An incident!

14 11 2006

It was just another ordinary day, a lovely morning.
I was working on some Flash project at work and received a call from a friend telling me her email account was stolen and she needs help to retrieve that account
(that explains why she was quiet on MSN last night).

Anyhow, after looking at the issue, I figured the following:

The attacker guessed an easy secret question, and thereby was able to reset the password and change the old secret question.

Anyhow, I saw the contact online once again … tried to communicate. As for replies, the guy was calm; he sent me many “****” (stars) whenever I was talking to him for some reason, then he went offline.

I was like hmmm, so I called my friend back and told her I have to leave now for college, and asked her to send me her full details (old pass, old secret question, location, name, phone number), anything that she can remember that was added to the account ID, so I can contact Microsoft and ask them to reset the password.

I wrote an email to Microsoft account services explaining the current situation.

The next day I received another call from my friend telling me it is someone from the same company I work for. “And now WTF!!!” (that was my reaction).
“Now why would you say that?” I said.

She was able to trace an offline message that led to one of our IP addresses (I didn’t know which or what IP address that was). I then asked her to fax me the details … I quickly closed unimportant temporary ports (FTP, terminal services, telnet and some ranges of ports).

I then had a bright idea: remember the re-login page?

[Image: Hotmail re-login page]

Yes, I made one, only I couldn’t embed it in the email I was sending the attacker.

The main concept is that when the attacker receives the link, it will prompt him to enter his email and password to see the content … and when he/she submits the form, it will send it to a database (a text file) and compose an email to me with the username, password and IP address.

Anyhow, I composed an email message to my friend’s stolen email from a different account late at night; somewhere about 12 am I received the email. Guess where the attacker came from … Cyprus.

I then waited for 15 minutes (just in case, before I reset the password: the attacker was also able to hijack 2 of her friends’ IDs, only I didn’t know what the 3rd account ID was. I tried calling my friend but her phone was turned off; I just assumed that he might have been using the same password for the 3 accounts).

Anyhow, I reset the first 2 accounts, got my hands on the 3rd account from one of the 2 accounts, and reset its password.
Now what made me think is the IP. It was a mystery what and how the IP was used; mind that MSN, Hotmail and Yahoo are blocked on the employees’ end. The only way to use those was on some servers!

The next morning she faxed the information about the IP. It was an offline message that was sent to one of her friends from the attacker, and it had the IP of our testing server,

which had remote access enabled with a silly password (my fault, never thought of it this way).

(BTW, I received an email from Microsoft asking me for more personal details so they can decide on resetting the password, meaning it works this way too.)

Then I concluded the following:

When the attacker received MY offline message, he was able to scan the range of IPs and he found the remote desktop port enabled, had the password guessed … and used it to do his stuff, “some felony”!!!

I closed the port, changed the password, and checked the access audit log to find out, hell yeah, he was in. Smart bastard. Thank god he didn’t go further.

Hope this helps other people to understand the security risks of keeping silly, easily guessed passwords on their accounts or servers. It demonstrates the fatal error of human beings, so no need to blame Windows every time 😀.
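The audit-log check mentioned above can be automated. The following is an added example, not part of the original post: it flags Remote Desktop logons that succeed right after a run of failed attempts from the same address, which is what a guessed password looks like in the log. The line format and sample records are constructed; event IDs 4624/4625 (successful/failed logon) and logon type 10 (Remote Desktop) are the ones current Windows versions record.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the incident), oldest first:
# timestamp, event ID, logon type, source IP, account.
SAMPLE_LOG = """\
2024-01-13T23:41:02 4625 10 203.0.113.7 Administrator
2024-01-13T23:41:09 4625 10 203.0.113.7 Administrator
2024-01-13T23:41:15 4625 10 203.0.113.7 Administrator
2024-01-13T23:41:21 4624 10 203.0.113.7 Administrator
2024-01-14T08:02:44 4625 10 192.0.2.10 tester
2024-01-14T08:02:58 4624 10 192.0.2.10 tester
2024-01-14T09:15:00 4624 2 - tester
"""

def find_guessed_logons(log_text, min_failures=3, window=timedelta(minutes=10)):
    """Return (source_ip, account, timestamp) for every Remote Desktop logon
    that succeeded after at least min_failures failed Remote Desktop logons
    from the same source IP, each no more than `window` before the next event."""
    failures = defaultdict(list)      # source IP -> times of recent failures
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                  # skip blank or malformed lines
        stamp, event_id, logon_type, src, account = parts
        if logon_type != "10":
            continue                  # only Remote Desktop sessions matter here
        when = datetime.fromisoformat(stamp)
        # Drop failures that are too old to belong to the current streak.
        recent = [t for t in failures[src] if when - t <= window]
        if event_id == "4625":
            failures[src] = recent + [when]
        elif event_id == "4624":
            if len(recent) >= min_failures:
                hits.append((src, account, stamp))
            failures[src] = []        # a success ends the failure streak
    return hits

if __name__ == "__main__":
    for src, account, stamp in find_guessed_logons(SAMPLE_LOG):
        print(f"{stamp}: {account} logged on from {src} after repeated failures")
```

The single mistyped password from 192.0.2.10 is not flagged at the default threshold; lowering `min_failures` trades fewer misses for more noise.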






4 responses

15 11 2006

Thank god it only ended up being an account stealing act. They could’ve used your server for far more dangerous acts of hacking. Organized crime is on the high and poor little servers/PCs with weak passwords are their ultimate playground for initiating scamming activities in the hundreds of thousands of dollars. Throughout my career as an e-business specialist, I investigated several hacking cases that were done using innocent people’s PCs. Better safe than sorry.

15 11 2006
Mohammed Zainal

True, true …
The attacker added me to his contact list.
I was talking to him last night; apparently, he was hacking in more servers.

I just couldn’t sleep … I thought he was doing one of my servers up, hehe …

But as I mentioned earlier, I have tightened and limited the access ports to 25 and 80 (that was yesterday); now I will have to enable a few more for our services …

10 01 2007

hey dude

you’re gr8 … I think I’m gonna bother you with sum Q’s about PHP and site designs =P

till I know how to customize the scripts


10 01 2007
Mohammed Zainal

Hey, tnx and welcome to my blog, buddy. Sure about the questions; I’ll create a page called Q & A on this blog for those who need help.
