Why the hackers are winning reason #1

Here’s a reason the hackers are winning:

Reason #1:  Stupid TLD registrars who make it nigh impossible to report abuse (#ISPidiots).

Our honeypot detected a brute-force attempt from IP address: 91.191.19.58

Well, let's do some looking into this abusive host / IP.

The first thing we do is a “whois” lookup to find out who’s responsible for it.  I caught this little bugger because I noticed it in an alert, I then looked it up on the Whackers For Hackers IPBL but didn’t see it listed. All our blocked IPs and networks go to the W4H IPBL.  We maintain a set of block lists that our honeypots have found from IP addresses online that get a bit pushy.  Our systems are continually looking for unsolicited attacks like failed login attempts, crap-ware TLDs (Top Level Domains) we deem pointless like .party, .ba, etc., and our lists continue building Internet Protocol (IP) addresses from attackers, hackers, hacked hosts and compromised systems like the one we’ll get into.

What I found was abuse at the ISP level:

ISP level abuse is the most egregious abuse in my view.  These are the companies allowing the infamous hacker loser access to the Internet.  OK, acceptable…BUT if you take that responsibility for being the “on ramp” to the Internet or more technically…the toll road, you should also be responsible enough to maintain proper reporting mechanisms which nic[.]ba does NOT do.  Like license plate registration for your car, marriage licenses or sex offender registries…errr…ummm, we need to know some information here people!

Let's look up the information here and see how we can report “abuse”.

Command:

whois 91.191.19.58

Results:

route: 91.191.19.0/24
descr: DASTO Semtel doo
descr: Bosnia Internet Service Provider
origin: AS35567
mnt-by: DASTO-MNT
created: 2007-06-02T19:11:59Z
last-modified: 2007-06-02T19:11:59Z
source: RIPE

Offense #1:  Pretty much no results for reporting abuse…no abuse@ email or contact email for abuse.  This is the first WTF ISP.  How can you let derps like DASTO Semtel, a telecom and ISP, NOT fill out DNS information properly?  You’re required to have an abuse@ address as a standard for reporting abuse.  Yes derps, you’re also required to provide two ways to access this list, NOT just a website.  Here is an excerpt from the rules for whois from ICANN.

“Access to this distributed network of independent databases is provided in two ways – through a free web page and through a free Port 43 service.”

“Searches for the full WHOIS contact data for the registrant and the designated administrator and technician, as well as the registration creation and expiration dates can be performed at the registrar’s systems (either through its web page and Port 43 service)”

OK, so no “abuse@” requirement but they don’t even have an administrator or technician.  Here’s a snippet from GoDaddy’s whois (HoDaddy because they sell your private information to 3rd parties and do domain front running – they actually mastered this by not “registering” the actual domain like front runners do but charging you more when you come back to it for a 2nd or 3rd look…how very Amazon of them!):

OrgTechEmail: noc@godaddy[.]com

OrgAbuseEmail: abuse@godaddy[.]com
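As an added example (my code, not the author's), here is a small Python triage helper that reads whois output the way this post does and says whether an abuse contact is actually published. The samples are constructed; the first copies the DASTO route object above, the others are made-up RIPE- and ARIN-style answers.

```python
import re

# Registries publish abuse contacts in a few places only: "abuse-mailbox:" on
# the role object behind "abuse-c:" (RIPE/APNIC/AFRINIC), "OrgAbuseEmail:"
# (ARIN), and the "% Abuse contact for ... is '...'" comment RIPE prints first.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def parse_whois(text):
    """Split RPSL-style output into (key, value) pairs plus '%' comment lines."""
    pairs, comments = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("%"):
            comments.append(line)
        elif ":" in line:
            key, _, value = line.partition(":")
            pairs.append((key.strip().lower(), value.strip()))
    return pairs, comments

def abuse_contacts(text):
    """Abuse mailboxes a whois answer publishes, in order, without duplicates."""
    pairs, comments = parse_whois(text)
    found = [m for c in comments if "abuse contact" in c.lower() for m in EMAIL_RE.findall(c)]
    for key, value in pairs:
        if key in ("abuse-mailbox", "orgabuseemail") or (key == "remarks" and "abuse" in value.lower()):
            found.extend(EMAIL_RE.findall(value))
    return list(dict.fromkeys(found))

def where_to_report(text):
    contacts = abuse_contacts(text)
    if contacts:
        return "mail " + ", ".join(contacts)
    return "no abuse contact published; escalate to the RIR or the upstream AS"

# Constructed samples; the first copies the route object quoted in the post.
DASTO_ROUTE = """\
route:   91.191.19.0/24
descr:   DASTO Semtel doo
origin:  AS35567
source:  RIPE
"""
RIPE_STYLE = """\
% Abuse contact for '192.0.2.0 - 192.0.2.255' is 'abuse@example.org'
inetnum:  192.0.2.0 - 192.0.2.255
abuse-c:  EXAMPLE-RIPE
"""
ARIN_STYLE = """\
OrgTechEmail:   noc@example.net
OrgAbuseEmail:  abuse@example.net
"""
```

On a real lookup, `whois -b 91.191.19.58` asks the RIPE database directly for the abuse contact instead of the route object, which is the first thing to try before hunting through a registrar's website.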

Offense #2:  I search for “DASTO Semtel Bosnia Internet Service Provider” and get “zona[.]ba” which I have to translate…my problem, not theirs.  I then fill out their web form…mind you, this has now taken me 5 minutes because I have to search for it, get it translated, click around on their site, fill out the web form and explain what’s going on, and THEN once I submit and answer their captcha question (What’s 3+1, I think that’s 4 right?) I get a “This page isn’t redirecting properly” error in my browser.  That means they have an .htaccess file rule in some .htaccess file on their web server or in the form submission directory that’s improperly configured and…and…and…OH THE MADNESS CONTINUES!  I don’t know if the request went through so I sent it to abuse@ anyway.  So far I haven’t gotten a bounce back.

Offense #3:  I do the “whois” on the zona[.]ba hoping to get some registration information for the domain (not just the IP address) and then get this result (no abuse@ address still!!!):

whois zona.ba
This TLD has no whois server, but you can access the whois database at
http://www.nic[.]ba/stream/whois/

You…you…you MF’ers!!!  This makes me so mad!!!  No whois server even though you’re required by ICANN to have one?  ICANN is like the God of the Interwebs…you should be listening to ICANN!!!

Now I’ve got to visit nic[.]ba and fart around on that site.  I have to also translate it and then do the whois, only to get this as a result:


At this point I’m feeling like Charlie Brown when Lucy van Pelt yanks the football away every time he goes to kick it!  At least I have an administrative contact.  I emailed them.  We’ll see if this goes anywhere.

The hackers are winning, people, and it’s mainly because ISPs like DASTO in Bosnia aren’t setting things up to report abuse in accepted standard ways, in addition to a litany of other offenses.  You’re supposed to have an abuse@ email address whose inbox doesn’t get full.  An inbox that’s monitored and your team or the responsible person reads.  Speaking of ISPs not setting things up properly, I’d love to talk about how bad GoDaddy is…their abuse@ is ridiculous and you don’t know whether they actually get the message because you get a lame auto-responder telling you to email other email addresses.  This is all madness.

I had another interesting one yesterday from 123[.]net whose abuse@ got forwarded to a project manager (LULZ).  One person…who looks like they’re on vacation.  We’ll see if anything gets done with that one too!  Note:  6 days and counting, Carol at 123 hasn’t gotten back to me yet!  123 is an American company based on the east side of Michigan, GoDaddy…an American company (Murica), so yes…I’m not just picking on Bosnian ISPs.  American ISPs and hosting providers like GoDaddy (who are still ISPs in my view) are just as much to blame on many counts as the Bosnian ISPs.  Just because they’re non-US-based ISPs doesn’t mean they’re sloppy…being sloppy means you’re sloppy regardless of location.

I implore anyone at the Federal level with clout to contact me.  We can fix this!  In most cases government isn’t the answer but I have the solution…HMU for more details!

I’m so fed up with sloppy ISPs and they’re the #1 reason the hackers are winning.  It’s because the community (neighborhood watch like me) can’t easily report abuse.  Corporations build higher and thicker firewalls to block all the slaughter online from reaching their door.  It’s all madness.

I should put a special note in here about ISP practices in general throughout the world.

Note:  Many ISPs deploy weak routing equipment with default admin passwords not reset from the manufacturer, partially a sloppy manufacturer problem too.  This particular violation I’m blogging about today is from a hacked Linux server and not a weak router or modem.  It’s probably a server that the ISP provides for their customers and sells space on or hosts email on for their clients.

Embarrassing truths:

Bare SQL ports are open on the server and exposed to the Internet.  It probably fell prey to a SQL injection attack.

They don’t require secure access to their server; ports 21, 143, 110, etc. are all non-secure ports.  Maybe for legacy reasons they’re open but I doubt it.

Here’s a list of other ports:

PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
465/tcp open smtps
3306/tcp open mysql
8080/tcp open http-proxy <-- ISP Config management portal
8081/tcp open blackice-icecap
10000/tcp open snet-sensor-mgmt

The above port list tells me that it’s a hosting server.  As it turns out it’s an “ISP Config” server, similar to a cPanel server.  It is fairly typical for hosting servers to have all those ports open except for the MySQL port (3306).  ISP Config is a great product.  What’s poor is this ISP’s security, weak configuration, lack of monitoring and the lack of adherence to standard ISP abuse contact information in whois.
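To turn the port list above into the findings a defender would actually act on, here is an added Python example (mine, not the author's) that parses nmap-style `PORT STATE SERVICE` rows and flags cleartext-login services, a bare database listener and the management ports this post points at. The flag sets are my assumptions for the example; the scan table is a constructed copy of the one quoted above.

```python
import re

# Assumed policy for this example: flag cleartext-login services (the post's
# 21/110/143), bare database listeners (3306), and the control-panel ports the
# post points at (8080 ISPConfig, 8081, 10000). 22/tcp and 443/tcp are fine.
CLEARTEXT_AUTH = {"ftp", "pop3", "imap", "telnet"}
DATABASE_PORTS = {3306, 5432, 1433, 27017}
MGMT_PORTS = {8080, 8081, 10000}
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")

def parse_ports(scan_text):
    """Turn nmap 'PORT STATE SERVICE' rows into (port, proto, state, service)."""
    rows = []
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows

def exposure_findings(scan_text):
    """Map each open port that should not face the Internet as-is to a reason."""
    findings = {}
    for port, _, state, service in parse_ports(scan_text):
        if state != "open":
            continue
        if service in CLEARTEXT_AUTH:
            findings[port] = f"{service}: logins in cleartext; require TLS or close"
        elif port in DATABASE_PORTS:
            findings[port] = f"{service}: database exposed; bind to localhost or firewall"
        elif port in MGMT_PORTS:
            findings[port] = f"{service}: admin panel exposed; restrict to admin IPs"
    return findings

# Constructed copy of the scan table quoted in the post.
SAMPLE_SCAN = """\
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
110/tcp   open  pop3
143/tcp   open  imap
443/tcp   open  https
465/tcp   open  smtps
3306/tcp  open  mysql
8080/tcp  open  http-proxy
8081/tcp  open  blackice-icecap
10000/tcp open  snet-sensor-mgmt
"""
```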

OK…I’m done complaining!
