How to Thwart Chinese Hackers

I enjoy being wrong.

The most I have ever learned has always been from the realization that something I believed was really not true at all. It always causes evaluation and introspection, which is needed so as to not become an “Archie Bunker”-like character as the years go by.

I had a moment like this a while back, sometime after my Dear Abby parody post, and that was that the Chinese government really is attacking government and business networks and websites. I know most of you are thinking “Just now? It’s been all over the news for years.” I know this, but the fact was I did not really believe it then, because I saw spammers based in China doing scripted attacks in order to get an unwilling machine to host a website selling pills or providing backlinks to “SEO” nonsense that complemented their message board and social media spam posts. So I had good reason to believe others were misidentifying the pattern that I had correctly identified.

Until I started seeing patterns myself.

The first patterns I saw were coming from 210.75.192.0 – 210.75.223.255, owned by the Beijing Information Highway Corp (love that name), but they followed the ones I see from all over the world: random times, pointless visits, and attempts to register and to post. Successful posts are done in poor English, and it is clearly the model of spammers using compromised computers that likely have pirated software installed on them, so they never get security patches. This is what made me believe that there was no Chinese government conspiracy.

Then, from the same IP blocks, I started seeing things differently. I still saw the spammers, but I also saw attempted logins to ssh, ftp and telnet. I even saw port 25 get lots of VRFY attempts. The pages searched for on port 80 and port 443 involved wp-admin, and another for chef/common.rb and chef/cookbook/cookbook.rb, which seemed to be a directory traversal attempt or perhaps looking for an error message. What was odd about these attacks was that they started at about 8:30pm EST and ended about 4:30am EST.

I blocked one particularly annoying IP that was doing the weird directory traversal thing looking for Chef configuration management software (I suspect one would really like to get hold of configuration management software to configure your own compromised machines) and trying MySQL injection with attempts like '1'='1-- and admin'/*. As soon as I did that, the same stuff appeared again from an IP in Bogota, Colombia that turned out to be an Adtran 904 that had a default setting of admin and password for its security credentials, and a VPN to the IP in China I had just blocked and a few others on the same Beijing IP block as well.
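
As an added example (not the post’s own code, and not traffic from the IP blocks named above), here is a small Python script that does the kind of pattern-spotting described above: it parses web-server access log lines, flags requests that look like directory traversal (plain, percent-encoded, and overlong-UTF-8 forms), SQL injection probes in the style of '1'='1-- and admin'/*, and recon for wp-admin or Chef files, then buckets the suspicious hits by hour in Beijing time (fixed UTC+8, with the log written in EST at UTC-5, the 13-hour difference the post uses). The log lines, IP addresses and paths are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Fixed offsets as the post uses them: EST is UTC-5, Beijing is UTC+8 (13 hours apart).
EST = timezone(timedelta(hours=-5))
BEIJING = timezone(timedelta(hours=8))

# Constructed sample lines in combined log format with EST timestamps.
# The IP, paths and timings are made up to resemble the probes the post describes.
SAMPLE_LOG = """\
210.75.200.10 - - [12/Mar/2013:20:41:03 -0500] "GET /wp-admin/ HTTP/1.1" 404 512
210.75.200.10 - - [12/Mar/2013:20:41:05 -0500] "GET /chef/common.rb HTTP/1.1" 404 512
210.75.200.10 - - [12/Mar/2013:21:03:17 -0500] "GET /../../chef/cookbook/cookbook.rb HTTP/1.1" 400 0
210.75.200.10 - - [12/Mar/2013:23:15:40 -0500] "GET /index.php?id=%271%27%3D%271-- HTTP/1.1" 200 2048
210.75.200.10 - - [13/Mar/2013:01:30:02 -0500] "GET /login.php?user=admin%27/* HTTP/1.1" 200 900
210.75.200.10 - - [13/Mar/2013:04:10:55 -0500] "GET /..%c0%af..%c0%afetc/passwd HTTP/1.1" 400 0
198.51.100.7 - - [13/Mar/2013:12:00:00 -0500] "GET /index.html HTTP/1.1" 200 3000
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Traversal spellings checked on the raw (undecoded) path: percent-encoded dots and
# the overlong UTF-8 encodings of '/' and '\' that a lenient decoder may turn into a slash.
RAW_TRAVERSAL = ("%2e%2e", "..%2f", "%c0%af", "%c1%9c")
# Paths that are pure reconnaissance on a site that does not run these products.
RECON_PATHS = ("/wp-admin", "/wp-login.php", "/chef/", "/phpmyadmin")
# A quote followed by =, OR, a comment opener or a comment marker: the classic probe shapes.
SQLI_RE = re.compile(r"'\s*(?:=|or\b|/\*|--)", re.IGNORECASE)

def classify(path):
    """Label one request path: traversal, sqli, recon or benign."""
    lowered = path.lower()
    decoded = unquote(path)
    if "../" in decoded or "..\\" in decoded or any(t in lowered for t in RAW_TRAVERSAL):
        return "traversal"
    if SQLI_RE.search(decoded):
        return "sqli"
    if any(decoded.lower().startswith(p) for p in RECON_PATHS):
        return "recon"
    return "benign"

def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, stamp, method, path, status = m.groups()
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "when": when, "method": method, "path": path,
            "status": int(status), "category": classify(path)}

def analyze(log_text):
    """Return parsed events and a histogram of suspicious requests by Beijing hour."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_hour = Counter(e["when"].astimezone(BEIJING).hour
                      for e in events if e["category"] != "benign")
    return events, by_hour

def working_hours(by_hour):
    """Earliest and latest Beijing hour with suspicious activity, or None if there was none."""
    if not by_hour:
        return None
    return min(by_hour), max(by_hour)

if __name__ == "__main__":
    events, by_hour = analyze(SAMPLE_LOG)
    for e in events:
        print(f'{e["when"].astimezone(EST):%H:%M} EST  {e["category"]:9} {e["ip"]:15} {e["path"]}')
    print("suspicious requests by Beijing hour:", dict(sorted(by_hour.items())))
    print("active window (Beijing):", working_hours(by_hour))
```

On the constructed sample the suspicious hits fall between 09:00 and 17:00 Beijing time, which is the office-hours shape the post noticed; the same script run over a real day of logs is the quickest way to test whether a source keeps a work schedule or fires at random like the spam bots.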

So I did what any sane person would do and didn’t touch anything, and instead blocked the Colombian IP (I was very tempted to remove all VPN configurations and change the password, but I did not). After that I just got the same old spammy probes from China and visitors to index.html that just hung around until their sessions timed out.

What I checked out later is that Beijing switched government hours from 8:30am–5:30pm to 9am–6pm. This, to me, meant that people showed up for work in Beijing, 13 hours ahead of EST, checked e-mail and assignments for maybe 30 minutes, and then started working on their nine-hour day, and then around 30 minutes before leaving they stopped working and perhaps wrote summaries of their day and went home. What is odd is that I did not see what appeared to be a “lunch” hour. This tells me they are either being worked very hard or (more probably) love their jobs attempting to break into stuff.

I wish I had more IP addresses to fool around with. I could then make a virtual machine as a honeypot, but really customize it: maybe with some poorly written PHP that would make MySQL vulnerable, and a separate virtual machine for logging. But I do not have that kind of resources.

I would really like to write a script to focus on timestamps between commands and see what commands are made when they do get in. I could then judge whether they are using a script like Metasploit, or perhaps even have to get approval from a supervisor before privilege escalation, and even be able to judge their language proficiency based on spelling and grammar mistakes. In a way I am not sure why we are afraid of them when we can use them to actually understand them, since they do not really hide (or not the ones I saw, anyway).
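
The timing script the paragraph wishes for, written here as an added example rather than anything from the post: given a honeypot session log with one timestamped command per line (a constructed format; both sessions below are made up), it measures the gaps between commands, calls a session scripted when the median gap is under two seconds, and reports the longest pause together with the command that followed it, which is where a check-in with a supervisor before privilege escalation would show up if it happened.

```python
from datetime import datetime
from statistics import median

# Constructed honeypot session logs: "<ISO-8601 timestamp> <command>" per line.
# Neither session is real; they are built to show the two shapes worth telling apart.
SCRIPTED_SESSION = """\
2013-03-13T01:30:02.000 uname -a
2013-03-13T01:30:02.200 id
2013-03-13T01:30:02.500 cat /etc/passwd
2013-03-13T01:30:02.600 ls /etc/chef
"""

INTERACTIVE_SESSION = """\
2013-03-13T01:30:02 uname -a
2013-03-13T01:30:13 cat /etc/passwd
2013-03-13T01:41:50 sudo -l
2013-03-13T01:41:58 sudo su -
"""

def parse_session(text):
    """Return [(datetime, command), ...] in log order; blank lines are skipped."""
    session = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, _, command = line.partition(" ")
        session.append((datetime.fromisoformat(stamp), command.strip()))
    return session

def gaps(session):
    """Seconds elapsed between each command and the one before it."""
    return [(later - earlier).total_seconds()
            for (earlier, _), (later, _) in zip(session, session[1:])]

def looks_scripted(session, threshold=2.0):
    """Sub-second spacing between commands points to a tool replaying a list;
    a person at a keyboard does not sustain that pace, so compare the median gap."""
    g = gaps(session)
    return bool(g) and median(g) < threshold

def longest_pause(session):
    """The biggest gap and the command that came after it, or None for a one-command session."""
    g = gaps(session)
    if not g:
        return None
    i = max(range(len(g)), key=g.__getitem__)
    return g[i], session[i + 1][1]

if __name__ == "__main__":
    for name, text in (("scripted", SCRIPTED_SESSION), ("interactive", INTERACTIVE_SESSION)):
        s = parse_session(text)
        print(f"{name}: gaps={gaps(s)} scripted={looks_scripted(s)} longest_pause={longest_pause(s)}")
```

In the constructed interactive session the 697-second silence sits right before `sudo -l`, which is exactly the pattern you would want to correlate across many sessions before reading anything into it; one pause proves nothing, a consistent pause before escalation across an operator’s sessions is a tell.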

Now, how to thwart them. I do not know why they use directory traversal; maybe just testing to see if a web application forgot to check for ../../ and unicode-type strings, or maybe there is another vulnerability out there? But I think I would avoid putting my own web applications live right away for a while, especially when so many more secure CMSes exist today.
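
An added example of the check mentioned above (this is not code from the post): the unsafe way of gluing a user-supplied path onto a web root, next to a resolver that decodes the path exactly once with strict UTF-8 (which rejects the overlong %c0%af slash), refuses anything still containing %, NUL or a backslash, normalizes away ../ segments, and confirms the result is still under the web root. The web root and request paths are hypothetical.

```python
import posixpath
from urllib.parse import unquote_to_bytes

# Hypothetical document root for the example.
WEBROOT = "/srv/www"

def vulnerable_resolve(webroot, user_path):
    """The bug the post warns about: the request path is glued onto the web root unchecked,
    so '../../etc/passwd' walks straight out of the document root."""
    return webroot + "/" + user_path

def safe_resolve(webroot, user_path):
    """Return the file path to serve, or None if the request must be refused."""
    try:
        # Decode percent-encoding exactly once, then require valid UTF-8.
        # Strict decoding rejects overlong sequences such as %c0%af (an encoded '/').
        decoded = unquote_to_bytes(user_path).decode("utf-8")
    except UnicodeDecodeError:
        return None
    # A '%' left after one decode means double encoding (%252e); NUL and backslash
    # are never legitimate in a URL path on a POSIX server.
    if any(ch in decoded for ch in ("%", "\x00", "\\")):
        return None
    # Collapse '.' and '..' lexically, then confirm we are still inside the root.
    full = posixpath.normpath(posixpath.join(webroot, decoded.lstrip("/")))
    if full != webroot and not full.startswith(webroot + "/"):
        return None
    return full

if __name__ == "__main__":
    for p in ("docs/readme.txt", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd",
              "..%c0%af..%c0%afetc/passwd", "%252e%252e/etc/passwd"):
        print(f"{p:32} naive={vulnerable_resolve(WEBROOT, p):40} safe={safe_resolve(WEBROOT, p)}")
```

The normalization here is lexical; on a real filesystem, run the result through os.path.realpath before opening it so that a symlink planted inside the web root cannot point back out of it.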

I would also make it so that configuration management software such as Puppet or Chef is never available to remote administration (that could be one of those disasters no one knows about until it is too late).

The other steps are normal security best practices, like good passwords and never plugging in a DVD or pen drive that you find just lying around somewhere.

I believe the main key to thwarting hackers from China (I really should not say “Chinese hackers”, but you all know that I mean “sponsored and employed by the government of China” when I say that) is studying their bureaucracy from the clues they give us through their online presence. Right now what I know from my experience with them is that they show up for work, put in about 8 hours and then stop working. I also am pretty sure they are based in Beijing, and that they attacked routers in countries other than the nation where their target exists (perhaps we have compromised Adtran routers here in the US that are used to attack Iran, Venezuela or Russia).

More exploration is needed, and I am quite sure this is what they are saying about us as well.


A quick observation on “Get Paid To Take Surveys Online” scams

I am fascinated with what I call the “Sucker Circuit” section of the online economy. The disparity between traffic and income in the Sucker Circuit is high: only those at the very top of the chain make the money, and those at the very bottom are the ones who fill social media with nonsense to generate “traffic” in the form of clicks. These coveted “clicks” just hope to get a small percentage of the income generated, hoping another sucker joins the Sucker Circuit. Because of this, message boards and blogging software have registration countermeasures, and most free blogging websites are filled with keyword garbage to generate Google ranking so that more “clicks” are obtained that they hope will lead to more suckers.

And so on and so on.

I found one sucker on LinkedIn. He posted as if he were a job recruiter (they use photographs of pretty, young women) to lead people to his website. The fact he owned the website made me think he was more of a middleman in the Sucker Pyramid, but still I was curious about him.

I googled his e-mail address and found out he had been ripped off last year for about 100,000 rupees (almost $1900.00) when he joined a “Get Paid For Surveys” website called aeroliteonline.us. In fact, a lot of people from India got ripped off by them.

What that website offered (it is no longer up) was valid “survey identities” from Western nations, because members of those nations get paid small amounts to take marketing surveys (apparently… I know nothing about this, as it is really out of my world), but those small amounts are not so small to poor people in India and elsewhere, and they do not have valid rich-nation identities. So these sites offer to sell them these identities, and aeroliteonline.us was selling identities for 6500 rupees ($120.00) with the promise of earning 4000 rupees ($74.00) a month per ID. That means after two months of surveys per ID you make a profit.

The LinkedIn spammer bought fifteen IDs and lost them. Others lost amounts either greater or lesser. One fellow lost 66 IDs that he was managing in his own pyramid scheme that he made with his friends and family members, but unlike the owners of aeroliteonline.us, everyone knew where to look for him to ask for their money back.

Needless to say, aeroliteonline took everyone’s money and vanished, likely to a similar scam, and they will likely prey on the same people, who are perhaps some of the more defenseless people in this world. I would like to find the people who ran this scam and post their contact information here, but I really do not know who they are. They did not make the common mistakes others make when trying to hide their identities online, but rather just blatant mistakes that led me nowhere, like claiming to be from Geneva, Ohio in the country of Switzerland.

Remember, the next time you are annoyed by spam or asked to follow a pointless link, that there may be someone on another keyboard who paid the equivalent of one year’s wages in their own country for the opportunity to bother you and will probably never get their investment back. Perhaps if we could learn to do better at thwarting this spam, these people would get out of the Sucker Economy and join the real economy.

A dissemination of “comment spam”

Many years ago I was managing the website comebackalive.com, which is owned by my friend Robert Young Pelton. We had been running a phpBB forum for about one year when “comment spam” seemed to start happening.

I was curious about this. A few years before, I had tracked down a Romanian hacker and eventually became friends with him (Eastern European hackers used to be really easy to catch, since they always provided their photograph and their address and phone number on whatever website they frequented under their nom de guerre), and in 2003 I visited him and his family in Cluj-Napoca and had a wonderful time (we went fishing and I used maggots for bait). I asked my hacker friend what the deal was with this comment spam, and he told me that he did not know much about it except that it was from the Ukraine.

I eventually started doing research and I found out that most of it was from a guy named Alex from Sebastopol on the Black Sea. Later “Alex” would write the comment spam program called XRumer. I still never found out Alex’s last name, and it has always bothered me that I did not pursue this with more vigor, because I surely had time back then.

Now XRumer is a mainstay of spam. It is now run like a multi-level marketing scheme in Eastern Europe that I like to call “Spamway”. It produces annoyances here and makes people think that by investing a few hundred dollars “over there” they stand to become rich.