Fun With Chinese Hackers and Password Strength
2014-08-27 10:02:31
I’ve been working on a personal API project so I’ve been spending a bit more time than usual sitting in front of the computer looking at lines of text. Because I’m building it from the ground up, I’ve been doing a lot of old-school sysadmin work and logging into my server.
Only yesterday I found I couldn’t log into my server. I kept getting an error saying that my key was rejected or that the connection was outright refused. This gives me the same feeling I get when I check my bank balance and it’s missing a chunk of money or maybe when I’m in a foreign country and I can’t find my passport. It’s not life or death, but it stirs those same tendrils of fear.
So I did my dance… I logged in using Rackspace’s console (which is like walking up to the machine and using the keyboard and mouse). The first thing I did was check network connections, and there were a TON from 144.0.0.66. Popping open the website Infosniper.net, I found out it was coming from Jinan, China.
What they were doing is what we call a brute-force attack, or more precisely a dictionary attack. They were attempting to log in as the root user. You get a handful of tries to type your password (sshd’s MaxAuthTries setting, six by default) and then the server kicks you back out, and then you try again. A simple computer program can rotate through passwords all day long, trying the obvious ones first (“password”, “password10”, “pa55w0rd”) and then moving on to a simple “run through the common words” wordlist (cities of the world, sports teams, etc., in various combinations).
The thing is, this attack actually works more often than you would think, because plenty of servers still accept a password for root. I personally follow the xkcd comic’s advice and use a series of random words -- you get a longer string, and if you use really random phrases they’re really hard to break.
For example, I went to the OWASP passfault site where they analyze the strength of your password -- no, I didn’t enter my actual password, but I tested variations on it and discovered that it would take 138 centuries to crack it with current methods. So, I then grabbed a random phrase from a magazine (StimpsonSetTheGranitePavers) and got 33,199 centuries (the uncommon name Stimpson probably helped).
But the reason this is called “brute force” is that there are so many combinations to try that they have to pound on the server like Chinese Visigoths at the gates of the city. And, honestly, you can never have a completely secure computer.
So, when I logged into my server using the Rackspace backdoor, the first thing I did was to type “w” on the command line to see who was logged in -- just little old me, so if they were in they weren’t in my server the way they were trying to get in.
Then I shut down SSH (the Secure Shell server) so that they would go away. I also locked down root access so they can try to log in as root all they want and just get sent away so they’re less likely to lock up my SSH server again.
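Locking root out of SSH comes down to a few lines in sshd_config. The script below is an added example, not the post’s own commands: it audits a config file for the three options that matter here (PermitRootLogin, PasswordAuthentication, MaxAuthTries), treats a missing option as OpenSSH’s default, and shows a weak fragment and a hardened one side by side. Both config files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# settings that let a brute-forcer keep guessing root's password.
# Option names are OpenSSH's own; the two config files are constructed here.

# Print the effective value of an option, skipping comment lines. sshd uses
# the first occurrence of a keyword, and keywords are case-insensitive.
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Return 0 if the file is hardened against password guessing, 1 otherwise,
# printing one line per finding. A missing option counts as OpenSSH's default
# (PermitRootLogin yes in the 2014-era releases the post would have run,
# PasswordAuthentication yes, MaxAuthTries 6).
check_sshd_config() {
    cfg="$1"; bad=0
    root=$(sshd_opt "$cfg" PermitRootLogin)
    pass=$(sshd_opt "$cfg" PasswordAuthentication)
    tries=$(sshd_opt "$cfg" MaxAuthTries)
    case "${root:-yes}" in
        no|without-password|prohibit-password) ;;
        *) echo "PermitRootLogin=${root:-<unset>}: root can be guessed at directly"; bad=1 ;;
    esac
    if [ "${pass:-yes}" != no ]; then
        echo "PasswordAuthentication=${pass:-<unset>}: passwords are accepted at all"; bad=1
    fi
    if [ "${tries:-6}" -gt 3 ]; then
        echo "MaxAuthTries=${tries:-<unset>}: more guesses per connection than needed"; bad=1
    fi
    return $bad
}

# Constructed sample configs. Note that a commented-out line does not count.
weak=$(mktemp); hard=$(mktemp); trap 'rm -f "$weak" "$hard"' EXIT
cat > "$weak" <<'EOF'
# PermitRootLogin no
Port 22
PasswordAuthentication yes
EOF
cat > "$hard" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
EOF

echo "== weak =="; check_sshd_config "$weak" || echo "(not hardened)"
echo "== hardened =="; check_sshd_config "$hard" && echo "(ok)"
```

After editing the real sshd_config, run `sshd -t` to syntax-check it, and keep the console session (the Rackspace one in the post) open until a fresh key-based login has been confirmed to work: turning off password authentication with no working key is the fastest way to lock yourself out of your own server.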
Then I checked the log files to see if they actually DID get in and just weren’t in the house when I logged in. Of course they don’t just try “root” as a username, but a quick scan of the failed logins shows what usernames they try. And they’re still hitting it today:
admin git new info ubnt oracle boss support guest PlcmSpIp
I found “boss” amusing. Most of the other ones make sense (except that I don’t have the kind of money lying around to have Oracle running on my personal web server), and PlcmSpIp was interesting because it implies there was some open source program out there leaving a security hole.
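Reading the log is the other half of the job: was anyone accepted, not just rejected? The script below is an added example, not the author’s, and assumes the line formats OpenSSH writes to the auth log on Debian/Ubuntu systems. The eight log lines are constructed for the demo (documentation-range addresses apart from the one the post names, and a deliberately planted successful root login as the worst case). It counts the usernames and sources behind the failed password attempts, then looks for the one pattern that means a guess worked: an “Accepted password” from an address that also failed.

```shell
#!/bin/sh
# Added example, not from the original post: read the brute-force story out
# of sshd's auth log (/var/log/auth.log on Debian/Ubuntu). Line formats are
# the ones OpenSSH writes; the log below is constructed for the demo, and the
# last line is planted so the final check has something to find.

LOG=$(mktemp); trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Aug 26 03:14:15 api sshd[2201]: Failed password for root from 144.0.0.66 port 51234 ssh2
Aug 26 03:14:17 api sshd[2201]: Failed password for root from 144.0.0.66 port 51234 ssh2
Aug 26 03:14:20 api sshd[2205]: Failed password for invalid user admin from 144.0.0.66 port 51240 ssh2
Aug 26 03:14:22 api sshd[2205]: Failed password for invalid user oracle from 144.0.0.66 port 51240 ssh2
Aug 26 03:14:25 api sshd[2209]: Failed password for invalid user PlcmSpIp from 144.0.0.66 port 51251 ssh2
Aug 26 03:14:30 api sshd[2212]: Failed password for invalid user boss from 198.51.100.7 port 60001 ssh2
Aug 26 03:15:02 api sshd[2220]: Accepted publickey for deploy from 203.0.113.5 port 40002 ssh2: RSA SHA256:c29tZSBrZXk
Aug 26 03:16:40 api sshd[2231]: Accepted password for root from 144.0.0.66 port 51300 ssh2
EOF

# Every failed password attempt, whatever the username.
failed_lines() { grep 'sshd\[[0-9]*\]: Failed password for' "$1"; }

# Usernames tried, most frequent first. "invalid user" means no such account
# exists; without it the guess was at a real account (root here). PlcmSpIp
# is a well-known vendor default account, which is why scanners try it.
failed_users() {
    failed_lines "$1" \
    | sed -E 's/.*Failed password for (invalid user )?([^ ]+) from .*/\2/' \
    | sort | uniq -c | sort -rn
}

# Source addresses, most active first; the top one is the block candidate.
failed_sources() {
    failed_lines "$1" \
    | sed -E 's/.* from ([^ ]+) port .*/\1/' \
    | sort | uniq -c | sort -rn
}

# The question that matters: did a guess eventually work? Print every
# "Accepted password" from an address that also failed. Key-based logins
# are not flagged; a password guesser has no key.
guessed_in() {
    for ip in $(failed_sources "$1" | awk '{ print $2 }'); do
        grep 'sshd\[[0-9]*\]: Accepted password for' "$1" | grep -F " from $ip port " || true
    done
}

echo "== usernames tried =="; failed_users "$LOG"
echo "== sources =="; failed_sources "$LOG"
echo "== password guesses that worked =="; guessed_in "$LOG"
```

Point the functions at the real file (`failed_users /var/log/auth.log`) rather than the constructed one; on hosts that log only to the systemd journal, feed them the journal output instead. If `guessed_in` prints anything, treat the box as compromised rather than merely annoyed: the “cut a hole in the basement wall” step the post describes is exactly what follows a successful guess.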
Overall it’s just annoying. Yes, I’ve had servers hacked and had to completely shut them down, yes I’ve had my PC infected and turned into a botnet zombie and had to reinstall everything. But for the most part I see them try, block them, and then contemplate why they bother.
It’s kind of like house thieves going door to door with a big ring of keys and trying each key. They don’t bother to look at the house to see if it’s a shack or a mansion, they just try the keys. And if the door opens, they probably don’t even do much, just cut a hole in the basement wall so they can come back later without needing the key.
And every now and then I hear them jiggling the key in the lock, and I shoo them off my front doorstep. Then I have to change the locks, maybe add another one, and I start thinking about putting bars on the windows…
Just another day living in the world with other people…