TCA hack attempt

[dimitrifrom31]

Few minutes ago my security blocked a hacker who had logged in under my own TCA administrator account.

 

IP of offender is 81.19.223.100

 

 

I don't know how that guy could get my password, I have strenghtened security even more and contacted Gamers-Network.co.uk as this IP was registered under their name.

 

Here is the chat we had :

 

07.09.10 18:43:12| Alexander King: Hello Dimitri, my name is Alexander King, how may I help you?

07.09.10 18:43:26| Alexander King: Hi there

 

07.09.10 18:43:47| Dimitri: Hello, trying to get info about the following IP : 81.19.223.100 it appears to be yours, is it a dedicated server by any chance ?

 

07.09.10 18:44:08| Alexander King: Can i ask who you are please?

 

07.09.10 18:44:36| Dimitri: Sry, IM dimitri pawelski ownerof RoxServers.com and I just caught that IP trying to hack on my network

07.09.10 18:44:46| Dimitri: after tracing it it appeared to be from your company

 

07.09.10 18:44:54| Alexander King: 81.19.223.100?

07.09.10 18:44:57| Alexander King: Impossible

 

07.09.10 18:45:06| |Dimitri: yes

07.09.10 18:45:17| Dimitri: Title: Gamers-Network.co.uk -

Login

 

Keywords: none

 

Description: none

 

IP:

81.19.223.100

server location:

United Kingdom

ISP:

KillerCreation Networks Ltd

 

07.09.10 18:45:28| Alexander King: Correct

07.09.10 18:45:32| Alexander King: Its our gaming panel URL

07.09.10 18:45:37| Alexander King: No one has access to it

07.09.10 18:45:50| Alexander King: So its near impossible

 

07.09.10 18:46:06| Dimitri: well someone used a web browser from there to login as admin into my own gaming panel

 

07.09.10 18:46:25| Alexander King: You need to have better security your end then

07.09.10 18:46:26| Alexander King: lol

07.09.10 18:46:53|Alexander King: No one has logged into the server for a long time

 

07.09.10 18:46:59| Dimitri: Its done on my end, problem is actually YOUR security aas your system is compromised apparently

 

07.09.10 18:47:05| Alexander King: last login was me, to update the monitor

 

07.09.10 18:47:22| Dimitri: well I can tell you that was this IP for sure few minutes ago

 

07.09.10 18:47:28| Alexander King: I dont see how it could be our end as its not actually our panel that has been logged into

 

07.09.10 18:47:33| Dimitri: I got everything logged

07.09.10 18:47:56| Dimitri: well the login was from one of your IP so your security is obviously compromised

 

07.09.10 18:48:20| Alexander King: Its got a 128bit password on it changes weekly, impossible dimitri

07.09.10 18:48:27| Alexander King: If you can email me all the details 07.09.10 18:48:31| Alexander King: alex@gamers-network.co.uk

07.09.10 18:48:34| Alexander King: i will look into it further!

 

07.09.10 18:49:11| Dimitri: Well I can tell you its possible since it just happened, will email you some log excrapts

 

07.09.10 18:49:27| Alexander King: Thanks, could be anything someone clonning the ip address, anything is possible

07.09.10 18:49:32| Alexander King: Thanks for letting me know

 

07.09.10 18:50:14| Dimitri: cant be ip cloning that would be too much of a coincidence

07.09.10 18:50:22| Dimitri: you seem to use same panel as me

07.09.10 18:50:27| Dimitri: and we are both in the GSP

 

07.09.10 18:50:29| Alexander King: Tcadmin Correct

 

07.09.10 18:50:37| Dimitri: I dont believe in such a coincidence

 

07.09.10 18:51:08| Alexander King: Well i have nothing against you dont even know you personally, cant see why i would want to "hack" into your system, anywho please email me the log transcripts

 

07.09.10 18:51:35| Dimitri: never said that was you, just said it was coming from an IP registered at your name...

 

07.09.10 18:51:48| Alexander King: Correct

07.09.10 18:51:54| Alexander King: Well as i said send me the details 07.09.10 18:52:06| Alexander King: and i will get our network investigators to have a peak around

 

07.09.10 18:52:24| Dimitri: 2010-07-09 16:39:01 W3SVC1099804505 87.98.189.37 GET /webmail - 80 - 81.19.223.100

|Mozilla/5.0+(Windows;+U;+Windows+NT+5.2;+fr;+rv:1.9.2.6)+Gecko/20100625+Firefox/3.6.6 404 0 2

07.09.10 18:52:29| Dimitri: will email you some more

 

07.09.10 18:52:39| Alexander King: We dont have mozzila on the server 07.09.10 18:52:41| Alexander King: lol

07.09.10 18:52:47| Alexander King: Only windows explorer ha

 

07.09.10 18:53:06| Dimitri: thats just the user agent it can be edited easily

 

07.09.10 18:54:25| Alexander King: email me the details

07.09.10 18:54:29| Alexander King: as its all on the file then

 

07.09.10 18:59:11| Dimitri: well i will email you some but i dont see the point, just watch your team as the "hacker" was familiar with TCAdmin obviously

 

07.09.10 19:00:06| Alexander King: Its only me

07.09.10 19:00:12| Alexander King: That has the main password to that box

07.09.10 19:00:26| Alexander King: Thanks for your time dimitri

 

 

I dont believe in such a coincidence so I suggest you to ban this IP already if you are a bit paranoid (you have to be when you are in this business).

 

 

About the details well the wanabe hacker edited TCA config which proves he was very familiar with it, he went straight to the things and allowed file extensions such as bat and exe then uploaded bat and exe on some game servers and finally edited those game server application to run the uploaded files.

[Dan M]

Well if a successful login was initiated, improving security on your end should be a priority over tracing whoever it was.

 

Possibly implement a VPN solution of which only users connected via the VPN can login to the administrative account of your GSP, the same with other services, focusing your security on one sole box of which would run the VPN instance.

 

A handful of larger GSP's have a similar setup, massively improving security.

 

- D

[dimitrifrom31]

Well if a successful login was initiated, improving security on your end should be a priority over tracing whoever it was.

 

Possibly implement a VPN solution of which only users connected via the VPN can login to the administrative account of your GSP, the same with other services, focusing your security on one sole box of which would run the VPN instance.

 

A handful of larger GSP's have a similar setup, massively improving security.

 

- D

 

 

dont worry i already took the measures and his "attack" miserably failed. It was obviously a rookie "hacker" who obtained my password somehow (actually I think I know how already) and uploaded trojans/viruses he got from the web.

[ECF]

Hacked into MYSql most likely and got the password from there.

[adamnp]

We had a similar issue a while back, found a bunch of stupid ass scripts that someone uploaded into a bunch of dir's. He couldn't get on the box because of our security, but he was able to connect via FTP and upload stupidass files to the gameservers.

 

Did you provide details of the break in to luis?

[dimitrifrom31]

We had a similar issue a while back, found a bunch of stupid ass scripts that someone uploaded into a bunch of dir's. He couldn't get on the box because of our security, but he was able to connect via FTP and upload stupidass files to the gameservers.

 

Did you provide details of the break in to luis?

 

well in fact he got my password by an idiot way im assuming so wasnt tca exploit.

 

However there should be a security added to tca so you can "lock" some settings like the restricted files/extensions (maybe in v2) and that settign can be unlocked only with physical access to the machine or w/e

[Admin-Nation-Servers]

well in fact he got my password by an idiot way im assuming so wasnt tca exploit.

 

However there should be a security added to tca so you can "lock" some settings like the restricted files/extensions (maybe in v2) and that settign can be unlocked only with physical access to the machine or w/e

 

You can have it so only IPs from the box itself or others are allowed to connect to tcadmin

[dimitrifrom31]

You can have it so only IPs from the box itself or others are allowed to connect to tcadmin

 

ye i know but when im away its then a pain for mobility

[ECF]

ye i know but when im away its then a pain for mobility

A good way is to allow one of your servers IPs and then you can RDP into the server and hit TCAdmin from there when you are on the road.

 

If you want, please put in a ticket with the details of the break-in. Luis may be able to do something with it.

[matrix4583]

so someone was able to hack into tcadmin control panel or the RDP? if RDP, try improving with encrypted data. IF tcadmin then try to put 5 chances to ban the person if they get it wrong.

[AJK2408]

Hi,

 

I have nothing against you so why would i even try and hack your system? - Try changing your passwords next time and also i didnt get your email my end which you said you would send...

[matrix4583]

is this a reseller or own?

[dumdum1974]

hmm somone tried today to login as Admin with us also ,after he missed few times probably requested recovery and we recieved mail with our details,nobady requsted from us thats 100% sure,partner contacted me asking did I requested password ,I said no so we checked logs whats going on and we found those details ,so we blocked this IP but maybe some of you can use it also...

 

This is from log just one copy :

10.7.2010 11:51:35 : Invalid User ID or Password. User ID: Admin/admin IP: 89.212.26.5

 

Details about network:

89.212.26.5 IP address location & more:

IP address : 89.212.26.5

IP country code: SI

IP address country: Slovenia

IP address state: Bohinj

IP address city: Ljubljana

IP address latitude: 46.0553

IP address longitude: 14.5144

ISP of this IP : T-2 Access Network

Organization: T-2 Access Network

Host of this IP: : 89-212-26-5.dynamic.dsl.t-2.net

Local time in Slovenia: 2010-07-10 12:27

 

Do you think reporting this to his provider T-2 for abuse will change something or its just losing time :-) ?

[dimitrifrom31]

Hi,

 

I have nothing against you so why would i even try and hack your system? - Try changing your passwords next time and also i didnt get your email my end which you said you would send...

 

didnt mean to accuse but you look like having guilty conscience since thats second time you defend yourself even if I never accused you.

 

Only concrete things I know about the wana be hacker are :

- he got my admin password (i think i know how and thats 100% my fault, he didnt need any hacking knowledge for that in fact, just eyes. And for what I know he could get it from TCA forums even)

- hes familiar with TCAdmin (he is a TCA client or used to be) as he went straight to the point editing the files permissions, uploading bat/exe then editing services to run them (they got blocked by my security measures anyway)

- he used your IP and that cannot be IP spoofing (not to mention what a coincidence it would be if he picked up an IP belonging to another TCA user)

 

 

Tbh I first thought your company was providing dedicated servers and some1 used it as a proxy but now with your reaction I must admit I start having doubts, even though I wouldnt accuse directly without solid proofs, your reaction is inappropriate.

 

 

edit : about the email i dont see the point emailing you logs. I have sent you a part of a log showing the IP browsing my website to prove you that it was coming from your machine , the one "no one but you is supposed to have access on". So my conclusion is either your system is compromised either something else...

 

to answer previous post no he didnt get into RDP, only into my TCA web admin account. but i got multiple security walls and I could catch him.

[AJK2408]

O sorry i may be a bit upset but someone is accusing me of hacking into their system then posting it onto a public forum, very pathetic, try changing your password and maybe scan your system next time for keyloggers or something like that.

[dimitrifrom31]

O sorry i may be a bit upset but someone is accusing me of hacking into their system then posting it onto a public forum, very pathetic, try changing your password and maybe scan your system next time for keyloggers or something like that.

 

Again you were never accused of anything until you started defending yourself whereas you were not attacked.

And no TY I dont have keyloggers or whatever as I mentionned I know how the pass was known and thats nothing to do with hacking actually.

[dimitrifrom31]

just close this topic btw this wont lead anywhere

[Admin-Nation-Servers]

If my ip was the offending ip of a hack attempt I would isolate that box asap and check all the logs

[dimitrifrom31]

If my ip was the offending ip of a hack attempt I would isolate that box asap and check all the logs

 

 

that also made me doubt about the inappropriate reaction but whatever, fail attempt, just lame.

[LFA]

well in fact he got my password by an idiot way im assuming so wasnt tca exploit.

 

However there should be a security added to tca so you can "lock" some settings like the restricted files/extensions (maybe in v2) and that settign can be unlocked only with physical access to the machine or w/e

 

See this article

[dimitrifrom31]

See this article

 

 

ye thx i know that feature and I use some parts of it already. I might lock the executable too as I almost never had to use it.

[adamnp]

Again you were never accused of anything until you started defending yourself whereas you were not attacked.

And no TY I dont have keyloggers or whatever as I mentionned I know how the pass was known and thats nothing to do with hacking actually.

 

Have to agree with you 100%. I would have thought/felt the same. A proper response would have been for them to look into the issue and possibly see if maybe something went wrong. We have seen even the largest companies with the most sophisticated security end up hacked, so a response saying "cant be" is just lackluster, and definately lends a worried ear.

 

Looking from the log, you definately didn't formally accuse him imo, I don't know if theres more to that log than you posted however.

[Derek]

Find it funny he says "impossible" but then later says "anything is possible" lmao

[dimitrifrom31]

Have to agree with you 100%. I would have thought/felt the same. A proper response would have been for them to look into the issue and possibly see if maybe something went wrong. We have seen even the largest companies with the most sophisticated security end up hacked, so a response saying "cant be" is just lackluster, and definately lends a worried ear.

 

Looking from the log, you definately didn't formally accuse him imo, I don't know if theres more to that log than you posted however.

 

the chatlog is complete, the only other chat i had with him is here in that thread.

 

About hack proves ofc i got more than the IIS log (just used this as it was showing ip and hour to show him that was his ip) :

 

TCA Web.Logins.txt :

09/07/2010 18:38:06 : User logged in: ADMIN/XXXXXXXXXXXXXXXXXXXXXXXXXXX== IP: 81.19.223.100

 

TCA Uploads.txt shows uploads started 2 mins later on demouser account :

09/07/2010 18:40:06 : Starting upload. (/TKXBENWUZOCEQUVSUOKHVWINJGAGPLUGYDEFAFCUUEYQOHRGJC)
09/07/2010 18:40:06 : Received headers and filename. Processing POST data. Filename: D:\UserFiles\demouser\GameServers\TC001138411507634XXXXXXXX\te.exe (/TKXBENWUZOCEQUVSUOKHVWINJGAGPLUGYDEFAFCUUEYQOHRGJC)
09/07/2010 18:40:06 : Finished processing upload. (/TKXBENWUZOCEQUVSUOKHVWINJGAGPLUGYDEFAFCUUEYQOHRGJC)

 

 

and the admin user log is selmf explanatory :

09/07/2010 18:38:06 : 	81.19.223.100	Admin Home	
09/07/2010 18:38:10 : 	81.19.223.100	System Settings	
09/07/2010 18:38:12 : 	81.19.223.100	File Servers	
09/07/2010 18:38:17 : 	81.19.223.100	Servers	
09/07/2010 18:38:21 : 	81.19.223.100	Plugins	
09/07/2010 18:38:23 : 	81.19.223.100	Security Configuration	
09/07/2010 18:38:38 : 	81.19.223.100	Admin Home	
09/07/2010 18:38:44 : 	81.19.223.100	Users	
09/07/2010 18:39:19 : 	81.19.223.100	Admin Home	
09/07/2010 18:39:21 : 	81.19.223.100	Game Servers	
09/07/2010 18:39:48 : 	81.19.223.100	Game Server Home	Parameters: ServiceId=TC00113841150763402616016 
09/07/2010 18:39:54 : 	81.19.223.100	Filemanager	Parameters: ServiceId=TC00113841150763402616016 
09/07/2010 18:40:00 : 	81.19.223.100	File Upload	Parameters: ServiceId=TC00113841150763402616016 
09/07/2010 18:40:00 : 	81.19.223.100	File Upload	Parameters: ServiceId=TC00113841150763402616016 
09/07/2010 18:40:06 : 	81.19.223.100	Uploading file: 'D:\UserFiles\demouser\GameServers\TC0011384115076340XXXXXX\te.exe'
09/07/2010 18:40:18 : 	81.19.223.100	File Upload	Parameters: ServiceId=TC00113841150763402616016 
09/07/2010 18:40:18 : 	81.19.223.100	File Upload	Parameters: ServiceId=TC00113841150763402616016 
09/07/2010 18:40:25 : 	81.19.223.100	Uploading file: 'D:\UserFiles\demouser\GameServers\TC00113841150763402XXXXXX\videoxxx.exe'
09/07/2010 18:40:29 : 	81.19.223.100	File Upload	Parameters: ServiceId=TC00113841150763402616016 
09/07/2010 18:40:29 : 	81.19.223.100	File Upload	Parameters: ServiceId=TC00113841150763402616016 
09/07/2010 18:41:50 : 	81.19.223.100	Uploading file: 'D:\UserFiles\demouser\GameServers\TC001138411507634026XXXXXX\Firefox.exe'
09/07/2010 18:41:51 : 	81.19.223.100	Filemanager	Parameters: ServiceId=TC00113841150763402616016 
09/07/2010 18:44:06 : 	81.19.223.100	Admin Home	
09/07/2010 18:44:15 : 	81.19.223.100	System Settings	
09/07/2010 18:44:19 : 	81.19.223.100	Plugins	
09/07/2010 18:44:21 : 	81.19.223.100	Security Configuration	
09/07/2010 18:44:26 : 	81.19.223.100	Filemanager Configuration	
09/07/2010 18:44:47 : 	81.19.223.100	Filemanager Configuration	Action: Save
09/07/2010 18:44:54 : 	81.19.223.100	File Upload	Parameters: ServiceId=TC00113841150763402616016 
09/07/2010 18:44:54 : 	81.19.223.100	File Upload	Parameters: ServiceId=TC00113841150763402616016 
09/07/2010 18:45:02 : 	81.19.223.100	Uploading file: 'D:\UserFiles\demouser\GameServers\TC001138411507634XXXXXX\f.exe'
09/07/2010 18:45:03 : 	81.19.223.100	Filemanager	Parameters: ServiceId=TC00113841150763402616016 
09/07/2010 18:45:11 : 	81.19.223.100	Game Server Home	Parameters: ServiceId=TC00113841150763402616016 
09/07/2010 18:45:13 : 	81.19.223.100	Service Details	Parameters: ServiceId=TC00113841150763402616016 
09/07/2010 18:45:17 : 	88.185.156.137	Admin Home	

 

 

I just saw that I deleted the DBcommands log (had it copied elsewhere to review and correct everything that got changed) butit was just a compement of previous log showing what exactly was edited.

[AJK2408]

Please close the topic, we will look into this further and check firewall log's and server log's and get back to you dimitri