<![CDATA[FrontAccounting forum — Hacking attempts and mitigation]]> https://frontaccounting.com/punbb/viewtopic.php?id=8751 Sun, 19 Apr 2020 16:30:29 +0000 PunBB <![CDATA[Hacking attempts and mitigation]]> https://frontaccounting.com/punbb/viewtopic.php?pid=37289#p37289 Recently, a scan of the apache access logs on a Linux based FA server yielded the following two entries:

45.13.93.82 ... "CONNECT ip.ws.126.net:443 HTTP/1.1" 405 408 "-" "Go-http-client/1.1"
192.241.238.130 ... "GET / HTTP/1.1" 200 452 "-" "Mozilla/5.0 zgrab/0.x"
162.243.128.149 ... "GET / HTTP/1.1" 200 452 "-" "Mozilla/5.0 zgrab/0.x"

The last 2 entries above are from the ZGrab Project which is part of the Open Source ZMap portfolio of applications.
* Hack to Learn
* Insecure default SSH Keys in IoT devices
* 580 Default HTTPS Keys in use
ZGrab2 is written in Python/Go languages and is used to grab webpage data.

ip.ws.126.net => 59.111.181.52    CN    China,Asia    59.111.0.0/16    Guangzhou NetEase Computer System Co.
https://ip.ws.126.net/ => states nginx and Forbidden
DNS verified with: https://dnsdblookup.com/ip.ws.126.net/
Referred in: https://forums.homeseer.com/forum/homeseer-products-services/system-software-controllers/hs3-hs3pro-software/hs3-hs3pro-discussion/1355113-odd-web-sever-log-entry-should-i-be-concerned
Abuse Reports: https://www.abuseipdb.com/check/59.111.181.52

45.13.93.82    DE    Germany,Europe    45.13.92.0/23    Cnservers LLC
192.241.238.130    US/California    192.241.238.0/24    Digital Ocean
162.243.128.149    US/California    162.243.128.0/24    Digital Ocean

https://ip.ws.126.net/ipquery
  var lo="泰米尔纳德邦", lc="金奈";
  var localAddress={city:"金奈", province:"泰米尔纳德邦"}
translates to:
  var lo = "Tamil Nadu", lc = "Chennai";
  var localAddress = {city: "Chennai", province: "Tamil Nadu"}

Also in your /etc/hosts file, make sure the following entries are present (In Windows it would be in C:\WINDOWS\SYSTEM32\drivers\etc\hosts:

127.0.0.1  airartapt.site
127.0.0.1  netpatas.com
127.0.0.1  hadsecz.com
127.0.0.1  ofgogoatan.com

The third one is included into the browser using a javascript file of random name masking all content to have an overlay of a link that dynamically changes redirection and captures username and password as well especially in the FA login screen.

A page refresh toggles it off.

The last one above is present in sites like in https://f2movies.to and gets into other tabs sometimes.

Conclusion:
1. Make sure all unnecessary background programs / apps are killed off.
2. When logging on to FA, make sure no other browser instance or browser tab is present.
3. After entering the login page, refresh it once before entering access credentials.

]]> Sun, 19 Apr 2020 16:30:29 +0000 https://frontaccounting.com/punbb/viewtopic.php?pid=37289#p37289