Open Source and information security mailing list archives
Message-ID: <CAEJizbZAeSg=1r3KfvHqa=_VQAnaoncq2036kV2Qc0opTS7EpQ@mail.gmail.com>
Date: Tue, 10 Apr 2012 09:05:29 +0100
From: Benji <me@...ji.com>
To: nix@...roxylists.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Compromised VPN provider out there?

> How come I'm not surprised that public proxies are being abused for brute
> force attacks?

You're just that far ahead of the curve?

On Tue, Apr 10, 2012 at 5:17 AM, <nix@...roxylists.com> wrote:
>> Hi
>>
>> To any security-aware VPN providers out there reading this:
>>
>> More than 800 hosts (mostly from Asia) started hitting TorVPN.com's
>> webserver on HTTPS with login requests.
>>
>> Before blocking them all (and adding them to the proxy list section of my
>> site after testing, heh) I decided to temporarily log the attempted
>> usernames and passwords for a few seconds to see what the deal was.
>>
>> The usernames and passwords do not seem to be from dictionaries, more like
>> someone got a hold of plaintext userinfo from somewhere and figured enough
>> of them could be valid for TorVPN.com to make it worth the time to write a
>> script and start bruteforcing (and monitor results, because when I changed
>> the login URL, they updated their script in less than 5 minutes).
>>
>> I believe the most likely reason for an attacker to try to check for
>> password re-use on my site is if their accounts are from another VPN
>> provider's database - which is why I am writing this.
>>
>> Below you will find a list of usernames (not posting the passwords) that
>> were logged in those few seconds. (None of them are actual real users on
>> TorVPN; they are not part of any public list that can be found with Google.)
>>
>> - vlai1214
>> - BHGboat
>> - haines
>> - Mod95TZc
>> - JJOM54
>> - johnnieak
>> - hair7
>> - hair18
>> - flipperke
>> - outhcent
>> - haipas
>> - hainline
>> - anxdpphh2334
>> - rgcBCN
>> - Pretty26
>> - hair11
>> - hairaP
>> - cyrren
>> - tomba73
>> - mikemaynard25a
>> - jamesmorrow
>> - lending2
>> - laynec
>> - willthekiller
>> - chrisn
>> - chulony79
>> - firefox
>>
>> If someone-who-isn't-me obtains similar info from an attack, manages to
>> log in to another VPN provider with the logged accounts, and sends me an
>> e-mail about this success, I will post the results.
>>
>> If anyone has already experienced a similar password bruteforce on their
>> VPN website, do not hesitate to post details.
>>
>> Whoever hammered my server, I'd like to thank you for possibly helping to
>> uncover an ownage, as well as for helping me re-fill the list of proxies on
>> my site with working ones.
>>
>> Kind regards,
>> https://torvpn.com/
>>
>> ps: a couple of IPs with the most attempts
>>
>
> Just due to curiosity, I picked up the first proxy (189.127.120.253) and
> ran it against http://nixapi.com/ip-reputation-lookup. The result was
> 'HTTP L3 (Transparent) proxy 189.127.120.253:3128 - Verified 03:49:38 ago.'
>
> How come I'm not surprised that public proxies are being abused for brute
> force attacks? About a year ago, I set up a public proxy for testing
> purposes; after ~two day uptime, from what I can remember:
>
> Over 500 simultaneous connections all the time
> I think there was only 0.1% human users, the rest were abuse bots/scripts
> Bandwidth used constantly: 15-50Mbps/second (I remember capping it to
> 50Mbps to prevent network lag issues to other services)
>
> There were several hundred thousand connections in a very short time ...
>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
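The pattern TorVPN describes (hundreds of source hosts, non-dictionary usernames each tried once, almost every attempt failing, and a script that follows a renamed login URL) is what distinguishes credential stuffing from a single-account brute force. The detector below is an added example, not code from the thread or from TorVPN; it assumes a constructed log format (client IP, request line, status, submitted username) and uses constructed RFC 5737 addresses and made-up usernames.

```python
"""Flag distributed credential stuffing in login logs (added example, not
code from the thread; the log format, addresses and usernames are constructed)."""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) user=(\S*)$')

# Constructed sample (RFC 5737 addresses, made-up usernames): four sources
# each try fresh usernames once and fail, then one legitimate login succeeds.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Apr/2012:03:49:38 +0000] "POST /login HTTP/1.1" 401 user=qz81kl
192.0.2.10 - - [10/Apr/2012:03:49:39 +0000] "POST /login HTTP/1.1" 401 user=BRtr44
198.51.100.7 - - [10/Apr/2012:03:49:39 +0000] "POST /login HTTP/1.1" 401 user=mmx0p
198.51.100.7 - - [10/Apr/2012:03:49:40 +0000] "POST /login HTTP/1.1" 401 user=hair7x
203.0.113.5 - - [10/Apr/2012:03:49:40 +0000] "POST /signin HTTP/1.1" 401 user=Lk2938
192.0.2.44 - - [10/Apr/2012:03:49:41 +0000] "POST /signin HTTP/1.1" 401 user=c0rwin9
192.0.2.44 - - [10/Apr/2012:03:49:42 +0000] "GET /signin HTTP/1.1" 200 user=
203.0.113.9 - - [10/Apr/2012:03:49:42 +0000] "POST /login HTTP/1.1" 200 user=alice
"""


def analyze(log_text, login_paths=("/login", "/signin"), min_ips=3):
    """Count login POSTs per source and decide whether they look like stuffing."""
    attempts = Counter()          # login attempts per source IP
    users = defaultdict(set)      # distinct usernames tried per source IP
    total = failures = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, path, status, user = m.groups()
        # Key on every login handler, not one path: renaming the login URL
        # bought TorVPN less than five minutes before the script adapted.
        if method != "POST" or path not in login_paths:
            continue
        total += 1
        attempts[ip] += 1
        users[ip].add(user)
        if status != "200":
            failures += 1
    distinct_users = len(set().union(*users.values())) if users else 0
    fail_rate = failures / total if total else 0.0
    # Stuffing signature (unlike single-account brute force): many sources,
    # almost every attempt carries a new username, and almost all fail.
    stuffing = (len(attempts) >= min_ips and total > 0
                and distinct_users / total > 0.8 and fail_rate > 0.8)
    return {"attempts": total, "distinct_ips": len(attempts),
            "distinct_users": distinct_users, "failure_rate": round(fail_rate, 2),
            "top_ips": attempts.most_common(3), "credential_stuffing": stuffing}
```

`top_ips` reproduces the "IP -> attempts" ranking from the post's postscript, which is what you hand to a blocklist or a proxy-reputation check; the thresholds are illustrative and should be tuned against a site's normal failed-login rate.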