emselves compromised by SSH dictionary attacks. One of these
was a root account. In all cases the customer was running sshd on
port 22 with password authentication enabled.
- 2 cases of customer VPSes engaged in direct denial of service
  attacks (packeting).

  One was broken into through an insecure Joomla template.

  The other was cause unknown since the customer never responded,
  but was probably fraudulently purchased from the beginning since
  the PayPal transaction was also disputed.

- 2 customers participating in a DDoS through their open DNS
  resolvers:

  http://bitfolk.com/orns.html

- 4 customers hosting bank phishing sites (i.e. they're hosting
  pages that are made to look like bank sites which people are
  directed to, and then after their info is filled in, the info is
  sent to the attacker).

  Cause as-yet unknown for one of these because it happened only
  last night.

  Cause for one was a Wordpress exploit that allowed the attacker to
  upload a page of their own content. Not sure whether that was a
  case of an out of date Wordpress install or a bad plugin.

  Cause for one was an unknown CMS which customer left admin
  unpassworded.

  Cause for last one was never determined and customer did not give
  permission for us to examine. VPS was reinstalled.

- At least 20 reports of drones connecting to their C&C¹ channels
  through Tor exit nodes hosted by BitFolk customers.

  It's still abuse but there's nothing that can be done since it's
  Tor.
There'll probably be a couple more that I was unable to find, but
that's the gist of it.
Cheers,
Andy
¹ Command and Control -
http://www.shadowserver.org/wiki/pmwiki.php/Information/Botnets#commandandcontrolmechanisms
-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
"I'd be happy to buy all variations of sex to ensure I got what I wanted."
— Gary Coates (talking about cabling)
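Detection logic for the first item in Andy's list (password guessing against sshd that ends in a successful root login), as an added example that is not part of the original post: it scans constructed auth.log lines and flags any source whose burst of failed passwords was followed by an accepted password login. The sample log lines, the failure threshold of 4 and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines for the example (not from the mailing-list post).
SAMPLE_AUTH_LOG = """\
Dec  6 03:12:01 vps sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Dec  6 03:12:03 vps sshd[2213]: Failed password for root from 198.51.100.7 port 51030 ssh2
Dec  6 03:12:05 vps sshd[2215]: Failed password for root from 198.51.100.7 port 51038 ssh2
Dec  6 03:12:07 vps sshd[2217]: Failed password for root from 198.51.100.7 port 51041 ssh2
Dec  6 03:12:09 vps sshd[2219]: Failed password for root from 198.51.100.7 port 51049 ssh2
Dec  6 03:12:11 vps sshd[2221]: Accepted password for root from 198.51.100.7 port 51055 ssh2
Dec  6 07:40:10 vps sshd[2400]: Failed password for alice from 203.0.113.9 port 40001 ssh2
Dec  6 07:40:20 vps sshd[2402]: Accepted publickey for alice from 203.0.113.9 port 40002 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for X" forms.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def analyse_auth_log(text, threshold=4):
    """Per-source summary: failure count, usernames tried, and password
    logins accepted after at least `threshold` failures from that source."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "suspect_logins": []})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = stats[m["src"]]
        if m["result"] == "Failed":
            s["failed"] += 1
            s["users"].add(m["user"])
        elif m["method"] == "password" and s["failed"] >= threshold:
            # A password login accepted from a source that was just guessing
            # is the likely-compromise signal the post describes.
            s["suspect_logins"].append(m["user"])
    return dict(stats)


def likely_compromised(stats):
    """Sources whose guessing ended in an accepted password login."""
    return {src: d["suspect_logins"] for src, d in stats.items() if d["suspect_logins"]}
```

A key-based login from a source with a few failures (the second host above) is deliberately not flagged; only password acceptances after a burst are.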
From mike@??? Fri Dec 07 09:01:34 2012
Message-ID: <50C1B062.3060203@???>
Date: Fri, 07 Dec 2012 09:01:22 +0000
From: Mike Zanker <mike@???>
To: users@???
References: <20121207021942.GT3867@???>
In-Reply-To: <20121207021942.GT3867@???>