tangaroa

My secret Twiki site that I haven't told anyone about got hacked into. It makes me wonder how they found me. I'm on a shared host so I should have been safe from a simple IP scan. They had to have known my hostname and then scanned the site and found a twiki installation. They also had to have cared enough about twiki to have twiki intrusion instructions in their attack kit.

The root cause is probably leaving registration open, which is the default and recommended (heh) setting. I don't even remember if I did that, and I can't find the setting to change it. I haven't decided yet if I want to go full Madagascar or mess around with them first.

Reviewing the logs, I don't see when they scanned me. They entered TwikiSiteTools and registered from there, so my site had already been scanned and logged as vulnerable in some database, and the initial intrusion was done by a script or by reading off one. After the break-ins, I see scans from EC2LinkFinder, GSLFBot, and WBSearchBot. GSLFBot operates on Amazon EC2. WBSearchBot belongs to WareBay. The scans are probably normal crawler activity for the beginning of the month.

From the logs, the first intrusion was at 2012-03-26 - 08:30 UTC and created two user accounts:

  • Colum Secku ColumSecku:yupiyrMqE6iV6:columbuspeck@live.com 89.152.199.209
  • Dolumbus Wecki DolumbusWecki:QDjishinMq4tw:columbuspeck@live.com 89.152.199.209

These at first seem to be generated by a grammar engine, but may be derivatives of Columbus Peck which itself is probably a fake name. The IP traces back to a /18 in Portugal which would have the user active in the morning before going to work or school, assuming that the attacker is not proxying in from elsewhere.

On 2012-03-27 - 07:50 UTC the intruder created a blank page in the TWiki group named "EasyExcessweightLossAssistyoutoHavetohaveNowadays". It sounds like something a spammer would put in an email topic, but there is no associated text.

On 2012-03-28 - 11:36 UTC the intruder, or a friend, created a third user account:

  • Eugenie Baca 1 EugenieBaca1:eonqQ6kwixjtE:eugeniebaca1si5@mailinator2.com 173.208.48.19

This IP traces back to a hosting company in Dallas, Ubiquity Server Solutions. It also reverse-resolves to a Comcast DSL customer in Texas.

The user immediately created a spam page:

  • Car_de_plus_en_plus_de_personnes_utilisent_Bitcoin_28 ("Because more and more people use Bitcoin 28").

The page contains random text in multiple languages, and a jpeg image. The jpeg appears to be a legitimate JFIF. Is there a jpeg-renderer zero-day out there? ImageMagick can convert it to a png without crashing. The image is just a chart with no meaningful information. Could it be steganography? Stegdetect finds nothing.

On further review, there is one link in the page to an article on a Libertarian website called The Daily Bell. The purpose of the attack was either search engine optimization or an attempt to lead me to dangerous and untrustworthy content that was inserted onto the Libertarian site, like Libertarianism. I don't see any obvious signs of the Bell being hacked, but they could have fixed any problems by now and the code loads enough different scripts that I won't bother looking closely at it. The jpeg image probably came from the Bell.

They haven't touched the site since then, so maybe they've figured out that my site is too worthless to give any attention to.

There is a Twitter user named Baca1, Szymon Leja, who lives in Chicago. No apparent relation. The guy[s] I'm looking for are probably in Western Europe.

si5 is the name of a company that offers "si5 spy missions" roleplaying for children in England. The hacker may have heard of it and thought it was cool.

They haven't yet tried to do this to me: twiki can be made to present arbitrary javascript.


Edit May 10: I turned off user registration, watched the site for a week, saw nothing happen, and have ignored it since then. The bots haven't. A bunch of new users have appeared even though registration is disabled. Fortunately, no changes seem to have been made to the site.

The new registrations came in four waves. The names are probably machine-generated.

  • 2012-04-20: FronaMatos8 and ChrissieWebber
  • 2012-05-04: EnriqueBauman and LemuelGriggs9 (184.82.48.2 and 108.62.88.193)
  • 2012-05-09: IshmaelCarson and OttilieHolley (173.208.48.23 and 70.33.250.236)
  • 2012-05-10: HomerCoyle1, HuldaGlover2, LeoraGould1, TempieBlanco9 (173.208.48.11, 173.208.48.22, 173.208.48.19, 173.208.48.10)

The attackers' entry point is ... the registration page. Really?

| 2012-05-10 - 17:06 | guest | view | GIDEA.WebHome |  Mozilla | 173.208.48.10 |
| 2012-05-10 - 17:06 | guest | view | TWiki.TWikiRegistration |  Mozilla | 173.208.48.10 |

I tried registering a fake account myself, and this was the result:

Access check on Main.TWikiRegistration failed. Action "CHANGE": access denied on web.

The more important result was that the fake user account was added to the user list like the others. This was probably what happened to the attackers: they sent registration information and ended up with a half-created account that they could not use. Since I've already "secured" registration in the documented manner and that wasn't enough, I turned off read access to the TwikiRegistration page at the filesystem level.

More investigation shows that the user accounts were in fact created in the .htpasswd file and the attackers could log in, but for reasons I am unsure of, they could not create or edit pages. Since there is no one else on the site, I revoked write access to the .htpasswd file.
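The two artifacts the post works from are the pipe-delimited TWiki access log (the layout quoted above) and the .htpasswd user list (the WikiName:hash:email layout quoted earlier). The following is an added example, not code from the post or from TWiki, that parses both, counts which IPs reached the registration topic, and lists accounts that are not on a known-user allowlist. The sample log lines and .htpasswd entries are constructed for the example; the hashes are placeholders and the allowlist name is hypothetical.

```python
import re
from collections import Counter

# Constructed sample log lines in the layout the post quotes:
# | date - time | user | action | web.topic | extra | ip |
SAMPLE_LOG = """\
| 2012-05-10 - 17:06 | guest | view | GIDEA.WebHome |  Mozilla | 173.208.48.10 |
| 2012-05-10 - 17:06 | guest | view | TWiki.TWikiRegistration |  Mozilla | 173.208.48.10 |
| 2012-05-10 - 17:07 | guest | register | TWiki.TWikiRegistration |  Mozilla | 173.208.48.10 |
| 2012-05-10 - 17:20 | guest | view | Main.WebHome |  Mozilla | 192.0.2.7 |
| 2012-05-10 - 17:21 | guest | view | TWiki.TWikiRegistration |  Mozilla | 192.0.2.7 |
"""

# Constructed .htpasswd lines in the WikiName:hash:email layout quoted in the post.
# The hash field is a placeholder, not a real crypt() value.
SAMPLE_HTPASSWD = """\
# comment lines and blank lines are skipped
TangaroaAdmin:xxPLACEHOLDERxx:admin@example.invalid
HomerCoyle1:xxPLACEHOLDERxx:homercoyle1@example.invalid
HuldaGlover2:xxPLACEHOLDERxx:huldaglover2@example.invalid
"""

# Hypothetical allowlist: the only account the site owner actually created.
KNOWN_ACCOUNTS = {"TangaroaAdmin"}

LOG_RE = re.compile(
    r"^\|\s*(?P<when>[^|]+?)\s*\|\s*(?P<user>[^|]*?)\s*\|\s*(?P<action>[^|]*?)\s*\|"
    r"\s*(?P<topic>[^|]*?)\s*\|\s*(?P<extra>[^|]*?)\s*\|\s*(?P<ip>[^|]*?)\s*\|\s*$"
)


def parse_log(text):
    """Parse pipe-delimited TWiki log lines into dicts; lines that do not match are ignored."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def registration_hits(entries):
    """Count, per source IP, every view or register action on a *.TWikiRegistration topic.
    With registration disabled, any non-zero count here is worth a look."""
    hits = Counter()
    for e in entries:
        if e["topic"].endswith(".TWikiRegistration"):
            hits[e["ip"]] += 1
    return dict(hits)


def parse_htpasswd(text):
    """Map WikiName -> email from WikiName:hash:email lines; skip comments and blanks."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) == 3:
            name, _hash, email = parts
            accounts[name] = email
    return accounts


def unexpected_accounts(accounts, known):
    """Accounts present in .htpasswd that the site owner did not create."""
    return sorted(name for name in accounts if name not in known)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("registration hits by IP:", registration_hits(entries))
    accounts = parse_htpasswd(SAMPLE_HTPASSWD)
    print("unexpected accounts:", unexpected_accounts(accounts, KNOWN_ACCOUNTS))
```

Run against the real files the same two checks give a quick answer to the questions the post asks: who is still reaching TWikiRegistration after it was turned off, and which .htpasswd entries nobody on the site created.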

More about the attackers' IP addresses:

  • 173.208.48.0-32 - Hosted by Ubiquity Server Solutions in Texas.
  • 184.82.48.2 - Hosted by Hostnoc in Scranton, Pennsylvania.
  • 108.62.88.193 - Hosted by Ubiquity Server Solutions in Chicago.
  • 70.33.250.236 - H4Y Technologies /24. The IP block is owned by Peer 1, the server is hosted by the Comcast Cloud Connection Center in Los Angeles.
