WordPress Password Attacks for the last few days IP addresses

There’s been a number of news stories on mass password guessing attacks on WordPress sites – none of which is anything new or exciting. The possibility that some of these attacks are being done by a large botnet seems to have shaken some folks.

http://blog.hostgator.com/2013/04/11/global-wordpress-brute-force-flood/

http://blog.sucuri.net/2013/04/mass-wordpress-brute-force-attacks-myth-or-reality.html

http://krebsonsecurity.com/2013/04/brute-force-attacks-build-wordpress-botnet/

Well, being the chummy, log-sharing chap I am, here’s a list of the naughty machines that have been trying to log in with the admin username on my lovely blog site.

My top security tip is to rename the admin account to something less obvious: Elvis, pancake, tree, duh! or metalmicky would thwart this rather simplistic attack. A decent passphrase would be another fine option too…

Needless to say, most of the attacking IP addresses are from the land of the free and the home of the weak password, the United States of America: 65 out of the 151 in the table below.

Thank you compromised US systems!

I found a nifty web site that allowed me to make this pretty visual map of the attackers’ locations: http://batchiplocator.webatu.com/

Shame they only allow 110 addresses to be entered for display on the geo-IP map, but it’s very handy for putting together a blog post like this.

Attackers this week 18Apr2013

Add the following naughty password-guessing IPs to your block lists, see if they have hit your logs too, or even report them to their ISPs’ abuse@ addresses. It’s up to you.

These IP addresses are from the 14th of April up to today (18th of April).

IP Country
193.180.115.113 Austria
85.158.215.36 Belgium
177.180.13.250 Brazil
187.85.82.38 Brazil
78.142.63.82 Bulgaria
199.204.214.208 Canada
184.107.150.58 Canada
108.163.128.206 Canada
108.163.188.186 Canada
198.144.157.117 Canada
24.64.120.194 Canada
190.98.219.99 Chile
210.14.78.21 China
223.87.0.177 China
111.13.87.150 China
218.203.105.26 China
61.234.146.186 China
61.175.223.134 China
211.167.112.14 China
14.17.29.112 China
41.222.196.37 Congo, The Democratic Republic of the
185.15.196.72 Europe
94.23.234.227 France
188.165.202.45 France
5.135.158.104 France
109.1.137.192 France
81.252.211.149 France
194.231.138.35 Germany
194.116.187.25 Germany
83.243.57.33 Germany
87.253.162.6 Germany
188.40.166.133 Germany
31.22.104.28 Germany
85.10.195.141 Germany
176.9.78.117 Germany
85.214.27.40 Germany
46.165.198.100 Germany
85.25.73.37 Germany
188.40.69.202 Germany
78.46.34.77 Germany
180.188.194.54 Hong Kong
124.244.59.238 Hong Kong
94.199.51.8 Hungary
210.210.178.20 Indonesia
115.124.72.62 Indonesia
118.99.79.123 Indonesia
42.62.176.150 Indonesia
180.244.193.110 Indonesia
77.237.73.3 Iran, Islamic Republic of
85.119.183.223 Italy
202.232.236.66 Japan
210.188.201.41 Japan
115.187.79.147 Japan
202.214.8.82 Japan
2.135.238.162 Kazakhstan
176.123.0.114 Moldova, Republic of
176.123.0.105 Moldova, Republic of
91.214.200.45 Moldova, Republic of
176.123.0.237 Moldova, Republic of
176.123.0.231 Moldova, Republic of
176.123.0.94 Moldova, Republic of
77.235.47.247 Netherlands
194.247.30.126 Netherlands
80.95.160.178 Netherlands
146.0.79.23 Netherlands
89.44.200.154 Romania
92.114.86.81 Romania
93.187.140.18 Romania
89.38.207.234 Romania
80.86.105.174 Romania
80.78.247.92 Russian Federation
178.208.91.196 Russian Federation
151.248.123.211 Russian Federation
212.49.116.20 Russian Federation
119.31.233.40 Singapore
80.35.80.139 Spain
80.28.254.179 Spain
61.19.248.138 Thailand
95.173.186.104 Turkey
31.210.86.205 Turkey
37.247.99.82 Turkey
94.138.206.66 Turkey
37.57.25.225 Ukraine
31.202.217.135 Ukraine
95.154.234.101 United Kingdom
80.68.95.137 United Kingdom
216.224.169.123 United States
184.154.36.210 United States
67.205.24.238 United States
96.127.139.170 United States
74.208.66.177 United States
65.254.40.154 United States
70.32.112.125 United States
64.202.240.136 United States
209.51.142.178 United States
199.195.143.121 United States
24.234.3.189 United States
184.105.235.28 United States
66.36.228.123 United States
207.58.185.126 United States
184.154.115.10 United States
69.163.164.44 United States
199.180.252.22 United States
66.55.144.244 United States
173.245.6.132 United States
65.254.168.168 United States
67.215.243.250 United States
216.224.175.71 United States
72.29.68.51 United States
74.207.224.242 United States
69.174.254.88 United States
74.117.61.88 United States
174.127.117.77 United States
72.32.68.101 United States
69.195.198.111 United States
198.1.127.222 United States
208.113.170.83 United States
204.93.60.103 United States
204.93.60.174 United States
207.58.139.238 United States
204.93.60.208 United States
204.93.60.84 United States
216.172.147.251 United States
204.93.60.164 United States
204.93.60.75 United States
50.22.236.98 United States
204.93.60.12 United States
50.117.80.66 United States
204.93.60.58 United States
216.172.147.234 United States
184.168.112.26 United States
199.223.214.154 United States
8.29.131.248 United States
184.168.109.23 United States
23.27.237.205 United States
208.116.36.230 United States
198.98.113.47 United States
65.60.19.242 United States
72.167.13.19 United States
50.117.80.168 United States
216.172.147.57 United States
198.144.116.91 United States
184.168.114.10 United States
204.93.60.9 United States
208.115.125.60 United States
204.93.60.207 United States
23.27.238.51 United States
198.144.116.100 United States
50.117.80.38 United States
50.31.98.92 United States
209.73.151.229 United States

Outlook Tweaks

I continually forget these Outlook settings, which make reading lovely HTML emails just that little bit safer. I also like to be able to read the message headers on those odd emails: in Outlook 2010, go to File – Quick Access Toolbar and add Message Header from the ‘All’ option in the drop-down list.

Taken from http://support.microsoft.com/kb/831607

To turn on the Read all standard mail in plain text option in Outlook 2003, follow these steps:

  1. Start Outlook 2003.
  2. On the Tools menu, click Options.
  3. On the Preferences tab, in the E-mail area, click E-mail Options.
  4. In the Message handling area, click to select the Read all standard mail in plain text check box.
    Note By default, the Read all standard mail in plain text option is turned off.

To turn on the Read all standard mail in plain text option in Outlook 2007, follow these steps:

  1. Start Outlook 2007.
  2. On the Tools menu, click Trust Center, and then click E-mail Security.
  3. Under Read as Plain Text, click to select the Read all standard mail in plain text check box.
  4. To include messages that are signed with a digital signature, click to select the Read all digitally signed mail in plain text check box.

When the Read all standard mail in plain text option is turned on, you receive the following notification on the InfoBar at the top of the e-mail message:

This message was converted to plain text.

Note If you decide to view the plain text message in its original format, click the InfoBar, and then select Display as HTML or Display as Rich Text.

To turn on the Read all standard mail in plain text option in Outlook 2010, follow these steps:

  1. Start Outlook 2010.
  2. Click the File tab in the Ribbon, and then click Options on the menu.
  3. Click Trust Center on the Options menu.
  4. Click the Trust Center Settings tab.
  5. Click E-mail Security.
  6. Under Read as Plain Text, click to select the Read all standard mail in plain text check box.
  7. To include messages that are signed with a digital signature, click to select the Read all digitally signed mail in plain text check box.

When the Read all standard mail in plain text option is turned on, you receive the following notification on the InfoBar at the top of the e-mail message:

This message was converted to plain text.

“Defending Your Weakest Link…End Users” presentation from Bryce Galbraith

SANS is collaborating with the Australian Information Security Association (AISA) Melbourne branch to bring Bryce Galbraith, SANS Certified Instructor, live to the ANZ Centre for one night only.

This may sound suspiciously like a Vegas show, but I can assure you Bryce is a great speaker and it will be well worth the time to go and listen to his presentation on “Defending Your Weakest Link…End Users”.

Get along there, especially if you’re an AISA member, and soak up what he has to say. Don’t be afraid to ask questions and get involved.

Details

Date: Monday, July 11
Time: 17:30 – 19:30
Venue: ANZ Centre – Core B Upper Ground Conference Suites, 833 Collins Street, Melbourne

Abstract:
In most organizations, a single end-user’s click is all it takes to put critical assets at risk. Hackers mercilessly leverage our ignorance, arrogance and apathy. Traditional defenses are failing us. We’re being hit from every angle: anti-virus evasion, full disk encryption bypass, flash drives, drive-by downloads, social networking, resumes, smart phones, web portals (e.g. Outlook Web Access), open wireless networks, attachments, social-engineering and so much more.

We must understand the true risk we face in today’s threatscape if we are to have a chance to defend ourselves.

This presentation will highlight some of the most salient threats our end users face both in and out of the office and what can be done to mitigate them.

Logs: for more than filling disk space

One of the fun facts of logs: if you don’t set up, configure and check ‘em, you’ll never know what’s going on with your systems.

Even with quiet, little blogs such as this, it’s well worth having logging set up and enabled.

For a while now, starting on the 13th of June 2011 at 07:18:02, there’s been a consistent slow brute force password attack: roughly three attempts per hour at guessing the password of the WordPress admin account. The attack is being redirected through a German-hosted open proxy with the IP address 95.168.191.160.

It’s been fun for a while to watch, but it’s time to add a block in the ol’ .htaccess file.

There’s a very detailed guide on how to use the .htaccess file to lock out those naughty IP addresses, plus a bunch of other very funky things:

http://www.javascriptkit.com/howto/htaccess.shtml
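As an added example (my own code, not the blog’s, and not from the guide linked above), here is a small Python script that does by hand what the “Attackers this week” post and this one describe: it scans Apache combined-format access log lines for repeated failed wp-login.php POSTs from one address using a sliding one-hour window (so it catches the slow, three-an-hour pattern that a per-minute rate limit would miss), pulls the IP column out of a table laid out like the attacker list above, and renders the result as .htaccess deny rules. It treats an HTTP 200 answer to the POST as a failed attempt, since WordPress re-serves the login form on a wrong password and redirects (302) on success. All log lines are constructed; the proxy address 95.168.191.160 and the three table entries are taken from the posts, and the other addresses are documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not the blog's real logs). 95.168.191.160 is
# the proxy address named in the post; the other addresses are documentation
# ranges. The first client mimics the "roughly three attempts per hour" pattern.
SAMPLE_LOG = """\
95.168.191.160 - - [13/Jun/2011:07:18:02 +1000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/4.0"
203.0.113.5 - - [13/Jun/2011:07:20:15 +1000] "GET /index.php HTTP/1.1" 200 14022 "-" "Mozilla/5.0"
95.168.191.160 - - [13/Jun/2011:07:39:51 +1000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/4.0"
203.0.113.5 - - [13/Jun/2011:07:41:03 +1000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Jun/2011:07:41:30 +1000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
95.168.191.160 - - [13/Jun/2011:07:58:27 +1000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/4.0"
198.51.100.9 - - [13/Jun/2011:09:05:00 +1000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/7.19"
198.51.100.9 - - [13/Jun/2011:15:05:00 +1000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/7.19"
"""

# Constructed excerpt in the "ip country" layout of the attacker table in the post.
TABLE_EXCERPT = """\
ip country
193.180.115.113 Austria
85.158.215.36 Belgium
177.180.13.250 Brazil
"""


def parse_line(line):
    """Return ip/time/method/path/status for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def failed_login_times(log_text):
    """Map client IP -> sorted timestamps of failed wp-login.php POSTs.

    WordPress re-serves the login form (HTTP 200) when the password is wrong
    and redirects (HTTP 302) when it is right, so a 200 on a POST is the
    failure signal."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].startswith("/wp-login.php")
                and rec["status"] == 200):
            failures[rec["ip"]].append(rec["time"])
    return {ip: sorted(times) for ip, times in failures.items()}


def flag_slow_brute_force(log_text, threshold=3, window_hours=1.0):
    """IPs with at least `threshold` failures inside any `window_hours` span.

    A sliding window over the sorted timestamps catches slow, spread-out
    guessing that a per-minute rate limit would never trip."""
    window = timedelta(hours=window_hours)
    flagged = []
    for ip, times in failed_login_times(log_text).items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward past old failures
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


def ips_from_table(table_text):
    """Pull the first column out of 'ip country' lines, skipping the header."""
    ips = []
    for line in table_text.splitlines():
        first = line.split(None, 1)[0] if line.strip() else ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", first):
            ips.append(first)
    return ips


def htaccess_deny(ips):
    """Render Apache 2.2-style .htaccess rules: under 'Order Allow,Deny' a
    matching Deny wins over 'Allow from all'. (Apache 2.4 uses 'Require not ip'.)"""
    lines = ["Order Allow,Deny", "Allow from all"]
    lines += ["Deny from %s" % ip for ip in sorted(set(ips))]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    to_block = flag_slow_brute_force(SAMPLE_LOG) + ips_from_table(TABLE_EXCERPT)
    print(htaccess_deny(to_block))
```

Feed it a real access log instead of SAMPLE_LOG and paste the printed block into .htaccess; the threshold and window are parameters so you can tune them to what your own logs show. The 200-means-failure rule only holds for the stock login form, so check it against your site before trusting the counts.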

I expect our friend to find another proxy – if it’s not a bot, or a smarter bot – and continue on.

Part of the joys of being a part of the internet.

Detecting Hackers Using Event Log Monitoring

In today’s competitive market, IIS (Internet Information Services) servers have become necessary for companies and business organizations. IIS is a web server application and a set of feature extension modules serving roughly 21% of websites on the internet – with over a whopping six million installations worldwide. As a result, your IIS web servers have become a big target when it comes to hackers and cyber-terrorists. The solution for this ever-growing problem is event log monitoring. Event log monitoring is a process of collecting, analyzing and signalling event occurrences on IIS web servers. These occurrences may stem from hardware and software; however the primary concern is hackers.

The problem is that new developments which compromise your organisations’ IIS web servers keep emerging. The simple truth is it doesn’t take an IT expert to penetrate through your web server security and access your private corporate information. Competitors and past employees might have their reasons for accessing your confidential information – and there are a number of ways through which that goal may be achieved.

Methods for hacking and hijacking web servers have become easier and more accessible. Nowadays someone with no prior infiltration experience can cause a lot of damage by using specifically targeted programs which overload or exploit IIS web servers. When it comes to hacking IIS web servers, one of the simplest methods is through buffer overflows. This occurs when code is sent to your server which ‘confuses’ IIS and grants root access to the server. First, hackers would have to find an unpatched IIS server through a program like ‘Dreamscape IISscanner’, which allows them to scan individual IP addresses. Once the program identifies that your web server is IIS, the hacker can go to work corrupting, defacing or stealing your data and information. Alternatively, hackers can use a program which exploits a vulnerability in your system known as the IPP exploit.

Such methods of hacking are designed to completely bypass typically configured security precautions, like standard firewall rules and similar safety measures you might have set up. So the question remains: if every Tom, Dick and Harry can access your private corporate information, how can you defend your organization? The answer is simple, ‘keep an eye on it’, and that’s pretty much what event log monitoring does.

Most attacks come in the form of exploiting IIS server tools by making use of your system files. By monitoring the activity of such files, you would be able to see all points of access, including whether users are tampering with your files, because event log monitoring records and analyzes the event logs of all your network machines. Therefore, if a hacker pops in unannounced, any changes they try to make will instantaneously cause an alert to be sent directly to you in real time. For this to occur, your version of Windows needs to be configured to monitor intrusions, otherwise known as “Object Access” auditing. You can configure this security setting by opening the appropriate policy and expanding the console tree as follows: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\

What’s extraordinary about this system is that it is simple. Event log monitoring is user-friendly and will enable your organisation to monitor all users attempting to access system files, also personalizing the program to your specific needs. This means that through event log monitoring you will be able to create alerts for specific occurrences, back up or even clear event logs, and a whole lot more. Your goal should be ensuring security and through event log monitoring, this can be easily achieved.

This guest post was provided by Chris DeMicoli on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. More information: GFI events log monitoring solution.

All product and company names herein may be trademarks of their respective owners.

Mentoring SANS Hacker Techniques, Exploits & Incident Handling in Sydney June 2011

I was offered the opportunity to lead mentoring for SANS Hacker Techniques, Exploits & Incident Handling (SEC-504), here in Sydney, and I leapt at the chance!

I love this course; it helped me reach a deeper understanding of a number of aspects of my role as the IT security person charged with incident response, and it gave me the real-world, practical skills and tools you need to do this job.

Why SANS Mentor Training?

The SANS Mentor classes are a great training option, in my opinion, for several reasons:

Pace:

The material is covered over a 10 week period which provides lots of time for you to read on your own time and come back to the mentor meetings with questions and get answers. This helps to digest the massive amount of material in smaller, manageable doses. We study 2 or 3 modules each week and that material can be applied immediately on the job. 

Cost:

The cost is significantly reduced: it is lower than any other form of SANS training, making it very accessible to those who are budget constrained – which these days is many of us. There is an automatic 25% price reduction from the cost of courses delivered at the conferences. There is no travel or accommodation, so that’s a massive saving in costs. And finally, I can generally offer an additional discount if you contact me prior to registration.

Networking: 

Don’t overlook this one. When you are in the 6-day conference courses, you definitely get a chance to meet others, talk about your experiences and issues in the field, and maybe even keep in touch via email. But when meeting for 10 weekly classes with your peers in the same community, that networking experience is enhanced significantly. You have the chance to really get to know the others in the class through the shared experiences, work through the material and bounce ideas off each other; that’s a great benefit of being part of a local Mentor class.

Size:

Class sizes are typically small – much smaller than what you would find at a SANS conference – which means we can focus more closely on those areas which are difficult for the group.

Material:

You get all the same material as you would from the conference course, including the same books, CDs, and even audio files of the full 6-day course lectures.

Hopefully this gives you an idea of why I think the SANS Mentor classes are a terrific training option. If you live in the Sydney area and are interested in attending SANS classes, please do contact me to get more details!

Feel free to e-mail me with any questions, or visit the course website here:
http://www.sans.org/mentor/details.php?nid=24644

A great guy and friend, Wouter, managed to get a room in Sydney’s CBD to hold the training. It’s easy to get to and has parking nearby.

Mentor training location details

Dates: Thursday, June 2, 2011 – Thursday, August 4, 2011
Meeting Time: 6:00 PM – 8:00 PM
Where:
Ernst & Young Centre
680 George Street
Sydney, Australia 2000

Useful Web sites for Study

Oops, left this sitting in drafts rather than publish this last month.

Some useful web sites I use to keep up to date and to help with studying security and all things SANS.

The SANS Reading Room www.sans.org/reading_room/
The Honeypot Challenges www.honeynet.org/challenges
The Ethical Hacker www.ethicalhacker.net
Pauldotcom http://pauldotcom.com/wiki/index.php/Main_Page

Darkreading room www.darkreading.com
SANS forensic blog http://computer-forensics.sans.org/

Metasploit Unleashed www.offensive-security.com/metasploit-unleashed/Metasploit_Unleashed_Information_Security_Training
Internet Storm Center http://isc.sans.edu/index.html
Security Tube www.securitytube.net

Preparing for the GSE multiple choice written exam

My approach to the multiple choice exam was to treat it like any normal 500-level SANS exam.

My target – life-, work- and proctor-willing – is to take the exam on Saturday the 20th of March 2010, which is exactly 42 days from now. As we all know, 42 is the meaning of Life, or is that just a spooky coincidence?

I’m going to use an individual index system for each of the 3 sets of courseware (401, 503 and 504). I have a brand new, lined A4 wire-bound notebook in which I’m handwriting the index of each book.

My goal is to have the 503 books indexed in seven days, then 504 indexed in seven days followed by the monstrous 401 fully indexed in ten days.

The rationale behind this is:

1) To make me read each page of each book and work out if that page should be indexed

2) To make me read and think about each topic on the page

3) For me to make side notes on tools, topics or subjects that are unclear

4) I want to retain and use the knowledge for the practical exam

5) I like using pen and paper

To make sure I don’t become just book smart, I plan to also run through the practical questions and exercises throughout the courseware books.

I’ve been pretty active with hands-on training, having studied and passed SANS Advanced Security Essentials – Enterprise Defender (SEC501) and Offensive Security’s Pentesting with BackTrack, but I intend to use some of the following sites to keep sharp:

Pauldotcom’s links to challenges, tools and a variety of other madness http://www.pauldotcom.com/wiki/index.php/Main_Page – not to mention actually listening to the podcast

The web site of the three Spanish GSEs http://www.radajo.com/ – they set a huge benchmark to reach

The Internet Storm Center for what’s going down in the real world http://isc.sans.org/

The ethical hacker forums can post up some interesting links to other challenges http://www.ethicalhacker.net/

Ed Skoudis and friends’ various devious, mind-twisting and nefarious challenges http://www.counterhack.net/Counter_Hack/Challenges.html

Mr Skoudis and friends again, with command line kung fu in all shapes and flavours http://blog.commandlinekungfu.com/

Laura Chappell is always fantastic for packets and Wireshark http://laurachappell.blogspot.com/

Richard Bejtlich still pops up some great Snort and packet stuff despite being a boss now ;-) http://taosecurity.blogspot.com

The SANS reading room for a brilliant reading resource and new ideas http://www.sans.org/reading_room/

Why use old tools in the GSE?

A great question was posted to one of the SANS lists on the practical requirements.

I felt it was worthwhile publishing as it covers and answers a question I thought about but never asked.

The Question:

I’ve just had a quick look at the site you link to and would be interested to know why this was chosen as the attack platform:

<quote>

* Backtrack version 4

* Fedora Core 12

* Windows Server

To ensure a level playing field for all candidates, you will not be permitted to use any pre-installed favourite tools that you may have on your laptop. To complete the exercises you must exclusively use the tools and virtual machines provided by GIAC. Failure to comply will result in dismissal from the examination.

</quote>

What does this prove, that you are a pen-tester from 4 years ago (BT1 released May 26, 2006)?

Surely if this exam is meant to show that you have current skills then it should allow you to use current tools.

A great response came back from Mark Baggett, one of the most recently minted GSEs.

Mark’s response:

I think of it more like “Hey McGuyver, here is your paperclip and bubble gum, now dodge this.”

I found the old tools added VMWare compatibility complications to the test.

Having newer tools would have been nice. (or not deviating from the system requirements, no matter how smart I thought I was)  That said, the compatibility problems I experienced added to the “pressure cooker” which I think is part of it.  Also, I don’t think that being able to attack ms08-067 requires a different skill set than ms04-011.  Certainly pen-testing has changed a bit since then, but the GSE covers 504 not 560.  All aspects of pen-testing are not part of this.  A very solid understanding of the fundamentals of an attack are required.

“Don’t need AV, we have a firewall”

A friend stopped by to ask if security suite X was any good or not. This led on to a conversation about a place she was working that wasn’t running any AV on Windows machines. The rationale behind this came from a 3rd-party IT support guy who said “you don’t need AV on the Windows machines, the firewall will protect them”.

When I say firewall, I mean a good, old layer 3 packet filtering device. The things that cost $100 new and are, well, ADSL routers with added security aren’t able to protect a small office by themselves. Added security equals access control lists in a pretty GUI, so not really the poster boy for defense in depth.

Amazing that some IT “professionals” actually believe having a firewall will stop PCs from getting malicious software. Thank goodness the USB device fad never took off.

If you do not have anti-virus software on your home or small office computer, Microsoft provides a free copy you can download from here: http://www.microsoft.com/security_essentials/

It does the job, is simple to use and doesn’t cost a penny. If you want something with all the whistles and bells, pick a security suite package from any of the big names.

We now return to our regular programme.