Your Fly Is Open

Netmenaces and other Internet Stupidity

If I Can't See It, It Isn't a Problem...

Here’s a (reconstructed from memory) transcript of a telephone call that I made earlier today to the owner of a hacked website. Please note: This is a business website. I’ve deliberately left out some portions of the conversation to protect… well, I really want to say “the innocent” here, but I’ll just go with “the naïve.” The overall gist of the conversation remains:

TL: Hi there... The receptionist put me through to you. There's a problem with your company's website... are you the person I should be speaking to about that?
Mr. X: I'm one of the partners in the firm. You can speak with me.
TL: Ok, good. Well, I've sent your company several emails trying to get someone to do something about your website. It's been hacked.
Mr. X: Yes. I've seen your emails.
TL: You have? Oh, good... and...?
Mr. X: I've been unable to find any evidence that the site has been "hacked."
Note: I could, literally, hear the quotes around "hacked" when he said it...
TL: Oh. Well... uh... did you do the Google search that I sent in the email? You're not, actually, going to see anything just by looking at your site. The people who compromised it added new pages, but didn't alter anything on your existing pages.
Mr. X: Well, if they didn't change anything and I can't see it on the site, it isn't really a problem, is it?
TL: Ok. I'm not really sure how to answer that. You seem like you're somewhat "put out" at me. Is there a problem?
Mr. X: I'm very busy, and you told me that my site is hacked. I spent time looking through the whole site, and I didn't see anything wrong. Now you're telling me that our site wasn't hacked...
TL: Whoa... I didn't say that...
Mr. X: You said that they didn't change any of our content.
TL: Yes, but that doesn't mean your site wasn't hacked...
Mr. X: It hasn't affected our site. I can't see it. Please stop bothering us about this. Goodbye.

And there you have it. This is why we can’t have nice things.

Ubiquiti Device? Patch Now...

If you have any Ubiquiti devices that aren’t running at the most current patch level, and those devices are reachable from the Internet, you should patch them IMMEDIATELY. According to this thread on Ubiquiti’s forum site, there is a worm exploiting unpatched AirOS and other devices (I’ve seen at least one EdgeOS device, but I can’t yet confirm that it’s part of the same issue…). I can, however, confirm that over the past 24 hours, I’ve seen several Ubiquiti devices hitting my SSH honeypots.

Tom Liston
Consultant - Cyber Network Defense
DarkMatter, LLC
Twitter: @tliston
May 15, 2016

The Russian Linking Rings

There is a classic magic trick known as The Chinese Linking Rings where apparently solid metal rings appear to link together, unlink, and are made into chains and various fancy patterns. Everyone knows that all the rings aren’t solid, but the fun is in how the magician dupes us into not seeing the “gimmicked” ring.

This is a story of a different kind of linking ring, but just like the magic trick, the fun part is all about how we’re duped into not seeing something that is clearly there.


It was hubris.

There’s no other way to describe it: Stupid, dumbass hubris.

This morning, I tried to SSH into one of my honeypots to continue some work I was doing last night before going to bed. I opened my laptop, fired off an SSH connection to the box, aaaand… nothing.

What the hell?

Those Crazy Belgians*

* I believe it is important to point out that I see myself as a kindred spirit to the Great Lyle Zapato, and that I fully ascribe to his strongly held belief that Belgium doesn’t exist. Therefore, while I will - for convenience’s sake - describe the following attack as “having originated from Brussels Hoofdstedelijk Gewest, Belgium,” we all know that Belgium is, and has always been, a leftist ruse.

It all began with some Python code that wouldn’t run…

I have a bunch of Python code that I use to extract various information from my honeypots. One of those scripts dumps out a list of URIs being “advertised” by comment spammers on some of the fake comment pages in my web app honeypot. Generally, those URIs point to pages that have been added to unsuspecting websites (mostly those running WordPress, The WebApp Hacker’s BFF™). Generally, I try to notify as many of those folks as I can and, one day, I fully expect to be canonized as the Patron Saint of the Hacked Website.

This morning, my script didn’t work. More precisely, it just hung…

Toyz From China

Earlier today, I was “given” some toyz from China.

Some people look at network attackers and think that they’re just here to take, take, take… however, if you look at things from a different perspective (and you’ve got a convincing enough SSH honeypot) you may find that they’re actually very giving people.

Mirror, Mirror on the 'Net...

…just how stupid can they get?

I am a generous and thoughtful person.

Really. I am. (Seriously… would a generous and thoughtful person lie to you about that?)

I’ve taken it upon myself to create and provide the Internet with a much-needed service that I like to call Tom’s Telnet Mirror™

It works like this:


Welcome to my blog!

“‘Your fly is open?’ What’s that all about?”

We’ve all been there - either on the “giving” or “receiving” end. It’s something you do… because, well… because it’s how decent people behave. If you see someone walking around and, unbeknownst to them, the ol' barndoor is open, you… well, you say something:

      “Hey…,” you whisper, “X-Y-Z!”
      (The universal code for “eXamine Your Zipper.”)

That’s sort of what I do… except I do it on the scale of the entire Internet…