Wednesday, February 08, 2017

Ahhh 10Gbps

That feeling when you see the green light on the 10Gbps switch?

https://www.youtube.com/watch?v=2zNSgSzhBfM

Then you see the 40 second builds and, wow, all worth the $4k for the upgrades. Builds are mostly time spent downloading source and uploading artifacts. That 2 minute build down to 40 seconds is priceless.


Monday, February 06, 2017

Western Digital and IP 78.137.100.54

We have an RX4100 and a DX400 series Sentinel device in two separate networks. Every week I get an IPS hit on 78.137.100.54 for a buffer overflow:

Watchguard IPS Notice

I've ignored this in the past because I couldn't find much information about it. Plus, the IPS is denying it, so I didn't pay much attention to it.

Today, though, I dug a little bit deeper. Turns out 78.137.100.54 is Star Wind, which is a virtual storage software provider (in Germany).

https://www.starwindsoftware.com/

I couldn't find the offending header that was triggering the IPS. We don't track that level of detail in the IPS detection, unfortunately. That would be a nice thing to have.

Why the WD devices are contacting StarWind on a weekly basis is unknown to me. I don't recall any disclosures about that activity when I bought these devices.

We're retiring that RX4100 soon. Its network cards always go offline for no apparent reason. Other IT people have reported a similar experience with the RX4100. That usually happens at night, which is no big deal, but sometimes it happens at the start of the business day. That's happened enough times to warrant immediate retirement.

We've purchased a Synology to replace it. Hopefully the Synology doesn't make unexpected outbound connections to a German ISV.

Friday, February 03, 2017

YMLP vs AWeber

Aweber was easy to block because it had well defined block ranges. They play nice, but at the cost of being easily identified.

YMLP was a little bit harder, but a Google search for YMLPUF and you get to see the inside world of their spamming campaigns. Once there, you just look up smtp15.ymlpsrvr.com and get the netblock of their Belgian servers (185.83.48.0/22). Done.

I still like you guys. I just don't want to get your spam. That German list observer you are using, though, is pretty darn clever. That one I won't share, except to those of the close inner circle.

Haven't found the ad network block for YMLP though, so that's different than AWeber.

Next time, Madison Lee, use gmail instead.

Tuesday, January 24, 2017

Formerly Known As ...

You know my name. I have a new name now. It's not as cool as Prince's new name, when he changed it. No, it's not cool. It's random:

397970A0A6ACAF240351AC3AFB833ACB

I see you using this. I see where you call home too.


The splunk query for this was another fun exercise in 'rex' (the named capture groups are shown here with the placeholder names src_ip and dst_ip):

"397970A0A6ACAF240351AC3AFB833ACB" | rex field=_raw ".tcp\s(?<src_ip>\d{0,3}\.\d{0,3}\.\d{0,3}\.\d{0,3})\s(?<dst_ip>\d{0,3}\.\d{0,3}\.\d{0,3}\.\d{0,3})."

Splunk is so much fun. I bought the next 1 Gig indexer add-on for my splunk. I see you pushing activity and driving my 1 gig threshold out of orbit.
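The same extraction, done outside Splunk, as an added example that is not from the blog: a Python regex with two named captures pulls the source and destination addresses out of every raw event that carries the identifier, then counts where the traffic is going (the "where you call home" question). The log lines are constructed and only guess at the "tcp <src> <dst>" shape the author's rex was matching; the octet pattern uses {1,3} instead of the post's {0,3}, since an empty octet is never a valid address.

```python
import re
from collections import Counter

# Constructed sample firewall events (not from the blog). The shape
# "... tcp <src> <dst> ..." with the identifier in the raw text is an assumption.
MARKER = "397970A0A6ACAF240351AC3AFB833ACB"
SAMPLE_LOGS = [
    'Jan 24 10:01:02 fw1 tcp 10.0.1.25 203.0.113.9 52341 443 id=397970A0A6ACAF240351AC3AFB833ACB',
    'Jan 24 10:03:17 fw1 tcp 10.0.1.40 203.0.113.9 52818 443 id=397970A0A6ACAF240351AC3AFB833ACB',
    'Jan 24 10:09:44 fw1 tcp 10.0.1.25 198.51.100.7 53002 80 id=397970A0A6ACAF240351AC3AFB833ACB',
    'Jan 24 10:10:01 fw1 udp 10.0.1.25 192.0.2.53 40112 53 id=397970A0A6ACAF240351AC3AFB833ACB',
    'Jan 24 10:12:30 fw1 tcp 10.0.1.77 203.0.113.9 53390 443 id=0000000000000000000000000000FFFF',
]

# One dotted quad; {1,3} rather than {0,3} so an empty octet cannot match.
OCTETS = r'\d{1,3}(?:\.\d{1,3}){3}'
# Python equivalent of the rex: two named captures for the addresses after "tcp".
FLOW_RE = re.compile(rf'\btcp\s(?P<src_ip>{OCTETS})\s(?P<dst_ip>{OCTETS})\b')


def extract_flows(lines, marker=MARKER):
    """Return (src_ip, dst_ip) pairs for every line that carries the marker
    and matches the TCP flow pattern; all other lines are skipped."""
    flows = []
    for line in lines:
        if marker not in line:
            continue
        match = FLOW_RE.search(line)
        if match:
            flows.append((match.group('src_ip'), match.group('dst_ip')))
    return flows


def call_home_destinations(lines, marker=MARKER):
    """Count contacts per destination: the '| stats count by dst_ip'
    that would normally follow the rex in Splunk."""
    return Counter(dst for _, dst in extract_flows(lines, marker))


if __name__ == '__main__':
    for dst, n in call_home_destinations(SAMPLE_LOGS).most_common():
        print(f'{dst:16} {n}')
```

The UDP line carries the identifier but is deliberately not matched, and the last line has the right shape but a different identifier; a practical filter needs both conditions, otherwise unrelated flows inflate the count.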

Being able to aggregate logs across disparate sources is a huge advantage. I still have to figure out what to look for, but when I do, then I can quickly see trends.

I've blocked about 99% of advertising in my perimeter. Someone tried to send me some aweber links, which was funny. Those will never work. My family hates that I block advertising because they have to actively search on known sites to find products instead of clicking random paid-links on google. Yeah. I care.

Watchguard has that Dimension product, which is super cool. I like that product, but it's only a trunk aggregator. There is so much more interesting data in the veins and capillaries of the network. The trunk is where you find the Mack trucks and buses. What you really want to find are the little VW bugs squeaking through the capillaries. *honk* *honk*

Monday, January 16, 2017

Talking To The Future

We are able to talk to our children, not as they are today, but tomorrow. Google, Microsoft, Alexa and Amazon, whatever search engine out there, the data of the web is being archived in permanence. In 30 years this blog will be searchable as an archive. My children will be able to read it and glimpse into their father's present, a time that is their present.

Today also marks the day that I realized how to do this. How to communicate "privately" with them. Just know that you will be able to communicate, one-way, with your kids by publishing messages to them in a blog. Just keep the blog active.

If you see wacky messages on this blog then you will see me communicating with the future. I know they are reading them.


Friday, January 13, 2017

Knock Knock

There was a girl, her name was Lucy. She was a samurai.


Although, my favorite Deep Purple is Hush:


Wednesday, December 14, 2016

Joined #TOKUGAWA

The first track-back (reversal) I did was on some Japanese hackers who staged out of South America. Here's an excerpt from the log of the server they attacked:

200.165.33.242 - - [18/Jun/2006:19:16:50 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 51
200.165.33.242 - - [18/Jun/2006:20:32:28 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 62
200.165.33.242 - - [18/Jun/2006:20:32:34 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 6568
200.165.33.242 - - [18/Jun/2006:20:33:04 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 34
200.165.33.242 - - [18/Jun/2006:20:33:08 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 6564
200.165.33.242 - - [18/Jun/2006:20:33:14 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 34
200.165.33.242 - - [18/Jun/2006:20:33:19 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 6574
200.165.33.242 - - [18/Jun/2006:20:33:25 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 34
200.165.33.242 - - [18/Jun/2006:20:34:00 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 34
200.165.33.242 - - [18/Jun/2006:20:34:16 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 34
200.165.33.242 - - [18/Jun/2006:20:34:32 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 34
200.165.33.242 - - [18/Jun/2006:20:34:36 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 56
(***) 200.165.33.242 - - [18/Jun/2006:20:34:43 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 34
(***) 200.165.33.242 - - [18/Jun/2006:20:34:59 -0500] "GET /cartaoUOL/ HTTP/1.1" 200 43611
200.165.33.242 - - [18/Jun/2006:20:35:24 -0500] "GET /cartaoUOL/ HTTP/1.1" 200 43611
200.165.33.242 - - [18/Jun/2006:20:35:41 -0500] "GET /cartaoUOL/ HTTP/1.1" 200 43611
200.165.33.242 - - [18/Jun/2006:20:39:47 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 62
200.165.33.242 - - [18/Jun/2006:20:39:55 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 6574
200.165.33.242 - - [18/Jun/2006:20:40:00 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 52
200.165.33.242 - - [18/Jun/2006:20:40:09 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 34
200.165.33.242 - - [18/Jun/2006:21:07:48 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 62
200.165.33.242 - - [18/Jun/2006:21:08:25 -0500] "GET /cartaoUOL/ HTTP/1.1" 404 133
Note the tell-tale "ikonboard", which in 2006 had all sorts of security problems. What you should immediately see in this listing is the test of "cartaoUOL" with a 404, then some CGI work, then suddenly "cartaoUOL" exists. That was the start of the exploit.
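The "404, then CGI work, then the path exists" pattern is mechanical enough to hunt for in bulk. As an added example (not from the blog), this Python parser reads lines in the common log format shown above, groups them per client, and reports any path that returned 404 and later 200 from the same client with at least one request under /cgi-bin/ in between. The sample log is constructed in the excerpt's format and ordered as the post describes; the 198.51.100.4 client is a deliberate negative case, a 404 followed by a 200 with no CGI activity, which is what normal content publishing looks like.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/NCSA common log format, as in the excerpt.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample (modelled on the excerpt's format, not copied from it).
SAMPLE_LOG = """\
200.165.33.242 - - [18/Jun/2006:19:16:50 -0500] "GET /cartaoUOL/ HTTP/1.1" 404 133
200.165.33.242 - - [18/Jun/2006:19:17:10 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 6568
200.165.33.242 - - [18/Jun/2006:19:17:40 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 34
200.165.33.242 - - [18/Jun/2006:19:18:05 -0500] "GET /cartaoUOL/ HTTP/1.1" 200 43611
198.51.100.4 - - [18/Jun/2006:19:20:00 -0500] "GET /index.html HTTP/1.1" 200 1200
198.51.100.4 - - [18/Jun/2006:19:20:05 -0500] "GET /missing.html HTTP/1.1" 404 133
198.51.100.4 - - [18/Jun/2006:19:21:00 -0500] "GET /missing.html HTTP/1.1" 200 880
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return rec


def find_appeared_paths(lines, cgi_prefix='/cgi-bin/'):
    """Per client, report paths that answered 404 and later 200 with at least one
    request under cgi_prefix from that client in between.
    Returns a list of (client_ip, path, first_404_time, first_200_time)."""
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_client[rec['ip']].append(rec)

    findings = []
    for ip, recs in by_client.items():
        recs.sort(key=lambda r: r['ts'])
        cgi_times = [r['ts'] for r in recs if r['path'].startswith(cgi_prefix)]
        first_404 = {}
        for r in recs:
            if r['status'] == 404:
                first_404.setdefault(r['path'], r['ts'])
            elif r['status'] == 200 and r['path'] in first_404:
                t404 = first_404.pop(r['path'])  # report each path once
                if any(t404 <= t <= r['ts'] for t in cgi_times):
                    findings.append((ip, r['path'], t404, r['ts']))
    return findings


if __name__ == '__main__':
    for ip, path, t404, t200 in find_appeared_paths(SAMPLE_LOG.splitlines()):
        print(f'{ip} {path}: 404 at {t404:%H:%M:%S}, 200 at {t200:%H:%M:%S}')
```

Run it against a real access log with `find_appeared_paths(open(path).readlines())`; on a busy site, narrow `cgi_prefix` to the scripts you actually know to be old, otherwise any deploy that publishes a page after a CGI hit will be reported.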

They went on to add their IRC bot for the C&C and start exploring the file system. They defaced the web site and caused all sorts of embarrassment. Their target was an athletic association that helped kids. Way to go h4x0r! 1337 skillz with milkshakes.

200.165.33.242 - that's a Brazilian IP, naked just like a brazilian. The IRC bot called back to irc.irchighway.net and connected to the #TOKUGAWA room. There it looked like the bot was trying to upload some 30MB file:

** 2005-11-08-20:38:29: DCC Send Accepted from Named: [animesquest]_imyme01.rm (30622KB)
** 2005-11-08-20:38:29: Upload Connection Established
** 2005-11-08-20:38:32: Upload: Connection closed: Connection Lost

All of this was happening on:

** 2005-11-08-20:37:55: NOTICE: :Named!named@76b3cfb.3d716d1f.telesp.net.br NOTICE TK|Sasuke :DCC Chat (200.158.244.210)

200.158.244.210 was also Brazil. It's Telefonica now.

The ISP hosting the site ran a scan of the virtual host and found some compromised files. 

www/cgi-bin/
  bindz : Backdoor.Trojan
  php : replacement script for PHP executable
  sn : unknown script/executable
  sitevars : help script
www/
  new.cmd : Infostealer.Bancos

They were able to do this because the web process was running elevated and had permission to write over itself. Something more common in 2005 than in 2016, thankfully.
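A web process that can write over its own document root and cgi-bin is the condition that let those files land. The audit below is an added example, not the blog's or the ISP's tooling: it walks a document root and lists every file or directory whose permission bits let a given uid/gid write to it, judging by mode and ownership alone (no ACLs, no root override), so it can run as any user. `demo()` builds a constructed tree in a temporary directory and audits it as a hypothetical web-server account that owns nothing in it.

```python
import os
import shutil
import stat
import tempfile


def writable_by(mode, file_uid, file_gid, uid, gid):
    """Decide from permission bits alone whether (uid, gid) may write the file.
    Ignores root, ACLs and capabilities on purpose: this audits configuration,
    it does not emulate the kernel's access check."""
    if file_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid == gid:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def find_web_writable(docroot, uid, gid):
    """Return paths (relative to docroot) that the given uid/gid could write.
    Symlinks are skipped; a writable directory is reported because new files
    (a dropped CGI, a replaced script) can be created in it."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if writable_by(st.st_mode, st.st_uid, st.st_gid, uid, gid):
                hits.append(os.path.relpath(path, docroot))
    return sorted(hits)


def demo():
    """Build a constructed document root in a temp dir and audit it as a
    hypothetical web-server account (uid/gid chosen so it owns none of the files)."""
    root = tempfile.mkdtemp(prefix='docroot-')
    try:
        os.makedirs(os.path.join(root, 'cgi-bin'))
        os.makedirs(os.path.join(root, 'uploads'))
        layout = [
            ('cgi-bin', 0o755),            # scripts live here; must not be writable
            ('uploads', 0o777),            # world-writable: the finding we want
            ('cgi-bin/board.cgi', 0o755),
            ('index.html', 0o644),
            ('uploads/avatar.png', 0o666), # world-writable file
        ]
        for rel, mode in layout:
            path = os.path.join(root, rel)
            if not os.path.isdir(path):
                with open(path, 'w') as fh:
                    fh.write('x')
            os.chmod(path, mode)
        web_uid, web_gid = os.getuid() + 1, os.getgid() + 1
        return find_web_writable(root, web_uid, web_gid)
    finally:
        shutil.rmtree(root)


if __name__ == '__main__':
    for rel in demo():
        print('writable by web account:', rel)
```

On a real host, call `find_web_writable('/var/www', uid, gid)` with the web server's actual account (look it up with `pwd.getpwnam`); anything under cgi-bin that shows up is the 2005 situation described above.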

They left their "snarf.c" and its compiled executable. Mostly these were amateur hackers who were just experimenting with a site that was very poorly secured. I remember digging into their IRC traffic and finding some IRC logs published on the internet. That's where I learned that they were Japanese and had been using another relay "jump" node out of Uruguay. I don't have records on that anymore.

The owners of those IP addresses back in 2006:

inetnum: 201.14/16
aut-num: AS8167
abuse-c: BTA17
owner: Brasil Telecom S/A - Filial Distrito Federal
ownerid: 076.535.764/0326-90
responsible: Brasil Telecom S. A. - CNRS
address: SEPS 702/092 Cj. B - Bl B 3 andar Gen. Alencastro, S/N,
address: 70390-025 - Brasilia - DF

inetnum: 200.165/16
aut-num: AS7738
abuse-c: CGR13
owner: Telemar Norte Leste S.A.
ownerid: 002.558.134/0001-58
responsible: Marlemar Telgon
address: Rua Humberto de Campos, 425, 7º andar
address: 22430-190 - Rio de Janeiro - RJ