Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Are you watching for brute force attacks on IPv6?

Published: 2018-01-09
Last Updated: 2018-01-16 17:13:57 UTC
by Jim Clausing (Version: 1)
1 comment(s)

For a number of years, I've had a personal blog that for the last 2 or 3 years has been pretty much dormant. A few years ago, I found a deal for a VPS instance for $5/month and decided to host my blog there using WordPress. One of the nice feature of this particular VPS setup is that it has good IPv6 connectivity, so I registered the IPv6 address in DNS. I use fail2ban to protect ssh against brute forcing, but I wanted to also protect my WordPress site, so I configured it to log all authentication attempts so that I could have fail2ban watch that log. For much of the last year, I've noticed something really odd. The vast majority of attempts against my WordPress site have come over IPv6. Here is a typical summary from the log (thank you logwatch, note, the IPs have NOT been changed to protect the guilty).

    wordpress(<redacted>): XML-RPC authentication attempt for unknown user jim from 2001:41d0:2:3ca::: 3 Time(s)
    wordpress(<redacted>): XML-RPC authentication attempt for unknown user jim from 2403:cb00:cb02:101:100:211:51:0: 1 Time(s)
    wordpress(<redacted>): XML-RPC authentication attempt for unknown user jim from 2607:f128:22:4121:312:18:412:2500: 1 Time(s)
    wordpress(<redacted>): XML-RPC authentication attempt for unknown user jim from 2607:f298:5:100b::7b:929a: 2 Time(s)
    wordpress(<redacted>): XML-RPC authentication attempt for unknown user jim from 2607:f298:5:100f::76c:545a: 1 Time(s)
    wordpress(<redacted>): XML-RPC authentication attempt for unknown user jim from 2607:f298:5:104b::fc5:7e49: 2 Time(s)
    wordpress(<redacted>): XML-RPC authentication attempt for unknown user jim from 2607:f298:5:110b::6c5:436f: 1 Time(s)
    wordpress(<redacted>): XML-RPC authentication attempt for unknown user jim from 2607:f298:5:115b::40e:3c25: 3 Time(s)
    wordpress(<redacted>): XML-RPC authentication attempt for unknown user jim from 2607:f298:5:115b::b4d:cc90: 5 Time(s)
    wordpress(<redacted>): XML-RPC authentication attempt for unknown user jim from 2607:f298:5:6000::36d:2f48: 1 Time(s)
    wordpress(<redacted>): XML-RPC authentication attempt for unknown user jim from 2607:f298:6:a066::c55:8af1: 3 Time(s)
    wordpress(<redacted>): XML-RPC authentication attempt for unknown user jim from 2a03:6f00:1::5c35:72f5: 2 Time(s)
    wordpress(<redacted>): XML-RPC authentication attempt for unknown user jim from 64.13.192.15: 1 Time(s)

We've talked for years about IPv6 and it is a growing percentage of the traffic on the internet, but we haven't really heard about many attacks over IPv6. Clearly, many of the attacks that occur over IPv4 can happen over IPv6 once the bad guys determine that it is worth the effort. Apparently, there are some folks out there who have decided that attacking WordPress is worth the effort. I don't know what kind of ROI (return on investment) they are getting out of it yet, but attacks over IPv6 are only going to increase as we move forward, so we'd better be building up our monitoring and defenses to meet the challenge.

What do you think? Are you monitoring IPv6 to the same extent as IPv4? Are you seeing attacks over IPv6? If so, what? Let us know in the comments or via our contact page.

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

Join me to learn about Malware Analysis

Upcoming Courses Taught By Jim Clausing
Type Course / Location Date

Community SANS
 
Community SANS Minneapolis FOR610 Minneapolis, MN
Mar 5, 2018 -
Mar 10, 2018

Community SANS
 
Community SANS Columbia FOR610 Columbia, MD
Mar 26, 2018 -
Mar 31, 2018
1 comment(s)

Decrypting malicious PDFs with the key

Published: 2018-01-15
Last Updated: 2018-01-15 23:12:33 UTC
by Didier Stevens (Version: 1)
0 comment(s)

Sometimes malicious documents are encrypted, like PDFs. If you know the user password, you can use a tool like QPDF to decrypt it. If it's encypted for DRM (with an owner password), QPDF can decrypt it without you knowing the owner password.

If you don't know the user password, you can try to crack it. But if it's a long random password, that won't be feasible. But there's still a way to decrypt the PDF, if a 40-bit key was used. With Hashcat, it's possible to crack this 40-bit key (regardless of how long or complex the password is).

Until recently, it was not easy to decrypt a PDF when you just knew the key, and not the password. This has changed with the release of QPDF 7.1.0: with the new option --password-is-hex-key, one can provide the key (in stead of the password).

 

 

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Keywords: encryption maldoc pdf
0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Peeking into Excel files
Jan 14th 2018
2 days ago by DidierStevens (0 comments)

Flaw in Intel's Active Management Technology (AMT)
Jan 13th 2018
3 days ago by Rick (0 comments)

Those pesky registry keys required by critical security patches
Jan 12th 2018
4 days ago by Bojan (6 comments)

Mining or Nothing!
Jan 11th 2018
5 days ago by Xme (1 comment)

GitHub InfoSec Threepeat: HELK, ptf, and VulnWhisperer
Jan 10th 2018
6 days ago by Russ McRee (1 comment)

View All Diaries →

Latest Discussions

What is airbnb doing?
created Jan 9th 2018
1 week ago by Mike (0 replies)

Convert OST Emails to PST Files
created Jan 4th 2018
1 week ago by Anonymous (0 replies)

Windows Client what the hell is this?
created Jan 2nd 2018
2 weeks ago by Anonymous (0 replies)

My log Reports not displaying reported entries
created Dec 22nd 2017
3 weeks ago by Tony (0 replies)

StormCast RSS feed not supporting older SSL?
created Dec 15th 2017
1 month ago by Anonymous (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
6 months ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
5 months ago by Johannes (12 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
1 month ago by Russ McRee (2 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
4 months ago by Renato (0 comments)

Maldoc with auto-updated link
Aug 17th 2017
5 months ago by Xme (2 comments)