content.json
{"meta":{"title":"威胁情报与溯源分析","subtitle":null,"description":"威胁情报与溯源分析技术分享站点","author":"John Doe","url":"http://yoursite.com"},"pages":[{"title":"关于本站","date":"2017-07-03T02:26:43.000Z","updated":"2017-07-31T03:08:50.692Z","comments":true,"path":"about/index.html","permalink":"http://yoursite.com/about/index.html","excerpt":"","text":"威胁情报与溯源分析是当前信息安全领域最为火热的研究点之一,然而相关的技术的分享在互联网上并不多见,仅有的一些资料都过于分散。 所以,我们希望在这里建立一个威胁情报与溯源分析相关技术的分享平台。在这里,我们提供入门指引,分享最新资讯,我们也紧跟技术前沿,解读学术论文。 当然,我们也正在学习与研究当中。希望大家加入我们,一起交流,一起分享,一起建设这个平台。 交流群:邮箱:ti@sec-wiki.com小组成员:websecCtr1liverpoolpjyourren"},{"title":"projects","date":"2017-07-03T02:29:02.000Z","updated":"2017-07-03T07:05:23.000Z","comments":false,"path":"projects/index.html","permalink":"http://yoursite.com/projects/index.html","excerpt":"","text":""},{"title":"companies","date":"2017-07-03T07:10:37.000Z","updated":"2017-07-03T07:13:13.000Z","comments":false,"path":"companies/index.html","permalink":"http://yoursite.com/companies/index.html","excerpt":"","text":""},{"title":"papers","date":"2017-07-03T02:29:02.000Z","updated":"2017-07-03T07:58:24.000Z","comments":false,"path":"papers/index.html","permalink":"http://yoursite.com/papers/index.html","excerpt":"","text":""}],"posts":[{"title":"丝绸之路3.1被黑后宣布破产,谁敢来接手这块烫手山芋?","slug":"丝绸之路3.1被黑后宣布破产,谁敢来接手这块烫手山芋?","date":"2017-08-06T12:32:00.000Z","updated":"2017-08-10T11:45:59.027Z","comments":true,"path":"2017/08/06/丝绸之路3.1被黑后宣布破产,谁敢来接手这块烫手山芋?/","link":"","permalink":"http://yoursite.com/2017/08/06/丝绸之路3.1被黑后宣布破产,谁敢来接手这块烫手山芋?/","excerpt":"前言就在前不久,又有一个暗网市场倒下了。与其他暗网市场不同的是,这个黑市网站可以说是几乎从来没有在人们的视野中出现过。它就是丝绸之路3.1(Silk Road 3.1),很多社区用户听到这个名字时可能会感到非常惊讶,有的人会问:“真的有这个网站吗?”,还有的用户可能会说:“丝绸之路不是早就已经垮了吗?”。","text":"前言就在前不久,又有一个暗网市场倒下了。与其他暗网市场不同的是,这个黑市网站可以说是几乎从来没有在人们的视野中出现过。它就是丝绸之路3.1(Silk Road 3.1),很多社区用户听到这个名字时可能会感到非常惊讶,有的人会问:“真的有这个网站吗?”,还有的用户可能会说:“丝绸之路不是早就已经垮了吗?”。是的,你没听错。丝绸之路3.1声称自己遭到了不明身份的黑客入侵,并窃取了大量资金。不知是否是巧合,就在攻击发生的一个小时之前,Reddit上的一篇文章还曾经提醒过用户丝绸之路3.1的服务器配置存在严重的安全问题,而该文章发布后不到一个小时丝绸之路3.1便受到了黑客的攻击。 
丝绸之路3.1被黑,老板竟直接宣布破产根据这位名叫“Skillzy2017”的Rediit用户所透露的信息,丝绸之路3.1所使用的Apache服务器泄露了网站的真实IP地址,并暴露了丝绸之路3.1位于法国境内的两台专用服务器。Skillzy2017在文章中提到,他曾经还跟丝绸之路3.1的管理员沟通过这个安全问题,但是之后却被禁止访问该站点了。随后,他便在Reddit上发文并将该问题告知了其他的用户。 虽然这个网站几乎很少会出现在暗网用户的视野内,虽然这个网站跟真正的暗网“丝绸之路”或丝绸之路2.0没有什么关系,但是丝绸之路3.1的管理员却声称他们的站点每一分钟就能够增加三位新用户。 Skillzy2017表示:”我可以肯定这两个IP地址绝对指向他们所使用的服务器,而且这并不是Tor IP,whois查询信息表明他们所使用的专用服务器位于法国境内。” 由于丝绸之路和丝绸之路2相继被取缔,DeepDotWeb已经禁止收录网站名称中涉及到丝绸之路(例如’丝绸之路3’或’丝绸之路重现’等名字)的暗网站点了。所以现在如果哪个暗网市场管理员还用‘丝绸之路’来给自己的市场命名的话,他们的目的很可能就是为了欺骗那些经验不足的暗网新手,并窃取他们的钱财。 Skillzy2017表示,他也认为丝绸之路3.1的管理员却是是在进行网络诈骗。就在该文章发布了两个小时之后,他修改了文章并补充道:“[丝绸之路3.1已垮]”。 现在,丝绸之路3.1的主页已经不再吹嘘自己是暗网中最有影响力的市场了,而之前的丝绸之路logo也被电影《爱丽丝梦游仙境》的截图所替换。截图后面还跟着一段公告,并描述了外部攻击这如何入侵了该网站,而这一次的攻击行为将使他们破产。 实际上,在Dream和Hansa这两个暗网市场被执法部门取缔之前,丝绸之路3.1的拥有者还曾打算将自己的网站转让给那两个网站,但前提是他们必须保证丝绸之路3.1能够持续运营下去,不过现在一切都已经不可能实现了。丝绸之路3.1管理员写给用户的信 丝绸之路3.1的管理员还专门在网站中发布了一封写给用户的信,并在信中详细描述了丝绸之路3.1目前所面临的困境(原信息经过了PGP签名处理)。信中的内容大致如下: “同志们,我们的网站遭到了不明身份的黑客入侵,并导致大量资金被盗,我们丢了好多好多钱,我们就快要破产了,而我个人也没有什么可以拿出来补偿大家的。 不过别担心,你们的个人信息并没有被盗,被盗的只有管理员账号,而攻击者用管理员账号偷光了我们的钱。存储在我们服务器中的信息都经过了加密处理,所以你们所有的数据都是安全的。 考虑到我们目前已经没有能力让丝绸之路3.1继续运营下去了,所以如果Dream市场或Hansa市场有能力并且想要接手丝绸之路3.1的话可以联系我们,我们会把网站免费转让给你们,包括服务器和onion域名在内,只要你能保证让它继续运营下去就行。 如果其他暗网市场或个人用户想要接手丝绸之路3.1的话,我们愿意将其出售给你,如果你能还清欠款的话….丝绸之路3.1就是你的了。 过去一段时间的部分营业额情况如下(以美元计): 2017-07-18 – 17278.41 2017-07-17 – 13154.89 2017-07-16 – 11638.08 2017-07-15 – 10618.92 2017-07-14 – 13745.46 2017-07-13 – 13956.82 2017-07-12 – 19023.15 2017-07-11 – 17564.18 2017-07-10 – 18812.53 网站目前每一分钟就会增加三名新的用户,每日的平均交易金额大约为一万五千美元。由于破产是我个人操作不当所导致的,因此我无法再继续运营丝绸之路3.1了。希望新接手的人能够尽可能地留住我们之前悉心培养的用户群,并给用户提供更好的服务。谢谢大家的支持。” 
原文来自:https://mp.weixin.qq.com/s/1g0qUpbcK0Jxujdm9fSmYg","categories":[],"tags":[]},{"title":"疑犯追踪:谁是Mirai蠕虫的幕后黑手?","slug":"疑犯追踪:谁是Mirai蠕虫的幕后黑手?","date":"2017-07-31T02:48:00.000Z","updated":"2017-07-31T02:47:33.942Z","comments":true,"path":"2017/07/31/疑犯追踪:谁是Mirai蠕虫的幕后黑手?/","link":"","permalink":"http://yoursite.com/2017/07/31/疑犯追踪:谁是Mirai蠕虫的幕后黑手?/","excerpt":"在2016年的9月22日,我的网站因为遭受Mirai蠕虫病毒的攻击而瘫痪了4天,该病毒会将不安全的物联网设备感染为自己的僵尸网络的一部分,然后再对外发起更多的感染攻击。在这之后的一个礼拜,发动这次攻击的幕后黑手化名为”Anna-Senpai”对外发布了Mirai的源代码。","text":"在2016年的9月22日,我的网站因为遭受Mirai蠕虫病毒的攻击而瘫痪了4天,该病毒会将不安全的物联网设备感染为自己的僵尸网络的一部分,然后再对外发起更多的感染攻击。在这之后的一个礼拜,发动这次攻击的幕后黑手化名为”Anna-Senpai”对外发布了Mirai的源代码。经过几个月的深入挖掘,KrebsOnSecurity已经发现了Anna-Senpai的真实身份,还有帮他开发和修改该恶意软件的同谋的身份。下图为Anna-Senpai在2016年9月30号发布该恶意软件源码时发布的内容:KrebsOnSecurity在之前的文章中提到过,像Mirai这种恶意软件被用来对个人、企业、政府机构、非盈利组织进行攻击从而使得这些站点下线。这些攻击就被称之为“分布式拒绝服务”(DDoS),它通过对目标站点制造成千上万的垃圾流量使得其他合法访问者无法访问该网站。 现在网络上存在很多提供“付费DDoS服务”的机构,这使得不具备技术的人员也能轻易的发起DDoS攻击。正如我们将看到的,非法DDoS攻击行业为了获得更多的利润而不断的进行竞争,这可能会导致其中的一些机构做出异常的行为。 第一部分今年夏天的早些时候,我的网站遭受了物联网系统的几次重大攻击,而这些物联网系统是被恶意软件家族控制的,它是Mirai的前身,这些恶意软件主要包含以下几个名字:Bashlite、Gafgyt、Qbot、Remaiten和Torlus。 所有这些相关的物联网僵尸设备以类似于其他众所周知的互联网蠕虫的方式感染新系统,即从一个被感染的主机传播到另一个。就像那些早期的互联网蠕虫一样,通过积极的对网络进行扫描从而识别潜在的感染目标并将其加入到自己的僵尸网络中,这些目标主要包括:家庭路由器、网络摄像头、录像系统。当然这种行为会让大家回想起以前被称之为Morris Worm、NIMDA,、CODE RED、Welchia、Blaster和SQL Slammer的蠕虫。 被感染的物联网设备会扫描网络中存在默认设置或者默认密码的物联网设备并将其感染,然后这些被感染的设备会被驱使进行DDoS攻击(比较具有讽刺意味的是,许多最受Mirai和类似物联网蠕虫感染的设备是安全摄像机)。 Mirai的早前版本有很多的名字,会根据功能的改进来命名,所以每一个名字都对应一个变体。在2014年,一群以“lelddos”为口号的黑客非常公开的使用该代码发起大规模的持续攻击,从而使很多网站处于离线状态。其中最出名的攻击目标就是Minecraft的服务器,这是一个被Microsoft运营的允许任意设备从任意地点连入的流行电脑游戏。 Minecraft通过大像素块来搭建自己想要的建筑,这听起来可能很简单和无聊,但是实际上这款游戏很受人们的喜爱,尤其是青少年男性。微软已售出超过1亿份的Minecraft,并且每时每刻都有超过一百万人同时在线。玩家可以建立自己的世界,也可以通过登录到他们最喜欢的Minecraft服务器来访问其他人的领地或者和朋友一起玩。一个大型的成功的Minecraft服务器,每天有超过一千个玩家登录,可以轻松地让服务器的主人每月赚取5万美元,赚的钱主要来源于租用服务器上的空间来构建Minecraft世界、购买游戏项目和特殊能力等。 不出意料的,收入最高的Minecraft服务器最终吸引了那些像lelddos一样的敲诈勒索者的注意力。Lelddos针对Minecraft服务器发起了一个巨大的DDoS攻击,他们知道目标Minecraft服务器的所有者每天可能因为游戏频道保持离线而损失数千美元。 
如果他们的服务器一直处于离线无法连接状态而得不到修复,就算忠实客户也会很快的找到其他替代的Minecraft服务器。 Robert Coelho是ProxyPipe公司的副总裁,ProxyPipe公司是一家专门保护Minecraft服务器免受攻击的旧金山公司。 Coelho说“Minecraft行业竞争非常激烈”,“如果你是一个玩家,并且你最喜欢的Minecraft服务器离线,你可以切换到另一个服务器。但对于服务器运营商来说,他永远希望自己的服务器最强化以及用户最大化。你服务器上的玩家越多,也就意味着你赚的钱就越多。但如果你的服务器一旦停止运作,你就会开始失去玩家并且流失速度非常快,但从另一个角度来说这也许也是件好事。”。 在2014年6月,ProxyPipe受到了lelddos发起的每秒300亿比特的DDoS攻击,他们还在Twitter上公开嘲讽受害者。当时,ProxyPipe正在向位于弗吉尼亚州雷斯顿的安全巨头Verisign购买DDoS保护。在2014年发布的季度报告中,Verisign称这次攻击是所见过的最大的攻击,尽管它在报告中没有提及ProxyPipe – 仅仅将其称为媒体和娱乐业务的客户。 Verisign表示,2014年的攻击是由超过100,000台运行在SuperMicro IPMI上的僵尸服务器网络发起的。在对ProxyPipe发起巨大攻击的前几天,一名安全研究人员发布了有关SuperMicro设备中的一个漏洞的信息,这个漏洞能被远程攻击并且可以利用这个漏洞再对外发起攻击。 第二部分Coelho回忆说,在2015年中期,他公司的Minecraft客户开始受到由感染了Qbot的物联网设备组成的僵尸网络的攻击。他说,这些攻击是由当时17岁的Christopher “CJ” Sculti, Jr.发起的,而他是竞争对手DDoS保护公司“Datawagon”的所有者和唯一的雇员。Datawagon也把Minecraft服务器作为客户,其服务器托管在另一家为Minecraft服务器提供DDoS防护服务的提供商ProTraf Solutions的服务器上。 Coelho说ProTraf试图让他最大的Minecraft服务器客户停用ProxyPipe的服务。Coelho在2015年年中说,Sculti在Skype上找到了他,并表示他准备让Coelho的Skype帐户被禁用。当时,Skype软件漏洞的利用方法在网络上被售卖,这个漏洞可被用于远程和即时禁用任何Skype帐户。 果然,Coelho回忆说,他的Skype帐户和同事使用的两个其他帐户在该威胁发生后几分钟即被关闭,有效地切断了ProxyPipe对客户的技术支持,当时其中许多客户都习惯于通过Skype与ProxyPipe进行联系。 “CJ在DDoS开始之前大约五分钟就给我发了消息,他说他将禁用我的skype账号”,Coelho继续说,“当这种情况发生后最可怕的事情是,你不知道你的Skype帐户是否已被黑客入侵和控制,还是它只是被禁用了。”。 在ProxyPipe的Skype帐户被禁用后,公司的服务器就遭受了大规模的,不断变化的DDoS攻击,也导致ProxyPipe无法为其客户提供服务。Coelho说,在攻击的几天内,许多ProxyPipe保护的最赚钱的Minecraft服务器都转移到了ProTraf Solutions那。 “在2015年,ProTraf使得很多我们保护的服务器下线,所以很多客户跳到了他们那边,”Coelho继续说,“我们告诉我们的客户,我们知道是ProTraf做的,但是有些客户不在乎,他们还是转移到了ProTraf,因为他们觉得在我们这因为服务器下线已经失去了很多钱了。”。 我发现Coelho的故事令人着迷,因为它令人毛骨悚然地回应了我在2016年9月遭受的620 Gbps攻击事件。我也通过Skype与Sculti联系了两次,第一次是在2015年7月7日,Sculti吹嘘说他对互联网上运行了默认用户名和密码的物联网设备进行了扫描,他还说他已经将一些程序上传到了扫描到的这些设备上,数量超过了25万。这里是一个谈话的片段:我第二次在Skype上收到来自Sculti的信息是在2016年9月20日,也就是我的网站遭受620 Gbps攻击的那一天,Sculti对于我发表的一篇提到他名字的文章感到愤怒。之后我在Skype上将他拉入了黑名单,再之后,我的Skype帐户收到了来自数以千计的垃圾Skype帐户的会话请求,导致我几乎不可能使用该软件进行电话或即时消息。 在与Sculti进行9月20日的对话6小时后,巨大的620 Gbps DDoS攻击开始了。 
谁是LELDDOS?Coelho说他相信lelddos的主要成员是Sculti和ProTraf的所有者。当被问及为什么他如此确信这一点时,他讲述了在2015年初lelddos对ProxyPipe进行了一次大型的攻击,同时还发生了大量互联网地址空间被窃取的骗局。 根据ProxyPipe,一连串的互联网ip被云托管公司FastReturn劫持。Dyn,一个密切跟踪哪些互联网地址块被分配给哪些组织的公司,确认了Coelho描述的互联网ip被劫持的时间。 在攻击几个月后,FastReturn的所有者,一个名叫Ammar Zuberi来自迪拜的年轻人去做了ProTraf的软件开发人员。 在此过程中,Zuberi将分配给FastReturn的大部分互联网ip转移到了ProTraf。 Zuberi告诉KrebsOnSecurity他没有参与lelddos,但他承认他在跳槽到ProTraf之前劫持了ProxyPipe的网络。他说“这个领域的东西对我来说都是未知的和神秘的,我感兴趣的是互联网的基础生态系统到底有多么的不安全。”。 根据Zuberi说的,CJ Sculti Jr.是lelddos的成员,ProTraf的两个共同所有者也是。这很有趣,因为不久之后的2016年9月Mirai攻击使这个网站下线。一个专门从事网络犯罪论坛信息分享的人指出Bashlite / Qbot的主要作者是ProTraf的雇员:一个19岁的来自华盛顿,宾夕法尼亚州的电脑奇才Josiah White。 White在LinkedIn上的个人资料为ProTraf的“企业DDoS缓解专家”,但多年来,他更多地被黑客社区称为“LiteSpeed”。 LiteSpeed是White在Hackforums [dot] net起的昵称,这是一个聚集了大量年轻人的黑客论坛,脚本小子们可以在此轻松地购买和出售网络犯罪工具和赃物。 直到最近,该论坛也一直都是购买和销售DDoS出租服务的地方。 我联系White以了解Qbot / Bashlite作者的传闻是否属实。White承认他写了一些Qbot / Bashlite的组件,包括恶意软件用来将感染传播到新机器的代码。但White说,他从来没有打算让他的代码在网上进行销售和交易。 White声称,一位他曾经的朋友,在Hackforums上的绰号为“Vyp0r”的人背叛了他的信任还逼迫他在网上发布代码,否则就要在网上发布White的个人资料并让警察抓他。 “我写的大多数东西都是为了朋友,但是后来我意识到,HF [Hackforums]上的东西往往不会保持私密,”,White在给KrebsOnSecurity的即时消息中写道,“最终,我发现他们在暗地里售卖我写的代码,所以我将所有的都公开了以阻止他们的行为。当我年轻时,我犯了一些错误,我已经意识到了这个错误,所以现在我要摆正自己的位置继续前行。”。 谁是PARAS JHA?White的雇主ProTraf Solutions只有另外一名员工,来自新泽西州范伍德20岁的总裁Paras Jha。在他的LinkedIn个人资料中,Jha说,“Paras是一个充满激情的企业家,由创造力驱动。”简介如下:“高度自我激励,在7年级时开始自学各种语言编程。今天,他的软件开发技能包括C#,Java,Golang,C,C ++,PHP,x86 ASM,更不用说Web浏览器语言如Javascript和HTML / CSS。” Jha的LinkedIn页面还显示,他在运行Minecraft服务器方面拥有丰富的经验,多年来他一直在Minetime工作,当时最受欢迎的Minecraft服务器之一。 在第一次阅读Jha的LinkedIn简历后,有一个感觉萦绕在我的心头挥之不去,我好像在其他地方看到过这个独特的计算机语言技能组合。然后我就明白了:Jha在他的LinkedIn上写的编程技能的组合与HackForums上Mirai的作者Anna-Senpai写的技能非常相似。 在2016年9月底之前,Mirai的源代码就已经被发在了HackForums上,Anna-Senpai在Hackforums发的大多数帖子都是为了嘲笑在使用Qbot构建DDoS攻击军队的其他黑客。 最好的例子是2016年7月10日发布在Hackforums上名为“Killing All 
Telnets”的主题,其中Anna-Senpai大胆警告论坛成员,他的恶意代码构造的僵尸网络包含了一个特别有效的“bot杀手”,它被开发来将受感染的物联网设备中存在的Qbot删除,并且Qbot无法再感染该系统。最初,论坛成员只是把Anna的威胁当作笑话,但随着回复越来越多,其他成员肯定了他的bot杀手确实有预期的效果。[奇怪的是,对于僵尸网络代码的作者来说,很常见的是包括修补漏洞来保护他们的新僵尸主机免受其他黑客的攻击。就像任何其他市场一样,网络犯罪分子之间存在着高度的竞争,他们不断地往DDoS军队中增加更多的僵尸主机,他们经常采用非正统的战术来击败竞争对手。正如我们将看到的,这种自相残杀的战争是这个故事的主要元素。] “2016年7月该僵尸网络的所有者在黑客论坛写了一个名为[Killing all Telnets]的主题,他是对的,”来自纽约市安全公司Flashpoint的威胁研究人员Allison Nixon和Pierre Lamy写道,“我们当时的情报反映了一个从传统的gafgyt感染模式到拒绝在安全研究人员的电脑上正确执行的模式的巨大转变。这个新物种扼杀了所有其他的恶意软件。”。 直到我与Jha的商业伙伴Josiah White沟通后,我才开始重新阅读Anna-Senpai在Hackforums上的几十个帖子。2016年7月12日,即在他发布了“Killing all Telnets”主题一个星期后,他在一个自称为“Nightmare”的黑客组织发布的主题中发布了一个帖子,我这才觉得Jha的编程技能看起来很熟悉。这样的团体或黑客团体在Hackforums是常见的,论坛成员可以通过说明他们的技能和回答几个问题来申请成员资格。Anna-Senpai在他的申请帖中这样描述自己:Hackforums帖子显示Jha和Anna-Senpai具有完全相同的编程技能。此外,根据安全公司Incapsula对Mirai的分析,用于控制由Mirai驱动的僵尸网络的恶意软件是由Go(aka“Golang”)编写的,这是一个由Google在2007年开发的有点深奥的编程语言,它在2016年十分流行。Incapsula还说,安装在物联网设备bots的恶意代码由C编写。 DREADIS[NOT]COOL我开始深入了解Paras Jha在网络上的历史和足迹,发现他的父亲在2013年10月为他的儿子注册了一个域名,parasjha.info。该网站不再在线,但Archive缓存了Jha早期与各种流行的Minecraft服务器工作的简历。这里有一个来自parasjha.info的自传片段:谷歌搜索这个相当独特的用户名“dreadiscool”,发现这个账号出没在几十个专门用于计算机编程和Minecraft的论坛中。在许多这些帐户中,所有者显然对于他的Minecraft服务器不断的遭受DDoS攻击感到沮丧,并且急于寻求如何最好地应对攻击的建议。 从Dreadiscool发布的文章来看,Jha觉得对Minecraft服务器发起DDoS攻击要更为有利可图,而不是试图维护服务器本身。 Jha在他的网站上写道:“我在处理DDoS攻击方面的经验使我开始了一家服务器托管公司,专注于为客户提供解决方案来减轻这种攻击。” 一些Dreadiscool最近的帖子可以追溯到2016年11月,其中许多帖子都是对高度技术主题的冗长解释。Dreadiscool在这些帖子中的语调比多年前更加自信了,涵盖了从编程到DDoS攻击的一系列主题。例如,Dreadiscool自2013年以来一直是Minecraft论坛spigotmc.org的活跃成员。此用户在spigotmc.org上的头像(如上所示)是从1994年Quentin Tarantino的“Pulp Fiction”中截取的场景,然后将两个演员的脸替换成其他人的。 左边这个人是Vyp0r,Vyp0r就是ProTraf的Josiah White说的威胁他的那个人的Hackforums绰号。右边的是Tucker Preston,他是BackConnect Security的共同创始人之一,该公司是另一个从事DDoS缓解服务的提供商,也有过大范围劫持其他提供商网络的历史。坐在他们后面的床上的是“山田”,日本动漫(“动漫”)B Gata H Hei中的角色。 在MyAnimeList.net(可以记录他们看了什么动漫的网站)有一个Dreadiscool用户,他在这个网站说,“B Gata H Kei”是他看过的九个动漫电影系列之一。其他八个?Mirai恶意软件的名字就来源于Mirai Nikki系列。 
Dreadiscool在Reddit的个人信息也很有趣,最近发布的大多数帖子都涉及当时发生的主要的DDoS攻击,包括对Rutgers大学的一系列DDoS攻击。后面有更多关于Rutgers大学的内容。 与Anna-Senpai的对话在KrebsOnSecurity遭受620 Gbps攻击的同时,法国网络托管服务巨人OVH遭受了更大的攻击,由同一个Mirai僵尸网络发起攻击。虽然这个事实已经在新闻媒体中广泛报道,但是OVH被攻击的原因可能不是那么多人知晓。 根据OVH创始人和首席技术官Octave Klaba的推文,这次大规模攻击的目标也是一个Minecraft服务器(尽管Klaba在他的推文中错误地将其称为目标“mindcraft服务器”)。事实证明,在对这个网站和OVH攻击后的几天里,Anna-Sempai在针对Coelho的ProxyPipe攻击时对Mirai进行了训练,以至于破解了他们的DDoS缓解服务并导致许多流行的Minecraft服务器下线。 无法获得更多的带宽,也不愿意与第三方DDoS缓解公司签订昂贵的年度合同,Coelho转向唯一的另一个选择来从攻击中解脱:向Mirai僵尸网络的C&C服务器所在的互联网托管公司提交滥用投诉,以下线这些主机。“我们做到了,因为我们没有其他选择,我们所有的客户都被打到下线了,”Coelho说,“即使没有其他DDoS缓解公司能够防御这些攻击[从Mirai],我们仍然需要防御,因为我们的客户开始迁移到其他吸引较少攻击的服务提供商那去了。”。 Coelho说,他在搜索到与攻击中使用的bots相关的ip地址列表后,能够将Mirai僵尸网络的控制服务器追溯到乌克兰的主机提供商。该公司,BlazingFast [dot] io,拥有托管僵尸网络控制网络的“美誉”(即使现在,Spamhaus报告了一个从2017年1月17日起运行在BlazingFast上的物联网僵尸网络控制器)。 Coelho没有从BlazingFast那里得到任何有效的反馈,他将自己的投诉升级到了Voxility,这家公司当时正在为BlazingFast提供DDoS保护。“Voxility承认控制服务器的存在,并说他们会将它路由到null[删除],但他们没有,”Coelho说, “他们基本上在骗我们,然后也不回复任何邮件了。”。 Coelho说,他随后给BlazingFast所属的ISP发邮件,但没有收到该公司或下一个ISP的帮助。Coelho说,他们找到了BlazingFast的第五个ISP Telia Sonera,他们确认了他的报告,并迅速下线Mirai的控制服务器。结果,许多感染了Mirai的系统不能再连接到僵尸网络的控制服务器,大大减少了僵尸网络的整体火力。Coelho接着说“Telia的行动将僵尸网络能发起的攻击大小降低到80 Gbps,而这在ProxyPipe内部的DDoS缓解功能范围内。”。 令人难以置信的是,9月28日,Anna-Senpai本人通过Skype联系到Coelho。 Coelho与KrebsOnSecurity分享了该聊天对话的副本。对话记录显示Anna-Senpai猜测到了是ProxyPipe进行的投诉,导致了Mirai失效。Anna-Senpai说他从KrebsOnSecurity博客的文章中看到一个评论,这个用户的名字与Coelho的客户一样,所以他猜想ProxyPipe与此事有关。 在如下的对话中,Coelho的名称为“katie.onis” 通知和撤销Anna-Senpai可能对Coelho拿下Mirai的方法感到迷惑,因为Anna-Senpai在前一个月也是用同样的方法来对待Mirai的顶级竞争对手- Qbot。 在Coelho和Anna-Senpai之间的这个聊天之前的一个月,Anna正忙于向各种托管公司发送滥用投诉,警告他们正在托管需要被关闭的大型物联网设备botnet的控制服务器。这显然只是来自Mirai管理员的一个扩展活动的一部分,以消除其他基于物联网设备的DDoS僵尸网络占有易受攻击的物联网设备池。Anna在与Coelho的聊天中证实了这一点:收到Anna-Senpai的滥用投诉的ISP或托管服务提供商都被鼓励将邮件回复给ogmemes123123@gmail.com,以回答问题或者确认是否删除bot服务器。ISP如果拒绝对Anna-Senpai投诉Qbot的电子邮件迅速采取行动,很快就发现它们遭受了来自Mirai的巨大DDoS攻击。 托管服务商Frantech的所有者Francisco Dias是第一个发现忽略Anna的滥用报告会有多大代价的人。在2016年9月中旬,Francisco不小心与Anna-Senpai进行了互联网战。当时Mirai 
的幕后黑手正在使用“jorgemichaels”作为昵称,而Jorgemichaels也在LowEndTalk.com上讨论废弃物有关的话题。具体来说,Jorgemichaels要求Francisco在论坛上就他的一个Qbot滥用投诉被忽略的事情进行公开讨论。Francisco告诉Jorgemichaels如果事情非常紧急的话建议向警方提出投诉。Jorgemichaels让Francisco闭嘴,当弗朗西斯科沉默了一会儿后,Jorgemichaels得意扬扬的说你知道我住在哪。Francisco说道他会继续保持沉默,因为他忙于为客户提供服务。Jorgemichaels回答说,“听起来你有非常多的客户需要你的帮助。但是Francisco千万不要惹怒了黑社会,否则有损你的事业。”不久以后,Frantech公司在被Mirai 攻击后下线。下面是Francisco和Anna-Senpai / Jorgemichaels之间私人对话的一个片段,Francisco之后关闭了报告提到的Qbot控制服务器,以换取Anna / Jorgemichaels停止攻击。回到Anna-Senpai和Coelho在2016年9月底的聊天。Anna-Senpai告诉Coelho,对ProxyPipe的攻击不是因为个人的原因,这是业务要求。Anna说,他已经出租了这些“节点”,相当大的一个Mirai 僵尸网络,其他黑客可以自由的选定时间发动攻击。Anna说,正如他对Coelho说过的这是业务,一个大型Minecraft服务器的所有者付钱让他针对目前世界上最受欢迎的Minecraft服务器Hypixel发起一次致命的DDoS攻击。KrebsOnSecurity跟Hypixel进行了确认,他们确实在9月27日和30日之间遭受Mirai大规模攻击。Coelho告诉KrebsOnSecurity,Anna描述的对Hypixel发起的一次又一次的DDoS攻击不仅仅是为了让Hypixel不能赚钱。他说,这种攻击方法的目的是为了加剧和惹恼Hypixel的客户,这样他们的客户就可能转而投向竞争对手的Minecraft服务器。Coelho解释道:“这不只是要让它停止服务,而是要让每个在服务器上玩的人都疯掉”,“如果你每20分钟就发动一次短暂的攻击,你基本上给了玩家足够的时间再回到服务器,参与到另一个游戏中,然后接着再次断开他的连接。”。 Anna-Senpai告诉Coelho对KrebsOnSecurity进行的620 Gbps攻击的原因也是因为业务。在攻击前两周,我发布了一个长达数月的调查结果,透露“vDOS”是最大和运行时间最长的付费DDoS攻击服务之一,它被黑客给攻击了,然后所有者和客户的详细信息都遭到了泄露。vDOS为它的主人获取了超过60万美元的收入,而它是由两个18岁的以色列男子别名为“applej4ck”和“p1st0”的黑客所经营的。在那段时间后,以色列当局逮捕了这两个人,而已经运作了四年的vDOS被关闭了。[注意:如果是真的,有人会因为我报告了vDOS的故事而雇佣Anna-Senpai攻击我的网站,那简直太讽刺了。这是因为applej4ck的vDOS服务背后的火力在很大程度上是由感染了Qbot变种的物联网系统的僵尸网络产生的,这是与Mirai非常相似的僵尸网络。] Coelho告诉KrebsOnSecurity,如果他和攻击者的谈话看上去太过于温和,那是因为他担心惹怒Anna,然后又招致来一场针对proxypipe的攻击。Coelho说,Mirail对ProxyPipe的攻击导致许多客户切换到其他Minecraft服务器保护商那,Coelho估计攻击成本在40万美元到50万美元之间。两人甚至后来还讨论起了动漫,Anna-Senpai猜测Coelho可能是某种动漫类型的粉丝。Anna-Senpai说,他观看了动漫系列“Gate,”,也就是上面提到过的Dreadiscool动漫列表中的“B Gata H Hei”有借鉴过它。Anna还证实,他的bot恶意软件的名称是从动漫系列“Mirai Nikki”派生的。 DREADISCOOL = ANNA = JHA?Coelho说当Anna-Senpai在Skype上首次与他接触时,他对黑客的真实身份一点线索都没有。但是在与Anna-Senpai进行聊天会话几周后,Coelho的业务合作伙伴(上面第一个聊天部分提到的Eric)说他注意到,Mirai中的一些代码看起来非常类似于Dreadiscool发布到他的Github帐户的代码。“他开始得出结论,也许Paras就是Anna”,Coelho说,“他给了我很多想法,我做了我自己的调查后,我觉得他可能是对的。”。 Coelho说他认识Paras 
Jha已经四年多了,当Jha在Minetime工作时,他在网上见到了他,那时候ProxyPipe正在防止DDoS攻击。“当时我们谈了很多,我们曾经一起编写了很多项目”,Coelho说,“他现在真的很善于编程,但是当时他不是这样子的。他有点落后,我几乎教会了他一切”,“他喜欢他的知识被其他人认可和赞扬”。 Coelho说,不久之后,Minetime在2013年遭到DDoS敲诈攻击,Paras加入Hackforums,在那之后Paras就不再回应他的在线消息了。“他只不过是完全抛弃了地球的表面”,Coelho继续说到,“当他开始在Hackforums混之后,我不再认识他了,他变成了另一个人。”。Coelho还说不相信他的老朋友会希望他受到伤害,Jha可能是受到了压力才攻击的ProxyPipe。Coelho又补充到,“在我看来,他还是一个孩子,他得到了很多同行给予他的压力”,“如果他没有[发动攻击],他不仅会感到被排除在外,而且这些人也不再是他的朋友了,他们可以把他赶出去。我认为他以及和他一起的其他人的处境非常非常糟糕。”。 Rutgers大学的DDOS攻击12月16日,安全供应商Digital Shadows开展了一个网络研讨会,会议的重点在于Mirai作者现实生活的身份。根据他们的分析,在Mirai作者被称为Hackforums的Anna-Senpai之前,他使用过昵称“Ogmemes123123”(这也是联系Coelho的Skype用户名的别名)和电子邮件地址ogmemes123123@gmail.com (这个是他在要求各种托管公司删除托管在他们网络上的Qbot控制服务器时留下的联系方式)。 Digital Shadows注意到,Mirai作者似乎使用了另一个昵称:“OG_Richard_Stallman”,这可能是对自由软件基金会创始人的参考。 ogmemes123123@gmail.com帐户用于在Facebook注册以OG_Richard Stallman为名的账号。从这个Facebook来看,OG_Richard_Stallman从2015年开始在New Brunswick, NJ-based Rutgers University学习计算机工程。 那个时间点,Paras Jha是Rutgers 大学的学生。这是特别值得注意的,因为自2015年秋季学期开始,Rutgers大学一直在处理其网络上的一系列DDoS攻击,超过了6个事件。对于每次DDoS攻击,攻击者都会在在线帖子和媒体采访中嘲笑该大学,鼓励学校花钱购买某种DDoS缓解服务。攻击者在Reddit和Twitter上使用昵称“og_richard_stallman”,“exfocus”和“ogexfocus”表示对Rutgers大学大约六次的攻击表示负责。Exfocus甚至在Reddit上创建了自己的“Ask Me Anything”页面来讨论针对Rutgers大学的攻击。 Exfocus还接受了一个新泽西州的博主的采访,声称他使用多达17万的bot对大学发起攻击,每小时就能获得$ 500。这里有几个来自那次采访的片段,他对租用他僵尸网络的“客户”发起了指责:在线搜索Anna-Senpai和OG_Richard_Stallman使用的Gmail地址会在Pastebin打开一个创建时间为2016年7月1日之前的帖子,其中匿名的Pastebin用户创建了一个OG_Richard_Stallman的“dox”。Doxing是指在线发布某人的个人信息或将某人的社交账号的真实信息披露出来。dox中发出了OG_Richard_Stallman在土耳其的个人地址和电话号码,但这几乎肯定是一个意图混淆网络犯罪调查员的假dox。原因如下:Google搜索显示,这个相同的地址和电话号码显示在针对另一个人的dox上,而这个Pastebin上的帖子是早于2013年6月就创建的,这样做的原因是要暴露或混淆Hackforums上用户LiteSpeed的身份。回想一下,LiteSpeed是ProTraf的Josiah White承认在Hackforums上使用的别名。 通过og_richard_stallman敲诈这个OG_Richard_Stallman身份与另一个我们已经提到的人Anna-Senpai联系在了一起,Francisco Dias,他的Frantech ISP在9月中旬被Anna-Senpai和Mirai攻击。 Francisco告诉KrebsOnSecurity,在2016年8月初,他开始从与OG_Richard_Stallman相关联的Gmail地址收到勒索电子邮件。“这个使用Richard 
Stallman名字的人在Skype上添加了我,并且说”我会把你所有的互联网业务打到下线,直到你支付我金钱“,Francisco回忆说,“他告诉我,停止攻击的前期成本是10比特币[当时差不多5,000美元],如果我在攻击开始后的四个小时内没有付款,费用将翻倍到20比特币。”。Francisco说他没有满足他的要求,最终OG_Richard_Stallman取消了攻击。但他说又过了一会儿,攻击就强大到了足以给Frantech的互联网提供商带来问题。“Mirai努力的对我们的服务器发起攻击,它在消耗了大量的电力的同时还对在洛杉矶的节点造成了麻烦”,Francisco继续说,“我几乎把所有的问题都抛给了[DDoS缓解提供者] Voxility,最终熬过来了。”。 OG_Richard_Stallman的身份也与另一个托管公司相关联,在8月初他对其发起了类似的勒索攻击,而该公司在2016年曾经是ProTraf的客户之一。该公司拒绝被记录在案,但表示它在2016年中就停止了与Protraf的中间业务,因为他们对服务质量不满意。不久之后,它收到了来自“OG_Richard_Stallman”价值$5000比特币的勒索请求,付款以避免被DDoS攻击。 该公司的一名研究人员假装成是要购买DDoS服务的客户,通过电子邮件中提供的ogmemes123123@gmail.com地址与勒索者联系。OG_Richard_Stallman告诉该研究人员,他可以保证350 Gbps的攻击流量,如果目标没有被拿下的话,客户将获得全额退款。至于攻击的价格? 每五分钟攻击需付价值$100的比特币。后来托管公司表示,他的雇主拒绝支付该勒索请求,随后就受到了来自Mirai超过300 Gbps的攻击。 来自某匿名人士的话:“显然,攻击者是非常具有技术性的,因为他们会攻击子网内的每一个ip,并且在我们对此进行防护后,他们开始转而攻击上游路由器的接口”。当被问及他们认为可能谁要对此攻击负责时,我的消息来源者称他的雇主立即怀疑是ProTraf,这是因为Mirai也对公司主页的ip进行了攻击,而本来该主页的真实ip是被DDoS缓解公司Cloudflare隐藏了的,理论上是不可能被攻击的(ProTraf之前与该公司合作过,所以ProTraf知道它的真实ip)。他继续说到“我们相信攻击者是Protraf的工作人员或与该公司有关的人”。 下图为该不愿透漏名称的公司收到的来自于OG_Richard_Stallman的勒索邮件,后来他假装成是要购买DDoS服务的顾客与之进行交流,注意这里他大胆的说他要购买服务对ProTraf发起DDoS攻击。 DDoS会议经过几个月,我收集了从Ammar Zuberi(ProTraf所有者Paras Jha的同事)听来的以及Mirai的开发者的信息。 Zuberi告诉KrebsOnSecurity,Jha承认他负责管理Mirai,也是他发起了对Rutgers大学的DDoS攻击。Zuberi说2015年10月他去Jha的大学宿舍拜访时,Jha向他吹嘘自己是如何对Rutgers大学发起DDoS攻击的。Zuberi回忆说:“他笑着说,他是如何让学校的一个安全人员被解雇的,以及学校是如何因为他而提高学费的,“他没有真正说出他为什么这样做的原因,但我感觉他只是在试验,通过这些攻击测试他能做到什么程度”。 Zuberi说他没有意识到Jha用他的DDoS攻击都做了什么,直到去年底他与他面对面进行了交流。Zuberi说在2016年11月底他正在去拜访亚利桑那州祖母的路上,然后在纽约逗留了,所以他联系了Jha,并且在Jha在新泽西Fanwood的家度过了夜晚。 正如我在“Spreading the DDoS Disease and Selling the Cure”中指出的,Anna-Senpai在santasbigcandycane [dot] cx(通过Namecentral注册的域名)上泄露了Mirai的源代码。Namecentral是一个非常不出名的域名注册商,在三年内只注册了多数不多的几个域名。 根据Zuberi所说的,只有五个人知道Namecentral的存在:他自己,CJ Sculti,Paras Jha,Josiah White和Namecentral的所有者Jesse Wu(19岁的Wu在上面所给的那个链接中的故事特别突出)。 “当我看到Mirai的代码已经在Namecentral的域上泄露时,我直接问Paras说“那一切都是你做的是吗?,他微笑着说是的”,Zuberi回忆说,“然后他告诉我他最近听到说有一个联邦调查局特工正在调查Mirai,他给我展示了他和特工之间的一些讯息。他为自己感到骄傲,并且吹嘘他把邦调查局耍的团团转”。 
Zuberi继续说,在11月访问过他的家以后就再没有与Jha联系。Zuberi说他相信Mirai用来控制感染的物联网设备的大部分代码是由Jha写的,因为它是用Golang写的,而Jha的合作伙伴White不擅长该编程语言。Zuberi表示,他认为White主要负责开发的是用于感染新的物联网设备的扩展代码,因为它是用C语言写的,而这是White擅长的编程语言。 在上述大多数发生的时间,之前被ProTraf占用的大量ip已被撤销,ProxyPipe的Coelho说ProTraf可能没钱为继下去了。 ProTraf的Josiah White解释了ProTraf所有的ip消失的原因是他们要重新启动公司。White告诉KrebsOnSecurity,“我们正在重组和重新调整我们正在做的事情”,Jha则完全没有回应。 1月19日,10:51 a.m更新:Jha进行了回应,他对这个故事的第一个评论是,我错误地引用了上面提到的dreadiscool列出的动漫电影。当直接询问他涉嫌操纵Mirai时,Jha说他Mirai不是他写的,也没有参与攻击Rutgers大学。“第一次发生时,我只是一个新生,我住在宿舍里”,Jha说,“在接近年底的攻击的高潮,我几乎一个星期都没办法联网,跟其他学生是一样的。我不能注册课程,而且有很多事情要处理”。Jha说Zuberi去年在他的房子过夜,但他否认Zuberi的其他言论。他知道有联邦调查局特工在调查Mirai,但当被问及自那以后他是否听说过联邦调查局特工时他表示“无可奉告”。“我不认为有足够的事实能够指控那就是我”,Jha说,“我就是一个很普通的人,过去没有做过这种事情,也没有任何反社会的行为。这篇文章的作者才是反社会的”。 Anna-Senpai和ProxyPipe的Coelho之间的对话副本在这里。 转载自:http://www.4hou.com/special/3108.html","categories":[],"tags":[]},{"title":"Who Ran Leakedsource.com?","slug":"Using Logs to Investigate a Web Application Attack","date":"2017-07-31T02:16:14.000Z","updated":"2017-07-31T02:45:04.438Z","comments":true,"path":"2017/07/31/Using Logs to Investigate a Web Application Attack/","link":"","permalink":"http://yoursite.com/2017/07/31/Using Logs to Investigate a Web Application Attack/","excerpt":"A log file is an extremely valuable piece of information which is provided by a server. Almost all servers, services, and applications provide some sort of logging. But what is a log file? A log file records events and actions that take place during the runtime of a service or application.","text":"A log file is an extremely valuable piece of information which is provided by a server. Almost all servers, services, and applications provide some sort of logging. But what is a log file? A log file records events and actions that take place during the runtime of a service or application. So why are log files so important? 
Log files provide us with a precise view of the behavior of a server as well as critical information about when, how and “by whom” a server is being accessed. This kind of information can help us monitor performance, troubleshoot and debug applications, and help forensic investigators unfold the chain of events that may have led to a malicious activity. Let’s take a web server as an example. Most commonly, Apache HTTP Server will provide two main log files – access.log and error.log. The access.log records all requests for files. If a visitor requests www.example.com/main.php, the following entry will be added to the log file.
88.54.124.17 - - [16/Apr/2016:07:44:08 +0100] "GET /main.php HTTP/1.1" 200 203 "-" "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
The above log entry describes that a visitor with an IP address of 88.54.124.178 requested the main.php file on April 16th, 2016 at 07:44 and that the request was successful. This information might not be too interesting, but what if the log file described that a visitor with IP 88.54.124.178 requested the dump_database.php file on April 16th, 2016 at 07:44 and the request was successful? In the absence of that log file, you might never have known that someone discovered and ran a secret or restricted script on your website that dumps the database. Having established that a log file is a critical asset, let’s look at an everyday example of how a log file would help identify when, how and “by whom” a website was hacked.
Investigation
Let’s assume that a website we administer got defaced. Let’s also assume that the site was a simple and up-to-date WordPress website running on a fully patched Ubuntu Server. After reaching out for help, the forensic team took the server “offline” in order to be able to proceed with the investigation. 
Isolating the server is done to preserve the current state of the system and its logs, to block remote access by the attacker (in case a backdoor was installed), and to prevent interaction with any other network machines. In order to fulfill the scope of the investigation, which is to identify malicious activity on the web server, the methodology would normally require creating a forensically sound copy of the server and then proceeding with the investigation on that copy; however, since there are no plans to pursue legal action against the attacker, the forensic team can work on the original data.
Evidence to Look for in an Investigation
In order to start an investigation, the investigator needs to identify what evidence to look for. Usually, evidence of an attack involves direct access to “hidden” or unusual files, access to the administration area with or without authentication, remote code execution, SQL injection, file inclusion, cross-site scripting (XSS) and other unusual behavior that might indicate vulnerability scanning or reconnaissance. Let us assume that for our example, the web server’s access.log is available.
root@secureserver:/var/log/apache2# less access.log
The access.log tends to be quite a large file, often containing thousands of recorded requests. 
84.55.41.57 - - [16/Apr/2016:20:21:56 +0100] "GET /john/index.php HTTP/1.1" 200 3804 "-" "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
84.55.41.57 - - [16/Apr/2016:20:21:56 +0100] "GET /john/assets/js/skel.min.js HTTP/1.1" 200 3532 "http://www.example.com/john/index.php" "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
84.55.41.57 - - [16/Apr/2016:20:21:56 +0100] "GET /john/images/pic01.jpg HTTP/1.1" 200 9501 "http://www.example.com/john/index.php" "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
84.55.41.57 - - [16/Apr/2016:20:21:56 +0100] "GET /john/images/pic03.jpg HTTP/1.1" 200 5593 "http://www.example.com/john/index.php" "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
Checking every single line would be impractical, so what we’ll want to do is filter out data that would most probably be of no interest. That usually includes resources such as images and CSS stylesheets. Some investigators also prefer to strip out JavaScript files. In this case, however, since the website is running WordPress, we will use a slightly different approach. Instead of ruling out some data, we will filter access.log for WordPress-specific characteristics.
root@secureserver:~# cat /var/log/apache2/access.log | grep -E "wp-admin|wp-login|POST /"
The above command will filter access.log and show only records that contain the string wp-admin, which is the default administration folder of WordPress; wp-login, which is part of the name of the WordPress login file (wp-login.php); and finally POST, which will show HTTP requests sent to the server using the POST method, which are most likely login form submissions. The output returns a number of results. 
After sifting through them, we’ll concentrate on the following single record:
84.55.41.57 - - [17/Apr/2016:06:52:07 +0100] "GET /wordpress/wp-admin/ HTTP/1.1" 200 12349 "http://www.example.com/wordpress/wp-login.php" "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
We see that the IP 84.55.41.57 accessed the WordPress administration area successfully. Let’s see what else the user with this IP address did. We’ll use grep once again to filter the access.log for that IP.
root@secureserver:~# cat /var/log/apache2/access.log | grep 84.55.41.57
This results in the following interesting records.
84.55.41.57 - - [17/Apr/2016:06:57:24 +0100] "GET /wordpress/wp-login.php HTTP/1.1" 200 1568 "-"
84.55.41.57 - - [17/Apr/2016:06:57:31 +0100] "POST /wordpress/wp-login.php HTTP/1.1" 302 1150 "http://www.example.com/wordpress/wp-login.php"
84.55.41.57 - - [17/Apr/2016:06:57:31 +0100] "GET /wordpress/wp-admin/ HTTP/1.1" 200 12905 "http://www.example.com/wordpress/wp-login.php"
84.55.41.57 - - [17/Apr/2016:07:00:32 +0100] "POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1" 200 454 "http://www.example.com/wordpress/wp-admin/"
84.55.41.57 - - [17/Apr/2016:07:00:58 +0100] "GET /wordpress/wp-admin/theme-editor.php HTTP/1.1" 200 20795 "http://www.example.com/wordpress/wp-admin/"
84.55.41.57 - - [17/Apr/2016:07:03:17 +0100] "GET /wordpress/wp-admin/theme-editor.php?file=404.php&theme=twentysixteen HTTP/1.1" 200 8092 "http://www.example.com/wordpress/wp-admin/theme-editor.php"
84.55.41.57 - - [17/Apr/2016:07:11:48 +0100] "GET /wordpress/wp-admin/plugin-install.php HTTP/1.1" 200 12459 "http://www.example.com/wordpress/wp-admin/plugin-install.php?tab=upload"
84.55.41.57 - - [17/Apr/2016:07:16:06 +0100] "GET /wordpress/wp-admin/update.php?action=install-plugin&plugin=file-manager&_wpnonce=3c6c8a7fca HTTP/1.1" 200 5698 "http://www.example.com/wordpress/wp-admin/plugin-install.php?tab=search&s=file+permission"
84.55.41.57 - - [17/Apr/2016:07:18:19 +0100] "GET /wordpress/wp-admin/plugins.php?action=activate&plugin=file-manager%2Ffile-manager.php&_wpnonce=bf932ee530 HTTP/1.1" 302 451 "http://www.example.com/wordpress/wp-admin/update.php?action=install-plugin&plugin=file-manager&_wpnonce=3c6c8a7fca"
84.55.41.57 - - [17/Apr/2016:07:21:46 +0100] "GET /wordpress/wp-admin/admin-ajax.php?action=connector&cmd=upload&target=l1_d3AtY29udGVudA&name%5B%5D=r57.php&FILES=&_=1460873968131 HTTP/1.1" 200 731 "http://www.example.com/wordpress/wp-admin/admin.php?page=file-manager_settings"
84.55.41.57 - - [17/Apr/2016:07:22:53 +0100] "GET /wordpress/wp-content/r57.php HTTP/1.1" 200 9036 "-"
84.55.41.57 - - [17/Apr/2016:07:32:24 +0100] "POST /wordpress/wp-content/r57.php?14 HTTP/1.1" 200 8030 "http://www.example.com/wordpress/wp-content/r57.php?14"
84.55.41.57 - - [17/Apr/2016:07:29:21 +0100] "GET /wordpress/wp-content/r57.php?29 HTTP/1.1" 200 8391 "http://www.example.com/wordpress/wp-content/r57.php?28"
84.55.41.57 - - [17/Apr/2016:07:57:31 +0100] "POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1" 200 949 "http://www.mywebsite.com/wordpress/wp-admin/admin.php?page=file-manager_settings"
Let’s analyze these records a bit further. The attacker accessed the login screen.
84.55.41.57 - GET /wordpress/wp-login.php 200
The attacker submitted the login form (an HTTP request using the POST method) and was redirected (302 HTTP status code).
84.55.41.57 - POST /wordpress/wp-login.php 302
The attacker was redirected to wp-admin (the WordPress dashboard), which means authentication was successful.
84.55.41.57 - GET /wordpress/wp-admin/ 200
The attacker navigated to the theme editor.
84.55.41.57 - GET /wordpress/wp-admin/theme-editor.php 200
The attacker tried to edit the file 404.php, which is a very common tactic used to inject malicious code into a theme file. The attacker most probably failed in doing so due to a lack of write permissions.
84.55.41.57 - GET /wordpress/wp-admin/theme-editor.php?file=404.php&theme=twentysixteen 200
The attacker accessed the plugin installer.
84.55.41.57 - GET /wordpress/wp-admin/plugin-install.php 200
The attacker installed and activated the file-manager plugin.
84.55.41.57 - GET /wordpress/wp-admin/update.php?action=install-plugin&plugin=file-manager&_wpnonce=3c6c8a7fca 200
84.55.41.57 - GET /wordpress/wp-admin/plugins.php?action=activate&plugin=file-manager%2Ffile-manager.php&_wpnonce=bf932ee530 200
The attacker used the file-manager plugin to upload r57.php, which is a PHP webshell script.
84.55.41.57 - GET /wordpress/wp-admin/admin-ajax.php?action=connector&cmd=upload&target=l1_d3AtY29udGVudA&name%5B%5D=r57.php&FILES=&_=1460873968131 200
The log indicates that the attacker ran the r57 shell script. The query strings ?1 (the attacker ran phpinfo();) and ?28 (the attacker got a list of services) indicate navigation through the different sections of the shell script. It appears that he didn’t find anything interesting.
84.55.41.57 - GET /wordpress/wp-content/r57.php 200
84.55.41.57 - POST /wordpress/wp-content/r57.php?1 200
84.55.41.57 - GET /wordpress/wp-content/r57.php?28 200
The attacker’s last action was to edit the index file of the theme through the file-manager plugin and replace its contents with the word “HACKED!”
84.55.41.57 - POST /wordpress/wp-admin/admin-ajax.php 200 - http://www.example.com/wordpress/wp-admin/admin.php?page=file-manager_settings
Based on the above information, we now have a timeline of the attacker’s actions that led to the defacement of the website. However, there is a missing piece in the puzzle. How did the attacker get the login credentials in the first place? Assuming that we are certain that the administrator password was not leaked or brute-forced, let’s go back and see if we can find anything regarding this matter. The current access.log did not contain any clues on what might have happened. 
However, there is more than just the one access.log file we were investigating. Apache HTTP Server’s log rotation, archived old log files. Listing the /var/log/apache2/ directory lists 4 additional log files. Let’s investigate. Firstly, we’ll filter the logs to see if any actions were taken by IP 84.55.41.57. One of the logs was bombarded with records that clearly indicate a SQL injection attack on what seems to be a custom plugin. 123484.55.41.57- - [14/Apr/2016:08:22:13 0100] "GET /wordpress/wp-content/plugins/custom_plugin/check_user.php?userid=1 AND (SELECT 6810 FROM(SELECT COUNT(*),CONCAT(0x7171787671,(SELECT (ELT(6810=6810,1))),0x71707a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) HTTP/1.1" 200 166 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)"84.55.41.57- - [14/Apr/2016:08:22:13 0100] "GET /wordpress/wp-content/plugins/custom_plugin/check_user.php?userid=(SELECT 7505 FROM(SELECT COUNT(*),CONCAT(0x7171787671,(SELECT (ELT(7505=7505,1))),0x71707a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) HTTP/1.1" 200 166 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)"84.55.41.57- - [14/Apr/2016:08:22:13 0100] "GET /wordpress/wp-content/plugins/custom_plugin/check_user.php?userid=(SELECT CONCAT(0x7171787671,(SELECT (ELT(1399=1399,1))),0x71707a7871)) HTTP/1.1" 200 166 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)"84.55.41.57- - [14/Apr/2016:08:22:27 0100] "GET /wordpress/wp-content/plugins/custom_plugin/check_user.php?userid=1 UNION ALL SELECT CONCAT(0x7171787671,0x537653544175467a724f,0x71707a7871),NULL,NULL-- HTTP/1.1" 200 182 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)" Let’s assume that this plugin was created by copy-and-pasting some which the system 
administrator found online. The script was meant to check a user’s validity based on a given ID. The plugin had a form exposed on the main page of the website which sent an AJAX GET request to /wordpress/wp-content/plugins/custom_plugin/check_user.php. By analyzing check_user.php it is immediately obvious that the script is poorly written and vulnerable to a SQL injection attack.
<?php
// Include the WordPress header
include('/wordpress/wp-header.php');
global $wpdb;
// Use the GET parameter ‘userid’ as user input
$id = $_GET['userid'];
// Make a query to the database with the value the user supplied in the SQL statement
$users = $wpdb->get_results("SELECT * FROM users WHERE user_id=$id");
?>
The number of records in the access.log and their pattern indicate that the attacker used a SQL injection exploitation tool to exploit the SQL injection vulnerability. We will not dig deeper into the SQL injection attack, or how to fix SQL injection vulnerabilities, as this is outside the scope of this article; however, the records in the log would resemble the following.
/wordpress/wp-content/plugins/my_custom_plugin/check_user.php?userid=-6859 UNION ALL SELECT (SELECT CONCAT(0x7171787671,IFNULL(CAST(ID AS CHAR),0x20),0x616474686c76,IFNULL(CAST(display_name AS CHAR),0x20),0x616474686c76,IFNULL(CAST(user_activation_key AS CHAR),0x20),0x616474686c76,IFNULL(CAST(user_email AS CHAR),0x20),0x616474686c76,IFNULL(CAST(user_login AS CHAR),0x20),0x616474686c76,IFNULL(CAST(user_nicename AS CHAR),0x20),0x616474686c76,IFNULL(CAST(user_pass AS CHAR),0x20),0x616474686c76,IFNULL(CAST(user_registered AS CHAR),0x20),0x616474686c76,IFNULL(CAST(user_status AS CHAR),0x20),0x616474686c76,IFNULL(CAST(user_url AS CHAR),0x20),0x71707a7871) FROM wp.wp_users LIMIT 0,1),NULL,NULL--
The above is a very strong indication that the WordPress database has been compromised and that any data in that database has potentially been stolen. 
Analysis
Through this investigation, we can now create the chain of events that led to this attack. Some questions still remain, such as who was behind the attack. At this point, it is only possible to know the attacker’s IP address. It is very difficult, and probably infeasible, to attempt to attribute most attacks unless the attacker left concrete evidence that ties to a real person’s identity. Bear in mind that attackers frequently make use of proxies and anonymity networks such as Tor to conduct most attacks in order to mask their real location. The bottom line is that unsafe code that led to a SQL injection attack was present in a custom WordPress plugin. Had the site been tested for security vulnerabilities before being deployed in a production environment, it would not have been possible for the attacker to take advantage of the security vulnerability which caused the defacement. The attacker in the above fictitious example was very sloppy and left a significant amount of evidence and tracks which would have aided an investigator and made the investigation very easy. This, however, is not always the case, especially when dealing with more sophisticated attacks. 
Reference: https://dzone.com/articles/using-logs-to-investigate-a-web-application-attack https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/","categories":[],"tags":[]},{"title":"Talos: the King of Threat Intelligence","slug":"Talos--威胁情报的王者","date":"2017-07-30T07:48:00.000Z","updated":"2017-07-30T08:01:02.414Z","comments":true,"path":"2017/07/30/Talos--威胁情报的王者/","link":"","permalink":"http://yoursite.com/2017/07/30/Talos--威胁情报的王者/","excerpt":"Intelligence is critical to fighting criminal activity in the physical world. Threat intelligence, in turn, is one of the core levers for countering cybercrime and cyber threats in cyberspace.","text":"Intelligence is critical to fighting criminal activity in the physical world. Threat intelligence, in turn, is one of the core levers for countering cybercrime and cyber threats in cyberspace. In 2015, a piece of cybercrime phishing malware called Angler EK ran rampant across global networks, hijacking users' computers at a rate of 90,000 users per day and extorting ransoms from them, bringing in nearly 60 million US dollars a year in illicit revenue. While everyone else stood bewildered, a mysterious team inside Cisco stepped in. They analyzed Angler EK closely, identified the main addresses of the proxy servers it used for its exploit kit, and after a deep analysis of the kit's operation on the systems at those addresses, Cisco updated its network products to redirect the links and block the attack, directly protecting more than 50% of consumers from infection. At the same time, Cisco worked with law enforcement, handing over the criminal leads it had collected to help bring the criminals to justice. That single engagement brought this mysterious team, named “Talos”, to the surface of the industry and made its name. In last year's Cisco cybersecurity report, it also accurately predicted the characteristics and spread of the ransomware that has just swept the globe this year. The security team called “Talos” has become the intelligence team responsible for maintaining all security data within the Cisco ecosystem. Every day it blocks 20 billion threats and 80 million malicious DNS queries, and receives 16 billion web requests.
Talos's daily volume of security analysis
What is Talos? 
Cisco Talos is made up of first-class threat researchers, backed by Cisco's sophisticated, high-end systems. By analyzing malware, vulnerabilities, intrusions and the latest trends, it provides information on known and unknown threats and feeds its understanding of the threat landscape into all of Cisco's security products. In short, Cisco Talos's mission is to provide users with the most comprehensive and most timely threat defense, based on intelligent big-data analytics. Talos has more than 250 researchers and 600 software engineers, making it one of the largest security research teams in the cybersecurity industry, and it includes a number of well-known security experts. Open-source tools and platforms such as Snort and ClamAV were written by its members. It is organized into five core teams: threat intelligence, detection research, engine development, vulnerability research, and outreach. The job of the Cisco Talos threat intelligence team is to process large volumes of raw data and distill valuable, accurate threat intelligence from it. That intelligence is then passed to the detection research team, which converts it into detection rules. The software engineers on the engine development team use those rules to build the engines in security products that detect malware and attacks. The vulnerability research team's main work is studying zero-day attacks and working with popular software vendors to quickly eliminate the risk posed by vulnerabilities before cybercriminals can exploit them. Finally, the Talos outreach team's main job is to share what it knows about the overall threat landscape, organizing the information and passing it on to the outside world, much like the notification centers of certain agencies. Moreover, any customer who buys any Cisco security product receives Cisco Talos threat intelligence for free. Take the WannaCry ransomware that broke out worldwide in May of this year as an example:
March 14: Microsoft's security bulletin releases the SMB vulnerability patch (MS17-010). The same day, Talos releases Snort signatures defending against the MS17-010 vulnerability.
April 14: the Shadow Brokers release the EternalBlue and DoublePulsar exploits.
April 25: Talos releases Snort signatures defending against DoublePulsar and anonymous shares.
May 12: WannaCry begins to spread on a large scale.
7:30 that morning: the Cisco Talos blog announces the discovery of the WannaCry attack.
7:43: the kill switch domain is pushed globally into the newly seen domains category.
9:33: within 60 minutes of first obtaining a sample, AMP successfully detects and blocks it on endpoints, in email, at web gateways and in network security products.
10:12: Cisco adds it to the ransomware category.
Talos's threat intelligence capability
An earlier article published by Aqniu wrote: “Cisco Talos uses an automated security big-data approach to analyze threat intelligence from email, websites and more than 150 million network endpoint devices around the world. Every day it analyzes one third of the world's total email volume (600 billion emails per day), analyzes more than 1.5 million unique malware samples, and collects roughly 16 billion web requests. To give a vivid comparison, Google handles about 3.5 billion searches a day; the volume Cisco Talos collects and analyzes is 4.5 times that number.” Later, Cisco Talos worked with the multinational carrier Level 3 and other Internet providers to blackhole all SSHPsychos traffic on the global network. The counterattack on SSHPsychos became one of the largest hacker takedown operations of that year. For its contribution to stopping cybercrime, Talos is highly praised in security circles. In addition to its 250 full-time threat intelligence researchers, Cisco has deployed over a million telemetry agents and 1,100 threat-hunting programs around the world, and has 4 global data centers and more than 100 threat intelligence partners. According to a survey report ESG released last year, Cisco ranked first among the world's 18 best cybersecurity threat intelligence providers: 1. Cisco 2. IBM Security 3. Microsoft 4. Symantec (including Blue Coat) 5. McAfee 6. AWS 7. Dell SecureWorks 8. Check Point 9. Kaspersky 10. Palo Alto Networks 11. RSA Security 12. FireEye 13. Forcepoint 14. Fortinet 15. Imperva 16. Trend Micro, Proofpoint, Sophos (Source: ESG Research Survey, October 2016)
Talos threat intelligence breakdown
Powerful endpoint telemetry
The other large-scale malware outbreak this year was the Nyetya ransomware. Early in its spread, because the activity was observed to have a wide impact, Talos launched an internal research and response process called TaCERS (the Talos Critical Event Response System). TaCERS divides the activity into intelligence, telemetry analysis, reverse engineering, communications and detection research, and Talos researchers and engineers around the world responded to the threat together. Based on the endpoint telemetry, it was established that a Ukrainian accounting software package named “M.E.Doc” was the central source of the attack campaign; Nyetya spread precisely through installations of the M.E.Doc update system. M.E.Doc is an accounting package created by a Ukrainian company called Intellect Service; it is widely deployed and is used to interact with the Ukrainian tax system. 
Cisco Talos proactively contacted the accounting company directly and offered assistance, which the company gladly accepted, giving the visiting analysts access to its log files and code. Combining intelligence analysis, reverse engineering of the update, and telemetry analysis, the incident response team confirmed the following key facts: The attackers stole an M.E.Doc administrator's credentials, which allowed them to log in to the server and obtain root privileges, and modified the NGINX web server's configuration file so that any traffic to upd.me-doc.com.ua was proxied through the update server to a host in OVH IP space with the IP address 176.31.182.167. By comparing the first and last upstream error messages on the server with endpoint telemetry from the field, Talos determined the start and end times of the campaign's active infection phase, and subsequently determined Nyetya's propagation mechanism. When the M.E.Doc machines executed the initial sample, the command-line arguments matched perfectly with the data observed in endpoint telemetry. Cisco is committed to bringing people safer, more intelligent and higher-performance IT devices and products. Cutting-edge technology built around the Talos team's threat intelligence analysis has become the path and direction for Cisco's network security products: building a threat-centric, integrated security architecture. This security model covers the entire attack continuum and reduces the complexity created by a sprawl of products and disconnected solutions. Original article from Aqniu; it will be removed immediately upon request in case of infringement. http://www.aqniu.com/tools-tech/26940.html","categories":[],"tags":[]},{"title":"Threat Intelligence Resource Roundup: awesome-threat-intelligence","slug":"威胁情报资源整合","date":"2017-07-23T07:48:00.000Z","updated":"2017-07-23T09:47:19.995Z","comments":true,"path":"2017/07/23/威胁情报资源整合/","link":"","permalink":"http://yoursite.com/2017/07/23/威胁情报资源整合/","excerpt":"awesome-threat-intelligence is an open-source project hosted on GitHub that collects all kinds of resources related to threat intelligence.","text":"awesome-threat-intelligence is an open-source project hosted on GitHub that collects all kinds of resources related to threat intelligence. The project is divided into 5 parts:
Sources
The Sources section collects various open-source threat intelligence data providers, including Alexa Top 1 Million sites, C&C Tracker, Cymon, Hail a TAXII and others. They provide IPs, domains, DNS, URLs and even structured data such as STIX and OpenIOC, and many of the sources are still updated continuously. However, this open-source threat intelligence tends to be rather one-dimensional, which makes it hard to build an attack chain.
Formats
Formats introduces the sharing standards for threat intelligence; among the many standards, STIX has become the widely accepted de facto standard.
Frameworks and Platforms
Frameworks and Platforms introduces the various frameworks for creating, collecting, analyzing and sharing threat intelligence, such as the well-known OTX from AlienVault and the open-source MISP. A framework is only the skeleton; it still needs data to supply the blood. Many frameworks support importing open-source threat intelligence data, that is, the intelligence providers mentioned in the first part. Of course, open-source intelligence is poorly correlated, so importing it into a framework still cannot unleash the frameworks' correlation-analysis power; using threat intelligence you created yourself or that partners shared with you is the better choice.
Tools
Tools introduces some small utilities, including IOC editors such as IOC Editor and ioc_writer, Python wrappers for the TAXII protocol, the famous Cuckoo Sandbox, and others.
Research, Standards & 
Books
The last part is a collection of papers on threat intelligence and whitepapers on APT attacks.","categories":[{"name":"projects","slug":"projects","permalink":"http://yoursite.com/categories/projects/"}],"tags":[]},{"title":"paper_test","slug":"a","date":"2017-07-02T03:16:14.000Z","updated":"2017-07-03T12:01:14.000Z","comments":true,"path":"2017/07/02/a/","link":"","permalink":"http://yoursite.com/2017/07/02/a/","excerpt":"","text":"","categories":[{"name":"papers","slug":"papers","permalink":"http://yoursite.com/categories/papers/"}],"tags":[]},{"title":"company_test","slug":"sss","date":"2017-07-02T03:16:14.000Z","updated":"2017-07-03T12:01:42.000Z","comments":true,"path":"2017/07/02/sss/","link":"","permalink":"http://yoursite.com/2017/07/02/sss/","excerpt":"","text":"","categories":[{"name":"companies","slug":"companies","permalink":"http://yoursite.com/categories/companies/"}],"tags":[]},{"title":"Who Ran Leakedsource.com?","slug":"who-ran-leakedsource-com","date":"2017-02-18T03:16:14.000Z","updated":"2017-07-06T09:45:54.000Z","comments":true,"path":"2017/02/18/who-ran-leakedsource-com/","link":"","permalink":"http://yoursite.com/2017/02/18/who-ran-leakedsource-com/","excerpt":"Late last month, multiple news outlets reported that unspecified law enforcement officials had seized the servers for Leakedsource.com, perhaps the largest online collection of usernames and passwords leaked or stolen in some of the worst data breaches — including billions of credentials for accounts at top sites like LinkedIn and Myspace.","text":"Late last month, multiple news outlets reported that unspecified law enforcement officials had seized the servers for Leakedsource.com, perhaps the largest online collection of usernames and passwords leaked or stolen in some of the worst data breaches — including billions of credentials for accounts at top sites like LinkedIn and Myspace. 
In a development that could turn out to be deeply ironic, it seems that the real-life identity of LeakedSource’s principal owner may have been exposed by many of the same stolen databases he’s been peddling. The now-defunct LeakedSource service. LeakedSource in October 2015 began selling access to passwords stolen in high-profile breaches. Enter any email address on the site’s search page and it would tell you if it had a password corresponding to that address. However, users had to select a payment plan before viewing any passwords. LeakedSource was a curiosity to many, and for some journalists a potential source of news about new breaches. But unlike services such as BreachAlarm and HaveIBeenPwned.com — which force users to verify that they can access a given account or inbox before the site displays whether it has found a password associated with the account in question — LeakedSource did nothing to validate users. This fact, critics charged, showed that the proprietors of LeakedSource were purely interested in making money and helping others pillage accounts. I also was curious about LeakedSource, but for a different reason. I wanted to chase down something I’d heard from multiple sources: That one of the administrators of LeakedSource also was the admin of abusewith[dot]us, a site unabashedly dedicated to helping people hack email and online gaming accounts. Abusewith[dot]us began in September 2013 as a forum for learning and teaching how to hack accounts at Runescape, a massively multiplayer online role-playing game (MMORPG) set in a medieval fantasy realm where players battle for kingdoms and riches. 
The currency with which Runescape players buy and sell weapons, potions and other in-game items are virtual gold coins, and many of Abusewith[dot]us’s early members traded in a handful of commodities: Phishing kits and exploits that could be used to steal Runescape usernames and passwords from fellow players; virtual gold plundered from hacked accounts; and databases from hacked forums and Web sites related to Runescape and other online games. The administrator of Abusewith[dot]us is a hacker who uses the nickname “Xerx3s.” The avatar attached to Xerx3s’s account suggests the name is taken from Xerxes the Great, a Persian king who lived during the fifth century BC. Xerx3s the hacker appears to be especially good at breaking into discussion forums and accounts dedicated to Runescape and online gaming. Xerx3s also is a major seller of Runescape gold — often sold to other players at steep discounts and presumably harvested from hacked accounts. Xerx3s’s administrator account profile at Abusewith.us. I didn’t start looking into who might be responsible for LeakedSource until July 2016, when I sought an interview by reaching out to the email listed on the site (leakedsourceonline@gmail.com). Soon after, I received a Jabber chat invite from the address “leakedsource@chatme.im.” The entirety of that brief interview is archived here. I wanted to know whether the proprietors of the service believed they were doing anything wrong (we’ll explore more about the legal aspects of LeakedSource’s offerings later in this piece). Also, I wanted to learn whether the rumors of LeakedSource arising out of Abusewith[us] were true. “After many of the big breaches of 2015, we noticed a common public trend…’Where can I search it to see if I was affected?’,” wrote the anonymous person hiding behind the leakedsource@chatme.im account. “And thus, the idea was born to fill that need, not rising out of anything. 
We are however going to terminate the interview as it does seem to be more of a witch hunt instead of journalism. Thank you for your time.” Nearly two weeks after that chat with the LeakedSource administrator, I got a note from a source who keeps fairly close tabs on the major players in the English-speaking cybercrime underground. My source told me he’d recently chatted with Xerx3s using the Jabber address Xerx3s has long used prior to the creation of LeakedSource — xerx3s@chatme.im. Xerx3s told my source in great detail about my conversation with the Leakedsource administrator, suggesting that either Xerx3s was the same person I spoke with in my brief interview with LeakedSource, or that the LeakedSource admin had shared a transcript of our chat with Xerx3s. Although his username on Abusewith[dot]us was Xerx3s, many of Xerx3s’s closest associates on the forum referred to him as “Wade” in their forum postings. This is in reference to a pseudonym Xerx3s frequently used, “Jeremy Wade.” An associate of Xerx3s tells another abusewith[dot]us user that Xerx3s is the owner of LeakedSource. That comment was later deleted from the discussion thread pictured here. One email address this Jeremy Wade identity used pseudonymously was imjeremywade@gmail.com. According to a “reverse WHOIS” record search ordered through Domaintools.com, that email address is tied to two domain names registered in 2015: abusing[dot]rs, and cyberpay[dot]info. The original registration records for each site included the name “Secure Gaming LLC.” [Full disclosure: Domaintools is an advertiser on this blog].The “Jeremy Wade” pseudonym shows up in a number of hacked forum databases that were posted to both Abusewith[dot]us and LeakedSource, including several other sites related to hacking and password abuse. 
For example, the user database stolen and leaked from the DDoS-for-hire service “panic-stresser[dot]xyz” shows that a PayPal account tied to the email address eadeh_andrew@yahoo.com paid $5 to cover a subscription for a user named “jeremywade;” The leaked Panicstresser database shows the Jeremywade account was tied to the email address xdavros@gmail.com, and that the account was created in July 2012. The leaked Panicstresser database also showed that the first login for that Jeremywade account came from the Internet address 68.41.238.208, which is a dynamic Internet address assigned to residential customers of Comcast Communications in Michigan. According to a large number of forum postings, it appears that whoever used the xdavros@gmail.com address also created several variations on that address, including alexdavros@gmail.com, davrosalex3@yahoo.com, davrosalex4@yahoo.com, as well as themarketsales@gmail.com. The Gmail account xdavros@gmail.com was used to register at least four domain names almost six years ago in 2011. Two of those domains — daily-streaming.com and tiny-chats.com — were originally registered to a “Nick Davros” at 3757 Dunes Parkway, Muskegon, Mich. The other two were registered to a Nick or Alex Davros at 868 W. Hile Rd., Muskegon, Mich. All four domain registration records included the phone number +12313430295. I took that 68.41.238.208 Internet address that the leaked Panicstresser database said was tied to the account xdavros@gmail.com and ran an Internet search on it. The address turned up in yet another compromised hacker forum database — this time in the leaked user database for sinister[dot]ly, ironically another site where users frequently post databases plundered from other sites and forums. 
The leaked sinister[dot]ly forum database shows that a user by the name of “Jwade” who registered under the email address trpkisaiah@gmailcom first logged into the forum from the same Comcast Internet address tied to the xdavros@gmail.com account at Panicstresser. I also checked that Michigan Comcast address with Farsight Security, a security firm which runs a paid service that tracks the historic linkages between Internet addresses and domain names. Farsight reported that between 2012 and 2014, the Internet address 68.41.238.208 was tied to no-ip.biz, a popular “dynamic IP” service. No-ip.biz and other dynamic IP address services are usually free services that allow users to have Web sites hosted on servers that frequently change their Internet addresses. This type of service is useful for people who want to host a Web site on a home-based Internet address that may change from time to time, because services like No-ip.biz can be used to easily map the domain name to the user’s new Internet address whenever it happens to change. Unfortunately, these dynamic IP providers are extremely popular in the attacker community, because they allow bad guys to keep their malware and scam sites up even when researchers manage to track the attacking IP address and convince the ISP responsible for that address to disconnect the malefactor. In such cases, dynamic IP services allow the owner of the attacking domain to simply re-route the attack site to another Internet address that he controls. Farsight reports that the address 68.41.238.208 maps back to three different dynamic IP domains, including “jwade69.no-ip.biz,” “wadewon.no-ip.biz,” and “jrat6969.zapto.org.” That first dynamic address — jwade69.no-ip.biz — was included among several hundred others in a list published by the Federal Bureau of Investigation as tied to the distribution of Blackshades, a popular malware strain that was used as a password-stealing trojan by hundreds of paying customers prior to May 2014. 
XERX3S HACKED?
In January 2017, when news of the alleged raid on LeakedSource began circulating in the media, I began going through my notes and emails searching for key accounts known to be tied to Xerx3s and the administrator of Abusewith[dot]us. Somehow, in the previous three months I’d managed to overlook an anonymous message I received in mid-September from a reader who claimed to have hacked the email account themarketsales@gmail.com, one of several addresses my research suggested was tied to Xerx3s. The anonymous source didn’t say exactly how he hacked this account, but judging from the passwords tied to Xerx3s’s other known accounts that were included in the various forum database leaks listed above it may well have been because Xerx3s in some cases re-used the same password across multiple accounts. My anonymous source shared almost a dozen screenshots of his access to themarketsales@gmail.com, which indicate the name attached to the account was “Alex Davros.” The screenshots also show this user received thousands of dollars in Paypal payments from Leakedsource.com over a fairly short period in 2015. The screenshots also showed that themarketsales@gmail.com was tied to a PayPal account assigned to a Secured Gaming LLC. Recall that this is the same company name included in the Web site registration records back in 2011 for daily-streaming.com and tiny-chats.com. A screenshot shared with me in Sept. 2016 by an anonymous source who said he’d hacked the Gmail address “themarketsales@gmail.com”. In addition, the screenshot above and others shared by my source indicate that the same Paypal account tied to themarketsales@gmail.com was habitually used to pay a monthly bill from Hyperfilter.com, a company that provides DDoS protection and hosting and which has long been the provider used by Abusewith[dot]us. 
Finally, the anonymous hacker shared screenshots suggesting he had also hacked into the email account desiparker18@gmail.com, an account apparently connected to a young lady in Michigan named Desi Parker. The screenshots for Ms. Parker suggest her hacked Gmail account was tied to an Apple iTunes account billed to a MasterCard ending in 7055 and issued to an Alexander Davros at 868 W. Hile, Muskegon, Mich. The screenshots show the desiparker18@gmail.com address is associated with an Instagram account for a woman by the same name from Muskegon, Mich. (note that the address given in the WHOIS records for Alex Davros’s daily-streaming.com and tiny-chats.com also was Muskegon, Mich). Desi Parker’s Instagram lists her “spouse” as Alex Davros, and says her phone number is 231-343-0295. Recall that this is the same phone number included in the Alex Davros domain registration records for daily-streaming.com and tiny-chats.com. That phone number is currently not in service. Desi Parker’s Facebook account indeed says she is currently in a relationship with Alexander Marcus Davros, and the page links to this Facebook account for Alex Davros. Alex’s Facebook profile is fairly sparse (at least the public version of it), but there is a singular notation in his entire profile that stands out: Beneath the “Other Names” heading under the “Details about Alexander” tab, Alex lists “TheKing.” Parker’s Instagram account includes a photo of an illustration she made including her beau’s first name with a crown on top. Interestingly, two email addresses connected to domains associated with the Jeremy Wade alias — matt96sk@yahoo.com and skythekiddy@yahoo.com — are tied to Facebook accounts for Michigan residents who both list Alex Davros among their Facebook friends. Below is a rough mind map I created which attempts to show the connections between the various aliases, email addresses, phone numbers and Internet addresses mentioned above. 
At a minimum, they strongly indicate that Xerx3s is indeed an administrator of LeakedSource. I managed to reach Davros through Twitter, and asked him to follow me so that we could exchange direct messages. Within maybe 60 seconds of my sending that tweet, Davros followed me on Twitter and politely requested via direct message that I remove my public Twitter messages asking him to follow me. After I did as requested, Davros’s only response initially was, “Wow, impressive but I can honestly tell you I am not behind the service.” However, when pressed to be more specific, he admitted to being Xerx3s but claimed he had no involvement in LeakedSource. “I am xer yes but LS no,” Davros said. He stopped answering my questions after that, saying he was busy “doing a couple things IRL.” IRL is Internet slang for “in real life.” Presumably these other things he was doing while I was firing off more questions had nothing to do with activities like deleting profiles or contacting an attorney. Even if Davros is telling the truth, the preponderance of clues here and the myriad connections between them suggest that he at least has close ties to some of those who are involved in running LeakedSource. A “mind map” I created to illustrate the apparent relationships between various addresses and pseudonyms referenced in this story.
THE LEGALITY OF LEAKEDSOURCE
On the surface, the rationale that LeakedSource’s proprietors have used to justify their service may seem somewhat reasonable: The service merely catalogs information that is already stolen from companies and that has been leaked in some form online. But legal experts I spoke with saw things differently, saying LeakedSource’s owners could face criminal charges if prosecutors could show LeakedSource intended for the passwords that are for sale on the site to be used in the furtherance of a crime. 
Orin Kerr, director of the Cybersecurity Law Initiative at The George Washington University, said trafficking in passwords is clearly a crime under the Computer Fraud and Abuse Act (CFAA). Specifically, Section A6 of the CFAA, which makes it a crime to “knowingly and with intent to defraud traffic in any password or similar information through which a computer may be accessed without authorization, if…such trafficking affects interstate or foreign commerce.” “CFAA quite clearly punishes password trafficking,” Kerr said. “The statute says the [accused] must be trafficking in passwords knowingly and with intent to defraud, or trying to further unauthorized access.” Judith Germano, a senior fellow at the Center on Law and Security at New York University’s School of Law, said LeakedSource might have a veneer of legitimacy if it made an effort to check whether users already have access to the accounts for which they’re seeking passwords. “If they’re not properly verifying that when the user goes to the site to get passwords then I think that’s where their mask of credibility falls,” Germano said. LeakedSource may be culpable also because at one point the site offered to crack hashed or encrypted passwords for a fee. In addition, it seems clear that the people who ran the service also advocated the use of stolen passwords for financial gain. Source link: https://krebsonsecurity.com/2017/02/who-ran-leakedsource-com/ Chinese translation: http://www.freebuf.com/articles/web/127544.html","categories":[],"tags":[]}]}