Message-ID: <003ed0e5d9ab89d9897138c0e87c6b8c.squirrel@gameframe.net>
Date: Tue, 10 Apr 2012 07:17:09 +0300
From: nix@...roxylists.com
To: "T" <fulldisc@....hu>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Compromised VPN provider out there?

> Hi
>
> To any security-aware VPN providers out there reading this:
>
> More than 800 hosts (mostly from Asia) started hitting TorVPN.com's webserver on HTTPS with login requests.
>
> Before blocking them all (and adding them to the proxy list section of my site after testing, heh), I decided to temporarily log the attempted usernames and passwords for a few seconds to see what the deal was.
>
> The usernames and passwords do not seem to be from dictionaries; more like someone got hold of plaintext userinfo from somewhere and figured enough of them could be valid for TorVPN.com to make it worth the time to write a script and start bruteforcing (and monitor results, because when I changed the login URL, they updated their script in less than 5 minutes).
>
> I believe the most likely reason for an attacker to try to check for password re-use on my site is if their accounts are from another VPN provider's database, which is why I am writing this.
>
> Below you will find a list of usernames (not posting the passwords) that were logged in those few seconds.
> (None of them are actual real users on TorVPN; they are not part of any public list that can be found with Google.)
>
> If someone-who-isn't-me obtains similar info from an attack, manages to log in to another VPN provider with the logged accounts, and sends me an e-mail about this success, I will post the results.
>
> If anyone has already experienced a similar password bruteforce on their VPN website, do not hesitate to post details.
>
> Whoever hammered my server, I'd like to thank you for possibly helping to uncover an ownage, as well as for helping me re-fill the list of proxies on my site with working ones.
>
> Kind regards,
> https://torvpn.com/
>
> ps: a couple of IPs with the most attempts

Just out of curiosity, I picked up the first proxy (189.127.120.253) and ran it against http://nixapi.com/ip-reputation-lookup. The result was 'HTTP L3 (Transparent) proxy 189.127.120.253:3128 - Verified 03:49:38 ago.'

How come I'm not surprised that public proxies are being abused for brute force attacks?

About a year ago, I set up a public proxy for testing purposes. After ~two days' uptime, from what I can remember: over 500 simultaneous connections all the time, and I think only 0.1% were human users; the rest were abuse bots/scripts. Bandwidth used constantly: 15-50 Mbps (I remember capping it to 50 Mbps to prevent network lag issues for other services). There were several hundred thousand connections in a very short time ...

> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/