Re: Compromised VPN provider out there?

[Benji <me () b3nji com>]

> How came im not surprised that public proxies are being abused for brute
> force attacks?

You're just that far ahead of the curve?

On Tue, Apr 10, 2012 at 5:17 AM,  <nix () myproxylists com> wrote:
> > Hi
> >
> > To any security-aware VPN providers out there reading this:
> >
> > More than 800 hosts (mostly from Asia) started hitting TorVPN.com's
> > webserver on HTTPS with login requests.
> >
> > Before blocking them all (and adding them to the proxy list section of my
> > site after testing, heh)
> > I decided to temporarily log the attempted usernames and passwords for a
> > few seconds to see what the deal was.
> >
> > The usernames and passwords do not seem to be from dictionaries, more like
> > someone got a hold of plaintext
> > userinfo from somewhere and figured enough of them could be valid for
> > TorVPN.com to make it worth
> > the time to write a script and start bruteforcing (and monitor results,
> > because when I changed the login
> > URL, they updated their script in less than 5 minutes).
> >
> > I believe the most likely reason for an attacker to try check for password
> > re-use on my site is if their
> > accounts are from another VPN provider's database - which is why I am
> > writing this.
> >
> > Below you will find a list of usernames (not posting the passwords) that
> > were logged in those few seconds.
> > (None of them are actual real users on TorVPN, they are not part of any
> > public list that can be found with Google)
> >
> >   - vlai1214
> >   - BHGboat
> >   - haines
> >   - Mod95TZc
> >   - JJOM54
> >   - johnnieak
> >   - hair7
> >   - hair18
> >   - flipperke
> >   - outhcent
> >   - haipas
> >   - hainline
> >   - anxdpphh2334
> >   - rgcBCN
> >   - Pretty26
> >   - hair11
> >   - hairaP
> >   - cyrren
> >   - tomba73
> >   - mikemaynard25a
> >   - jamesmorrow
> >   - lending2
> >   - laynec
> >   - willthekiller
> >   - chrisn
> >   - chulony79
> >   - firefox
> >
> > If someone-who-isn't-me obtains similar info from an attack, manages to
> > log in to another VPN provider
> > with the logged accounts, sends me an e-mail about this success, I will
> > post the results.
> >
> > If anyone has already experienced a similar password bruteforce on their
> > VPN-website, do not hesitate to post details.
> >
> > Whoever hammered my server, I'd like to thank you for possibly helping to
> > uncover an ownage, as well as for helping me
> > re-fill the list of proxies on my site with working ones.
> >
> > Kind regards,
> > https://torvpn.com/
> >
> > ps: a couple of IPs with the most attempts
> >
> > # 189.127.120.253 -> 927
> > # 64.79.72.52 -> 868
> > # 186.225.60.90 -> 785
> > # 217.112.128.247 -> 732
> > # 203.122.19.11 -> 699
> > # 178.132.216.182 -> 699
> > # 146.255.9.124 -> 664
> > # 222.165.175.246 -> 646
> > # 188.230.77.233 -> 632
> > # 190.90.100.103 -> 584
> > # 188.241.71.1 -> 583
> > # 201.65.25.85 -> 563
> > # 202.47.88.46 -> 561
> > # 208.94.244.15 -> 494
> > # 187.0.32.6 -> 485
> > # 210.212.144.214 -> 484
> > # 196.1.178.254 -> 474
> > # 201.234.220.99 -> 474
> > # 190.145.74.10 -> 472
> > # 184.164.142.214 -> 465
> > # 89.235.50.141 -> 461
> > # 175.111.192.12 -> 461
> > # 186.225.106.146 -> 450
> > # 188.127.231.78 -> 450
> > # 200.1.110.146 -> 449
> > # 93.99.16.254 -> 434
> > # 84.22.50.42 -> 422
> > # 93.89.84.220 -> 401
> > # 201.234.58.212 -> 396
> > # 187.60.96.7 -> 379
> > # 125.21.55.194 -> 374
> > # 121.254.133.150 -> 366
> > # 202.46.69.4 -> 363
> > # 157.181.228.181 -> 361
> > # 201.49.77.7 -> 361
> > # 46.4.33.41 -> 360
> > # 206.212.249.237 -> 358
> > # 202.29.97.2 -> 355
> > # 46.162.1.253 -> 354
>
> Just due to curiosity, I picked up the first proxy (189.127.120.253) and
> ran it against http://nixapi.com/ip-reputation-lookup. The result was
> 'HTTP L3 (Transparent) proxy 189.127.120.253:3128 - Verified 03:49:38
> ago.'
>
> How came im not surprised that public proxies are being abused for brute
> force attacks? About a year ago, I setup a public proxy for testing
> purposes, after ~two day uptime what I can remember;
>
> Over 500 simultaneus connections all the time
> I think there was only 0.1% human users, the rest were abuse bots/scripts
> Bandwidth used constantly: 15-50Mbps/second (I remember capping it to
> 50Mbps) to prevent network lag issues to other services)
>
> There were several hundreds of thousand connections in very short time ...
>
>
>
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/