Compromised - Hacked

bc.gold

Turned on my laptop this morning to discover two new user accounts have been added, Catman2020 and the ftp account which is disabled for user elmgren.

 

It would appear that my new friend, left unattended, would have used the FTP ports for his nefarious deed. Since I do not have an FTP server, as an added precaution I'll close those ports in the firewall.

 

For the time being I've changed the password on that new account. Next on my list is to have my ISP flush our IP; once that's done a new number will be dynamically assigned. The new number breaks the chain for the purpose I believe my computer will be used for: as an addition to a botnet.

 

DDoS for hire: Subleasing infected computers. To understand the business of DDoS-for-hire let’s take a look at what exactly the “product” is.

In a nutshell, what these DDoS services are usually selling is access to DDoS botnets: networks of malware-infected computers, which are in turn being “subleased” to subscribers.

 

Sadly, building such a botnet is simpler than you may think, considering the elaborate damage that can be caused by a cluster of such “zombie” computers.

 

For instance, a quick Internet search by any would-be botnet creator will pull up several popular botnet builder kits, often complete with a set of tips and instructions.

 

Typically, such kits contain the bot payload and the CnC (command and control) files. Using these, aspiring bot masters (a.k.a. herders) can start distributing malware, infecting devices through the use of spam email, vulnerability scanners, brute force attacks and more.

With enough computers, mobile phones and other Internet-connected devices “enslaved”, a new botnet is born—ready to do the dirty work of anyone willing to pay.

[attachment: ftp.jpg]

bottjernat1

I used to be a hacker. I have since grown up a bit. Got kicked out of school for 3 days for it. I hacked the local school's computers many years ago. Anyway, what I like to do now is hack the hackers and bombard them with crap emails and harass them while they are hacking. I overwhelmed a person a few months ago and they stopped. I bet I actually overwhelmed the device they were using to hack. The folks who do this bad voodoo need to get out of their moms' basement and go get damn jobs! LOL

nylyon

I would change your admin password as well and look into how they gained enough access to create 2 accounts.

bc.gold
9 minutes ago, bottjernat1 said:

I used to be a hacker. I have since grown up a bit. Got kicked out of school for 3 days for it. I hacked the local school's computers many years ago. Anyway, what I like to do now is hack the hackers and bombard them with crap emails and harass them while they are hacking. I overwhelmed a person a few months ago and they stopped. I bet I actually overwhelmed the device they were using to hack. The folks who do this bad voodoo need to get out of their moms' basement and go get damn jobs! LOL

 

I studied as a whitehat; there is lots of information on Astalavista on how to harden up your PC or server from abuse.

bc.gold
5 minutes ago, nylyon said:

I would change your admin password as well and look into how they gained enough access to create 2 accounts.

 

Good idea, but I don't think the hacker will return anytime soon; he/she has already added the bot script, found an open port, and has my IP address to carry out the dirty deed.

 

After installing an SSD along with a fresh Ubuntu install I pretty much left it as a basic install; I should have installed Tripwire.

 

How Tripwire works

A Tripwire check compares the current filesystem state against a known baseline state and alerts on any changes it detects. The baseline and check behavior are controlled by a policy file, which specifies which files or directories to monitor, and which attributes to monitor on them, such as hashes, file permissions, and ownership.

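As an added illustration of the baseline-and-check idea described above (example code written for this thread, not Tripwire's own or the original poster's): a minimal Python integrity checker that records a content hash, permission bits and ownership for each file, then reports what was added, removed or changed. The directory tree and the simulated post-compromise changes are constructed, and the same check over /etc/passwd would flag the kind of account addition described at the top of the thread.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Attributes recorded per file, mirroring what a Tripwire policy can watch:
# content hash, permission bits, owner uid and group gid.
ATTRS = ("hash", "mode", "uid", "gid")


def snapshot(root):
    """Baseline a tree: {relative path: (sha256, mode, uid, gid)} for every regular file."""
    state = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        st = path.lstat()
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        state[str(path.relative_to(root))] = (digest, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return state


def check(baseline, current):
    """Compare two snapshots: returns (added paths, removed paths, {changed path: differing attrs})."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for p in set(baseline) & set(current):
        diffs = [name for name, old, new in zip(ATTRS, baseline[p], current[p]) if old != new]
        if diffs:
            changed[p] = diffs
    return added, removed, changed


def demo():
    """Constructed scenario: baseline a small 'etc' tree, then simulate an intruder's changes."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root, "etc")
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0::/root:/bin/bash\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        os.chmod(etc / "hosts", 0o644)  # pin the mode so the baseline is umask-independent
        baseline = snapshot(root)
        # Simulated post-compromise changes (constructed sample data, not from a real system):
        (etc / "passwd").write_text("root:x:0:0::/root:/bin/bash\nCatman2020:x:1001:1001::/home/Catman2020:/bin/bash\n")
        (Path(root) / "bot.sh").write_text("#!/bin/sh\n")  # new file the baseline never saw
        os.chmod(etc / "hosts", 0o600)  # permission change only, content untouched
        return check(baseline, snapshot(root))
```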
 
bc.gold

Changing the password gives the user peace of mind but in my opinion is a waste of time. Like I mentioned earlier, years ago I studied as a whitehat; at the time encryption was my main interest.

 

In the early 1990s Phil Zimmermann developed PGP; the United States Government took him to court for exporting the hardened encryption software, which was classed as a munition.

 

All that's required in this case is to remove the unwanted account along with the bot script.

 

With forensics software such as Cain nothing is secret on that old hard drive, even if it's been through a fire.

 

What is John the Ripper?

John the Ripper is a free password cracking software tool developed by Openwall. It was originally developed for Unix operating systems but later developed for other platforms as well. It is one of the most popular password testing and breaking programs, as it combines a number of password crackers into one package, autodetects password hash types, and includes a customizable cracker. It can be run against various encrypted password formats, including several crypt password hash types commonly found in Linux or Windows. It can also be used to crack passwords of compressed files like ZIP and also document files like PDF.

bc.gold

Hackers using a port scan software app quickly locate open ports on a network, then they set that open port into their telnet app; with John the Ripper you're history.

 

The hacker would scan the whole network block, so don't feel that you're being singled out.

 

Botnets are mostly used to compromise banks and other large data sources for credit card numbers, which I hear, depending on the card, sell for various dollar amounts on the black market.

 

Just imagine your stolen credit card number has been sold to various buyers located around the world, who quickly duplicate the card then go to work on the streets, buying up goods to be converted into cash by reselling on online auctions.

 

Theft by conversion.

 

Telnet is one of the earliest remote login protocols on the Internet. It was initially released in the early days of IP networking in 1969, and was for a long time the default way to access remote networked computers.

 

It is a client-server protocol that provides the user a terminal session to the remote host from the telnet client application. Since the protocol provides no built-in security measures, it suffers from serious security issues that have limited its usefulness in environments where the network cannot be fully trusted. The use of Telnet over the public Internet should be avoided due to the risk of eavesdropping.

bc.gold

Years ago, when encryption was in its infancy, my claim to fame is that I donated idle computer time to distributed.net. An encrypted message was put out, and it was up to the distributed groups around the world to generate keys that would eventually unlock the message.

 

As encryption was hardened up to military grade it could take a year or more to have a key match. At the time there was a small percentage of donors.

 

Distributed computing is a good way to advance technology; it's a white hat botnet made up of volunteers. From the article below you can figure the value of an illegal botnet used for hire.

 

One of the largest botnets had 30 million computers, and it is estimated the BredoLab owner made up to US$139,000 per month.

#1 BredoLab

BredoLab is by far the largest recorded botnet to date, as it combined the resources of over 30 million computers around the world. Russian hackers set up this malicious network to conduct viral email spam. Thankfully, law enforcement agencies managed to bring the network down in November of 2010, after they seized the command and control servers.

This particular botnet sent out a lot of emails containing malware-laden attachments. Opening this attachment turned the computer into an infected host, and also created a backdoor for hackers to download other malicious software on the computer. Large parts of the botnet were leased to third parties, and it is estimated the BredoLab owner made up to US$139,000 per month.

 

Here's a message from the distributed network site.

 

Dear friends

Great news – the OGR-28 project has now been progressing for 2000 days and has brought 60,000 people from around the world together working towards a single goal. If you have recently joined us, welcome :)

 

The combined effort of our group using commodity computer equipment is producing the same amount of work that would be produced by a major supercomputer – such as the Cray XC40 model used in Texas Advanced Computer Center’s Lonestar 5. A single Cray XC40 cabinet contains 192 nodes, each with 24 cores of Intel Xeon CPU power and costs upwards of $500,000; with a power cost of about $100,000 per year.

 

bc.gold

Not sure if this is my friend Catman2020; if it is, the dude has a sense of humor. Was going to delete the ftp account, but a notification came up advising there are files in the folder.

 

Think I'll mosey on over and see what he's hiding; I'll also get to see the creation dates when those files were uploaded into that folder.

 

[attachment: funny.png]

[attachment: ftp.jpg]

bc.gold

I love Linux: no boardroom directors making decisions based on how many people are being compromised versus dollars to fix the problem - shareholders come first.

 

The new account was set up for mailing spam; the ftp account held the files to be attached to the outgoing messages.

bc.gold

Hackers have a new trick: this morning I went to turn on the WiFi on the router, only to discover the radio buttons were missing, so there was no way to turn on the WiFi.

 

Most people configure their router and forget about it; some may turn it off during the evening, and the DNS hack would go unnoticed for months. Since my use of the WiFi is infrequent, I was able to see that the router had been taken over by a third party, aka hacker.

 

For the majority of people this DNS hack would go unnoticed.

 

D-Link defaults: direct your browser to 192.168.0.1 and a pop-up appears: admin, enter password. Yes, that is the default password; during the configuration you'll be given the option to change the password.

 

What the heck is DNS Hijacking?

One of these tricks is known as “DNS hijacking.” Sound complicated? Yes, it’s a little bit tricky. Let me explain.

 

A DNS, or domain name system, is often called the phone book for the internet. It translates names of websites, like Google.com, to an IP address, like 74.125.239.2. The communication between the two is critical to correctly direct web traffic.

What these clever hackers do is insert rogue DNS servers so your traffic is directed to unsafe servers, instead of the secure servers your internet service provider gives you. This means cybercriminals can redirect you to fake versions of websites you’re attempting to visit.

 

For example, if your router’s DNS settings have been hijacked, each time you visit your bank’s website, you’ll be redirected to a phishing website instead.

 

Criminals can also use DNS hijacking to modify ads you see while browsing. Instead of the regular ads you should be getting, they’re replaced with inappropriate or malicious ones. This opens you up to a whole world where all your personal information is vulnerable and so is your system.

bc.gold

Green Castle, it's go time.

 

[attachment: green.jpg]