0
comments
Thursday, February 24, 2011
Yeah! You read it right. Someone is trying to hack me!
While you'll be reading it as "HACK me", I'm still thinking "hack ME".
----------------------------
Dear Attacker,
I don't have anything interesting enough for you to break into my machine and steal it.
a) I don't have anything related to national security on my laptop which you can make use of
b) I'm not a billionaire that you can scoop off something, rather people know I'm as broke as any other average guy :)
I don't have anything interesting enough for you to break into my machine and steal it.
a) I don't have anything related to national security on my laptop which you can make use of
b) I'm not a billionaire that you can scoop off something, rather people know I'm as broke as any other average guy :)
c) Info about my clients & future plans goes somewhere else & no traces of that will be found on my laptop/phone/home network
----------------------------
Although I used to get gmail password reset request atleast twice a week, but this is a real good one & the attacker deserves a round of applause for it. The amount of time & knowledge he has put in here, I can offer him a very lucrative job with handsome salary (are you listening Mr AV?, we got a candidate). And with this much dedication he can break into corporate or even more secure networks.
For the knowledge & food for thought of my readers, this is how it all looks like.
As far as I know/understand, this started in the beginning of Feb 2011. My personal laptop has enough protective layers (antivirus, patches, firewall, blah blah) and as anybody would guess I keep it more up-to-date compared to many people out there.
So the attack (when I detected) was done using Metasploit, a wonderful attack/security testing framework by @hdmoore and the attacker caught me on CVE-2010-0840 which is a Java runtime vulnerability allowing remote code execution. It was sent to me via some malicious web page which I might have stumbled somehow. (I'm pretty much into exploring lot of garbage online). I know my JRE was 2 subversions older which made this attack possible.
I felt something fishy when on my home broadband (not a shared LAN) I started getting
SSL errors. Thanks to stubbornness of Google Chrome, it didn't allowed me to ignore it & made me think twice. When scanned my RAM, I found "meterpreter" running in my explorer.exe (pretty neat dude). This was the time when I knew someone is deliberately trying to get into my machine & it can't be a work of a malware.
Damn you attacker, you forced me to change 83 passwords in total.
Moving ahead I started keeping a (more) vigil eye on my machine for the attack to re-occur, I also created a honeypot with a lot of legitimate looking traffic to lure him. But seems like the attacker understood that I have found his meterpreter trick & have killed the session once. So now his attack strategy changed and looking at the strategy used further, I'm not sure if it is work of a single guy or bunch of them together or even individually. If it's by a single guy, I seriously have a good job for him waiting.
This time the attacker seems to have got access to the firmware of my home router or wifi access point (I'm still to investigate my firmware). I started getting SSL warnings even on my phone when connected to wifi at home but not on my GPRS. Now this can't be done with access to my machine only, for this the attacker needs access to the network infrastructure. More interestingly the SSL warnings are only for some specific sites (gmail/twitter/facebook).
The attacker presented me a fake SSL certificate for api.twitter.com and this is what he did wrong. He created a fake certificate with validity of 10 years. In no good senses , twitter will buy a certificate from verisign (twitter actually uses equifax) for 10 years in one go. This fake certificate was encountered on my phone, when I rechecked actual certificate of api.twitter.com (this time using my USB internet dongle) it is issued by equifax and for one year only. See images below & click them for enlarged view.
There are few more screenshots & reverse trace reports but I'm not posting online for legal reasons. I'd need them to be produced as evidence.
I've spent enough time on this attack, reported it to appropriate authority & want to keep my hunt on to find my well wisher. The only problem is I have a life to live & a lot of work to do, which seems like the attacker doesn't have.
----------------------------
So dear attacker,
Go and get a life, you won't find anything more juicy on my machine/phone/network. If you wanted to prove it to the world that you can "Hack Rohit", I think I have done your work easy with this blog post.
----------------------------
An open letter to all my friends, family & followers,
If you receive some garbage mail or tweet from my side (@rohit11, @_rohit11, @clubhack) be assured that it wasn't me. You can still expect garbage videos shared on my facebook wall & you know that I keep sharing those stupid videos there :)
Wish me good luck & good life to the attacker(s)
PS - If this can happen to me, this can happen to you too. I'd again request you all to be little more careful online. As in "brand new days" song, STING said "It could happen to you - just like it happened to me. There's simply no immunity - there's no guarantee"
PS - I have used "he", "his", "him" to address the attacker but I'm not being gender biased. I don't think I have a "my super ex-girlfriend" kind of ex who would take so much of pain to attack me. Having said that, I'm still not under estimating the skills of female attackers.
PS - I used word "hack" cause that's what 90% of this world understand :)
