SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2013-10-04

CSAM: WebHosting BruteForce logs

Published: 2013-10-04
Last Updated: 2013-10-04 19:52:58 UTC
by Pedro Bueno (Version: 1)
3 comment(s)

Today's log came from web hosting control panel software, the popular cPanel.

While there are a couple of exploits for the control panel itself, today we will analyze a portion of a log generated by CSF.

CSF is the ConfigServer Firewall plugin for cPanel. It works as a log checker for the various daemons on the system, watching the logs of services such as SSH, SMTP, FTP, etc.

Once it identifies possibly malicious behavior, it can take actions such as blocking the offending IP.

The log we received today is below:

lfd: blocked 113.78.38.218 (CN/China/-)
Time:     Fri Oct  4 02:59:09 2013 -0400
IP:       113.78.38.218 (CN/China/-)
Failures: 5 (smtpauth)
Interval: 300 seconds
Blocked:  Yes

Log entries:

2013-10-04 02:58:54 courier_login authenticator failed for (pc07) [113.78.38.218]:2622: 535 Incorrect authentication data (set_id=xedofghj)
2013-10-04 02:58:55 courier_login authenticator failed for (pc07) [113.78.38.218]:2622: 535 Incorrect authentication data (set_id=xedofghj)
2013-10-04 02:58:58 courier_login authenticator failed for (pc07) [113.78.38.218]:2622: 535 Incorrect authentication data (set_id=xedofghj)
2013-10-04 02:59:00 courier_login authenticator failed for (pc07) [113.78.38.218]:2622: 535 Incorrect authentication data (set_id=xedofghj)
2013-10-04 02:59:03 courier_login authenticator failed for (pc07) [113.78.38.218]:2622: 535 Incorrect authentication data (set_id=xedofghj)

--

What it says is that the IP address 113.78.38.218 was blocked because it had 5 invalid logins in less than 5 minutes (300 seconds).

Let's break the log message down to understand it better.

The first part is the description of the event:

--

lfd: blocked 113.78.38.218 (CN/China/-)
Time:     Fri Oct  4 02:59:09 2013 -0400
IP:       113.78.38.218 (CN/China/-)
Failures: 5 (smtpauth)
Interval: 300 seconds
Blocked:  Yes

--

This shows that the IP 113.78.38.218, which according to geolocation belongs to China, had 5 failed login attempts. The service targeted is SMTPAUTH, which provides authentication for the SMTP (email) service.

The time threshold set in this case is 300 seconds, and the action is to block.

This can be modified at: 

Plugins-> ConfigServer Security & Firewall-> Firewall Configuration-> Login Failure Blocking and Alerts

If you disable it, remember that you will be unable to detect brute-force attempts against your system, so you may want to fine-tune it before thinking about disabling it.
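To make the "5 failures in 300 seconds" decision concrete, here is an added example (not CSF's own code, which is not on this page) that parses courier_login failure lines like the ones quoted above and applies the same kind of sliding-window rule lfd's Login Failure Blocking describes. The sample input reuses the five lines from the diary and adds constructed lines for a second address, 198.51.100.7 (an RFC 5737 documentation address), that fails only twice inside the window and once more much later; that address must not be blocked at the default threshold, which is the case the interval setting exists for. The `failures` and `interval` parameters stand in for the two tunables mentioned in the configuration path; their names here are this example's own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input: the five lines quoted in the diary plus three
# lines for 198.51.100.7 (two failures 13 s apart, one failure ~11 min later).
SAMPLE_LOG = """\
2013-10-04 02:58:54 courier_login authenticator failed for (pc07) [113.78.38.218]:2622: 535 Incorrect authentication data (set_id=xedofghj)
2013-10-04 02:58:55 courier_login authenticator failed for (pc07) [113.78.38.218]:2622: 535 Incorrect authentication data (set_id=xedofghj)
2013-10-04 02:58:57 courier_login authenticator failed for (pc07) [198.51.100.7]:40120: 535 Incorrect authentication data (set_id=alice)
2013-10-04 02:58:58 courier_login authenticator failed for (pc07) [113.78.38.218]:2622: 535 Incorrect authentication data (set_id=xedofghj)
2013-10-04 02:59:00 courier_login authenticator failed for (pc07) [113.78.38.218]:2622: 535 Incorrect authentication data (set_id=xedofghj)
2013-10-04 02:59:03 courier_login authenticator failed for (pc07) [113.78.38.218]:2622: 535 Incorrect authentication data (set_id=xedofghj)
2013-10-04 02:59:10 courier_login authenticator failed for (pc07) [198.51.100.7]:40121: 535 Incorrect authentication data (set_id=alice)
2013-10-04 03:10:00 courier_login authenticator failed for (pc07) [198.51.100.7]:40122: 535 Incorrect authentication data (set_id=alice)
"""

# Matches the courier_login failure format shown in the diary; anything else
# (successful logins, other daemons) is ignored by the parser.
FAILURE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"courier_login authenticator failed for \((?P<host>[^)]*)\) "
    r"\[(?P<ip>[0-9.]+)\]:\d+: 535 .*\(set_id=(?P<user>[^)]*)\)$"
)


def parse_failures(text):
    """Yield (timestamp, ip, attempted_user) for each failure line in text."""
    for line in text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue
        yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["user"])


def detect_bruteforce(text, failures=5, interval=300):
    """Sliding-window rule in the spirit of lfd's Login Failure Blocking.

    An IP is flagged once it accumulates `failures` failed logins within any
    `interval`-second window. Failures older than the window are discarded, so
    a slow trickle of attempts never adds up to a block. Returns a dict keyed
    by IP with the count, first/last timestamp and usernames tried.
    """
    window = timedelta(seconds=interval)
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) in window
    blocked = {}
    for ts, ip, user in parse_failures(text):
        if ip in blocked:         # already decided; lfd would not log further
            continue
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop entries that fell out of the window
        if len(q) >= failures:
            blocked[ip] = {
                "count": len(q),
                "first": q[0][0],
                "last": ts,
                "users": sorted({u for _, u in q}),
            }
    return blocked


def format_alert(ip, record, service="smtpauth", interval=300):
    """Render a decision in the style of the lfd notification quoted above."""
    return (
        f"lfd: blocked {ip}\n"
        f"Failures: {record['count']} ({service})\n"
        f"Interval: {interval} seconds\n"
        f"Blocked:  Yes"
    )


if __name__ == "__main__":
    for ip, rec in detect_bruteforce(SAMPLE_LOG).items():
        print(format_alert(ip, rec))
```

With the defaults only 113.78.38.218 is flagged, at the fifth failure (02:59:03), which matches the diary's notification. Lowering `failures` to 2 would also block 198.51.100.7 on its second attempt, and lowering `failures` to 3 still does not, because its third attempt at 03:10:00 falls outside the 300-second window; widening `interval` to 700 seconds then catches it. That is the trade-off the configuration page lets you tune: a tighter threshold catches slower attackers but also blocks more legitimate users who mistype a password a few times.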

Btw, do you recognize this IP as a bad offender?

--

Pedro Bueno (pbueno /%%/ isc. sans. org)
Twitter: http://twitter.com/besecure


The Adobe Breach FAQ

Published: 2013-10-04
Last Updated: 2013-10-04 13:21:19 UTC
by Johannes Ullrich (Version: 1)
5 comment(s)

You have probably seen by now the stories about Adobe being breached, customer data being exposed and source code leaked. Excellent work by Brian Krebs in uncovering this breach; he has a great write-up about it here: http://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/

But what does this mean for you? Does this affect you as an Adobe customer? Here are a couple of questions that keep coming up.

1 - How did they get in?

It appears a vulnerability in Coldfusion was used to breach an Adobe site used for payment processing. The group that breached Adobe apparently used Coldfusion exploits as one of their favorite tools to breach sites. Again, see Brian's excellent work above for more details.

2 - I am a Coldfusion user. Should I worry?

Yes

3 - How do I protect myself as a Coldfusion user?

Make sure you are patched. Coldfusion had some significant vulnerabilities that were patched a few months ago (in particular the patches released around May). If you haven't patched those problems yet, then you should probably call this an "incident". But then again, Incident Response is so much more exciting than operations.

4 - Should I change hosting platforms from Coldfusion to something else?

Probably not. It is a ton of work to switch platforms. This time and effort is better spent shoring up your existing infrastructure. What controls do you have in place to detect a breach? How many Coldfusion servers do you have? How are they patched? Do you store confidential information on those servers that you don't really need on those servers?

5 - Do I need to change my passwords?

No. Adobe already changed your password on Adobe's site. If you are still using the same password on multiple sites: You are doing it wrong. Changing your password will help you as little as changing underwear if you don't clean it between uses.

6 - Do I need to worry about my credit card if I used it with Adobe?

You should always worry about your credit card. But for the most part, this is your bank's problem. Relax, watch your statements, get a new card if you see odd charges or if your bank notifies you. You used a Debit Card online? Brave! You probably also don't like seatbelts and eat supermarket puffer fish sushi.


------

Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
