From PyWacket Wiki



1.  July 4th 2015 - A Patriotic Message to Raspberry Pi Users

I'm starting to get ssh attacks on this site with user name 'pi'. You'd never guess from what part of the world ( right first time !).

Forewarned is forearmed. Firewalls up and bombs awaaaaaaay ...

P.S. I even had a persistent and concerted PMWiki attack from Germany ( ???? ) probing for 777 permissions in the wiki.d and pagelist.php script directories. Poor slob, what a waste of time ... but what can you expect from those people ? :-)


2.  April 6 2015 - Bringing the War Back Home

IP addresses associated with the Asia Pacific Network Information Centre (APNIC) account for about 90% of all port 22 attacks on this site and over 90% of attacks annoying enough to warrant a DROP record in iptables ...

A grand list of APNIC IPs - https://www.apnic.net/publications/research-and-insights/ip-address-trends/apnic-resource-range

... hmmm, tempting. How much legitimate traffic do I get from New Zealand and Australia ? Probably not much.
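To make the two ideas above concrete (spotting the 'pi' login attempts from the earlier entry, and turning repeat offenders or sources inside a watched network into iptables DROP rules), here is a small added example. It is not code from this site; the log lines are constructed, and the watched network 116.10.0.0/16 and the threshold of 3 are assumptions for illustration.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Matches sshd "Failed password" lines, with or without "invalid user".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample auth.log lines (not this site's real logs).
SAMPLE_LOG = """\
Jul  4 10:12:33 host sshd[1201]: Failed password for invalid user pi from 116.10.5.7 port 51234 ssh2
Jul  4 10:12:35 host sshd[1203]: Failed password for invalid user pi from 116.10.5.7 port 51240 ssh2
Jul  4 10:12:38 host sshd[1205]: Failed password for root from 116.10.5.7 port 51241 ssh2
Jul  4 10:12:40 host sshd[1207]: Failed password for invalid user pi from 198.51.100.23 port 40001 ssh2
Jul  4 10:12:44 host sshd[1208]: Failed password for invalid user pi from 116.10.200.1 port 40002 ssh2
Jul  4 10:13:01 host sshd[1210]: Accepted publickey for admin from 203.0.113.5 port 50022 ssh2
"""

def parse_failures(text):
    """Return a list of (user, source_ip) for every failed sshd login."""
    matches = (FAILED_RE.search(line) for line in text.splitlines())
    return [(m.group("user"), m.group("ip")) for m in matches if m]

def failures_by_ip(failures):
    """Map each source IP to a Counter of the user names it tried."""
    by_ip = defaultdict(Counter)
    for user, ip in failures:
        by_ip[ip][user] += 1
    return by_ip

def propose_drops(failures, threshold=3, watch_nets=("116.10.0.0/16",)):
    """Candidate DROP rules: any IP with >= threshold failures, plus any IP
    inside a watched network (assumed here) that tried the 'pi' account."""
    nets = [ipaddress.ip_network(n) for n in watch_nets]
    rules = []
    for ip, users in sorted(failures_by_ip(failures).items()):
        addr = ipaddress.ip_address(ip)
        watched = any(addr in n for n in nets)
        if sum(users.values()) >= threshold or (watched and users["pi"]):
            rules.append(f"iptables -A INPUT -s {ip} -p tcp --dport 22 -j DROP")
    return rules

if __name__ == "__main__":
    for rule in propose_drops(parse_failures(SAMPLE_LOG)):
        print(rule)
```

Run it against a real /var/log/auth.log by feeding the file contents to parse_failures; the printed rules are candidates to review, not rules the script applies.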


3.  April 4 2015

Just found this post from Dec 2012

http://www.raspberrypi.org/forums/viewtopic.php?f=36&t=23249

 And indeed, it's often the Chinese.
 Sometimes I wonder if they are being encouraged somehow to attack the capitalists.

 There is an "official" bounty program for "information". And since official policy is complete denial when it comes to
 cybercrime every poor person with a little bit of IT knowledge will try getting a part of the bounty.
 They also carry out information gathering inside China, as long as it is dissidents being spied upon.
 There is even OSX malware, directed at Tibetan dissidents that was very probably government issued. 

So it is said, but who knows if it is actually true. It's certainly consistent with the facts, such as they are ...


4.  October 5, 2014

4.1  A Small Experiment

Falun Dafa Falun Gong Occupy Hong Kong Democracy Tiananmen Square

I want to see if I can get the Great Firewall of China working for me to stop Secure Shell attacks against port 22. It will be interesting to see if the GFWC blocks legitimate IP traffic to tainted web pages, but still allows hacker attacks on port 22. Implications, anyone ?

Of course, it is also possible that this site will get blocked and the number of attacks from servers in China will dramatically increase at the same time ... for fairly obvious reasons. We'll see.

4.2  Update November 7th: Sparse Findings

My feeble attempts to provoke the Great Firewall have been utterly ignored, as far as I can tell. According to various sites purporting to determine if your domain name is present on DNS servers in China, I'm still there, defiant and ( frankly ) feeble in my protests for political change in China [ not that I know anything about the subject ]. But then, who has to know anything to have strong political opinions. For political purposes, it's probably better if you don't know anything about what you're talking about. More effective that way, less intellectual clutter. :-)

However, for the purposes of reducing port 22 attacks, the experiment was a total failure. At this point, I have about 20 million IP addresses in China blocked, so that may be helping a bit.

In fact, on November 6th there was the mother of all attacks, several hundred attacks from perhaps 100 different servers with 100 individual IP addresses from all over the world, attacking in rotation, boom boom boom, one after the other. It was awesome ... I felt vaguely honored to be the object of such attention, no joke.

Really, why me ? Why is a lousy little one-processor Linode site so important to break into ? The economic value of this site is nearly zero to me and probably to them as well.

So why ? Do they need another zombie server so much that the attackers feel they must waste ( presumably limited ) resources trying to break into this site ?

It's been interesting, however sparse the actual conclusions. At this point, about 90% of all connections to this machine are break-in attempts, so I'll just keep plugging away at it, slowly tightening up the site. Certainly, the 'bad hacker' industry is far larger than I knew and perhaps larger than anything I can imagine.


5.  Aug 3, 2014

5.1  Sac Au Lait Fishin'

This is a strange one. Somehow someone is linked into the semantastic.com site.

You can also reach me via http://rovl.sac-au-lait.com/. Hnnnh ? How weird is that ?

I started researching Sac Au Lait ( "bag of milk" ) and found this little gem at http://www.songlyrics.com/tab-benoit/sac-au-lait-fishing-lyrics/ called "Sac-Au-Lait- Fishing".

 There's somethin' in the water that's callin' my name [IP 116.10.0.0/16 again ?].
 If I work another hour I'mma go insane.
 Driftin' to the places I would rather be... 
 In my boat under a cypress tree.

 (Chorus)

 Hey, they're gonna see me comin' before the sun dries the mornin' dew.
 Hey, you know I can't wait to go Sac-au-lait fishin' down on whiskey bayou.

 (End Chorus)

 There's some good Cajun music on the radio.
 Every Sunday mornin' it's a Fais do-do.
 The birds in the trees seem to know this song.
 I pop a crop to the beat while they're singin' along.

 (Chorus)

 Hey...

 One more cast before the sun goes down.
 That's just about the time the alligator come 'round.
 My baby, she's a'waitin' and she's all alone.
 But if I keep gettin' nibbles [at port 22] , I may never go home.

 (Chorus)

A 'Sac Au Lait' is a type of Crappie. I like to believe that somehow this will all make sense eventually ...

5.2  Update:

The domain sac-au-lait.com is associated with ip 50.116.44.179 which is assigned to Linode. Apparently, the sub-domain rovl.sac-au-lait.com is part of a Linode administrative backend of some sort.

And here I was paranoid about Chinese zombie hackers and suchlike ... whatever happened to trust in the basic decency of our fellow human beings ... :-)


Retrieved from http://semantastic.com/pywacket/index.php/Main/WeirdAndWonderful
Page last modified on July 04, 2015, at 04:28 PM