lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 31 Mar 2012 22:03:50 +0200 (CEST) From: "T" <fulldisc@....hu> To: "Full Disclosure" <full-disclosure@...ts.grok.org.uk> Subject: Compromised VPN provider out there? Hi To any security-aware VPN providers out there reading this: More than 800 hosts (mostly from Asia) started hitting TorVPN.com's webserver on HTTPS with login requests. Before blocking them all (and adding them to the proxy list section of my site after testing, heh) I decided to temporarily log the attempted usernames and passwords for a few seconds to see what the deal was. The usernames and passwords do not seem to be from dictionaries, more like someone got a hold of plaintext userinfo from somewhere and figured enough of them could be valid for TorVPN.com to make it worth the time to write a script and start bruteforcing (and monitor results, because when I changed the login URL, they updated their script in less than 5 minutes). I believe the most likely reason for an attacker to try check for password re-use on my site is if their accounts are from another VPN provider's database - which is why I am writing this. Below you will find a list of usernames (not posting the passwords) that were logged in those few seconds. (None of them are actual real users on TorVPN, they are not part of any public list that can be found with Google) - vlai1214 - BHGboat - haines - Mod95TZc - JJOM54 - johnnieak - hair7 - hair18 - flipperke - outhcent - haipas - hainline - anxdpphh2334 - rgcBCN - Pretty26 - hair11 - hairaP - cyrren - tomba73 - mikemaynard25a - jamesmorrow - lending2 - laynec - willthekiller - chrisn - chulony79 - firefox If someone-who-isn't-me obtains similar info from an attack, manages to log in to another VPN provider with the logged accounts, sends me an e-mail about this success, I will post the results. If anyone has already experienced a similar password bruteforce on their VPN-website, do not hesitate to post details. Whoever hammered my server, I'd like to thank you for possibly helping to uncover an ownage, as well as for helping me re-fill the list of proxies on my site with working ones. Kind regards, https://torvpn.com/ ps: a couple of IPs with the most attempts # 189.127.120.253 -> 927 # 64.79.72.52 -> 868 # 186.225.60.90 -> 785 # 217.112.128.247 -> 732 # 203.122.19.11 -> 699 # 178.132.216.182 -> 699 # 146.255.9.124 -> 664 # 222.165.175.246 -> 646 # 188.230.77.233 -> 632 # 190.90.100.103 -> 584 # 188.241.71.1 -> 583 # 201.65.25.85 -> 563 # 202.47.88.46 -> 561 # 208.94.244.15 -> 494 # 187.0.32.6 -> 485 # 210.212.144.214 -> 484 # 196.1.178.254 -> 474 # 201.234.220.99 -> 474 # 190.145.74.10 -> 472 # 184.164.142.214 -> 465 # 89.235.50.141 -> 461 # 175.111.192.12 -> 461 # 186.225.106.146 -> 450 # 188.127.231.78 -> 450 # 200.1.110.146 -> 449 # 93.99.16.254 -> 434 # 84.22.50.42 -> 422 # 93.89.84.220 -> 401 # 201.234.58.212 -> 396 # 187.60.96.7 -> 379 # 125.21.55.194 -> 374 # 121.254.133.150 -> 366 # 202.46.69.4 -> 363 # 157.181.228.181 -> 361 # 201.49.77.7 -> 361 # 46.4.33.41 -> 360 # 206.212.249.237 -> 358 # 202.29.97.2 -> 355 # 46.162.1.253 -> 354 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists