Jianyu · 2016/03/07 10:49

0x00 Preface


As the saying goes, whatever you do out there, sooner or later you have to pay it back. I was shocked to see the article “Network Little Black Reveals Series of Black Products and Jianghu Black Eat Black — The Invisible Handle of Chinese Kitchen Knife” on the Dark Cloud knowledge base. Being bored, I spent a week investigating 360’s statement that “from the public whois information, [email protected] registered the domain name maicaidao.me. Friends in the security circle should find this mailbox familiar; yes, the owner of this mailbox is a member of a certain SEC organization. We will say no more; those who are interested can dig for themselves.”

I expect many friends are curious about how it was taken down. Here is a brief write-up, in the hope of promoting the development of China’s network security and making a small contribution to the industry.

0x01 Information Collection


First, packet capture. To avoid whatever detection the program might have, I captured its traffic with Wireshark and wrote a filter that shows only the HTTP protocol, which revealed the receiving IP address and domain name. Then I used my own Internet information-gathering scripts to sweep the whole C segment of the target IP and every domain name associated with the receiving address: subdomains, ports and the distribution of applications. From the information collected I generated a dictionary rule set to wait for later targeted brute-forcing. That was all that could be done for the time being: the target is not a large enterprise, the 360 DayEyes security team had already worked out how hard the target was, and the whole data flow left us few clues.

0x02 Comprehensive Detection Process


A. After collecting information, I found that the domain names 9128.cc and maicaidao.co resolved to the same address.

(Historical resolution records of all changes to the 9128.cc domain name)

(Historical resolution records of all changes to the maicaidao.co domain name)

At this point we could be fairly sure this was the real origin IP address. A test that bound the host name directly to it succeeded, bypassing Cloudflare’s cloud protection entirely. We also learned from friends that the network segments beginning with 23 are all high-defence segments in the United States, generally resold by domestic agents on Taobao and similar sites.

Then I analysed some information on another domain name and made some new findings: http://www.threatexpert.com/report.aspx?md5=4b4a956b9c7dc734f339fa05e4c2a990

(Resolution records related to maicaidao.me)

(Trojan report related to maicaidao.me)

Looking at this report, it turns out that foreigners had already analysed this Chinese kitchen knife (China Chopper) Trojan, which shows its reach!
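For defenders, the practical takeaway from the records above is that a backdoored copy of the tool phones home to the domains named on this page. The following is an added example, not code from the original post: it scans constructed HTTP proxy log lines and reports which internal client talked to one of those callback domains or any subdomain of them, so an organisation can spot a trojanised copy in its own egress logs.

```python
import re
from collections import defaultdict

# Callback domains named in this write-up. A real deployment would load
# this set from an indicator feed instead of hard-coding it.
CALLBACK_DOMAINS = {"9128.cc", "maicaidao.co", "maicaidao.me"}

# Constructed sample proxy log: "client_ip method url status" per line.
SAMPLE_LOG = """\
10.0.0.5 POST http://www.maicaidao.co/count.php 200
10.0.0.5 GET http://www.example.com/index.html 200
10.0.0.9 POST http://api.9128.cc/api/x.php 200
10.0.0.7 GET http://notmaicaidao.co/ 200
10.0.0.9 POST http://maicaidao.me/ 404
10.0.0.5 GET http://cdn.example.com/lib.js 304
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.IGNORECASE)


def host_of(url):
    """Extract the host part of an absolute URL, or None if it has none."""
    m = HOST_RE.match(url)
    return m.group(1) if m else None


def matches_callback(host):
    """True if host is a callback domain or a subdomain of one.

    Suffix matching is anchored on a dot so that a look-alike such as
    notmaicaidao.co does not produce a false positive.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in CALLBACK_DOMAINS)


def scan_log(text):
    """Return {client_ip: [(method, host, status), ...]} for callback hits."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        client, method, url, status = m.groups()
        host = host_of(url)
        if host and matches_callback(host):
            hits[client].append((method, host, int(status)))
    return dict(hits)


if __name__ == "__main__":
    for client, reqs in scan_log(SAMPLE_LOG).items():
        print(client, reqs)
```

Any client that appears in the result is running a copy of the tool that leaks shell credentials; the POST method and the path are the useful pivots for the wider investigation.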

B. Armed with this, I spent 2 days scanning every relevant IP address in the C segment for system vulnerabilities and web vulnerabilities, including weak passwords built by automatic combination with case changes and letter-to-digit substitutions. After 2 days there was still no progress. I expect plenty of friends have spent a lot of time doing exactly this with the same result. Looks like social engineering would have to…

C. After thinking for several days without much of a clue, and on a try-it-and-see mentality, I took the emails collected earlier, combined them with an automatically generated password library, and went after IMAP over SSL, using the 90sec email user name plus the other collected information to build a good dictionary!!!! I went back to work after a good night’s sleep and a miracle appeared!! Against Google’s SSL IMAP on port 993, the automatically combined password “root90SecFuckYou” hit!!

The target mailbox is successfully accessed.

(Target Gmail)

Once inside, I saw a lot of emails from GoDaddy.

(The password is reset successfully. The domain name management page is displayed.)

(The maicaidao.co domain name points to Cloudflare)

Having got this far, I still could not determine the final result. Since analysing the chopper was our purpose, the receiving end had to be confirmed. After a moment’s thought, the safer route was to capture traffic through a reverse proxy: because Cloudflare’s CDN hides the origin address by default, the administrator would not be able to notice. So I recovered the Cloudflare account directly through Gmail, and it succeeded. Ha ha, a bit of luck.

(A commercial reverse proxy, used to visually configure the man-in-the-middle capture point)

To investigate this box, and for a green and safe Internet environment for the majority of users, we spent some money on a commercial reverse proxy to do packet capture and analysis, modifying the returned packets to insert a specified JavaScript, so that every person requesting this site was recorded in our traffic statistics system and our cookie tracking system.

I waited several days without finding any trace of the administrator, and the resolution records had not changed for a long time. However, a great many packets POSTed by the shell had been submitted to my server, conservatively estimated at thousands of shells every day.

It was really helpless, but I could see a lot of white hats’ data; I could only sigh that these people were as bored as I was. Every day I had to sift through it for any footprint of the administrator.

Stuck here again, thinking about how to get permissions now, I went into imagination mode. Every day after work I had to sit two hours on a bus, always staring blankly, getting home at 8 PM for a hurried meal. I bought an SMS gateway API, and wrote a program that requested the traffic statistics page, automatically filtered it for keywords and sent SMS alerts. When I woke up it was 2 o’clock in the morning; in the dead of night thinking is always exceptionally clear. I looked disappointedly at the phone beside me with no text message, and had almost given up the idea, when my clear head suddenly remembered: after hurriedly logging into the mailbox to retrieve the password, there were so many emails, why hadn’t I looked at them?

At this moment I was logged into the very email address the 360 security team had described as “the domain name registered in the public WHOIS information is [email protected] and the owner is a member of a certain SEC organization.” I tried combining this email many times, but it would not log into 90sec; maybe my dictionary was not strong enough. Well, I asked a friend to help me check the login data of a certain SEC website in a certain system, but found no related registration record; this only misled me into a detour for a whole day. In this mailbox I carefully looked through every email, not letting any clue pass; quick breaks are not the way, and these days I had hardly slept well. This time an email sent long ago by a certain IDC caught my eye and I opened it, but I could not yet confirm that the target server had been bought at that IDC, so I wrote a carefully worded email to the IDC’s customer service from this mailbox and waited for the reply. Haha, once it was confirmed that this server was indeed purchased from this IDC, there was another clue, so I kept working along it.

I found a common user name in the mailbox and did another successful password reset! Logging in to the IDC management page with that password failed, so I submitted a work order to the IDC directly, requesting that the IDC change the password; 30 minutes later the lovely IDC administrator told me it had been handled. Really happy; at that moment I really felt like jumping. A few final results are left here.

(It turns out that early information gathering is so important.)

(Taking a souvenir; nearly ten days spent, not easy; tonight I can have a good rest)

(A friendly reminder to everyone: I don’t use any of these things from the Internet, there is too much behind them, and this is just the tip of the iceberg.) For Internet security, so that your work is not stolen by others, the Changsha Rain IT team, on behalf of everyone, deleted the collected text file of 170 MB, by eye about three million shells, probably the largest in the country.

0x03 Epilogue


This article was mainly written to share some experience and some ideas from the penetration process. There are too many folk masters out there; after this article I will go back to keeping a low profile and chasing the dream. I hope some of these ideas help everyone in their work, and I also remind everyone to try not to use other people’s tools. In this network an invisible battle goes on every day; that you cannot see it does not mean it did not happen. As the article said, this is really just the tip of the iceberg of the Internet; every friend, take care of yourself.