hackers and script kiddies, oh boy ha ha ha

sammie posted 27th of December 2008 in Community Voice. 33 comments.

Over the last 30 hours i have been watching 3 hackers/scriptkiddies trying to hack into one of my servers, between them they have made some 132,000 login attempts to the Administrator (system) account on my linux server. why did i watch them for 30 hours and not block them? i'll explain that later, first lets talk about the difference between a hacker and a scriptkiddie.

A scriptkiddie is a snotty nosed 13 year old that download Ytunnel and uses it to kick you off yahoo chat or crash your yahoo messenger. they just use a script, he is a wanna be hacker to look cool for his mates.

There are three types of hacker, the ones you never hear about until they go to jail. (real hackers), security hackers, (hackers turned good guys), and the hacker that tells you he is going to hack your hotmail or website and never does. (because he cant hack his way out of a wet paper bag with an axe)

So why didnt i block 3 scriptkiddies from trying to hack into the Administrator account on my server?

Well i know they are not Hackers because they all made one fundemental mistake, one that tells me they are scriptkiddies that have no idea what they are doing with the script they are using to try and hack the server.

Linux servers do not have a system Administrator account, only Windows machines do. so for 30 hours they tried to get into the system Administrator account that does not even excist.

if they where smart they would have used 30 seconds to do a whois to lookup the server and see what system it is and use the correct system account name to try and hack into an not waste 30 hours.

============= important you read below=============

This got me thinking, 132,000 attempts on one account name, divided by 3 people is 44,000 different passwords they each could have used, thats a lot more than the normal 2000-4000 you would see used.

if your password is easy to remember, its most likely on that list of 44,000

so the whole point of this post is to help you to learn how to make strong passwords that are easy for you to remember as most people don't know how.

you need a formulae thats easy for you to remember and one you can apply to different passwords used for different things. you do not need a mile long password to be strong.

But first a word about online MD5 hash generators and crackers.

Never ever use an online MD5 generator, all you are doing is making your strong password public and giving it to hackers.

how this con works. you think of a strong password, enter it in the online generator, you walk away with your new md5 hash, and the generator owner walks away with your strong password you entered and the hash for it, and puts it on his MD5 hash cracker site list and sells your password for $10 to whoever enters your MD5 hash. you did all the work, he keeps the cash and you get hacked and wonder how when your password was 100% strong. now you know how.

password formulae

a strong password needs to contain symbols there are 26 letters on a keyboard, and 30 symbols, i use 3 different formulae depending on where i am logging in. The 30 symbols will generate 810,000 different formulae, times them by the 44,000 passwords used by the hackers above and it makes 39 billion passwords all 90% strong or higher.

i will teach you how you can join 20,000 different websites with 20,000 different passwords and login to all 20,000 sites without forgetting a single password. How? read on

choose 4 symbols any 4 and remeber them, start your password with 2 of them. like this

$%

choose a name, not your own i'll use my dogs, Max, but wow its only 3 letters long and anyone can guess it? sure they gotta guess one of 810,000 formulae too remember.

this formulae uses 4 symbols $% at the start and #^ at the end

so start with

$%M

then use the standard @ for the a

$%M@

drop the last letter and replace with the 3rd symbol of your formulae

$%M@#

and now add the last symbol of your formulae

$%M@#^  = 95% strong from using my dogs name Max and not a mile long

any generic name used needs to have the  vowles change for symbols like a=@ e=3 i=1 o=0 u=^

so to login into 20,000 sites without having to remember the password use this.


but only the first 6 letters of the domain name. take boonex.com

it would be using this formulae

$%B00n3#^ 100% strong

expertzzz.com would be

$%Exp3r#^  100% strong

! " £ $ % ^ & * ( ) _ + - = < . , : ; @ ' ~ # [ { ] } \ | ` =30 symbols choose any 4 to make 2 pair

 
Comments
·Oldest
·Top
Please login to post a comment.
iced
hmm interesting read indeed...

Cheers
aviatrix
hahahahah that made me rofl .. kids those days do so many dum things .. they use some random tools and call them hackers ..
for example .. few months back some kid askd for my ip .. and i told him that it was 127.0.0.1 and he told me to save my documents and to wait i said ok .. and the convo went liek this :
me:what you gona do ?
him : im gona restart ur pc !!!
me : hokay ...
* then i had one big grin on my face wating something to happen 5 seconds later he went offline .. can u gues see more what happend ? *
me : what happend
him : i think i hit my firewall and it bacfired to me o.O
me : hmm .. stop ur firewall and try again
him : ok ..
* he goes offline several more times and i laught my but off .. *
richardpitt
These "dictionary" attacks are tried against all manner of systems - FTP, SSH, Telnet (not that any system I run has this turned on, but...) and specific applications like phpMyAdmin and such.

I run a program called log-guardian (PERL) http://www.tifaware.com/perl/log-guardian/ (except I can't get in right now) that watches log files for patterns and performs an action if/when the pattern matches.

I have my system watching the "secure" log for ssh and ftp transactions - see more and bad passwords are "3 strikes you're out" - meaning the offending IP address is put into IPTABLES firewall to block any further conversations until the firewall is reset - typically every 12 hours.

The same can be done for web logs.

Note that this needs to be done at the operating system level so anyone with hosted applications will have a problem. On the other hand there are ways of doing similar things with .htaccess too.
gautam
hope dat i'm not treated like script kiddies :)

great post for securing passwords.
idea to including to include one or two characters of the website name too is great. In case someone finds password of one site, he won't be able to acces others as other site passwords would have difference in characters. but in case u include too many characters from website name, it might not help ;-)
sammie
i'll repost that part and you'll see what you can do.
I am still stuck on the 30 hours wasted :-)

30 hours...

Sammie... sammie...

:-p
CyberXing
sammie
well while they are ever so busy trying to get access to an account that does not exsist, they are not doing it to a server where it does, so i didnt mind letting them waste their time. i went to bed and woke up and they were still at it.
kranio
see moreOoops!
I just arrived from jail and forgot some technics. Where I find script kids to restart my career ? ;)
Good post Sammie. But is import know that your security is made by you.
Watch your logs, change your pass at least one time/week. use strong firewalls (more than one if possible), ssh, read security news, and be expert with the news attacks system and verify the authencity from messages that you can receive by mail. Of course I don't need write almost nothing that I say but ... Cya People
sammie
i'll repost this part and make it a little more clear for you. read the **** parts that i have added to explain more.

i will teach you how you can join 20,000 different websites with 20,000 different passwords and login to all 20,000 sites without forgetting a single password. How? read on

choose 4 symbols any 4 and remeber them, start your password with 2 of them. like this

$%
***** Dictonary attacks will always start with a letter, but some letters are commonly replaced with a symbol see more like "a" for @ or "s" for $ so an attacker can add both to the script so it tries both "simple" and $imple, by adding 2 symbols to the begining you eliminate this risk is one of the symbols you choose is not one that is standard to replace letters*****

choose a name, not your own i'll use my dogs, Max, but wow its only 3 letters long and anyone can guess it? sure they gotta guess one of 810,000 formulae too remember.

this formulae uses 4 symbols $% at the start and #^ at the end
**** just for showing how it works****

so start with for Max

$%M
**** for using Max i chose to capitalise the M but if its a longer word you can capitalise the 3rd or 4th or last letter as long as you apply the same formulae to all your passwords, you'll never forget your password again****

then use the standard @ for the a

$%M@

drop the last letter and replace with the 3rd symbol of your formulae
**** Dropping the last letter is important, because what you are trying to do is make standard words in the dictionary, none exsistant. i know this wont work with the letter S as it would revert the name to the singular, we are not all perfect lol ****

$%M@#

and now add the last symbol of your formulae

$%M@#^ = 95% strong from using my dogs name Max and not a mile long

any generic name used needs to have the vowles change for symbols like a=@ e=3 i=1 o=0 u=^

so to login into 20,000 sites without having to remember the password use this.


but only the first 6 letters of the domain name. take boonex.com
**** i use 6 letters from the domain, but if the domain has only 4 letters then add 2 numbers after the 1st 2 symbols, this ensures you can still drop the last letter of the name. see below ****
boonex.com would be using this formulae

$%B00n3#^ 100% strong

expertzzz.com would be

$%Exp3r#^ 100% strong

*** you done have to capitalise the 1st letter, i did it here to demonstrate, you can capitalise the 3rd letter so boonex.com would be:

$%b0On3#^ 100% strong

expertzzz.com would be

$%exP3r#^ 100% strong

*** for sites with less than 6 letters in the name use numbers you can remember, like 1982 for my year of birth, (dont use that, its just an example) add the numbers after the first 2 symbols so we can still drop the last letter***

msn.com would be

$%198Ms#^

bebo.com would be

$%19B3b#^

! " £ $ % ^ & * ( ) _ + - = < . , : ; @ ' ~ # [ { ] } \ | ` =30 symbols choose any 4 to make 2 pair

as pointed out in a comment, if the webmaster does not hash your passwords and keeps them in his database in the clear, they only have the one for their own site so can not use it to get to your other accounts like hotmail because he also has your email address you supplied.
estensen
Great reading. From now on I will be using these symbols to have my password(s) 100% safe. A while back I actually had a email-skimmer recording my credit card numbers and code, name etc, only 10-15 min after having a complete check of virus and other shit on my computer, and they managed to empty my bank savings account for a large amount of dollars. It wasnt the end of the world, but all the same, money is money and I hate to lose any of them, especially my savings.. You should all read the 'article' see more above and follow it, better safe than sorry.. :)
buzz_lightyear
Hi Sammy,
nice post, however i think, that your passwords are very short for nowadays computers and password generators.

In general, longer passwords means much better security (even without special characters).
So as a suggestion, i'd extend your pass formula to some constant suffix/prefix (8 alphanum characters), which would then hopefully make it 100% attack proof.

Anyway, log files and some nice ban utility on your server is also good to have. I use fail2ban on my servers and it works see more very nicely...

have a nice day..
sammie
hi buzz
re read it, you'll see i recommend using 6 letters from the domain +4 symbols, dropping the last letter of the domain = 9 in all.
buzz_lightyear
hi sammie, i did :)
9 sounds good. i use 16 myself :P

here's a pass strength meter, if someone wants to check his password: http://www.passwordmeter.com/
The problem with online STRENGHT test, is you are now posting your "Strong" password to the outside world.

Not saying that this site in particular will do anything with it, but just remember, if you have to ask someone if your password is good, you just reduced its ability to be strong.
sammie
yup i did post about that with the MD5 generator sites, i am not saying all are currupt, but have you ever thought who owns the MD5 cracker sites and how they get the passwords?
theguypc
I just use keypass. It's set to create a 17 character password & it shows the strength of the password automatically. No need to check it online - which I would never do anyways.

Keypass is free & it is beyond awesome IMHO.

Great post though Sammie.

PC
stech786
Hey sammie,

Before you post how to join 20,000 sites, can you PLEASE teach us how to protect our site from these attacks,

cheers :-)
sammie
see your blog i posted in that
new_user09
Hi sammie, did you come up with the solution yet?
vinayak
thanks for this usefull information!!
RobertRun
Awesome.. really very useful for a newbie like me.
ladybugn
coo. going to go change my unity password.

Now if I can just get that "welcome admin" off my front pages to stop inviting visitors to come try to log into my admin panel...
stophi
But if someone knows your rules, the password isn't secure anymore, is it?

If you register at a malicious site, then the admin knows your first two and the last two characters of all your passwords. So then the passwords have actually only the strength of a password with five letters.

Or if someone knows that you are using some leetspeak presentation of the domain name in letter 2 to 7 and only special characters in letter 1,2,8,9 then he can also exclude many possible passwords.
sammie
Well the 1st thing to remember is this, its for you to make your own formulae, the post is to get you thinking, not to follow everything i have posted. you see i used 4 symbols, 2 at the start to at the end, you can use 3 or 4 at the start and 2,3, or 4 at the end, or in the middle, the post is to get you thinking of how to make your passwords for you, so you can use them and remember them.

i used very basic and symplistic demo's i made people think, now they can go away and think of the other see more ways to apply a formulae (i am not doing all the thinking for you, nor am i going to post a 3 mile long post showing every way you can apply this.

again, one webmaster with one password, has nothing to compare it with to see its a formulae, again the passwords today should in most cases be in MD5 hashed code so safe as long as you do not use one to make your password, or a strenth meter as mentioned above.
stophi
Yeah, I mean, the idea is great. I think I will adopt some version of it for my "not so important" passwords. But i will continue using unique, random passwords for important things like banking, webserver, PGP and so on. Because if you are using the domain name in your formula, it is fairly easy for a human being to guess the pattern, I think.

And of course, reliable admins will hash the password right away. So nobody would ever see the plain password. But you never know if they are see more reliable. Okay, sounds a bit paranoid. Never mind.
earpick
That's all dandy but as soon as one of your passwords gets uncovered I think there's going to be a whole lot of personal data theft all at once.

There is nothing wrong with generating a completely random password for something like a hosting account and storing it somewhere safe, such as your wallet. If you're not bringing your wallet around with you, I think you should be afraid for more than your email.

With hosting accounts in particular, you could always set up a set of SSH passphrase-protected see more keys that you can keep reusing. With a fairly long passphrase even if somebody gets onto your computer and steals the keys, there is little chance they will be able to guess the passphrase unless it's a saying you like to rub into your friends' and colleagues' ears.

In which case nothing can stop social engineering.
ZopfWare
Good article and tips. I only scanned through some of it but I noticed that a security I use didn't appear to be mentioned. I run Linux boxes and I find that, when properly configured, DenyHosts (a python script) is great to automatically scan logs and lockout ssh and other attempts on the fly.

You may already be able to install it by apt or yum depending on your distro.
DamnIt
Awesome Sammee, but any opinions on keypass and/or roboform password generators?
Robbie
Finally we have tracked down how my server was being hacked into. The attacker was able to upload a file called zq.php to "/var/www/html/roundcubemail-0.1.1/logs/zq.php" and was executed at http://seekqa.co.nz/roundcube/logs/zq.php. I have disabled that file. This is a bad one
 
 
Below is the legacy version of the Boonex site, maintained for Dolphin.Pro 7.x support.
The new Dolphin solution is powered by UNA Community Management System.
PET:0.12296295166016