Die Nichtexistenz unsichtbarer Angriffe

Es gibt Sicherheitsanbieter, die aus einer Mücke einen Elefanten machen, um damit Aufmerksamkeit zu erregen. Das Geschäftsmodell kann man verbessern, indem man als Betreiber einer Blockliste die Aufmerksamkeit der Betroffenen einfordert. Obendrauf kann man ein Zusatzgeschäft satteln, das das Streichen von der Liste entgeltpflichtig macht. Natürlich wird eine solche Liste perfekt und seriös gepflegt sein.

Die Warnung

Dear Provider,

I’m George Egri, the Co-Founder and CEO of BitNinja Server Security.
I’m writing to inform you that we have detected malicious requests
from the IP a.b.c.d directed at our clients’ servers.

As a result of these attacks, we have added your IP to our greylist
to prevent it from attacking our clients’ servers.

Servers are increasingly the target of botnet attacks and you might not be aware
that your server is being used as a “bot” to send malicious attacks over the Internet.

I've collected the 3 earliest logs below, and you can find the freshest 100,
that may help you disinfect your server, under the link.

http://bitninja.io/incidentReport.php?details=ABC...XYZ

Url: [www.rechtslexikon.net/d/rechtsmittelverzicht/rechtsmittelverzicht.htm]
Agent: [Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]

Url: [www.rechtslexikon.net/d/rechtsmittelverzicht/img/logo.png]
Agent: [Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]

Url: [www.rechtslexikon.net/d/rechtsmittelverzicht/css/style.css]
Agent: [Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]

For more information on analyzing and understanding outbound traffic,
check out the guide that we’ve created. We’ve dedicated an entire site to helping people
prevent their server from sending malicious attacks: https://doc.bitninja.io/investigations.html

Our incident experts are also happy to help you and can provide detailed logs if needed.
Please feel free to connect me with the administrator or technical team responsible
for managing your server.

This is not the correct contact email?

Please provide us the e-mail address of the server administrator or the abuse department
of the server management company, so we can send the securityreport to them and
discuss the further steps needed to resolve this problem.
You can provide the e-mail address using a web form. 

Thank you for helping us make the Internet a safer place!

Regards,

George Egri
CEO at BitNinja.io

Selbstverständlich ist die E-Mail an den falschen Abuse-Kontakt  gegangen. Deren Whois-Abfrage beherrscht Abuse-C ala RIPE nicht. Das habe ich schon zig-mal mit denen durch dekliniert. Jedes Mal ohne Erfolg. Sie verstehen es nicht.

Und es fehlen die wichtigen Angaben im Report: Da es sich um die öffentliche-IP eines NAT-Pools ist, benötige ich die Portnummer, um überhaupt die Chance zu haben, den Verursacher zu identifizieren.

Der Vorfall

Aber nun, schauen wir mal wieviel Aufwand man rein stecken könnte, also welche Art von Schaden angerichtet wird.

2017-01-10 18:10:06

Url: [ho###er.com/default.php?os=wp&calling_app=9nblggh4p0vk]
Agent: [Mozilla/5.0 (Windows Phone 8.1; ARM; Trident/8.0; Touch; rv:11.0; IEMobile/11.0; Microsoft; Lumia 950 XL) like Gecko]
Get data: [Array(
 [os] => wp
 [calling_app] => 9nblggh4p0vk)]
 

2017-01-08 12:49:16

Url: [www.softair.at/faq.html]
Agent: [Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0]

2017-01-02 20:14:58

Url: [fa###ng.###.com/Overload/?steamid=76561198141804145&map=ttt_rooftops_2016_v1]
Agent: [Mozilla/5.0 (Windows; Valve Source Client) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1003.1 Safari/535.19 Awesomium/1.#.#.1 GMod/13]
Get data: [Array(
 [steamid] => 76561198141804145
 [map] => ttt_rooftops_2016_v1)]

2017-01-02 20:08:44

Url: [fa###ng.###.com/Overload/?steamid=76561198141804145&map=ttt_rooftops_2016_v1]
Agent: [Mozilla/5.0 (Windows; Valve Source Client) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1003.1 Safari/535.19 Awesomium/1.#.#.1 GMod/13]
Get data: [Array(
 [steamid] => 76561198141804145
 [map] => ttt_rooftops_2016_v1)]

2016-12-28 22:31:07

Url: [tattoomodels.hol.es/gotham-suicide/]
Agent: [Mozilla/5.0 (Linux; Android 4.4.2; X7 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.#.#.0 Safari/537.36]

2016-12-17 22:15:34

Url: [www.st-sebastian-bickenriede.hol.es/impressum.htm]
Agent: [Mozilla/5.0 (Linux; U; Android 4.3; de-de; HUAWEI G6-U10 Build/HuaweiG6-U10) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30]

2016-12-17 22:15:34

Url: [www.st-sebastian-bickenriede.hol.es/kontakt.htm]
Agent: [Mozilla/5.0 (Linux; U; Android 4.3; de-de; HUAWEI G6-U10 Build/HuaweiG6-U10) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30]

2016-12-17 22:15:02

Url: [www.st-sebastian-bickenriede.hol.es/Gottesdienste_Vermeldungen/aktuelle_gottesdienste_und_vermeldungen.pdf]
Agent: [Mozilla/5.0 (Linux; Android 4.3; HUAWEI G6-U10 Build/HuaweiG6-U10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36]

2016-12-17 22:14:29

Url: [www.st-sebastian-bickenriede.hol.es/Gottesdienste_Vermeldungen/aktuelle_gottesdienste_und_vermeldungen.pdf]
Agent: [Mozilla/5.0 (Linux; Android 4.3; HUAWEI G6-U10 Build/HuaweiG6-U10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36]

Das schaut aber nicht nach einem Angriff aus, sondern nach normaler Benutzung. Also stelle ich mal die explizite Rückfrage.

Can you please explain, what type of attack you are referring to?
I do only see valid web usage in your reports.

Der Abschluss

Die Antwort war ernsthaft überraschend:

Hello, 

Thank you for reaching out to us.
I checked the provided IP address and found nothing malicious in the recent,
therefore I delisted the mentioned IP address from our greylist.
If you have any more questions, do not hesitate to contact us.

Best Regards, 
Anita Batári
Incident Expert
https://bitninja.io
Avatar
BitNinja 21.04.2017 11:20
We just read your article. Sorry for the inconvenience, and please let us clarify the situation.
We're collecting so many incidents day-by-day that we are not able to process manually. We 're using an automation that provides a really low false positive rate. According to the law of large numbers, unfortunately, your case was probably one of them.
If you have any question regarding the BitNinja, feel free to write us. Our contact email is info@bitninja.io


Avatar
Ralf Hildebrandt 13.01.2017 00:13
Was für Schwachköpfe.

2 Kommentare

Post a comment

Verwandter Inhalt