Skip to main content

Joined #TOKUGAWA

The first track-back (reversal) I did was on some Japanese hackers who staged out of South America. Here's an excerpt from the log of the server they attacked:

200.165.33.242 - - [18/Jun/2006:19:16:50 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 51
200.165.33.242 - - [18/Jun/2006:20:32:28 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 62
200.165.33.242 - - [18/Jun/2006:20:32:34 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 6568
200.165.33.242 - - [18/Jun/2006:20:33:04 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 34
200.165.33.242 - - [18/Jun/2006:20:33:08 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 6564
200.165.33.242 - - [18/Jun/2006:20:33:14 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 34
200.165.33.242 - - [18/Jun/2006:20:33:19 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 6574
200.165.33.242 - - [18/Jun/2006:20:33:25 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 34
200.165.33.242 - - [18/Jun/2006:20:34:00 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 34
200.165.33.242 - - [18/Jun/2006:20:34:16 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 34
200.165.33.242 - - [18/Jun/2006:20:34:32 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 34
200.165.33.242 - - [18/Jun/2006:20:34:36 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 56
(***) 200.165.33.242 - - [18/Jun/2006:20:34:43 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 34
(***) 200.165.33.242 - - [18/Jun/2006:20:34:59 -0500] "GET /cartaoUOL/ HTTP/1.1" 200 43611

200.165.33.242 - - [18/Jun/2006:20:35:24 -0500] "GET /cartaoUOL/ HTTP/1.1" 200 43611
200.165.33.242 - - [18/Jun/2006:20:35:41 -0500] "GET /cartaoUOL/ HTTP/1.1" 200 43611
200.165.33.242 - - [18/Jun/2006:20:39:47 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 62
200.165.33.242 - - [18/Jun/2006:20:39:55 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 6574
200.165.33.242 - - [18/Jun/2006:20:40:00 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 52
200.165.33.242 - - [18/Jun/2006:20:40:09 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 34
200.165.33.242 - - [18/Jun/2006:21:07:48 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 62
200.165.33.242 - - [18/Jun/2006:21:08:25 -0500] "GET /cartaoUOL/ HTTP/1.1" 404 133

Note the tell-tale "ikonboard" which in 2006 had all sorts of security problems. What you should immediately see in this listing is the test of "cartaoUOL" with a 404, then some CGI work, then suddenly "cartaUOL" exists. That was the start of the exploit.

They went on to add their IRC bot for the C&C and start exploring the file system. They defaced the web site and caused all sorts of embarrassment. Their target was an athletic association that helped kids. Way to go h4x0r! 1337 skillz with milkshakes.

200.165.33.242 - that's a Brazilian IP, naked just like a brazilian. The IRC bot called back to irc.irchighway.net and connected to the #TOKUGAWA room. There it looked like the bot was trying to upload some 30MB file:

** 2005-11-08-20:38:29: DCC Send Accepted from Named: [animesquest]_imyme01.rm (30622KB)
** 2005-11-08-20:38:29: Upload Connection Established
** 2005-11-08-20:38:32: Upload: Connection closed: Connection Lost

All of this was happening on:

** 2005-11-08-20:37:55: NOTICE: :Named!named@76b3cfb.3d716d1f.telesp.net.br NOTICE TK|Sasuke :DCC Chat (200.158.244.210)

200.158.244.210 was also Brazil. It's Telefonica now.

The ISP hosting the site ran a scan of the virtual host and found some compromised files. 

www/cgi-bin/
bindz : Backdoor.Trojan
php : replacement script for PHP executable
sn : unknown script/executable
sitevars : help script
www/
new.cmd : Infostealer.Bancos

They were able to do this because the web process was running elevated and had permission to write over itself. Something more common in 2005 than in 2016, thankfully.

They left their "snarf.c" and its compiled executable. Mostly these were amateur hackers who were just experimenting with a site that was very unsecured. I remember digging into their irc traffic and finding some irc logs published on the internet. That's where I learned that they were Japanese and had been using another relay "jump" node out of Uruguay. I don't have records on that anymore.

The owners of those IP addresses back in 2006:

inetnum: 201.14/16
aut-num: AS8167
abuse-c: BTA17
owner: Brasil Telecom S/A - Filial Distrito Federal
ownerid: 076.535.764/0326-90
responsible: Brasil Telecom S. A. - CNRS
address: SEPS 702/092 Cj. B - Bl B 3 andar Gen. Alencastro, S/N,
address: 70390-025 - Brasilia - DF

inetnum: 200.165/16
aut-num: AS7738
abuse-c: CGR13
owner: Telemar Norte Leste S.A.
ownerid: 002.558.134/0001-58
responsible: Marlemar Telgon
address: Rua Humberto de Campos, 425, 7ยบ andar
address: 22430-190 - Rio de Janeiro - RJ


Popular posts from this blog

Clustered Foolishness

I had morning coffee with a well respected friend of mine recently. Aside from chatting about the usual wifery and family, we touched on the subject of clustered indices and SQL Server performance. A common misconception in the software industry is that a clustered index will make your database queries faster. In fact, most cases will demonstrate the polar opposite of this assumption. The reason for this misconception is a misunderstanding of how the clustered index works in any database server. A clustered index is a node clustering of records that share a common index value. When you decide on an index strategy for your data, you must consider the range of data to be indexed. Remember back to your data structures classes and what you were taught about hashtable optimizations. A hashtable, which is another way of saying a database index, is just a table of N values that organizes a set of M records in quickly accessible lists that are of order L, where L is significantly less than M. ...
Read more

Deadly Information

Remember back to 2006 when a young girl killed herself [1] , [4] after being tricked and harassed by a faux boy she found on the Web using MySpace. The trial against the faux boy, an adult woman (Lori Drew), did not result in prosecution for the death of Megan, much to the dismay of many.  Yet, today we read about another trial where someone is being accused of second degree murder because they may have mentioned something slanderous about another person who was later killed by a hit man [2] . In this case, though, the person on trial is a former FBI agent who was working deep cover to infiltrate organized crime. In both cases, someone released information to third parties that resulted in the death of another person.  Neither defendant in either of these cases actually committed the act of murder, though. In the case of the FBI agent, though, the murder charge is being taken seriously. Yet, in the MySpace slander case, the murder charge was not taken seriously. How are t...
Read more

Faster Climate Change

CNN reports that a WWF study has found that global climate change is happening faster than predicted in 2007 and that there will not be any arctic ice by 2013, or 2040. [1] Then it goes on to say that global sea level will increase by 1.08 meters by the end of the century, which is 2100, 92 years from now. Quite honestly, nobody really cares what is going to happen to the planet in 98 years. Why? Because in 98 years we (as humans) will either: (1) Obliterate ourselves because God told us to do it. (2) Eat eachother because there will no longer be any land available to grow crops and sustain living quarters for our 50 billion people. (3) Suffocate because our planet will no longer smell nice thanks to 50 billion people producing lots of solid waste in our oceans. (4) Leave the planet because there will no longer be enough fresh water to sustain our lives. Wait a minute. Consider (4) for a moment. Where can we get an abundance of fresh water TODAY? Anyone? Yeah, the arctic! It's goin...
Read more