lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 10 Apr 2012 09:05:29 +0100
From: Benji <me@...ji.com>
To: nix@...roxylists.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Compromised VPN provider out there?

> How came im not surprised that public proxies are being abused for brute
> force attacks?

You're just that far ahead of the curve?

On Tue, Apr 10, 2012 at 5:17 AM,  <nix@...roxylists.com> wrote:
>> Hi
>>
>> To any security-aware VPN providers out there reading this:
>>
>> More than 800 hosts (mostly from Asia) started hitting TorVPN.com's
>> webserver on HTTPS with login requests.
>>
>> Before blocking them all (and adding them to the proxy list section of my
>> site after testing, heh)
>> I decided to temporarily log the attempted usernames and passwords for a
>> few seconds to see what the deal was.
>>
>> The usernames and passwords do not seem to be from dictionaries, more like
>> someone got a hold of plaintext
>> userinfo from somewhere and figured enough of them could be valid for
>> TorVPN.com to make it worth
>> the time to write a script and start bruteforcing (and monitor results,
>> because when I changed the login
>> URL, they updated their script in less than 5 minutes).
>>
>> I believe the most likely reason for an attacker to try check for password
>> re-use on my site is if their
>> accounts are from another VPN provider's database - which is why I am
>> writing this.
>>
>> Below you will find a list of usernames (not posting the passwords) that
>> were logged in those few seconds.
>> (None of them are actual real users on TorVPN, they are not part of any
>> public list that can be found with Google)
>>
>>   - vlai1214
>>   - BHGboat
>>   - haines
>>   - Mod95TZc
>>   - JJOM54
>>   - johnnieak
>>   - hair7
>>   - hair18
>>   - flipperke
>>   - outhcent
>>   - haipas
>>   - hainline
>>   - anxdpphh2334
>>   - rgcBCN
>>   - Pretty26
>>   - hair11
>>   - hairaP
>>   - cyrren
>>   - tomba73
>>   - mikemaynard25a
>>   - jamesmorrow
>>   - lending2
>>   - laynec
>>   - willthekiller
>>   - chrisn
>>   - chulony79
>>   - firefox
>>
>> If someone-who-isn't-me obtains similar info from an attack, manages to
>> log in to another VPN provider
>> with the logged accounts, sends me an e-mail about this success, I will
>> post the results.
>>
>> If anyone has already experienced a similar password bruteforce on their
>> VPN-website, do not hesitate to post details.
>>
>> Whoever hammered my server, I'd like to thank you for possibly helping to
>> uncover an ownage, as well as for helping me
>> re-fill the list of proxies on my site with working ones.
>>
>> Kind regards,
>> https://torvpn.com/
>>
>> ps: a couple of IPs with the most attempts
>>
>> # 189.127.120.253 -> 927
>> # 64.79.72.52 -> 868
>> # 186.225.60.90 -> 785
>> # 217.112.128.247 -> 732
>> # 203.122.19.11 -> 699
>> # 178.132.216.182 -> 699
>> # 146.255.9.124 -> 664
>> # 222.165.175.246 -> 646
>> # 188.230.77.233 -> 632
>> # 190.90.100.103 -> 584
>> # 188.241.71.1 -> 583
>> # 201.65.25.85 -> 563
>> # 202.47.88.46 -> 561
>> # 208.94.244.15 -> 494
>> # 187.0.32.6 -> 485
>> # 210.212.144.214 -> 484
>> # 196.1.178.254 -> 474
>> # 201.234.220.99 -> 474
>> # 190.145.74.10 -> 472
>> # 184.164.142.214 -> 465
>> # 89.235.50.141 -> 461
>> # 175.111.192.12 -> 461
>> # 186.225.106.146 -> 450
>> # 188.127.231.78 -> 450
>> # 200.1.110.146 -> 449
>> # 93.99.16.254 -> 434
>> # 84.22.50.42 -> 422
>> # 93.89.84.220 -> 401
>> # 201.234.58.212 -> 396
>> # 187.60.96.7 -> 379
>> # 125.21.55.194 -> 374
>> # 121.254.133.150 -> 366
>> # 202.46.69.4 -> 363
>> # 157.181.228.181 -> 361
>> # 201.49.77.7 -> 361
>> # 46.4.33.41 -> 360
>> # 206.212.249.237 -> 358
>> # 202.29.97.2 -> 355
>> # 46.162.1.253 -> 354
>>
>>
>
> Just due to curiosity, I picked up the first proxy (189.127.120.253) and
> ran it against http://nixapi.com/ip-reputation-lookup. The result was
> 'HTTP L3 (Transparent) proxy 189.127.120.253:3128 - Verified 03:49:38
> ago.'
>
> How came im not surprised that public proxies are being abused for brute
> force attacks? About a year ago, I setup a public proxy for testing
> purposes, after ~two day uptime what I can remember;
>
> Over 500 simultaneus connections all the time
> I think there was only 0.1% human users, the rest were abuse bots/scripts
> Bandwidth used constantly: 15-50Mbps/second (I remember capping it to
> 50Mbps) to prevent network lag issues to other services)
>
> There were several hundreds of thousand connections in very short time ...
>
>
>
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ