Re: Proxy stealing journal access

[Gary Warner <gar () CIS UAB EDU>]

We have seen several indications in the past of students "sharing" their journal access with the entire internet.  It 
has frequently been associated with Chinese access to the journals.

Watching the logs on your subscription databases is a great way to find compromised university accounts, because it is 
one of the few "things of value" shared by every university student/faculty/staff.

Searching for you university with the Chinese characters:

用户名：
and
密码：

is often a useful exercise.

My whole Google search (sorry if the list "de-Chineses" this for finding these is this:

密码：  用户名：  userid: password:  databases  lexisnexis

(This is a useful exercise because the lists people post usually have some of the login information in english and some 
in mandarin.  swap out the word "lexisnexis" with things like "elsevier" "springer" "Academic onefile" to find others.)

If you only want "really fresh" ones, you can add a limit like "last 30 days" on your Google search.  The freshest one 
I see is from Sep 27, 2014 ...

www.expaper.cn/forum.php?mod=forumdisplay&fid=143&filter=typeid&typeid=224

Which is a thread for people to share passwords for accessing Academic resources at other libraries.

This one from May had a TON of University database passwords:

www.qc-lab.com/news/bencandy.php?fid=67&id=1465

Also a great reminder that we should not have "shared" passwords for these.  Many of the examples given have a password 
of "library" or "password" or the "userid = password" things like "libustc" as both userid and password.


----------------------------------------------------------

Gary Warner
Director of Research in Computer Forensics
The University of Alabama at Birmingham
Center for Information Assurance and Joint Forensics Research
205.422.2113
gar () cis uab edu

-----------------------------------------------------------

----- Original Message -----
From: "Roger A Safian" <r-safian () NORTHWESTERN EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Sent: Tuesday, October 7, 2014 8:14:10 AM
Subject: Re: [SECURITY] Proxy stealing journal access

It doesn't happen to have Spybot on it?  There's some sort of issue there with opening a proxy, but, that doesn't seem 
like the port I recall.

> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Andrew Daviel
> Sent: Monday, October 6, 2014 9:28 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Proxy stealing journal access
>
> We have an institutional subscription to a number of scientific journals,
> where our IPv4 address block is whitelisted so we can do searches without
> logging in per-user.
>
> Recently we had a complaint from SAE about unusual activity on our account.
> Their logs show downloads of some papers all from January 1994, from one
> of our laptops and also from an address from China Mobile.
> At the time in question, our network logs show a connection from the China
> Mobile address to the laptop - apparently a Web proxy on port 9064.
>
> So it looks like there is something on our laptop that allows a remote user to
> download journal papers using our subscription.
>
> When I look on the laptop, I can't find it. The laptop was rebooted, but I had
> expected something like Squid to start up again. There seem to be no
> common ports open. I'd half expected something simple installed by a user
> - VNC or logmein - but I don't see that.
>
> It's an older machine running XP with a few "possibly harmless" adwares, a
> couple of which I've cleared out.
>
> Has anyone seen anything like this ?
>
> I read things in the media about industrial espionage from China, so I'm half
> thinking "APT", but on the other hand it may be a wild goose chase.
>
> I'm running malwarebytes, which has turned up a few "potentially unwanted
> programs" but nothing really obvious. My usual Linux technique of looking
> for changed files is stymied because the users installed a lot of legitimate
> programs right around the same time - LabView etc.
>
> --
> Andrew Daviel, TRIUMF, Canada
> Tel. +1 (604) 222-7376  (Pacific Time)
> Network Security Manager