Saiweb » Uncategorized

Name and shame volume 1 82.98.131.66

Buzz — Tue, 12 Jul 2011 09:00:49 +0000

So I’ve decided to start some name and shame posts for “naughty” ip’s that trip an ids, turn up in my log audits etc … and who are woefully ill prepared …

Dear 82.98.131.66,

This post is for you, I’m not sure what you hope to gain by failing repeatedly to gain access to this blog (god knows I hardly have time to update it …) but doing it from a host with all your ports open probably not the best idea in the world, so here’s some information on you.

And for anyone else reading this, I usually end up ignoring the standard user enumeration and brute force attacks (As the offender get blacklisted very quickly), in this case however it was a targeted attempt …

Your ISP’s whois

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43

inetnum: 82.98.128.0 - 82.98.143.255
netname: DINA-HOSTING1
descr: PROVIDER Local Registry
descr: Dinahosting S.L.
country: ES
admin-c: RB1624-RIPE
tech-c: EP2912-RIPE
status: ASSIGNED PA
mnt-by: DINAHOSTING-MNT
mnt-lower: DINAHOSTING-MNT
mnt-routes: DINAHOSTING-MNT
source: RIPE # Filtered

person: Ruben Bouso
address: Rua das Salvadas, 41
15705 - Santiago de Compostela
Spain
phone: +34900854000
fax-no: +34981577449
e-mail: HIDDEN EMAIL
nic-hdl: RB1624-RIPE
mnt-by: DINAHOSTING-MNT
source: RIPE # Filtered

person: Eladio Perez
address: Rua das Salvadas, 41
15705 - Santiago de Compostela
Spain
phone: +34 900854000
e-mail: HIDDEN EMAIL
nic-hdl: EP2912-RIPE
mnt-by: DINAHOSTING-MNT
source: RIPE # Filtered

% Information related to '82.98.128.0/18AS42612'

route: 82.98.128.0/18
descr: First Dinahosting S.L. prefix
origin: AS42612
mnt-by: DINAHOSTING-MNT
mnt-lower: DINAHOSTING-MNT
mnt-routes: DINAHOSTING-MNT
source: RIPE # Filtered

Log of you attempting to get access to ftp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

Jun 12 20:02:45 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=15007 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 12 20:02:45 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=15008 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=92 RES=0x00 ACK URGP=0
Jun 12 20:02:45 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=15009 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=92 RES=0x00 ACK URGP=0
Jun 12 20:02:45 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=65 TOS=0x00 PREC=0x00 TTL=56 ID=15010 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=92 RES=0x00 ACK PSH URGP=0
Jun 12 20:02:45 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=65 TOS=0x00 PREC=0x00 TTL=56 ID=15011 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=92 RES=0x00 ACK PSH URGP=0
Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=58 TOS=0x00 PREC=0x00 TTL=56 ID=15012 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=92 RES=0x00 ACK PSH URGP=0
Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=15013 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=92 RES=0x00 ACK FIN URGP=0
Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=48056 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=15014 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=92 RES=0x00 ACK URGP=0
Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=48057 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=92 RES=0x00 ACK URGP=0
Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=48058 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=92 RES=0x00 ACK URGP=0
Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=65 TOS=0x00 PREC=0x00 TTL=56 ID=48059 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=92 RES=0x00 ACK PSH URGP=0
Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=69 TOS=0x00 PREC=0x00 TTL=56 ID=48060 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=92 RES=0x00 ACK PSH URGP=0
Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=58 TOS=0x00 PREC=0x00 TTL=56 ID=48061 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=92 RES=0x00 ACK PSH URGP=0
Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=48062 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=92 RES=0x00 ACK FIN URGP=0
Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=18719 DF PROTO=TCP SPT=58295 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=48063 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=92 RES=0x00 ACK URGP=0
Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=18720 DF PROTO=TCP SPT=58295 DPT=21 WINDOW=92 RES=0x00 ACK URGP=0
Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=18721 DF PROTO=TCP SPT=58295 DPT=21 WINDOW=92 RES=0x00 ACK URGP=0
Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=69 TOS=0x00 PREC=0x00 TTL=56 ID=18722 DF PROTO=TCP SPT=58295 DPT=21 WINDOW=92 RES=0x00 ACK PSH URGP=0
Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=65 TOS=0x00 PREC=0x00 TTL=56 ID=18723 DF PROTO=TCP SPT=58295 DPT=21 WINDOW=92 RES=0x00 ACK PSH URGP=0
Jun 12 20:02:52 132 fail2ban.actions: WARNING [vsftpd-iptables] Ban 82.98.131.66
Jun 12 20:32:53 132 fail2ban.actions: WARNING [vsftpd-iptables] Unban 82.98.131.66
...
Jun 12 20:02:46 132 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=saiweb rhost=hl45.dinaserver.com user=saiweb
Jun 12 20:02:48 132 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=saiweb rhost=hl45.dinaserver.com user=saiweb
Jun 12 20:02:51 132 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=saiwebcouk rhost=hl45.dinaserver.com
...

Can anyone say firewall?

1
2
3
4
5
6
7
8
9
10

21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
587/tcp open submission
3306/tcp open mysql

You need to read this NOW!

1
2
3
4

Server: Apache/2.2.0 (Fedora) PHP/5.2.9 with Suhosin-Patch
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1

Debian? seriously?

1	SSH-2.0-OpenSSH_5.1p1 Debian-5

mySQL seems recent at least

1	5.1.32-log?yV!>VvoI?^~"(D\$::QjC^C

For the moment I am assuming a compromised box quiet why you wanted to come after this blog is beyond me.

12/06/2011 – This blog written and evidence sent to ISP
12/07/2011 – The Scheduled publication for this post

WordPress Flowplayer subject of a study

Buzz — Thu, 04 Feb 2010 11:40:02 +0000

I was a bit taken back today after stumbling across this pdf by Dr. Wolf-Fritz Riekert http://share.ieservices.de/downloads/documents/Wordpress_Flowplayer_Plugin_pash-m_recent_version.pdf

Google translated version

Seems my plugin and the code therein has been the subject of a study, after perusing the google translation of the document I can see some very interesting concepts on how to improve the plugins integration with wordpress itself, I have sent an email Dr. Wolf-Fritz Riekert, asking if I can take his concepts and apply them to my code, so have a read and check back for version 2.1.0.0 soon,

Also of note the authors at Flowplayer.org have also granted me permission to use the latest verison of flowplayer, this will be rolled into 2.1.0.0

Remember to request features please use my Trac system.

Update:Dr. Wolf-Fritz Riekert has gotten back to me, this study is in fact the work of a group of students, the project leader of which was Martin Wörz, of ieservices.de, I’ll be liaising with him over the concepts in the study.

/bin/sh: bad interpreter

Buzz — Mon, 01 Feb 2010 11:41:58 +0000

For security newer distros of RHEL and their derivatives an mounting /tmp with the noexec option.

Now if you have ever had to clean up a compromised web app you can see why this makes a lot of sense, and if not here’s a quick example.

Yours/Clients web app becomes compromised, running kernel has a buffer overflow that can lead to privilege escalation, attack writes out their code and compiles in /tmp, then runs said app from /tmp creating a pseudo root level shell, aka you’ve just been root kitted.

However there are legitimate reasons for using /tmp to compile, well I say legitimate, what I in fact mean is things like pecl, which you use to install extensions like APC require this …

workaround:

1	export TMPDIR='/a/paTh/your/user/can/write/to'

Failing that:

service httpd stop

DO NOT ALLOW ANY WEBAPP ACCESS WHILE NOEXEC IS IN USE!

1
2
3

mount -o,remount,rw,exec /tmp
pecl install apc
mount -o,remount,rw,noexec /tmp

DO NOT REMOVE THE NOEXEC OPTION IN /ETC/FSTAB PERMANENTLY YOU WILL REGRET DOING SOTweet

Apache 2.2.3 dual extention vulnerability

Buzz — Tue, 05 Jan 2010 11:33:17 +0000

Redhat bug 537535

Take for instance this code saved as test.php.png

1
2
3

print_r($_POST);
?>

Low and behold this will render out the entire post array! and will interpret the php itself, now lets be clear here the proper use of selinux and directory structures to prevent UGC from being allowed to be access directly and / or run arbitrary code would of prevented this, however as is often the case the setup is such that the preventative conditions could not / are not deployed.

At any rate this bug comes courtesy of the apache AddHandler directive,

1	AddHandler x-httpd-php .php

The statement above seems to ‘loose’ match the .php extension meaning a file simply only contain .php anywhere in it’s filename to be interpreted as PHP.

The suggested work around for this is as follows:

1
2
3
4
5

#Workaround for bug here: https://bugzilla.redhat.com/show_bug.cgi?id=537535
<FilesMatch \.php$>
SetHandler x-httpd-php
ForceType text/html
FilesMatch>

Note this does not effect the AddType directive, after testing on the same version using:

1	AddType application/x-httpd-php .php

Is not effected by this ‘bug’.

blocked by spambag.org

Buzz — Fri, 10 Jul 2009 15:45:40 +0000

spambag.org domain appears to have not been renewed as such it is sat at a generic ‘adverts’ placeholder.

This does mean that RBL lookups against blacklist.spambag.org are returning as a ‘false positive’, (similar to the ORDB issue)

If you are concerned about being listed on some RBL’s then get a copy of my sysadmin script here at the time of writing the ‘rblcheck’ function checks 27 RBL’s.

Jing PRO MP4 quality issue

Buzz — Thu, 08 Jan 2009 13:55:52 +0000

Ok I purchased Jing PRO to do some more video posts to saiweb … unfortunately the MP4 quality is lack luster.

To be honest I’d rather have a large size MP4 I can run through my own encode (i.e. FFMPEG) and get the quality I want …

Off goes the email to support … wooo ….

NOTE: You may have to watch the vid in fullscreen to view it properly, I have scaled the player down to fit the blog page width.Tweet

Flowplayer WordPress 2.0.1.0

Buzz — Wed, 07 Jan 2009 10:36:35 +0000

Completion of the milestone listed here: http://trac.saiweb.co.uk/saiweb/milestone/wordpress-flowplayer%202.0.1.0

Means 2.0.1.0 has now been released, so go update and give it a run

I have noticed that wordpress has a habit of setting incorrect file permissions on the config file after updating, if you also run into this issue let me know.Tweet

Last Day of Voting!

Buzz — Tue, 25 Nov 2008 11:07:25 +0000

Today is the last day for votes, so please see the blog entry here: http://www.saiweb.co.uk/general/vote-buzz-for-it-superhero-2008 and vote!

Cheers

buzzTweet

One eclipse to rule them all, One eclipse to find them, One eclipse to bring them all, and in dev joy bind them …

Buzz — Fri, 31 Oct 2008 10:04:30 +0000

So … LoTR was obviously on TV a few days ago …

Onto the point, at the moment I am maintaining 2 different installations of eclipse … one for PHP, C++.

Wouldn’t it be great if I could have both of these in one happy installation? … Yeh it would however getting all the dependencies is an utter nightmare … unless you have a program do it for you.

Long story short: http://ondemand.yoxos.com/geteclipse/start

Customize your eclipse before you download it.

(Thanks Austin!)
Tweet

Lowell Portfolio 1 Ltd

Buzz — Tue, 09 Sep 2008 10:48:20 +0000

UPDATE 26/07/09 —–

READ THIS BEFORE POSTING A COMMENT OR SENDING AN EMAIL

THIS PAGE IS PROVIDED FREELY WITH INFORMATION ON HOW TO DISPUTE THE CLAIM AGAINST YOU

THIS PAGE IS NOT A REPLACEMENT FOR PROPER LEGAL ADVISE

THIS SITE IS IN NO WAY PRESENTLY, NOR EVER HAS BEEN AFFILIATED IN ANY WAY WITH LOWELL PORTFOLIO

Sorry for the excessive use of bold and caps, however some people just are not getting the message, and I am getting emails / comments (some with very colourful language I might add) from people thinking this is Lowells website … it is not now was it ever nor will it ever be, this POST was made because I am in the same “boat” as you disputing my claim

— Update 05/01/2009, seems people are not getting the message so I have made this text bright red

END UPDATE 26/07/09 —–

UPDATE 18/02/2011: I am now getting several emails a week from people who are not reading the header of this post,

I will start a “wall of shame” for those people very shortly, DO NOT be among them …

I hate scam artists … the latest today comes as “Lowell Portfolio”, apparently these guys bulk buy “bad debts” in the hope of scaring the unlucky sod that is their target into paying them without question, 99% of the time these debts don’t actualy exist …

Well I’m having none of it …

First things first DO NOT TELEPHONE THEM, they will try to extract personal information from you, and attempt you get you to admit to the debt.
Keep and file any letter from them as evidence.
If they do telephone you demand everything in writing and hang up, at no point admit to the debt, it is down to them to provide evidence of the debt, an admission on your part absolves them of any “burden of proof”
As posted here: http://www.moneysupermarket.com/COMMUNITY/forums/t/lowell-portfolio-1-16516.aspx by boyboynova respons with the following template letter RECORDED DELIVERY.

Response template:

To Whom It May Concern:

Your Reference: xxxx

I DO NOT ACKNOWLEDGE ANY DEBT TO YOUR COMPANY

With reference to the above account, I request that you send me a true copy of this credit agreement before I will correspond further on this matter.

This is my right under the legislation contained within section 77 (1) and section 78 (1) of the Consumer Credit Act 1974, and I am entitled to receive a copy of my credit agreement on request.

Your obligation also extends to providing me with a statement of account. I enclose a £1
postal order, which represents payment of the statutory fee payable under the Consumer Credit Act.

I understand that a copy of my credit agreement should be supplied within 12 working days from the date of this letter.

I understand that under the Consumer Credit Act, creditors are unable to enforce an agreement if they fail to comply with a request for a copy of the agreement under these sections of the Act.

Also, since you are a Debt Collection Agency, I would also ask that you supply a signed true copy of the executed deed of assignment for the above referenced agreement.

This is an obligation, whether you are the original creditor or not, under section 189 of the Consumer Credit Act 1974.

Non-compliance with my request is a criminal offence under the above Act and will result in a report being submitted to the relevant statutory authorities.
In summary,

I DO NOT ACKNOWLEDGE THIS DEBT AND THEREFORE REQUIRE YOU TO SUBSTANTIATE THIS BY PROVIDING THE FOLLOWING DOCUMENTATION BEFORE I CORRESPOND FURTHER:

1.True copy of original credit agreement
2.Statement of account
3.Copy of the executed deed of assignment from (INSERT COMPANY NAME HERE )
4.Fair Processing Notice.

As you are aware, a credit agreement that is not properly documented and signed by the customer is totally unenforceable under the CCA and therefore is a complete defence to any court claim that is issued.

Take note at this stage, that any legal action you may contemplate will be both vigorously defended and contested.

Further to the above, please ensure that any contact by yourselves is made in writing only to the above address. Telephone calls and personal visits will not be accepted and viewed as harassment.

As this account is now in dispute, I would also draw your attention to The Banking Code section 13.6:-

We may give information to the Credit Reference Agencies about personal debts you owe us if:

·The Amount Owed is Not in Dispute.
·The Office of Fair Trading provided a Code of Guidance that is in relation to Debt Collection: OFT 664 Response to consultation paper and final guidance on unfair business practices dated July 2003
Deceptive and/or Unfair Methods-
2.8 Examples of unfair practices are as follows:-
k. Not ceasing collection activity whilst investigating a reasonably queried or disputed debt.

If you continue in your pursuance of this account I will have no other alternative than to report you to both, The Information Commissioner and The Office of Fair Trading.

Furthermore, I shall submit a Consumer Credit Act 1974 complaint to the OFT upon the basis that you have failed to comply with the OFT’s direction of 5 April 2006 and are therefore not a ‘fit and proper person’ to hold a consumer credit license under the 1974 Act.

If you do not understand what this means then seek advice from your legal department.

I look forward to hearing from you within the statutory time limit.

Yours faithfully

<< YOUR NAME HERE >>

UPDATE 14/01/2009: I have received a letter in the post today from ScotCall Debt Collecting Services, it appears their client Lowell Portfolio 1 LTD has passed the debt onto them for recovery, no doubt in an effort to disgusie the collection as not being for Lowell no doubt due to people fighting and winning cases against them.

After a friendly telephone conversation with one of ScotCall’s agents I stated “my right under the legislation contained within section 77 (1) and section 78 (1) of the Consumer Credit Act 1974, and I am entitled to receive a copy of my credit agreement on request.” and queries whether this should be in writing to themselves or lowell, the reply came “No problem Sir, as we only receive your contact details and the debt amount, we will simply pass this account back to our client”, at which point I thanked the agent and requested confirmation in writing, “All telephone call are recorded, and you will receive a standard letter detailing this conversation in a couple of days”.

More updates to come.

UPDATE 26/01/2009: Lowell On Watchdog http://www.bbc.co.uk/blogs/watchdog/2009/01/the_chase_for_debts_not_always.html

UPDATE 23/07/2009: Claim dropped! Well I can say after sending this letter via email and a very long discussion on the phone with one of their supervisors, Lowell have said “They are unable to provide a signed credit agreement” and that “Their client in the interest of taking a commercial view, without admitting liability have agreed to clear their claim”, I have a letter confirming the amount owed is now £0.00Tweet