be another fine option too…

Needless to say, most of the attacking IP addresses are from the land of the free and the home of the weak password: the United States of America, with 65 of the 151 addresses collected.

Thank you compromised US systems!

I found a nifty web site that allowed me to make this pretty visual map of the attackers’ locations: http://batchiplocator.webatu.com/

Shame they only allow 110 addresses to be entered for display on the geo-IP map, but it’s very handy for putting together a blog post like this.

Attackers this week 18Apr2013

Add the following naughty password guessing IPs to block lists, see if they have hit your logs too, or even report them to their ISP’s abuse@ email address. It’s up to you.

These IP addresses are from the 14th of April up to today (18th of April).
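The block-list step above, as an added example that is not code from this post: it counts failed ‘admin’ logins per source address and per /24 from a constructed failed-login log (the line format is an assumption, as a login-logging plugin might write it; a few of the addresses are ones quoted in this post), so that a spray spread across one network is caught even when each address stays below the per-IP threshold.

```python
"""Build a block list from WordPress failed-login records.

Added example, not code from the original post.  The log line format is
constructed for the example, as a login-logging plugin might write it.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample; a few of the addresses are ones quoted in the post.
SAMPLE_LOG = """\
2013-04-18 03:12:44 Failed login for 'admin' from 204.93.60.103
2013-04-18 03:12:46 Failed login for 'admin' from 204.93.60.103
2013-04-18 03:12:49 Failed login for 'admin' from 204.93.60.174
2013-04-18 03:13:01 Failed login for 'admin' from 176.123.0.114
2013-04-18 03:13:05 Failed login for 'admin' from 176.123.0.105
2013-04-18 03:13:07 Failed login for 'admin' from 176.123.0.237
2013-04-18 04:01:10 Failed login for 'metalmicky' from 24.64.120.194
2013-04-18 04:02:00 Failed login for 'admin' from 204.93.60.103
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Failed login for '(?P<user>[^']*)' from (?P<ip>[\d.]+)$"
)


def parse_failed_logins(text):
    """Yield (timestamp, username, ip) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["user"], m["ip"]


def attempts_by_ip(text, username="admin"):
    """Count failed attempts against one username, per source address."""
    return Counter(ip for _, user, ip in parse_failed_logins(text) if user == username)


def block_candidates(text, username="admin", per_ip=2, per_net=3):
    """Return (ips, nets): addresses with at least per_ip attempts, plus /24
    networks whose combined attempts reach per_net, so a spray spread across
    one block is caught even when each address stays under per_ip."""
    counts = attempts_by_ip(text, username)
    nets = Counter()
    for ip, n in counts.items():
        nets[ipaddress.ip_network(f"{ip}/24", strict=False)] += n
    ips = sorted(ip for ip, n in counts.items() if n >= per_ip)
    blocked_nets = sorted(str(net) for net, n in nets.items() if n >= per_net)
    return ips, blocked_nets


if __name__ == "__main__":
    ips, nets = block_candidates(SAMPLE_LOG)
    print("block IPs:", ips, "block /24s:", nets)
```

Tune per_ip and per_net to your own traffic; a single failed login from a real user should never end up on the list.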

My, my! Bye-bye 2012

The end of the old year is rapidly approaching, and the birth of a new one is nigh!

That’s all for this year folks. Let’s see if I can’t come up with something a bit more interesting or relevant in 2013.

SharePoint 2010 returning HTTP 304 for files in Style Library directory

I was asked to look into a very curious problem with a new SharePoint 2010 site’s images not being displayed which, in theory, shouldn’t have happened. Red crosses replaced the images on the page and the JavaScript code wasn’t running.

As an example of the missing images, if I attempted to view one of the failed images, say http://someweb_site/Style%20Library/Images/btn_home.gif, it would display the browser’s broken-image icon (the white square and red cross is intentional, please don’t adjust your screens) rather than the image itself.

With the aid of Fiddler2 I could clearly see each step of the connection to the SharePoint server. What was odd was the 304 HTTP response from the server, despite it being the first time I had visited the site.

In case you haven’t memorised the HTTP codes, Wikipedia offers this refresher:

304 Not Modified

Indicates the resource has not been modified since last requested. Typically, the HTTP client provides a header like the If-Modified-Since header to provide a time against which to compare. Using this saves bandwidth and reprocessing on both the server and client, as only the header data must be sent and received in comparison to the entirety of the page being re-processed by the server, then sent again using more bandwidth of the server and client.

Even though Fiddler does a cracking job of recording what’s happening, I can never resist firing up Wireshark to confirm the same information. Below shows the server returning the 304 Not Modified response.

[Wireshark capture: the server returning 304 Not Modified]

So the file was being requested from the server and the server was telling the client it hadn’t changed since last visit. But I hadn’t visited the site before. I flushed the client’s web browser cache just to be sure and still got the same error. To me that confirmed the error was at the server end.
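A quick check for the symptom just described, as an added example (not from the post): a 304 is only legitimate in reply to a conditional request, one that sent If-Modified-Since or If-None-Match, so this Python reads captured request/response pairs, such as those exported from Fiddler, and reports any 304 that answered an unconditional request. The sample exchanges are constructed, using the post’s placeholder host, and the script.js path is made up for the example.

```python
"""Flag HTTP 304 responses that answer requests carrying no cache validator.

A server may only answer 304 Not Modified to a conditional request, i.e. one
that sent If-Modified-Since or If-None-Match.  A 304 to an unconditional
request (a first visit with an empty cache) means the server side, not the
client, is confused about what the client already holds.  Added example,
not code from the original post.
"""
from email.parser import HeaderParser

VALIDATOR_HEADERS = ("if-modified-since", "if-none-match")


def parse_request(raw: str):
    """Return (method, path, headers) from raw HTTP/1.x request text."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, _, header_text = head.partition("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = HeaderParser().parsestr(header_text)  # case-insensitive lookup
    return method, path, headers


def is_conditional(headers) -> bool:
    """True if the request carried a validator the server could answer 304 to."""
    return any(headers.get(h) is not None for h in VALIDATOR_HEADERS)


def spurious_304s(exchanges):
    """exchanges: iterable of (raw_request, status_code).  Yield the paths
    that received 304 although the request carried no validator."""
    for raw, status in exchanges:
        _method, path, headers = parse_request(raw)
        if status == 304 and not is_conditional(headers):
            yield path


# Constructed sample exchanges modelled on the post's Fiddler session.
SAMPLE_EXCHANGES = [
    ("GET /Style%20Library/Images/btn_home.gif HTTP/1.1\r\n"
     "Host: someweb_site\r\nAccept: image/gif\r\n\r\n", 304),       # spurious
    ("GET /Style%20Library/script.js HTTP/1.1\r\n"
     "Host: someweb_site\r\n"
     "If-Modified-Since: Tue, 15 Nov 2011 08:12:31 GMT\r\n\r\n", 304),  # legitimate
    ("GET /default.aspx HTTP/1.1\r\nHost: someweb_site\r\n\r\n", 200),
]

if __name__ == "__main__":
    for path in spurious_304s(SAMPLE_EXCHANGES):
        print("spurious 304 for", path)
```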

SharePoint has its own caches to speed up page and content delivery. The one I was interested in is the binary large object (BLOB) cache, and my initial thought was to flush this cache to fix the problem. MS have a nice, simple PowerShell script to do this: http://technet.microsoft.com/en-us/library/gg277249.aspx

I flushed the BLOB cache for the site, but still no dice. Then I took a bit of a step back and looked at how SP used BLOB caches. Tobias Zimmergren’s BLOB piece was very helpful in understanding where to look for the BLOB setting in the web.config file. A few simple checks showed that this site wasn’t using BLOB caching at all. Somehow SharePoint must have got confused into thinking it did have a BLOB cache and was trying to return the images and JavaScript from the non-existent cache.

The fix was easy: we created a BLOB cache and everything worked beautifully, then we disabled the BLOB cache and everything still worked. Despite the web page displaying the content correctly, I confirmed under the hood with Fiddler and, as you can see, a much happier result.

[Fiddler capture: the much happier result, with the content now served normally]

SANS Network Security 2010

Las Vegas was hot, darned hot. The average temperature was a blistering 38C, without promise of clouds, rain or even a cool breeze. None of this really mattered to me as for nine days I was a virtual prisoner of Caesars Palace, doomed to only see the outside sunlight though glimpses out of windows, doorways and the TV.

The pre-panic GSE study, followed by the GSE exam, took care of three days. Those days descended into terrible sleepless nights, which manifested itself in forcing me to roam the halls, streets and haunts of nearby Vegas venues from 12am until 5am each night. This was a desperate attempt to weary my confused and over excited brain to slumber. If only it had worked. The days were simply blurred. I have vivid memories of particular moments and events, but anything that wasn’t GSE driven has been consigned to the void.

Luck was on my side this year as I got to be a work place volunteer at SANS Network Security 2010 on Steve Sims’ Developing Exploits for Penetration Testers and Security Researchers course. This meant I got to take this amazing course and not go into further crippling debt, which in Vegas is always a good thing. Normally, as a volunteer, there’s a muster on the morning before the conference starts and all the behind the scenes work takes place. This ranges from sorting out the course materials, working out what needs to be done and then everything in between. There’s a huge amount of hard, physical work that’s done by the volunteer crew. As the GSE exam was still in full flow, I missed all this. That’s actually a shame, as you get to know the others, start the banter and camaraderie that keeps you going for the long week ahead.

Around 1200 people attended, with 41 courses, dozens of talks, presentations and break out groups happening throughout the week. This is the first time I’ve been a part of a SANS conference of this size and the sheer amount of planning, organisation and ordered chaos is stunning. I stuck my head in the early register room around 8pm on the Sunday night and was surprised to find a large group of volunteers and SANS staff still there. They had registered over 500 students, but the place still looked like only a few people had registered. I said a few quick hellos, picked up my books and the famous red apron and headed off to sleep. Well, that didn’t work and after around three hours sleep I was back at the meeting point at 6am Monday morning, feeling surprisingly awake. Only problem was, I was at the wrong muster point and it took about ten minutes to work this out. Obviously I was as awake as I thought.

A quick jog to the right meeting point, and I walked into the volunteer group. To see thirty plus men and women in the bright red aprons in one spot is a stirring sight to behold, especially without any form of caffeine in the blood stream. Standing at the head of the room was Katherine, the SANS volunteer general, fixer, enforcer and part time fairy godmother. Katherine was in full flow, assigning last minute tasks, correcting minor issues and checking on status points. She quickly noted my less than quiet entrance and summoned me. This is a great start to the day and week, I thought, groaning inwardly, busted for being late and stupid, an excellent first impression. Katherine was very kind – fortunately – and had a couple of extra duties for me to undertake during the conference. None of which were any real burden and, being determined to make up for any slight, I happily took them on.

The major part of the first day duties is to get the students sorted with their course materials and welcome packs and point them in the right directions. Given some of the delightful American accents and turns of phrase I’d already encountered and had some “minor confusions” with, I quickly volunteered to be a runner to grab the books, rather than be on the front desk. There’s nothing worse than some foreigner demanding you repeat yourself clearly and in the Queen’s English – it might work for Hugh Grant, but put in front of 500 Americans who haven’t had coffee, I wouldn’t like his chances.

Anyway, the hours flew by. Some six hundred students were sorted out; I got to meet some of the guys and girls and nearly crippled both Emily and Matthew, the two other SANS staffers working with Katherine. I think the accent and the floppy hair smoothed over most of my near fatal mistakes, and the professionalism of everyone else helped too :)

When a supply problem popped up, I got to assist Katherine as she worked her magic fixing it, which was pretty amazing to behold, given the distances, logistics and time frames involved. I’ve worked at big events before, but I’m still amazed how the folks in the background just make things work, without anyone noticing. I think they could have stepped into a career as an illusionist without messing their hair.

All of this in the first few hours before the conference had even started. The first day is usually the busiest and when things can go a bit loopy. Still, I got to the end of the day in one piece and no fires broke out in the building, so better than the last SANS conference. It’s at this point the volunteers disappear into the “office”, do some quick paper work, talk about what’s happening in the classes and hurry off to help out with one of the evening talks.

It’s during the downtime you get to socialise with the other volunteers, share experiences, swap ideas, verbally abuse each other and generally have a lot of fun. It’s all about the banter. Anyone who puts their hand up for one of these roles is there to learn and put in a good amount of hard work on top of all the mental effort while in class. In my book, that’s someone worth getting to know. Over the six days, I got to spend a bit of time with pretty much everyone in a red apron; some very unlucky people got to spend too much time with me. Brad, Sarene and Jared obviously did something terrible in a former life and so got the lion’s share of quality time. If you get the chance to be a volunteer, throw everything you have at the experience and drag out every last second.

The rest of the week became a predictable flow of stability and spikes of utter chaos. The spikes, caused either by near-death experiences from instructors on Segways and/or beer, kept life pretty interesting. One late night incident culminated in a disastrous round of whiskey shots, another plonked me in the middle of the Forensic crowd, face to face with Eric Huber and his liege, Rob Lee. I think it’s only best to leave some of the other stories in Vegas, but a good and semi-safe time was had by all.

I had some excellent random chats with other students about the GSE, SANS, security and life in general. I only wish I’d had more time to spend chatting with some of the other people there, as I’d seen their names on blogs and mail lists, but it’s better to put a face to the name. The little red apron gives you more access to the instructors, so I managed to chat with a good number who never reach these shores, in an attempt to get them to teach a class or two in Oz.

Some fantastic talks were given in the evenings, but invariably there would be work to do or three talks on at the same time that I wanted to be at, so I went to what I could. One evening I gave a talk on TMG, which I must write a post on, where 20 odd souls turned up to hear it. I was following some very tough acts, but managed to survive and hey – I can now say I was on stage in Vegas!

Summing up, it was a crazy, non-stop nine days in Las Vegas: I met some amazing people, took a phenomenal course, had very little sleep, was occasionally tortured and had an all-round brilliant time. Okay, it took over 1200 words and a huge amount of rambling to say that, but it was a massive experience and one I won’t be forgetting any time soon.

“Don’t need AV, we have a firewall”

A friend stopped by to ask if security suite X was any good or not. This led onto a conversation about a place she was working that wasn’t running any AV on its Windows machines. The rationale behind this came from a 3rd party IT support guy who said “you don’t need AV on the Windows machines, the firewall will protect them”.

When I say firewall, I mean a good, old layer 3 packet filtering device. The things that cost $100 new and are, well, ADSL routers with added security aren’t able to protect a small office by themselves. Added security equals access control lists in a pretty GUI, so not really the poster boy for defense in depth.

Amazing that some IT “professionals” actually believe having a firewall will stop PCs from getting malicious software. Thank goodness the USB device fad never took off.

If you do not have anti-virus software on your home or small office computer, Microsoft provides a free copy you can download from here: http://www.microsoft.com/security_essentials/

It does the job, is simple to use and doesn’t cost a penny. If you want something with all the whistles and bells, pick a security suite package from any of the big names.

We now return to our regular programme.