TurnKey Linux Virtual Appliance Library

The DDoS spam bot from hell (a suburb of China)

Happy new year everyone,

I'm back online to put out a fire. My inbox was full of alerts that the CPU on the server that runs the site was maxing out.

Well boys and girls, it turns out www.turnkeylinux.org has been under an escalating distributed denial of service attack that started about two weeks ago. To the best of my knowledge the site continued operating normally. We use a ton of caching. Did any of you notice a slowdown?

Lucky for us the "attack" was braindead simple so it was easy to figure out what was happening and block the offending IPs. 32 nodes from 4 Chinese /16 network blocks which I sincerely hope aren't home to any TurnKey fans:

60.169.73.186
222.186.24.101
60.169.78.19
60.169.75.168
61.160.232.38
222.186.26.164
60.169.78.57
60.169.78.174
61.160.232.22
60.169.78.193
60.169.78.177
222.186.25.134
60.169.78.15
60.169.78.52
60.169.75.50
60.169.78.54
61.160.232.39
60.169.78.7
61.160.232.58
61.160.232.4
61.160.232.10
60.169.75.161
60.169.78.42

All using the same User Agent:

Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1

It supposedly identifies as Firefox, but from the logs it's obvious it isn't behaving like a real browser. For example, a real browser gets CSS and image files. This just crawls all over the site and POSTs a zillion times the kind of predictable crap our spam filter blocks half-asleep.

What does that sound like? Ah yes, a poorly programmed, incredibly persistent spam bot network from hell. None of the spam attempts went through our countermeasures but it still took up a ton of CPU time.
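The two tells described above (a shared User-Agent, POST-heavy traffic, and never once fetching a stylesheet or image) can be checked mechanically over an access log. The following Python is an added example, not code from the TurnKey site: it parses constructed sample lines in Apache "combined" log format (two addresses from the list above plus a client from the 203.0.113.0/24 documentation range), builds a per-IP profile, and flags clients that POST repeatedly without ever loading a static asset. The paths, the POST threshold and the static-file extension list are assumptions.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumed set of "a real browser would fetch these" file types.
STATIC_EXT = (".css", ".js", ".png", ".gif", ".jpg", ".jpeg", ".ico", ".woff")


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def profile_clients(lines):
    """Per-IP counts of POSTs, page GETs and static-asset GETs, plus the User-Agents seen."""
    prof = defaultdict(lambda: {"posts": 0, "pages": 0, "static": 0, "uas": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip malformed lines rather than crash on them
        p = prof[rec["ip"]]
        p["uas"].add(rec["ua"])
        path = rec["path"].split("?", 1)[0].lower()   # drop cache-buster query strings
        if rec["method"] == "POST":
            p["posts"] += 1
        elif path.endswith(STATIC_EXT):
            p["static"] += 1
        else:
            p["pages"] += 1
    return prof


def suspected_bots(lines, min_posts=3):
    """IPs that POST at least min_posts times while never fetching CSS, scripts or images."""
    prof = profile_clients(lines)
    return sorted(ip for ip, p in prof.items()
                  if p["posts"] >= min_posts and p["static"] == 0)


def shared_user_agents(lines, flagged):
    """User-Agents shared by more than one flagged IP: a hint the nodes run the same software."""
    prof = profile_clients(lines)
    by_ua = defaultdict(set)
    for ip in flagged:
        for ua in prof[ip]["uas"]:
            by_ua[ua].add(ip)
    return {ua: sorted(ips) for ua, ips in by_ua.items() if len(ips) > 1}


# --- Constructed sample log (not the site's real logs) ---------------------------
BOT_UA = "Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
REAL_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"


def _line(ip, method, path, status, ua):
    return f'{ip} - - [01/Jan/2012:10:00:00 +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


SAMPLE_LOG = [
    _line("60.169.78.19", "GET", "/forum/topic/123", 200, BOT_UA),
    _line("60.169.78.19", "POST", "/comment/reply/123", 403, BOT_UA),
    _line("60.169.78.19", "POST", "/comment/reply/124", 403, BOT_UA),
    _line("60.169.78.19", "POST", "/comment/reply/125", 403, BOT_UA),
    _line("61.160.232.4", "GET", "/blog", 200, BOT_UA),
    _line("61.160.232.4", "POST", "/comment/reply/7", 403, BOT_UA),
    _line("61.160.232.4", "POST", "/comment/reply/8", 403, BOT_UA),
    _line("61.160.232.4", "POST", "/comment/reply/9", 403, BOT_UA),
    _line("203.0.113.7", "GET", "/forum/topic/123", 200, REAL_UA),
    _line("203.0.113.7", "GET", "/css/style.css?v=3", 200, REAL_UA),
    _line("203.0.113.7", "GET", "/images/logo.png", 200, REAL_UA),
    _line("203.0.113.7", "POST", "/comment/reply/123", 200, REAL_UA),
]

if __name__ == "__main__":
    flagged = suspected_bots(SAMPLE_LOG)
    print("suspected bots:", flagged)
    print("shared UAs:", shared_user_agents(SAMPLE_LOG, flagged))
```

The "no static assets" rule is deliberately conservative: a client behind an aggressive cache or a text-only browser could also trip it, so in practice the flagged list is something to eyeball (or feed to a rate limiter) rather than to drop blindly.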

Being naturally inquisitive I investigated the offending IPs and it turns out most of them are running a remotely exploitable version of SSH (SSH-2.0-OpenSSH_4.3). I'm half tempted to run metasploit to get into these systems and clean away the spambot software as a public service but that's illegal and I'm a bit busy besides.

Wouldn't it be neat though if we had a net equivalent of the Justice League to deal with the kind of lowlife scum who commandeer hapless machines to run very low quality spam software?

Note that I tried doing the right thing and looked up the abuse contact for the network that was attacking us (and presumably thousands/millions of other sites) on WHOIS:

person:         Jinneng Wang
address:        17/F, Postal Building No.120 Changjiang
address:        Middle Road, Hefei, Anhui, China
country:        CN
phone:          +86-551-2659073
fax-no:         +86-551-2659287
e-mail:         wang@mail.hf.ah.cninfo.net
nic-hdl:        JW89-AP
mnt-by:         MAINT-NEW
changed:        wang@mail.hf.ah.cninfo.net 19990818
source:         APNIC

Then instead of sending off an angry e-mail into the void I actually picked up the phone, dialed the number, and listened to some funky Chinese elevator music until some guy (Mr. Jinneng Wang I presume?) who didn't speak English picked up and eventually hung up on me after an awkward mutually incomprehensible exchange. Of course. How could it be any different?

I don't get it, what's the point of putting up an abuse contact in the WHOIS records if the person listed doesn't speak English? Just list the abuse contact in Mandarin and get it over with.

Sometimes I feel like a character in a Neal Stephenson novel.


Comments

I feel your pain

My webserver gets battered regularly by brute force idiots and automated attacks. Fail2ban is a nice way to wave the banstick automatically.

I did chase up the first few attacks (a German IP) but after running into constant dead-ends like 'recipient not found' bounced mail from abuse addresses, you run out of motivation to try to clean up the web.

Fail2ban looks awfully useful

Thanks for the fail2ban reference. I think I came across it a while back but I had totally forgotten about it since. Looks generic enough to be tweaked to deal with pretty much any circumstance. I'll set threshold and auto-ban IP addresses that hammer us too hard. Thanks and happy new year!
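Fail2ban itself tails log files and calls the firewall; the threshold logic Liraz describes (ban an address once it exceeds N bad requests in a window, lift the ban later) is small enough to model directly. The Python below is an added example, neither fail2ban's code nor anything from the site: the knob names follow fail2ban's maxretry/findtime/bantime, the event stream is constructed, 60.169.78.57 is one address from the post's list and 198.51.100.9 is a documentation-range stand-in for a legitimate client.

```python
from collections import defaultdict, deque


class AutoBan:
    """Sliding-window ban list: maxretry bad requests within findtime seconds
    bans the source for bantime seconds (the same knobs fail2ban exposes)."""

    def __init__(self, maxretry=5, findtime=60, bantime=600):
        self.maxretry = maxretry
        self.findtime = findtime
        self.bantime = bantime
        self.hits = defaultdict(deque)   # ip -> timestamps of recent bad requests
        self.banned_until = {}           # ip -> time at which the ban expires

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:                 # ban expired: forget it so the IP gets a clean slate
            del self.banned_until[ip]
            return False
        return True

    def record(self, ip, now):
        """Register one bad request from ip at time now; return True if ip is (now) banned."""
        if self.is_banned(ip, now):
            return True
        window = self.hits[ip]
        window.append(now)
        while window and window[0] <= now - self.findtime:   # drop hits older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned_until[ip] = now + self.bantime
            window.clear()
            return True
        return False


def replay(events, **kwargs):
    """Feed (timestamp, ip) events in time order; return the AutoBan and one decision per event."""
    ban = AutoBan(**kwargs)
    ordered = sorted(events, key=lambda e: e[0])   # stable sort keeps same-second order
    return ban, [ban.record(ip, t) for t, ip in ordered]


# Constructed event stream: one listed address hammering a form six times in six seconds,
# one legitimate client with a few scattered failures over three minutes.
EVENTS = [(t, "60.169.78.57") for t in range(0, 6)] + \
         [(t, "198.51.100.9") for t in (5, 30, 70, 200)]

if __name__ == "__main__":
    ban, decisions = replay(EVENTS)
    for (t, ip), banned in zip(sorted(EVENTS, key=lambda e: e[0]), decisions):
        print(f"t={t:4d} {ip:16} {'BANNED' if banned else 'ok'}")
    print("ban table:", ban.banned_until)
```

Two details matter for the real thing as well: the window is trimmed before the count is taken, so slow-and-steady failures never add up, and an expired ban is forgotten rather than extended, so the same maxretry applies the next time round.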

some info...

I wonder if Jinneng Wang is his real name

Googling for "Jinneng Wang" spam turns up 22,000 results. So I guess I'm not the only one that has run into trouble with this guy's networks.

brute force attacks

My VPSes at hostgator, rackspace and stromgdemand have all been getting a lot of brute force attacks of late; good thing I've got cPHulk, from cPanel, which is protecting them. I was told it's enough. Fingers crossed.

BTW, though a lot of attacks come from China, I get a lot of attacks from the US, Canada and Germany too...!

Rgds

JiNiom

http://www.jiniom.com

I notice that a fax number is included there.

Perhaps the written-language barrier is lower than the spoken one. A fax might actually communicate your displeasure. Especially if it's repeated often enough to be sure it gets through.

good

it is very very useful article thank you.

feedback

Perhaps use Google translate or another service so you can send your email, fax, or even phone message in Mandarin?

Email may work

A couple of years ago, when I had more free time, I actually looked up the network manager of the IPs used to send me spam email and sent them an email asking them to shut down the activity. I actually got more cooperative answers than I had expected. Even in english from Korea.

iptables rules to drop offending traffic

Good post. Thanks.

This might save someone some typing:

iptables -I INPUT -s 60.169.73.186 -j DROP
iptables -I INPUT -s 222.186.24.101 -j DROP
iptables -I INPUT -s 60.169.78.19 -j DROP
iptables -I INPUT -s 60.169.75.168 -j DROP
iptables -I INPUT -s 61.160.232.38 -j DROP
iptables -I INPUT -s 222.186.26.164 -j DROP
iptables -I INPUT -s 60.169.78.57 -j DROP
iptables -I INPUT -s 60.169.78.174 -j DROP
iptables -I INPUT -s 61.160.232.22 -j DROP
iptables -I INPUT -s 60.169.78.193 -j DROP
iptables -I INPUT -s 60.169.78.177 -j DROP
iptables -I INPUT -s 222.186.25.134 -j DROP
iptables -I INPUT -s 60.169.78.15 -j DROP
iptables -I INPUT -s 60.169.78.52 -j DROP
iptables -I INPUT -s 60.169.75.50 -j DROP
iptables -I INPUT -s 60.169.78.54 -j DROP
iptables -I INPUT -s 61.160.232.39 -j DROP
iptables -I INPUT -s 60.169.78.7 -j DROP
iptables -I INPUT -s 61.160.232.58 -j DROP
iptables -I INPUT -s 61.160.232.4 -j DROP
iptables -I INPUT -s 61.160.232.10 -j DROP
iptables -I INPUT -s 60.169.75.161 -j DROP
iptables -I INPUT -s 60.169.78.42 -j DROP

What year are we in?

This blog only ever seems to show the month and day.  It would be nice if I knew what year I was in.

Got the same crap from China, Hefei, Anhui... But...

I haven't received spam or anything like that, yet. However I have received a notification that someone from there had attempted to hijack my account. Less than 36 hours ago my password was changed and I had to reset it. Another thing is that his IP wasn't one of the ones listed above (unless I'm mistaken); his IP is 114.97.82.0, but all the other info, i.e. name, email, and phone number. Now, however, my text seems to have gone bold, so I'm going to stop.

Should I be worried?

So, I will be honest. I didn't understand much of the article... I only ended up here because this Jinneng Wang tried to hack my email account. The IP address that was listed isn't the same as those in the article... But I have changed my password and set up a security code through my phone... should I be worried about this? Is there something specific I should be doing to protect myself? I am very sorry for my ignorance when it comes to this topic. Any reply about what I should or shouldn't do to protect myself would be greatly appreciated.

No real reason to worry

Simply change your password to something secure, and if he manages to get into your account again, you could contact customer service from your provider and see if they could blacklist all the IP addresses he tried to access your account from.

Other troubles

On a different note, he's been trying to log into google accounts now, with brute-force attempts, from these IP addresses: 223.240.209.13, 58.243.11.242, 113.240.131.211, cheers.

More Hacking

Yes he also just tried hacking my gmail account from 60.166.249.42

Cloudflare

While not perfect, may I humbly suggest CloudFlare? automated bot defense system via DNS.

It's free and highly customizable

He has used 3 other IP addresses

124.73.0.200, 60.171.214.30 and 114.96.77.196.

I think he is a real spammer. He has more than 100 IP addresses! This was the first cyberattack I've ever got; I've blocked his IPs and everything I know about him, but is that enough?

Hah, we have a mutual friend

This guy has been persistently battering my web-application for months. He automated signing up, and had generated a few hundred accounts before I figured out what was going on. Turns out he's really easy to identify: he picks a randomly generated hotmail email address (usually), a reasonable sounding username, and as a password he uses the following: the first 7 characters of the md5 hash of his username, with one letter capitalized and optionally adds an exclamation mark at the end.

So, we deleted all of his accounts, and changed the registration flow to claim success but silently fail on that combination (because seriously, screw that guy). Eventually the registration requests died down, but every two or three minutes my server gets hit by two login requests for what seems to be a randomly selected one of his non-existent accounts. For months. Around the clock.

One rather interesting thing though: In all the months that this has been happening, I got a single, solitary request following the same username/password pattern with a randomly-generated hotmail email address, but from an IP in Kansas City. Could be that's our "real" guy. I'm not sure how I'd follow up with this though.
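The registration fingerprint described in this comment (password = first 7 hex digits of md5(username), one letter upper-cased, optional trailing "!") is cheap to test for at signup time. The Python below is an added example, not the commenter's code: it normalises the candidate password, compares it against the md5 prefix, and filters a constructed list of registrations (usernames and hotmail-style addresses are made up; the bot passwords are generated in the block from the rule itself rather than copied from anywhere).

```python
import hashlib
import re

HEX7 = re.compile(r"^[0-9a-f]{7}$")


def password_matches_username_hash(username, password):
    """True when the password is the first 7 hex digits of md5(username),
    ignoring letter case and an optional trailing '!' (the pattern reported above)."""
    core = password[:-1] if password.endswith("!") else password
    core = core.lower()
    if not HEX7.match(core):          # cheap reject before hashing anything
        return False
    return core == hashlib.md5(username.encode("utf-8")).hexdigest()[:7]


def flag_registrations(registrations):
    """Return the registrations whose password fits the md5(username) pattern."""
    return [r for r in registrations
            if password_matches_username_hash(r["username"], r["password"])]


def _bot_password(username):
    # Constructed the way the comment describes: 7-char md5 prefix, the first
    # letter upper-cased (left alone if the prefix happens to be all digits), '!' appended.
    h = hashlib.md5(username.encode("utf-8")).hexdigest()[:7]
    for i, ch in enumerate(h):
        if ch.isalpha():
            h = h[:i] + ch.upper() + h[i + 1:]
            break
    return h + "!"


# Constructed signup attempts: two following the bot's rule, one ordinary user.
SAMPLE_REGISTRATIONS = [
    {"username": "jenny_carter84", "email": "qzl7xk2m@hotmail.com",
     "password": _bot_password("jenny_carter84")},
    {"username": "markdavis", "email": "x9b2pq@hotmail.com",
     "password": _bot_password("markdavis")},
    {"username": "alice", "email": "alice@example.org",
     "password": "correct horse battery staple"},
]

if __name__ == "__main__":
    for r in flag_registrations(SAMPLE_REGISTRATIONS):
        print("pattern match:", r["username"], r["email"])
```

Because the comparison is done after lower-casing, it does not matter which letter the bot chose to capitalise, and an absent "!" is handled too. Treat a match as a strong signal to quarantine or rate-limit rather than an automatic delete, since a 7-hex-digit password is weak but not impossible for a human to pick.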

Mutual Friend Location and info

Ok, so we also share a mutual friend. I also noticed the Kansas IP in my logs months ago. I traced it to an abandoned barn, by fields and country roads. I forget the city it was in now, but I doubt that is the real address. Most likely it's a proxy, or he/she is using a mobile device, piggybacking off of open wifi, or using aircrack to get into someone's wifi. I doubt he/she would leave crumbs right to his/her door. He/she may even be using our machines as zombies/botnets to attack other webservers. You know, the old "use someone else's machine remotely to attack, until the machine owner realizes what is happening, or the feds/Interpol come kicking in the machine owner's door for cyber crimes." If the Kansas hacker and the China cracker are the same person, then I believe they are doing their attacks from botnetted machines. My antivirus didn't alert me, and my firewall didn't stop him/her from gaining access to my pc. The only reason I found the Kansas hacker was because I had just installed zAnti on my tablet with lots of credits. I started pen testing and noticed someone "unknown" establishing a connection on 2 of my private ports, so I decided to say hi xD. (Yes, my tablet is unlocked and rooted, it has smb explorer pro, ssh/telnet/linux shell (Terminal, cmd), etc, IP Scanner, NetTools, router pwn, zAnti platinum pack (like a portable version of backtrack), hackers keyboard, FaceNiff paid version, etc)... I joined the open session and sent a hi message. As soon as I did the attacker disconnected. I got the IP and the Kansas barn is where it led me to.

The only new thing I downloaded that could have exploited me was a browser add-on, I forget which one it was now, and a few different injectors I downloaded for a project. The site I got them from did have an issue with a few packed metasploits getting by staff, so this could be how I was attacked. I did a full format afterwards, went to my friend's, updated it, took it online, got it good again, then took it home. I haven't noticed the Kansas hacker since.

Also, around this time, I had someone from China try to access my email. So I did a reverse lookup of the IP, and the name/owner etc.

IP Address: 114.97.78.200
Location: Hefei, Anhui, China

I'm going to do more research on this.

% Information related to '114.96.0.0 - 114.103.255.255'
inetnum:        114.96.0.0 - 114.103.255.255
netname:        CHINANET-AH
descr:          CHINANET Anhui PROVINCE NETWORK
descr:          China Telecom
descr:          No.31,jingrong street
descr:          Beijing 100032
admin-c:        JW89-AP
tech-c:         JW89-AP
country:        CN
remarks:        service provider
status:         ALLOCATED PORTABLE
remarks:        -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks:        This object can only be updated by APNIC hostmasters.
remarks:        To update this object, please contact APNIC
remarks:        hostmasters and include your organisation's account
remarks:        name in the subject line.
remarks:        -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed:        hm-changed@apnic.net 20080516
mnt-by:         APNIC-HM
mnt-lower:      MAINT-CHINANET-AH
mnt-routes:     MAINT-CHINANET-AH
source:         APNIC

person:         Jinneng Wang
address:        17/F, Postal Building No.120 Changjiang
address:        Middle Road, Hefei, Anhui, China
country:        CN
phone:          +86-551-2659073
fax-no:         +86-551-2659287
e-mail:         wang@mail.hf.ah.cninfo.net
nic-hdl:        JW89-AP
mnt-by:         MAINT-NEW
changed:        wang@mail.hf.ah.cninfo.net 19990818
source:         APNIC

Another IP address from Jinneng Wang

Hello,

He is doing the same to my google account, from another IP address, 114.99.86.138; thank god google is smart enough to block him!

Also tried to hack mine last month

Thank god I am not the only one he was trying to hack! Police should put him into jail lol

Just Tried To Hack Me To 2 Days Ago

New IP to add to the list: 60.166.228.190. Sigh, when will this jerk be put away?

lol trying to feel all

lol, trying to feel all special about himself, thinking he's doing something so complicated and technical, just doing a simple IP block; what a load of fucking idiots, typical Linux users these days, I swear, rofl, as if anyone actually uses this site.

Another ip to add

This guy also tried to hack my gmail with this IP: 114.97.69.19

wow im not the only one

Yeah, this freak did the same thing; the IP is different too, but wtf! The IP is 114.97.78.97. I'm gonna change my password, this is creepy.

Guy also tried to enter my

Guy also tried to enter my account with IP 114.97.71.228

Another ip to add

This fucking guy also tried to hack my mixi (famous Japanese SNS) with this IP: 124.73.81.93

And Another IP

60.168.126.7

Tried hacking my gmail.

more than just data persistence

Wow, it's been ongoing for years. Crazy. Anyway, this morning and over the last few days I've observed the brute force attack against one of my servers. Here's the updated whois data that led me to this post; this is our suspect or known associate:

person:         Jinneng Wang
address:        17/F, Postal Building No.120 Changjiang
address:        Middle Road, Hefei, Anhui, China
country:        CN
phone:          +86-551-2659073
fax-no:         +86-551-2659287
e-mail:         ahdata@189.cn
nic-hdl:        JW89-AP
mnt-by:         MAINT-CHINANET-AH
changed:        wang@mail.hf.ah.cninfo.net 19990818
changed:        hm-changed@apnic.net 20140221
source:         APNIC

I'll provide some of the IPs involved in today's attack:

107.170.131.34
117.21.226.160
117.240.231.201
112.216.92.44
222.186.58.254
60.173.26.146
183.136.216.241

Thank you.

addendum to more than just data persistence

Still going through logs, but here's an addendum to the address list. There are likely many others, but all coordinated using the same technique; it's all the same incident described above:

216.151.212.100
112.101.64.113
220.177.198.62
220.177.198.87
117.21.191.197
101.79.130.213
198.100.147.60
60.173.11.81
192.210.211.195
116.255.231.234
222.186.50.46
198.100.147.60
122.0.76.82
85.25.91.165
220.177.198.87
61.147.103.138
115.47.0.26
198.50.120.178
184.180.122.76
222.186.55.215
78.46.195.105
60.173.11.81

If you're hiding in China, you can hack away for years

Almost 3 years in and this post is still relevant.

This fine specimen of whale feces we know as Jinneng Wang is still up to his old tricks, in my case, trying to use one of my web contact forms to spam.

As a small aside, I've set the form to ask for first name and last name in separate fields and to compare the two. If both are the same, as 100% of bots thus far appear to do, the form gets bumped and I get a warning that somebody misused the form.

The IP addresses that try to spam the form are so wide ranging that rather than ban individual IPs I've now opted to just ban address blocks.

When you WHOIS the IP and find the owner, take note of the owner's address block and then enter it into your .htaccess file using CIDR notation. Voila, whole IP range snagged.

Order Allow,Deny
Allow from All
Deny from 27.153.128.0/17
Deny from 117.64.0.0/13
Deny from 120.37.255.0/24
Deny from 140.237.0.0/17
Deny from 163data.com.cn
Deny from 183.160.0.0/13
Deny from 223.240.0.0/13

If you're unsure how to translate an address block such as "117.64.0.0 - 117.71.255.255", you will find the following web page very handy.

http://www.ipaddressguide.com/cidr#range

Happy hunting and punting.

Please keep the rest of us posted with any news, like that one about the Texas Hacker.
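The range-to-CIDR step in this comment needs no web page; Python's standard library does it exactly, including the awkward case where a WHOIS block does not sit on a power-of-two boundary and has to become several prefixes. The block below is an added example, not the commenter's code: it converts the "117.64.0.0 - 117.71.255.255" range quoted above (and the 114.96.0.0 - 114.103.255.255 block from the earlier WHOIS output) into CIDR prefixes, renders them as the Order/Allow/Deny directives shown, and checks whether a given address falls inside the deny list. The Apache 2.4 rendering is an extra the comment does not cover.

```python
import ipaddress


def range_to_cidrs(first, last):
    """Smallest list of CIDR prefixes that covers exactly first..last inclusive."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo > hi:
        raise ValueError(f"range is backwards: {first} - {last}")
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def parse_whois_range(text):
    """Turn a WHOIS-style '117.64.0.0 - 117.71.255.255' string into CIDR prefixes."""
    first, last = (part.strip() for part in text.split("-", 1))
    return range_to_cidrs(first, last)


def htaccess_deny_block(cidrs, apache24=False):
    """Render the deny list the way the comment does (mod_access_compat style),
    or with the Apache 2.4 Require syntax when apache24=True."""
    if not apache24:
        lines = ["Order Allow,Deny", "Allow from All"]
        lines += [f"Deny from {c}" for c in cidrs]
    else:
        lines = ["<RequireAll>", "    Require all granted"]
        lines += [f"    Require not ip {c}" for c in cidrs]
        lines.append("</RequireAll>")
    return "\n".join(lines)


def is_blocked(ip, cidrs):
    """True if ip falls inside any prefix of the deny list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


# Ranges taken from this page's WHOIS output; the misaligned third one is constructed
# to show that a block which is not a single prefix comes out as several.
WHOIS_RANGES = [
    "117.64.0.0 - 117.71.255.255",
    "114.96.0.0 - 114.103.255.255",
    "192.0.2.8 - 192.0.2.19",
]


def build_deny_list(ranges=WHOIS_RANGES):
    cidrs = []
    for r in ranges:
        cidrs += parse_whois_range(r)
    return cidrs


if __name__ == "__main__":
    deny = build_deny_list()
    print(htaccess_deny_block(deny))
    print()
    print(htaccess_deny_block(deny, apache24=True))
    for probe in ("114.97.78.200", "60.169.78.19"):
        print(probe, "blocked" if is_blocked(probe, deny) else "allowed")
```

Blocking a whole /13 is a blunt tool, so it is worth keeping the generated list in version control with the WHOIS line that justified each prefix, and re-checking that the blocks still belong to the same holder now and then, since allocations move.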
