Romanians, top spammers. FTP and keyloggers
I spent this past weekend poking around ProjectHoneypot and I see that Romania is doing just fine in the halls of shame:
- 4th place (after China, the USA and Spain) among "harvester countries"
- 20th place among "spam server countries"
- 18th place among "comment spammer countries"
- 16th place among "dictionary attack countries"
If we relate these results to the penetration rate of IT technology in the country, I would say that Romania's IT network is a deeply syphilitic one.
You can find the ranking here.
On the other hand, over the weekend that just passed I dealt with three cases of malicious code injection (an iframe linking to dubious sites).
In all three cases the infection vector was FTP. The attackers knew the access password and connected from different IP addresses, one IP for each infected file.
Once a website is infected, all of its visitors are redirected (the vast majority without knowing it) to sites that can infect their computer completely transparently.
The number of IP addresses from which the attacks are launched is extremely large; most likely zombie computers are being used. Here is what a sequence from the FTP access log looks like during an attack:
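As an added example (not code from the original post), a small detector for the pattern the post describes: one account probed from many different sources within minutes, which a per-IP rate limiter never sees. The log lines below are constructed in pure-ftpd's syslog format, with placeholder hostname, account name and documentation-range IPs.

```python
import re
from collections import defaultdict
from datetime import datetime

# pure-ftpd authentication-failure line as written through syslog (no year in the timestamp).
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pure-ftpd: "
    r"\(\S*@(?P<ip>[\d.]+)\) \[WARNING\] Authentication failed for user \[(?P<user>[^\]]*)\]"
)

# Constructed sample: one account hit from five sources in under a minute, another account
# hit five times from a single source, plus an unrelated INFO line that must be ignored.
SAMPLE_LOG = """\
Aug 14 10:46:03 server.name pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [siteuser]
Aug 14 10:46:05 server.name pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [siteuser]
Aug 14 10:46:10 server.name pure-ftpd: (?@203.0.113.55) [WARNING] Authentication failed for user [siteuser]
Aug 14 10:46:13 server.name pure-ftpd: (?@192.0.2.77) [WARNING] Authentication failed for user [siteuser]
Aug 14 10:46:25 server.name pure-ftpd: (?@198.51.100.200) [WARNING] Authentication failed for user [siteuser]
Aug 14 10:47:01 server.name pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [siteuser]
Aug 14 11:30:00 server.name pure-ftpd: (?@192.0.2.99) [WARNING] Authentication failed for user [other]
Aug 14 11:30:02 server.name pure-ftpd: (?@192.0.2.99) [WARNING] Authentication failed for user [other]
Aug 14 11:30:04 server.name pure-ftpd: (?@192.0.2.99) [WARNING] Authentication failed for user [other]
Aug 14 11:30:09 server.name pure-ftpd: (?@192.0.2.99) [WARNING] Authentication failed for user [other]
Aug 14 11:30:12 server.name pure-ftpd: (?@192.0.2.99) [WARNING] Authentication failed for user [other]
Aug 14 11:31:00 server.name pure-ftpd: (?@192.0.2.1) [INFO] admin is now logged in
""".splitlines()


def parse_failures(lines, year=2009):
    """Yield (timestamp, source_ip, account) for each auth-failure line; other lines are skipped."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def distributed_guessing(lines, window_s=300, min_ips=5):
    """Return {account: {...}} for accounts that fail from >= min_ips distinct IPs inside window_s.
    Single-source hammering (the 'other' account above) is deliberately not reported here;
    that case is what ordinary per-IP blocking already handles.
    """
    by_user = defaultdict(list)
    for ts, ip, user in parse_failures(lines):
        by_user[user].append((ts, ip))
    alerts = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):          # slide a window over the sorted events
            ips = {ip for ts, ip in events[i:] if (ts - start).total_seconds() <= window_s}
            if len(ips) >= min_ips:
                alerts[user] = {"distinct_ips": len(ips), "window_start": start}
                break
    return alerts
```

Run against a real /var/log/messages (or wherever syslog sends pure-ftpd) the same function works unchanged; pass the file's year explicitly, since syslog timestamps omit it.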
The targets were WordPress sites every time (the attackers had probably prepared the file-modification algorithm very carefully).
(This HTML code insertion is fairly benign, but the principle can be used for much nastier attacks.)
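As an added example (not the author's code), a scanner for the trace this kind of injection leaves behind: an iframe pointing off-site that is hidden or sized to zero, typically appended to a theme or footer file. The page fragment, hostnames and the own-host list below are constructed.

```python
import os
import re
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE | re.DOTALL)
# name="value", name='value' or bare name=value
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

# Constructed footer: one legitimate (visible, own-site) iframe and two injected ones.
SAMPLE_FOOTER = """\
<div id="footer">&copy; 2009 Example Site</div>
<iframe src="http://www.example.org/stats" width="300" height="150"></iframe>
<iframe src="http://malicious.invalid/in.cgi?3" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src='http://203.0.113.9/go.php' style="display: none"></iframe>
</body></html>
"""


def _attrs(raw):
    return {k.lower(): (a or b or c) for k, a, b, c in ATTR_RE.findall(raw)}


def _is_hidden(attrs):
    """Zero/one-pixel box, display:none, visibility:hidden or pushed off-screen."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = {attrs.get("width", ""), attrs.get("height", "")} & {"0", "1", "0px", "1px"}
    return (bool(tiny) or "display:none" in style or "visibility:hidden" in style
            or re.search(r"(left|top):-\d", style) is not None)


def find_injected_iframes(html, own_hosts):
    """Return (src, reason) for every iframe that is hidden AND points to a host not in own_hosts."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        attrs = _attrs(m.group(1))
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        if host and host not in own_hosts and _is_hidden(attrs):
            hits.append((src, "hidden or zero-size iframe to external host"))
    return hits


def scan_tree(root, own_hosts, exts=(".php", ".html", ".htm", ".js")):
    """Walk a document root (e.g. a WordPress install) and report injected iframes per file."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_injected_iframes(fh.read(), own_hosts)
                if hits:
                    findings[path] = hits
    return findings
```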
Later note: an interesting discussion about this type of attack is available on the gazduire.info forum.
What can we learn from this?
- it is very possible that your own computer is infected with a keylogger; a keylogger does not destroy files or corrupt programs, it just sits quietly and every now and then sends the passwords you have typed to someone somewhere. The solution? There is no single one; I wrote about a few measures more than a year ago.
- the FTP protocol is totally insecure; the credentials are sent in clear text and it is not extraordinarily hard for a "black hat" to "listen" on the network and obtain important passwords; a first solution would be to use secure transfer methods (see the SFTP protocol, which is also available on Windows, both as a client and as a server); in addition, passwords should be dropped entirely, with authentication done at least on the basis of public/private keys. The problem is rather ironic, though: what good are super-secret authentication methods as long as your computer is infected and "big brother" sees everything you do?
- the network of infected computers is extremely large; given a specific goal, no network is protected; if you do not believe me, remember that about a week ago Facebook and Twitter were blocked for several hours and Google did not feel too well either.
- we are becoming more and more dependent on technology and opening more and more attack doors without giving a moment's thought to the consequences: social networking sites, colourful toolbars, emoticon add-ons, kittens on the mouse pointer, odd players or codecs, abracadabra messengers, and the list does not stop there.
Comments are welcome.



August 17, 2009 - 11:57
for those using TC, install it in a non-default directory, and keep the ini files in Program Files, not in Windows.
likewise, obviously, it is preferable that passwords not be stored in the FTP client. you can make a separate file on the desktop from which you copy & paste. for those with only 1-2 sites this method is actually recommended.
August 17, 2009 - 12:17
@gigix, instead of keeping a file with the password, better keep a file with the certificate (private key).
Otherwise, how many people use the virtual keyboard so as not to actually type their passwords?
August 17, 2009 - 16:11
Let's be thankful the attack was automated and it wasn't a real person handling everything, who knows what would have come out of it…
I have no toolbar on Firefox, precisely so as not to allow sniffing access to third-party applications.
The virus is Russian and turns the computer into a zombie, it seems to be part of a botnet.