How To Spot A Malicious Email

Today I got an email that looks like it came from GoDaddy, except for a few things that don’t look right…
The email headers are not correct. This was obviously a shitty job: the malicious user tried to make the email look like it was coming from GoDaddy, but it was actually coming from a compromised WordPress install on HostGator.

From: Godaddy <donotreply@m.godaddy.com>
Message-Id: <E1YXF6r-0008QX-BX@gator4163.hostgator.com>

The Email:

Dear Customer MIGUEL VALLEJO. Confirm Your Identify.

An unknown user was trying to login your GoDaddy account with an incorrect password on Sunday 15 March , 2015 1:05 GMT, and with an unknown DNS IP Location:
(China) ip=36.250.74.87, as a result of that we partially blocked your GoDaddy accounts due to major security protocols.

Kindly visit our GoDaddy account Re-Activation Center Click here :
https://accounts.godaddy.com/do.php?check=e3251075554389fe91d17a794861d47be3251075554389fe91d17a794861d47b

We are sincerely sorry for any inconvenience.
GoDaddy Customer Support.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Copyright (c) 1999-2015 GoDaddy.com, LLC. All rights reserved.

 

Except for the fact that there is no administrative contact info, phone, or business address in the signature, it looks somewhat legit. Now let’s look at the body of the email, specifically at the URL and where the link actually points to…
http://someweirddomain.com/wp-includes/css/nvldigkoua.htm?nvldigkoua=e3251075554389fe91d17a794861d47b

So this is obviously a malicious email, and a targeted one, because the user had to go through some effort to put this type of attack together. Sadly, this is someone trying to dupe you into coughing up your password, or in my case a sad attempt at doing so.
It’s a good idea to go over your security logs after events like this, as it could be a sign of someone already in your network and trying to escalate their access.
In my case it was just some noob who thought he was dealing with an end user, my response… <^>-_-.
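
The two checks described above, written out as an added example (not part of the original post): it compares the From domain with the Message-Id domain, and the URL shown as link text with the URL the link actually points to. The HTML anchor in the sample is constructed, and `base_domain` is a naive stand-in for a Public Suffix List lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed message: header values and both URLs are from the post; the HTML
# anchor and Content-Type are assumptions about how the link was delivered.
SAMPLE = """\
From: Godaddy <donotreply@m.godaddy.com>
Message-Id: <E1YXF6r-0008QX-BX@gator4163.hostgator.com>
Content-Type: text/html

<a href="http://someweirddomain.com/wp-includes/css/nvldigkoua.htm?nvldigkoua=e3251075554389fe91d17a794861d47b">https://accounts.godaddy.com/do.php?check=e3251075554389fe91d17a794861d47be3251075554389fe91d17a794861d47b</a>
"""

def base_domain(host):
    # Naive "last two labels"; production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])
def url_domain(url):
    return base_domain(urlsplit(url).hostname or "")

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_indicators(raw):
    """Return (check, claimed_domain, actual_domain) for each mismatch found."""
    msg, findings = message_from_string(raw), []
    from_dom = base_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    mid_dom = base_domain(msg.get("Message-Id", "").strip("<> ").rpartition("@")[2])
    if from_dom and mid_dom and from_dom != mid_dom:
        findings.append(("message-id-domain", from_dom, mid_dom))
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        shown = re.match(r"https?://\S+", text)  # link text that is itself a URL
        if shown and url_domain(shown.group()) != url_domain(href):
            findings.append(("link-target-domain", url_domain(shown.group()), url_domain(href)))
    return findings
```

A Message-Id domain that differs from the From domain also occurs with legitimate third-party mail services, so treat it as a signal to look closer rather than proof.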


How I Fell In Love With My NVIDIA Shield Tablet…

So I totally ripped myself off, it wasn’t supposed to be that way lol… I traded my PS4 with 2 controllers and two games for what was supposed to be an #nvidia shield tablet from some guy on Craigslist with all accessories. I chatted with the guy for about half an hour and he sounded totally legit. When I got home I had more time and light to inspect the tablet, which ended up being a 16GB tablet instead of the 32GB version, so I was like fml… As I continued I came to two corners which were also cracked, it looked like it had been dropped… FML~… Once I had it reset I tried to play a song and the damn speaker is blown, which sounded fine at low volume… Of course this sucked. I tried calling him back and texting and would get no answer. After about 30 minutes I found out what his name was and where he lived. I decided to say fuck it, it’s not worth the drama and the cops would be like “dude! seriously for a ps4?”. So far the tablet is one of my favorites of all the tablets I’ve ever owned; it’s super fast and running the Lollipop OS, which is super smooth and responsive. I really want to upgrade to the 32GB so I can have some more room to do some native application development. It sucks that I got jacked, but I am happy that I ended up with this tablet, it’s perfect :*)

P.S. Hook me up with a 32GB version NVIDIA, I heard it rains tablets at HQ ;) @nvidia #nvidia

 


Another Flash Project Originally Designed For Web Semantics in 2008

I was going through an old hosting account, making sure I had backed up everything before its deletion, and found some old work. This was a Flash project I originally created for Web Semantics (Web Symantecs) during its early conception. Considering this was done in 2005 and then updated in 2008, I have to say it’s still a pretty cool animation design. I’m just glad I was able to find it. I still can’t believe I was doing this with Macromedia Flash 7 and 8 (Macromedia was later bought out by Adobe). You can view the actual Flash animation by clicking here.


Checking Total Disk Usage in Ubuntu Or Debian From Terminal

If you need to check how much space is used up on all filesystems/drives, you can simply run

df -h

Don’t forget to sudo or be root.


Increase In Brute Force Attacks on American Networks By Chinese Networks on 4th of July.

I started to track my security logs a lot more since I began to notice the amount of alerts I was getting via email on holidays. There is definitely a connection: American networks are under attack during American holidays, specifically from 00:00 to 14:00. This time the attacks weren’t just coming from Chinese networks but also from Mexico & France.

Here is a list of the latest culprits…


It’s probably nothing to worry about…


It’s Official, China Is Undeniably Attacking US Networks 400% Increase In Network Attacks Over Holiday Weekends.

Ok, so I am not here to point fingers, because both governments pretty much do the same thing, duh… I will also add that Chinese attacks on US networks have increased in the past few months since the conflicts in Ukraine. Over this Memorial Day weekend I have been monitoring many server nodes across different data centers and have definitely had an increase in brute-force and scan attacks.

Today I have noticed a 400% increase in additional log records related to these attacks. Coincidence? I think not. How else do you explain an increase in attacks a day before a major US holiday? The Chinese PLA will obviously deny anything, but if you analyze the data it definitely looks like a coordinated attack on US networks. Chinese intelligence assumes that no IT personnel will be working over the weekend, so they amp up their attacks. Let me say something to Chinese intel… YES WE WORK ON HOLIDAYS TOO!… lol

P.S. I have logs to prove that too… xD

Here is a list of their most popular attack networks…


Adding “client denied by server configuration” Filter To Fail2Ban: Ubuntu 12.04 LTS

Ok, so here is another useful filter for fail2ban. Once this filter is installed, it will prevent malicious visitors from trying to brute-force folder and file discovery. After 5 attempts to visit a non-existent file/folder, the visitor is banned…

like always… BASH IN! :D

sudo bash

First, let’s create a new entry in our jail.local file…

vim /etc/fail2ban/jail.local

 

Copy the following text after the last apache entry…

[apache-clientd]
enabled = true
port = http,https
filter = apache-client-denied
logpath = /var/log/apache*/*error.log
maxretry = 5

 

Now that we have added the entry to our jail.local, change to the filter.d directory. In this folder you will see lots of other pre-configured filters.

cd /etc/fail2ban/filter.d

 

Instead of creating a new filter file, simply copy another one; this will make the next step easier…

cp /etc/fail2ban/filter.d/apache-auth.conf /etc/fail2ban/filter.d/apache-client-denied.conf

 

Find the line identical to the one below (line 23):

failregex = ^%(_apache_error_client)s user .* (authentication failure|not found|password mismatch)\s*$

 

Replace it with the following one:

failregex = [[]client <HOST>[]] client denied by server configuration:

 

At this point you’re pretty much done. Close the file and restart fail2ban:

service fail2ban restart

 

Comment if you have questions, like my post if you find it helpful :)

Adding “File Does Not Exist” Filter To Fail2Ban: Ubuntu 12.04 LTS

Ok, so here is a quick post on a common question: adding a filter to fail2ban for bots/scanners searching for files and folders, or simply doing recon, which can result in exploit discovery. This filter will automatically block a visitor/bot after 4 attempts to scan for a file that does not exist on your domain/server.

like always… BASH IN! (lol…)

sudo bash

First, let’s create a new entry in our jail.local file…

vim /etc/fail2ban/jail.local

 

Copy the following text after the last apache entry…

[apache-nofile]
enabled = true
port = http,https
filter = apache-nofile
logpath = /var/log/apache*/*error.log
maxretry = 4

 

Now that we have added the entry to our jail.local, change to the filter.d directory. In this folder you will see lots of other pre-configured filters.

cd /etc/fail2ban/filter.d

 

Instead of creating a new filter file, simply copy another one; this will make the next step easier…

cp /etc/fail2ban/filter.d/apache-auth.conf /etc/fail2ban/filter.d/apache-nofile.conf

 

Find the line identical to the one below (line 23):

failregex = ^%(_apache_error_client)s user .* (authentication failure|not found|password mismatch)\s*$

 

Replace it with the following one:

failregex = [[]client <HOST>[]] File does not exist:

 

At this point you’re pretty much done. Close the file and restart fail2ban:

service fail2ban restart
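
To see what the failregex lines from this post and from the earlier “client denied by server configuration” post match before trusting them with bans, here is an added example (not from the original posts, and not fail2ban's own code) that applies both to constructed Apache 2.2-style error.log lines and counts hits against each jail's maxretry. The `<HOST>` expansion is simplified to IPv4 and findtime is ignored; both are assumptions of the example.

```python
import re
import warnings
from collections import Counter

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (an assumption of
# this example; the real expansion also accepts hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# jail name -> (failregex, maxretry), copied from the two posts.
JAILS = {
    "apache-clientd": ("[[]client <HOST>[]] client denied by server configuration:", 5),
    "apache-nofile": ("[[]client <HOST>[]] File does not exist:", 4),
}

def make_lines(ip, message, paths):
    """Build constructed Apache 2.2-style error.log lines for one client."""
    return [f"[Sat Jul 04 03:1{i}:00 2015] [error] [client {ip}] {message}: /var/www/{p}"
            for i, p in enumerate(paths)]

# Constructed log; every address is from a documentation range.
SAMPLE_LOG = (
    make_lines("203.0.113.7", "File does not exist", [f"probe{i}" for i in range(6)])
    + make_lines("192.0.2.50", "File does not exist",  # ordinary browser, stale site
                 ["favicon.ico", "robots.txt", "img/old-logo.png", "css/print.css"])
    + make_lines("198.51.100.23", "client denied by server configuration",
                 [f"private/{i}" for i in range(5)])
    + make_lines("198.51.100.99", "client denied by server configuration", ["server-status"])
)

def banned_hosts(lines, failregex, maxretry):
    """Hosts whose match count reaches maxretry (findtime is ignored here)."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", FutureWarning)  # Python flags "[[]" as a possible nested set
        rx = re.compile(failregex.replace("<HOST>", HOST))
    hits = Counter(m.group("host") for m in map(rx.search, lines) if m)
    return {ip: n for ip, n in hits.items() if n >= maxretry}

def evaluate(lines):
    """Run every jail over the same log and report who would be banned."""
    return {jail: banned_hosts(lines, rx, n) for jail, (rx, n) in JAILS.items()}
```

Note that 192.0.2.50, an ordinary browser requesting four missing assets, is banned by apache-nofile alongside the scanner. On a real server, `fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-nofile.conf` runs the installed filter against the live log.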

 

Comment if you have questions, like my post if you find it helpful :)

The Future Of Decentralized Computing And Its Impact On Social Justice On The World Wide Web

 

Get ready, people: we are living once again in exciting times for the internet. It’s evolving! We are living in times where information can no longer be suppressed, which will have a major impact on society overall. People all around the world are becoming involved in the preservation of privacy and social justice. Here are some ideas of how I think decentralized computing will change the world.

 

1) Open Source Decentralized Political Registry

Everyone who is a political or public official should be registered on this site. Their entire public record could be open-sourced and controlled by a community. A decentralized platform would eliminate illegal confiscation of infrastructure or prevent censorship, rendering covert corruption difficult.

2) Open Source Decentralized Criminal Registry

Every person on this planet would now be able to report any crime about any person including a public official (police, federal, military officer etc…) at any time and keep it in public domain. This would eliminate extortion, threats and possible cover-ups by any person/group or agency in the world. This platform would also be decentralized to eliminate confiscation or hack.

3) Open Source Decentralized News Registry

Every person on this planet would now be able to report any crime about any person including a public official (police, federal, military officer etc…) at any time and keep it in public domain. This would eliminate extortion, threats and possible cover-ups by any person/group or agency in the world. This platform would also be decentralized to eliminate confiscation or hack.

4) Open Source Decentralized Education Registry

Every person in the world would now have access to any knowledge without propaganda, lies, or manipulation, managed by a global community on a credit system so the popular vote always wins.

 

The overall idea is to create an infrastructure where anyone can post any information without censorship, but the information must remain checkable. Other “wallets” with “coins” or credits should have the ability to change or revise any post, and as the post is modified, the amount of credits required to modify it increases. Groups of wallets/users could donate amounts to a pool key to also use their limited credits to help causes they might believe in. This will discourage one person from acquiring many credits and overwhelming a specific record or trying to hijack its content; a group of wallets/users would always be able to override a single user’s modifications.