30 July 2013

What is IP 91.209.196.40 doing to Cryptome?

Answers to:

http://cryptome.org/2013/07/doing-what-to-cryptome.doc


A1:

Fairly standard web application map/vuln scan. By looking for known file structures, an attacker can fingerprint the installed software and use that for exploitation with known exploits. Notice that the logs include "Nessus" - an off-the-shelf vulnerability scanner - http://www.tenable.com/products/nessus - this may be scripted, or done manually. This is standard for any website these days; I wouldn't take it personally.


A2:

Seems to me like someone already did the work ahead of time and was able to identify the file structure of your web server. It seems evident because what is happening appears to be a vulnerability scan. I guess most companies hire overpaid systems operators, because it seems like nobody ever mentions this sort of thing happening except for hackers themselves.

In other words, congratulations on not having overpaid systems administrators!

I'm not a computer analyst, nor an expert. But I do know a few things, and I'm rumored to have a fairly high IQ, so if you feel I might be right about that (You could always ask the NSA what's happening ;P), then here are a few relatively easy precautions to take:

- Contact the NSA and try to figure this stuff out, I'm sure they'd love to figure it out with you (It's obviously a test of some kind...I could go on here, not knowing ;P).

- Archive all of your goodies on a 1TB portable hard drive (Not the files that run your server, those might be corrupted by now), and never connect it to the internet ever.

- Compare original files from their original media to their current versions stored online (Might be hash variations).

- Continue to record similar and not-so-common activity.

Other than that, John, I couldn't say anything more. A computer security analyst could identify this problem for you, maybe TSCM could figure it out too?


A3:

91.209.196.40 is using some tool to guess names of files & directories on http://www.cryptome.org/*, attempting to discover

1) content that the webmaster (you) did not mean to be publicly accessible and

2) presence of software that is known to contain vulnerabilities.

Based on the output, I think that tool is Nikto ( http://www.cirt.net/nikto2 ), and nothing was discovered other than some directories that are not publicly accessible (at all, or not without password):

http://cryptome.org/awstats/
http://cryptome.org/stats/
http://cryptome.org/stuff/
http://cryptome.org/log/
http://cryptome.org/cgi-bin/
http://cryptome.org/ar/
http://cryptome.org/wa/

...and some things that can be found on most webservers:

http://cryptome.org/icons/ (typically present on Apache servers)
http://cryptome.org/robots.txt (which in your case does not reveal anything other than you not liking crawlers)

No software was found that is known to contain vulnerabilities.


A4:

I read the report about this IP.

I think your website was tested by security scanner software from this IP.

As you can see, in the first step the security tools crawl your website to find directories and files, and in the next step the tools start scanning your website for security problems.

And here is the signature of the tools:

91.209.196.40 - - [28/Jul/2013:07:20:16 -0400] "GET /admin.back HTTP/1.1" 404 575 "-" "Nessus"


A5:

Based on the log data you provided, 91.209.196.40 is most certainly performing a Nessus scan against cryptome. This is a widely used and freely available vulnerability assessment tool available at

http://www.tenable.com/products/nessus


A6:

Automated attack:

https://en.wikipedia.org/wiki/Nessus_%28software%29


A7:

Comodo //

Chain of companies, all under apparent leadership of Melih Abdulhayoglu, US resident (but not citizen) residing at nr 1 Watchung Ave, Montclair, NJ. See

http://www.companydirectorcheck.com/melih-abdulhayoglu

for more details and some history. Play with the links.


A8:

IP 91.209.196.40

your logs show an obvious vuln scan by that IP - the question is - why Comodo network? open wifi? spoofed IP?


A9:

The IP address in question is performing a Nessus scan against cryptome.org; Nessus is a program that automatically probes security.

A Nessus scan is designed to find poorly configured servers and scripts. In this case, the type of scan is easily identifiable because the string "nessus" appears throughout the log. It is a prevalent tool for penetration testing in the network security world. You can tell its tests were unsuccessful by the repeating "404" found throughout the logs.

This IP address from which the scan originates is associated with comment spam by projecthoneypot.org. The "user agent" value is exactly the same as that which appears in your logs. Projecthoneypot identified 3,500 web posts made with this IP.

http://www.projecthoneypot.org/ip_91.209.196.40

It is unlikely this scan indicates a targeted attack, as it would only be effective against the "lowest-hanging fruits" of the Internet.

I hope this answers your questions, and doesn't somehow land me in Guantanamo Bay.
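Detection logic for the pattern A4 and A9 describe, as an added example that is not from any of the correspondents: it parses Apache combined-format lines like the one A4 quotes, and flags a scanner name in the User-Agent, a method no server implements (the GVBXDB that A17 asks about), and a client whose requests are mostly 404s. All sample lines except the one quoted in A4 are constructed, and 203.0.113.7 is a documentation-range address standing in for an ordinary visitor.

```python
import re
from collections import defaultdict

# Apache "combined" log format, the layout of the lines quoted on this page.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH", "CONNECT"}
SCANNER_UA_MARKERS = ("nessus", "nikto", "openvas")  # tool names the answers mention

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(lines, min_hits=5, not_found_ratio=0.8):
    """Group requests by client IP and collect the signs named in the answers: a scanner
    User-Agent, an unknown HTTP method, and a run of requests that is mostly 404s."""
    per_ip = defaultdict(lambda: {"hits": 0, "not_found": 0, "reasons": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # skip malformed or truncated lines instead of crashing
            continue
        entry = per_ip[rec["ip"]]
        entry["hits"] += 1
        if rec["status"] == "404":
            entry["not_found"] += 1
        for marker in SCANNER_UA_MARKERS:
            if marker in rec["ua"].lower():
                entry["reasons"].add("scanner user-agent: " + marker)
        if rec["method"] not in STANDARD_METHODS:
            entry["reasons"].add("non-standard method: " + rec["method"])
    for entry in per_ip.values():
        if entry["hits"] >= min_hits and entry["not_found"] / entry["hits"] >= not_found_ratio:
            entry["reasons"].add("404 burst: %d of %d requests" % (entry["not_found"], entry["hits"]))
    return {ip: sorted(e["reasons"]) for ip, e in per_ip.items() if e["reasons"]}

# Constructed sample: the first line is the one quoted in A4; the rest are made up to mimic
# such a scan (guessed admin paths, the odd GVBXDB method) beside one ordinary page view.
SAMPLE_LOG = [
    '91.209.196.40 - - [28/Jul/2013:07:20:16 -0400] "GET /admin.back HTTP/1.1" 404 575 "-" "Nessus"',
    '91.209.196.40 - - [28/Jul/2013:07:20:17 -0400] "GET /wp-admin/ HTTP/1.1" 404 575 "-" "Nessus"',
    '91.209.196.40 - - [28/Jul/2013:07:20:17 -0400] "GET /phpmyadmin/ HTTP/1.1" 404 575 "-" "-"',
    '91.209.196.40 - - [28/Jul/2013:07:20:18 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 404 575 "-" "-"',
    '91.209.196.40 - - [28/Jul/2013:07:20:18 -0400] "GET /stats/index.html HTTP/1.1" 404 575 "-" "-"',
    '91.209.196.40 - - [28/Jul/2013:07:20:19 -0400] "GVBXDB / HTTP/1.1" 501 404 "-" "-"',
    '203.0.113.7 - - [28/Jul/2013:07:21:02 -0400] "GET /index.html HTTP/1.1" 200 8124 "-" "Mozilla/5.0"',
]
```

Running `classify(SAMPLE_LOG)` reports only 91.209.196.40, with all three reasons; the single ordinary visit produces no finding.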


A10:

Look at the end of the logs published in

http://cryptome.org/2013/07/doing-what-to-cryptome.doc

The cross_site_scripting.nasl is a plugin for Nessus and OpenVAS vulnerability scanners, which is probably what someone ran against your host.

Personally I wouldn't be too concerned. Of course scanning a host without written permission from the owner is prohibited, and the owner can (and probably should) notify the relevant authorities (in most countries the police). If I were the owner I would do so, just out of curiosity. BTW, periodically doing a vulnerability assessment of _your_ host (for example using OpenVAS, Nessus, Nikto etc.) is a really good idea; just be careful if doing this using a hosting provider (then the host may be yours, or it may belong to the provider, depending on what service you paid for).


A11:

Looks like they pointed a scanner at your site looking for common CMS admin entry points and other common but hidden directories. Typically sites like WordPress put the administration functions on the site as well. Try as an example

http://Gigaom.com/wp-admin

Perhaps just doing a free security scan or perhaps trying to find a weakness to ...


A12:

This is a general scan for configuration information and general vulnerabilities.

I get these all the time on my own web server. When I get these I don't figure that I have been singled out.


A13:

somebody's running a garden-variety web vulnerability scan, it looks like (Nessus would be my guess from logs)


A14:

looks like 91.209.196.40 is probing for any possible vuln it has handy...


A15:

appears to be the “usual” scan for known exploit vectors.


A16:

are you hacked? you are sending a word doc?


A17:

weird. never ever seen the HTTP method GVBXDB. Is that a thing?


A18:

That IP is associated with Comodo Hacker Guardian Service

http://www.projecthoneypot.org/ip_91.209.196.40


AX:

Indecipherable message. Please resend.