
Chasing script-kiddies and hackers on my blog

This morning, I was looking over my admin dashboard and realized there are a couple of guys (hackers or script-kiddies) trying to hack me. Well, to be honest, trying to guess my user name and password. So far they were failing, but some of them were returning and trying every couple of hours, when my blocking mechanism releases the block. In particular, one guy from Moldova, one from Romania and one from Ukraine. To say it at the beginning… I ain’t gonna say something very smart here, I was just playing a bit of forensics here and there, to find out who they are. And to be honest, I am not satisfied, since I have not found much apart from the IP address of the machine that was used and its IP WhoIs record with some names, phone numbers and addresses. So it started this morning.


Looking deeper on hacking attempts

As you can see, I have a WordPress website. And quite a long time ago I realized that from time to time there are guys trying to guess my user name and password. However, I have some security plugins installed, like Wordfence and Bullet Proof Security. So basically a hacker who tries it gets his IP blocked after a couple of attempts, and the whole thing is logged. So I found out that these “hackers” were trying a quite simple thing… guessing the password for the user admin or Administrator. The only bad thing (for them) is that these default usernames do not exist on my website. They soon get blocked and the whole attack is over.
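The lockout behaviour described above, replayed over a log, as an added example that is not part of the original post or of either plugin: it simulates a block-after-N-failures rule, ignores attempts made while an IP is still blocked, flags IPs that come back as soon as the block lifts (the "every couple of hours" pattern), and records guesses at usernames that do not exist. The log lines, thresholds, and the set of valid users are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-login events: timestamp, source IP (RFC 5737 test
# addresses, not the ones from the post), and the username that was tried.
SAMPLE_LOG = """\
2014-03-10 06:00:01 192.0.2.10 admin
2014-03-10 06:00:04 192.0.2.10 admin
2014-03-10 06:00:07 192.0.2.10 Administrator
2014-03-10 06:00:09 192.0.2.10 admin
2014-03-10 07:15:00 198.51.100.7 nikola
2014-03-10 08:01:15 192.0.2.10 admin
2014-03-10 08:01:18 192.0.2.10 Administrator
2014-03-10 08:01:20 192.0.2.10 admin
"""

MAX_FAILURES = 3                        # assumed: failures before an IP is blocked
LOCKOUT = timedelta(hours=2)            # assumed: how long the block lasts
RETURN_GRACE = timedelta(minutes=10)    # a new run this soon after release = waiting it out
VALID_USERS = {"nikola"}                # assumed real accounts; admin/Administrator are not

def parse_log(text):
    """Turn the constructed log into sorted (timestamp, ip, username) tuples."""
    events = []
    for line in text.splitlines():
        date, time, ip, user = line.split()
        events.append((datetime.fromisoformat(f"{date} {time}"), ip, user))
    return sorted(events)

def analyze(events):
    """Replay the lockout rule per source IP and summarise what each one did."""
    state = defaultdict(lambda: {"fails": 0, "blocked_until": None, "blocks": 0,
                                 "dropped": 0, "bogus_users": set(), "returned": False})
    for ts, ip, user in events:
        s = state[ip]
        if user not in VALID_USERS:
            s["bogus_users"].add(user)          # guessing accounts that do not exist
        if s["blocked_until"] and ts < s["blocked_until"]:
            s["dropped"] += 1                   # attempt made while still blocked
            continue
        if s["blocked_until"] and ts - s["blocked_until"] <= RETURN_GRACE:
            s["returned"] = True                # came back right after the block lifted
        s["fails"] += 1
        if s["fails"] >= MAX_FAILURES:
            s["blocked_until"] = ts + LOCKOUT   # block starts at the Nth failure
            s["blocks"] += 1
            s["fails"] = 0
    return dict(state)

def persistent(report):
    """IPs blocked more than once that returned as soon as a block expired."""
    return sorted(ip for ip, s in report.items() if s["blocks"] >= 2 and s["returned"])

if __name__ == "__main__":
    for ip, s in analyze(parse_log(SAMPLE_LOG)).items():
        print(ip, s["blocks"], "blocks,", s["dropped"], "dropped,", sorted(s["bogus_users"]))
```

IPs returned by `persistent` are the ones a short, fixed lockout is not deterring, and are candidates for a much longer block or a firewall rule.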

Then today, I decided to look deeper. So I found out that the attack is happening from the static IP address 193.104.41.186. I could ping this machine. I looked at the IP WhoIs record and I got the following information:

WhoIs IP record

There is quite a lot of information. The IP is registered to the organisation PE Voronov Evgen Segiyovich; the registrant is Evgeny Sergeevich Voronov, who basically is a Russian basketball player (plays in the national team as well). The address and phone number are from Tiraspol in eastern Moldova. I googled for PE Voronov Evgen Segiyovich and found also the following information:

AS registered to Volnorov


The IP address matches the subnetwork. I also had a similar attack, with a different registrant from Ukraine… so they might be connected. However, I am not sure, and not really sure how to find out. However, this AS is registered to some organisation. It does not look like they would be malicious as a whole. I had to look deeper. I ran nmap on the IP address.

What I found is in the following pictures:

nmap scan 1


Ports


So basically the machine the attack came from is a Windows Server 2008 box with open ports for Remote Procedure Calls. Windows Remote Procedure Calls were vulnerable to a couple of exploits. Here is an example of an exploit.

I would conclude that this attack was done from this machine, which had been pwned by the attacker. Maybe he even uses some script that just probes different WordPress sites. However, I decided not to go deeper and try to get access to the machine from which the attack was performed in order to learn more about its execution. So it looked like a dead end for my passive forensics ability. I just blocked these IPs. However, if you know more about IP-level forensics and how I can find out more about the attacker, please let me know and leave a comment.


Born in Bratislava, Slovakia, but he lived in Belgrade, Serbia. Now he is doing a PhD in natural language processing at the University of Manchester. Great enthusiast of AI, natural language processing, machine learning, web application security (founder of the OWASP local chapter in Serbia, currently one of the leaders of the OWASP Manchester chapter and the OWASP Seraphimdroid project), open source, mobile and web technologies. Looking forward to creating the future. Nikola wants to teach machines to feel and understand. Always finding a way for dreams to come true.
