GoFuckYourself.com - Adult Webmaster Forum
Old 02-03-2002, 06:07 PM   #1
Phil21
Confirmed User
 
Join Date: May 2001
Location: ICQ: 25285313
Posts: 993
Paysite password cracking "network"

Hmm, had two attempts by this guy at gaining access to two completely unrelated paysites we host.

Providers should look into firewalling these guys off; it will save you a hell of a lot of bandwidth (in both cases, they were eating ~8 Mbit/sec just from all the login attempts, i.e. just the 401 error pages were eating that much).

Below is some stuff you can cut/paste into a linux server that supports ipchains. I did this at our ingress points.

ipchains -I input -p all -d 0/0 -s 194.117.133.196 -j DENY # 20 attempts.
ipchains -I input -p all -d 0/0 -s 172.166.188.97 -j DENY # 20 attempts.
ipchains -I input -p all -d 0/0 -s 205.216.137.82 -j DENY # 28 attempts.
ipchains -I input -p all -d 0/0 -s 24.147.10.83 -j DENY # 32 attempts.
ipchains -I input -p all -d 0/0 -s 172.158.156.172 -j DENY # 33 attempts.
ipchains -I input -p all -d 0/0 -s 200.218.156.3 -j DENY # 38 attempts.
ipchains -I input -p all -d 0/0 -s 195.92.198.73 -j DENY # 39 attempts.
ipchains -I input -p all -d 0/0 -s 194.117.133.118 -j DENY # 48 attempts.
ipchains -I input -p all -d 0/0 -s 195.92.67.65 -j DENY # 71 attempts.
ipchains -I input -p all -d 0/0 -s 24.205.98.167 -j DENY # 91 attempts.
ipchains -I input -p all -d 0/0 -s 192.116.235.110 -j DENY # 126 attempts.
ipchains -I input -p all -d 0/0 -s 200.242.216.150 -j DENY # 421 attempts.
ipchains -I input -p all -d 0/0 -s 208.17.144.86 -j DENY # 1096 attempts.
ipchains -I input -p all -d 0/0 -s 192.117.167.145 -j DENY # 1186 attempts.
ipchains -I input -p all -d 0/0 -s 212.29.245.226 -j DENY # 1259 attempts.
ipchains -I input -p all -d 0/0 -s 194.108.112.226 -j DENY # 1268 attempts.
ipchains -I input -p all -d 0/0 -s 194.69.31.92 -j DENY # 1286 attempts.
ipchains -I input -p all -d 0/0 -s 212.27.207.8 -j DENY # 1288 attempts.
ipchains -I input -p all -d 0/0 -s 200.214.253.110 -j DENY # 1289 attempts.
ipchains -I input -p all -d 0/0 -s 192.117.153.9 -j DENY # 1297 attempts.
ipchains -I input -p all -d 0/0 -s 24.31.3.9 -j DENY # 1308 attempts.
ipchains -I input -p all -d 0/0 -s 199.90.209.36 -j DENY # 1310 attempts.
ipchains -I input -p all -d 0/0 -s 210.160.73.210 -j DENY # 1311 attempts.
ipchains -I input -p all -d 0/0 -s 212.155.190.249 -j DENY # 1313 attempts.
ipchains -I input -p all -d 0/0 -s 200.193.46.18 -j DENY # 1314 attempts.
ipchains -I input -p all -d 0/0 -s 203.59.54.35 -j DENY # 1315 attempts.
ipchains -I input -p all -d 0/0 -s 210.136.165.133 -j DENY # 1316 attempts.
ipchains -I input -p all -d 0/0 -s 211.6.228.50 -j DENY # 1317 attempts.
ipchains -I input -p all -d 0/0 -s 210.201.31.226 -j DENY # 1318 attempts.
ipchains -I input -p all -d 0/0 -s 217.57.9.114 -j DENY # 1321 attempts.
ipchains -I input -p all -d 0/0 -s 200.27.182.30 -j DENY # 1321 attempts.
ipchains -I input -p all -d 0/0 -s 194.206.139.70 -j DENY # 1322 attempts.
ipchains -I input -p all -d 0/0 -s 211.21.1.19 -j DENY # 1322 attempts.
ipchains -I input -p all -d 0/0 -s 210.135.3.1 -j DENY # 1324 attempts.
ipchains -I input -p all -d 0/0 -s 203.199.37.6 -j DENY # 1324 attempts.
ipchains -I input -p all -d 0/0 -s 204.210.202.19 -j DENY # 1325 attempts.
ipchains -I input -p all -d 0/0 -s 210.175.52.100 -j DENY # 1326 attempts.
ipchains -I input -p all -d 0/0 -s 210.162.242.194 -j DENY # 1327 attempts.
ipchains -I input -p all -d 0/0 -s 208.137.183.55 -j DENY # 1327 attempts.
ipchains -I input -p all -d 0/0 -s 210.149.84.27 -j DENY # 1327 attempts.
ipchains -I input -p all -d 0/0 -s 195.56.65.48 -j DENY # 1328 attempts.
ipchains -I input -p all -d 0/0 -s 205.147.53.162 -j DENY # 1329 attempts.
ipchains -I input -p all -d 0/0 -s 210.232.100.146 -j DENY # 1329 attempts.
ipchains -I input -p all -d 0/0 -s 211.0.113.202 -j DENY # 1331 attempts.
ipchains -I input -p all -d 0/0 -s 206.21.27.99 -j DENY # 1331 attempts.
ipchains -I input -p all -d 0/0 -s 211.16.244.211 -j DENY # 1332 attempts.
ipchains -I input -p all -d 0/0 -s 210.248.220.18 -j DENY # 1333 attempts.
ipchains -I input -p all -d 0/0 -s 199.72.195.20 -j DENY # 1334 attempts.
ipchains -I input -p all -d 0/0 -s 66.21.39.52 -j DENY # 1336 attempts.
ipchains -I input -p all -d 0/0 -s 216.77.56.82 -j DENY # 1338 attempts.
ipchains -I input -p all -d 0/0 -s 196.28.82.114 -j DENY # 1338 attempts.
ipchains -I input -p all -d 0/0 -s 193.66.190.34 -j DENY # 1343 attempts.
ipchains -I input -p all -d 0/0 -s 200.46.109.85 -j DENY # 1343 attempts.
ipchains -I input -p all -d 0/0 -s 211.17.156.2 -j DENY # 1346 attempts.
ipchains -I input -p all -d 0/0 -s 200.199.249.66 -j DENY # 1348 attempts.
ipchains -I input -p all -d 0/0 -s 200.35.86.165 -j DENY # 1349 attempts.
ipchains -I input -p all -d 0/0 -s 61.133.71.205 -j DENY # 1350 attempts.
ipchains -I input -p all -d 0/0 -s 61.0.133.6 -j DENY # 1353 attempts.
ipchains -I input -p all -d 0/0 -s 63.64.144.7 -j DENY # 1355 attempts.
ipchains -I input -p all -d 0/0 -s 213.70.189.2 -j DENY # 1356 attempts.
ipchains -I input -p all -d 0/0 -s 210.199.164.51 -j DENY # 1358 attempts.
ipchains -I input -p all -d 0/0 -s 216.72.87.254 -j DENY # 1360 attempts.
ipchains -I input -p all -d 0/0 -s 217.13.133.226 -j DENY # 1364 attempts.
ipchains -I input -p all -d 0/0 -s 200.203.134.210 -j DENY # 1367 attempts.
ipchains -I input -p all -d 0/0 -s 210.190.110.13 -j DENY # 1368 attempts.
ipchains -I input -p all -d 0/0 -s 210.241.122.65 -j DENY # 1370 attempts.
ipchains -I input -p all -d 0/0 -s 207.43.97.2 -j DENY # 1376 attempts.
ipchains -I input -p all -d 0/0 -s 64.123.93.3 -j DENY # 1388 attempts.
ipchains -I input -p all -d 0/0 -s 198.109.239.4 -j DENY # 2391 attempts.
ipchains -I input -p all -d 0/0 -s 212.31.252.228 -j DENY # 2624 attempts.


Hope it helps someone.

-Phil
Old 02-03-2002, 07:10 PM   #2
pr0
rockin tha trailerpark
 
Join Date: May 2001
Location: ~Coastal~
Posts: 23,088
If you want to help someone

Make that into a webpage where people can add their ip ranges & #'s.

That way we can make a proxy blacklist to stop these kiddiez.
Old 02-03-2002, 08:02 PM   #3
waste
Confirmed User
 
Join Date: Nov 2001
Location: Baltimore
Posts: 770
Quote:
Originally posted by pr0
If you want to help someone

Make that into a webpage where people can add their ip ranges & #'s.

That way we can make a proxy blacklist to stop these kiddiez.
or you can just go around scanning port 1080
Old 02-03-2002, 11:38 PM   #4
Phil21
Confirmed User
 
Join Date: May 2001
Location: ICQ: 25285313
Posts: 993
Naw, we have our own software we made in-house that automagically kills shared accounts, that's not an issue.

I just never saw a bigass attempt like this at brute-forcing usernames/passwords before. Pennywize or anything wouldn't have helped out, since the bandwidth usage was insane just from the error codes. Yeah, false positives would probably piss the guys off when they get back from their movie after letting the thing run, but my bandwidth is still spiked to hell during the meantime.

Going to write some stuff that will watch log files intermittently and detect this stuff in the future, and automagically have it firewalled off.

Keep in mind we're a host. We need stuff that performs quickly on loaded servers. Having something piping logfiles places is not going to work; even locally examining each and every hit would be more CPU work than I want to put on our machines. We already have intelligent solutions for the password trading stuff, I just need to spend some time to integrate the anti-brute-force attack code into our insane billing/stats system.

Our anti password trading stuff works a lot differently than most. We don't examine every logfile we generate. We essentially have a daemon that sits on each server which looks at log file growth every 5 minutes or whatnot; if it's so many percent out of a median value from the last 48 hours (or whatever) it then invokes the parser which looks for a traded account. If it finds it, it kills the account and e-mails the site owner what it did. We then credit the amount of bandwidth usage used to the site owner (which is usually negligible, since we nail it so fast, usually under 50 MB) as we guarantee no extra bandwidth charges on traded accounts. This way it takes very, very little CPU compared to anything else, and protects just as well. Perhaps later we'll add code to redirect traded accounts elsewhere, etc. But for now it works very well for our needs.

Being able to write stuff in-house is good. ;)

Also, the addresses in the above list do not appear to be open proxies. Probably just a bunch of machines some kiddie got a backdoor/trojan in. In any case I found it interesting, since I've never experienced a brute force attack like that before, and figured I'd share. In a couple days the system that kills that type of attack will be automated. ;)

-Phil
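As an added example, not Phil's in-house code (the thread never shows it), here is the shape of the two-stage check described in posts #1 and #4, written in Python: a cheap trigger that compares this interval's log growth against the median of earlier intervals, and only when that fires, a parser pass that counts 401s per source address (the brute-force case, emitting DENY rules in the exact format of the first post) and successful logins per username across distinct addresses (the traded-account case). The log lines, the thresholds, the Apache common-log layout with the auth user in the third field, and the growth numbers are all constructed assumptions for the demo; a real daemon would feed `growth_spike` the byte deltas it measures on the live access log.

```python
import re
import statistics
from collections import Counter, defaultdict

# Assumed log layout: Apache common log format, auth user in field 3 ("-" when
# no credentials were sent). Apache logs the supplied username on 401s too.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE_LOG = [
    # one source hammering the members area and collecting 401s
    '203.0.113.5 - guess1 [03/Feb/2002:18:01:01 -0500] "GET /members/ HTTP/1.0" 401 401',
    '203.0.113.5 - guess2 [03/Feb/2002:18:01:02 -0500] "GET /members/ HTTP/1.0" 401 401',
    '203.0.113.5 - guess3 [03/Feb/2002:18:01:03 -0500] "GET /members/ HTTP/1.0" 401 401',
    '203.0.113.5 - guess4 [03/Feb/2002:18:01:04 -0500] "GET /members/ HTTP/1.0" 401 401',
    # a paying member from a single address: normal
    '192.0.2.10 - alice [03/Feb/2002:18:02:00 -0500] "GET /members/index.html HTTP/1.0" 200 5123',
    # a traded login used from three addresses inside one window
    '198.51.100.1 - bob [03/Feb/2002:18:02:10 -0500] "GET /members/index.html HTTP/1.0" 200 5123',
    '198.51.100.2 - bob [03/Feb/2002:18:02:11 -0500] "GET /members/pic1.jpg HTTP/1.0" 200 80211',
    '198.51.100.3 - bob [03/Feb/2002:18:02:12 -0500] "GET /members/pic2.jpg HTTP/1.0" 200 80211',
    # a single typo by a real member is not an attack
    '192.0.2.10 - alice [03/Feb/2002:18:03:00 -0500] "GET /members/ HTTP/1.0" 401 401',
    'this line is garbage and must be skipped',
]


def parse_line(line):
    """Return (ip, user, status) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("user"), int(m.group("status"))


def growth_spike(history, current, pct):
    """Cheap trigger: is this interval's growth more than pct percent above the
    median growth of the earlier intervals? Needs a few samples before it trusts
    the baseline, so a fresh server never fires on its first window."""
    if len(history) < 3:
        return False
    baseline = statistics.median(history)
    return current > baseline * (1 + pct / 100.0)


def brute_force_sources(lines, threshold):
    """Source addresses with at least `threshold` 401 responses: the brute-force signature."""
    failures = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == 401:
            failures[rec[0]] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


def traded_accounts(lines, max_ips):
    """Usernames with successful (2xx) requests from more than `max_ips` distinct
    addresses: the shared/traded-account signature."""
    ips_by_user = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[1] != "-" and 200 <= rec[2] < 300:
            ips_by_user[rec[1]].add(rec[0])
    return {u: sorted(s) for u, s in ips_by_user.items() if len(s) > max_ips}


def ipchains_rules(counts):
    """One DENY rule per offending source, lowest count first, in the first post's format."""
    return [
        f"ipchains -I input -p all -d 0/0 -s {ip} -j DENY # {n} attempts."
        for ip, n in sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
    ]


def check_interval(history, current, lines, pct=50, threshold=3, max_ips=2):
    """One cycle of the daemon: the parsers only run when the growth trigger fires."""
    if not growth_spike(history, current, pct):
        return {"spike": False, "rules": [], "traded": {}}
    return {
        "spike": True,
        "rules": ipchains_rules(brute_force_sources(lines, threshold)),
        "traded": traded_accounts(lines, max_ips),
    }


if __name__ == "__main__":
    # constructed byte-growth figures for the previous four 5-minute windows and this one
    result = check_interval([1000, 1100, 950, 1050], 2400, SAMPLE_LOG)
    print("spike:", result["spike"])
    print("\n".join(result["rules"]))
    print("traded:", result["traded"])
```

Two caveats a host would want before wiring this to a firewall. The thresholds here are deliberately tiny for the demo; in production the 401 threshold should sit well above anything a member behind a shared proxy can produce by mistyping, and inserted rules should expire rather than accumulate. And `ipchains -I input` puts the rule at the top of the input chain for every protocol, which is what the post intends, but the rule lives only in kernel memory: it is gone on reboot unless saved with ipchains-save.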
Old 02-03-2002, 11:39 PM   #5
Plugger
Confirmed User
 
Join Date: Jul 2001
Location: North Coast
Posts: 592
8MB/sec off 401s? What is your 401 page?

It seems as if they would have to be hitting you at about the rate of 2,000,000 hits a day, or somewhat less than 200,000 an hour. They must have one killer connection.

It looks like at least one of those IPs is in Japan, and the response times seem slow. 200,000 attempts in an hour? Who knows?

Am I missing something here?
Old 02-04-2002, 12:06 AM   #6
Phil21
Confirmed User
 
Join Date: May 2001
Location: ICQ: 25285313
Posts: 993
Sounds about right, those are not being accessed one at a time. There's what, 50 there? All accessing once a second or more, about.

Just looked at my apache stats history for that box, 184,000 hits/hr about. So you were pretty close. ;)

Standard 401 page. No fancy things here.

-Phil