Re: [Full-disclosure] Compromised VPN provider out there?



How came im not surprised that public proxies are being abused for brute
force attacks?

You're just that far ahead of the curve?

On Tue, Apr 10, 2012 at 5:17 AM, <nix@xxxxxxxxxxxxxxxx> wrote:
Hi

To any security-aware VPN providers out there reading this:

More than 800 hosts (mostly from Asia) started hitting TorVPN.com's
webserver on HTTPS with login requests.

Before blocking them all (and adding them to the proxy list section of my
site after testing, heh)
I decided to temporarily log the attempted usernames and passwords for a
few seconds to see what the deal was.

The usernames and passwords do not seem to be from dictionaries, more like
someone got a hold of plaintext
userinfo from somewhere and figured enough of them could be valid for
TorVPN.com to make it worth
the time to write a script and start bruteforcing (and monitor results,
because when I changed the login
URL, they updated their script in less than 5 minutes).

I believe the most likely reason for an attacker to try check for password
re-use on my site is if their
accounts are from another VPN provider's database - which is why I am
writing this.

Below you will find a list of usernames (not posting the passwords) that
were logged in those few seconds.
(None of them are actual real users on TorVPN, they are not part of any
public list that can be found with Google)

  - vlai1214
  - BHGboat
  - haines
  - Mod95TZc
  - JJOM54
  - johnnieak
  - hair7
  - hair18
  - flipperke
  - outhcent
  - haipas
  - hainline
  - anxdpphh2334
  - rgcBCN
  - Pretty26
  - hair11
  - hairaP
  - cyrren
  - tomba73
  - mikemaynard25a
  - jamesmorrow
  - lending2
  - laynec
  - willthekiller
  - chrisn
  - chulony79
  - firefox

If someone-who-isn't-me obtains similar info from an attack, manages to
log in to another VPN provider
with the logged accounts, sends me an e-mail about this success, I will
post the results.

If anyone has already experienced a similar password bruteforce on their
VPN-website, do not hesitate to post details.

Whoever hammered my server, I'd like to thank you for possibly helping to
uncover an ownage, as well as for helping me
re-fill the list of proxies on my site with working ones.

Kind regards,
https://torvpn.com/

ps: a couple of IPs with the most attempts

# 189.127.120.253 -> 927
# 64.79.72.52 -> 868
# 186.225.60.90 -> 785
# 217.112.128.247 -> 732
# 203.122.19.11 -> 699
# 178.132.216.182 -> 699
# 146.255.9.124 -> 664
# 222.165.175.246 -> 646
# 188.230.77.233 -> 632
# 190.90.100.103 -> 584
# 188.241.71.1 -> 583
# 201.65.25.85 -> 563
# 202.47.88.46 -> 561
# 208.94.244.15 -> 494
# 187.0.32.6 -> 485
# 210.212.144.214 -> 484
# 196.1.178.254 -> 474
# 201.234.220.99 -> 474
# 190.145.74.10 -> 472
# 184.164.142.214 -> 465
# 89.235.50.141 -> 461
# 175.111.192.12 -> 461
# 186.225.106.146 -> 450
# 188.127.231.78 -> 450
# 200.1.110.146 -> 449
# 93.99.16.254 -> 434
# 84.22.50.42 -> 422
# 93.89.84.220 -> 401
# 201.234.58.212 -> 396
# 187.60.96.7 -> 379
# 125.21.55.194 -> 374
# 121.254.133.150 -> 366
# 202.46.69.4 -> 363
# 157.181.228.181 -> 361
# 201.49.77.7 -> 361
# 46.4.33.41 -> 360
# 206.212.249.237 -> 358
# 202.29.97.2 -> 355
# 46.162.1.253 -> 354



Just due to curiosity, I picked up the first proxy (189.127.120.253) and
ran it against http://nixapi.com/ip-reputation-lookup. The result was
'HTTP L3 (Transparent) proxy 189.127.120.253:3128 - Verified 03:49:38
ago.'

How came im not surprised that public proxies are being abused for brute
force attacks? About a year ago, I setup a public proxy for testing
purposes, after ~two day uptime what I can remember;

Over 500 simultaneus connections all the time
I think there was only 0.1% human users, the rest were abuse bots/scripts
Bandwidth used constantly: 15-50Mbps/second (I remember capping it to
50Mbps) to prevent network lag issues to other services)

There were several hundreds of thousand connections in very short time ...





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages