[Plug-security] Sheesh - it's just too easy! 3389 Fun
Lisa Kachold
lisakachold at obnosis.com
Thu Sep 26 09:06:23 MST 2013
Nmap scan report for 192.95.38.42
Host is up (0.087s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
3389/tcp open ms-wbt-server
49154/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 12.64 seconds
[root at fly-obnosis-com asil]#
3389 LAUGH!
Using ncrack:
http://www.techchop.com/2011/10/ep8-how-to-hack-windows-remote-desktop.html
Using AngryIP: http://www.youtube.com/watch?v=J6V4Ld6HqKQ
Overview: http://www.dome9.com/security-challenges/rdp-port-3389-security
DISCLAIMER: Do not actually attack these systems; that would be illegal,
and you could meet with National and International consequences including
jail, long term federal monitoring, or worse - including becoming a target
yourself with a lifelong "parasite" on all of your systems.
Summary: We are MOCK targeting the systems that we catch in our denyhosts
trap running on a mail server:
But who "owns" this IP:
192.95.38.42 - Geo Information
IP Address: 192.95.38.42 <http://cqcounter.com/traceroute/?query=192.95.38.42>
Host: 192.95.38.42
Location: US, United States
City: Newark, NJ 07102
Organization: OVH Hosting
ISP: OVH Hosting
AS Number: AS16276 OVH Systems
Latitude: 40°73'55" North
Longitude: 74°17'41" West
Distance: 7593.96 km (4718.67 miles)
http://www.ovh.com/us/index.xml
This is a hosting account on an international hosting provider.
Probably pwned by Anonymous or Chinese hackers.
So, what would our responsible action be?
Report to the OVH with logs and time zone/time date stamp (done).
---------- Forwarded message ----------
From: DenyHosts <nobody at mail.obnosis.com>
Date: Wed, Sep 25, 2013 at 5:07 PM
Subject: DenyHosts Report from mail
To: lisakachold at obnosis.com
Added the following hosts to /etc/hosts.deny:
192.95.38.42 (unknown)
---------------------------------------------------------------------
--
(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
it-clowns.com <http://it-clowns.com/c/>
Chief Clown
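As an added example (not part of the original post), a small Python helper for the "responsible action" step above: it parses a DenyHosts report and an nmap report in the formats quoted in this message, normalizes the server's local MST timestamp to UTC for the abuse report, and flags the exposed RDP service. The sample inputs are constructed from the post; the MST offset (UTC-7, no DST) is an assumption.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample input modelled on the DenyHosts report quoted in the post.
DENYHOSTS_REPORT = """\
Date: Wed, Sep 25, 2013 at 5:07 PM
Subject: DenyHosts Report from mail
Added the following hosts to /etc/hosts.deny:
192.95.38.42 (unknown)
"""

# Constructed sample modelled on the nmap output quoted in the post.
NMAP_OUTPUT = """\
Nmap scan report for 192.95.38.42
Host is up (0.087s latency).
PORT      STATE SERVICE
3389/tcp  open  ms-wbt-server
49154/tcp open  unknown
"""

# Assumption: the mail server logs in Arizona MST (UTC-7, no DST).
LOCAL_TZ = timezone(timedelta(hours=-7), "MST")

def parse_denyhosts(report):
    """Return (UTC ISO-8601 timestamp, [blocked hosts]) from a DenyHosts report."""
    date_line = re.search(r"^Date: (.+)$", report, re.M).group(1)
    local = datetime.strptime(date_line, "%a, %b %d, %Y at %I:%M %p")
    # Abuse desks want an unambiguous time: attach the local zone, convert to UTC.
    utc = local.replace(tzinfo=LOCAL_TZ).astimezone(timezone.utc)
    hosts = re.findall(r"^(\d{1,3}(?:\.\d{1,3}){3}) \(", report, re.M)
    return utc.isoformat(), hosts

def parse_nmap_open_ports(output):
    """Return {'port/proto': service} for every line nmap reports as open."""
    pairs = re.findall(r"^(\d+/(?:tcp|udp))\s+open\s+(\S+)$", output, re.M)
    return dict(pairs)

def abuse_report(report, nmap_output):
    """Build the abuse-desk text: UTC time, offending hosts, and an RDP exposure note."""
    when, hosts = parse_denyhosts(report)
    ports = parse_nmap_open_ports(nmap_output)
    lines = [f"Repeated failed logins blocked by DenyHosts at {when}"]
    lines += [f"Source host: {h}" for h in hosts]
    if ports.get("3389/tcp") == "ms-wbt-server":
        lines.append("Note: source exposes RDP (3389/tcp) to the internet and may itself be compromised")
    return "\n".join(lines)

if __name__ == "__main__":
    print(abuse_report(DENYHOSTS_REPORT, NMAP_OUTPUT))
```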