DNS Attack lasting now at 48 hours
#1
Just a heads up for those who use MyBB software. Our website has been taking an attack for two days now. It started as a two-point attempt to access a file that was maliciously dropped into our public side file structure. We are still trying to find out how this file was dropped into the file structure. Fortunately, the main file security posture did not allow writing any file, so the folders were empty. This one item is why our website is still online. The empty file folders generated an error on the server log and that is how we found the file structure compromised.

They attempted at first to open files within the two folders. When they could not access or open them, they then began trying to access the .htaccess file. My guess is the files that were not allowed to be written were a control program designed to give them access to the server side and all the files. Since that time, they have attempted to access the BOT programs that are allowed inside the program. They continue to try to gain access to the control files.

We have banned a whole series of IPs from multiple points across the US. I think I am at over 150 IPs banned/blocked.

The fervor of these people is concerning. Not only are they trying to hack into the system, they are using up connections for our guests. Our host has blocked about 50 of the IPs from their servers.

If you find a file named .well-known, with a subfile named acme-challenge, dropped into your public HTML side, do not ignore it. Remove its contents and its permissions. I didn't get to see what the contents were, as I had blocked the writing of any data into the folders, but they tried to access a command file and several other items that were supposed to have been written within it.

Now they are pinging anything and everything to gain access. I don't understand the persistence they are exerting for a small forum like ours.


Bill

Systems Administration - Patriot Action
Patriot Action
E-mail: [email protected]

Secure your server access. Use two-step authentication. Don't give these people an inch...
#2
The persistence is probably due to your forum being political. People can lose their minds over that.

Jude
#3
I don't think you even know what you're talking about. Your post doesn't describe a "DNS attack" at all. It actually describes LetsEncrypt trying to generate a certificate for you...
No longer involved in the MyBB project.
#4
(2023-04-27, 10:11 AM)Nathan Malcolm Wrote: I don't think you even know what you're talking about. Your post doesn't describe a "DNS attack" at all. It actually describes LetsEncrypt trying to generate a certificate for you...

How so?

The multiple points of intrusion, a file folder dropped into the system when no request or authorization to do so was generated. No, we did not attempt to encrypt. Had we, the file permissions would have been changed to allow writing into them. Current rate of ping has lowered the number of people on the forum to 3-4. They are expending usable connections for our guests.

I will look into this avenue, however.

75 hours now.
#5
(2023-04-27, 03:22 PM)Billy_Bob Wrote:
(2023-04-27, 10:11 AM)Nathan Malcolm Wrote: I don't think you even know what you're talking about. Your post doesn't describe a "DNS attack" at all. It actually describes LetsEncrypt trying to generate a certificate for you...

How so?

The multiple points of intrusion, a file folder dropped into the system when no request or authorization to do so was generated. No, we did not attempt to encrypt. Had we, the file permissions would have been changed to allow writing into them. Current rate of ping has lowered the number of people on the forum to 3-4. They are expending usable connections for our guests.

I will look into this avenue, however.

75 hours now.

acme-challenge is generated by certbot - https://letsencrypt.org/docs/challenge-types/
.well-known is also most likely generated by certbot or one of the following services - https://en.wikipedia.org/wiki/Well-known...known_URIs

Nothing malicious there. It is a cron-based task which runs automatically when certificates are due for renewal.
#6
(2023-04-27, 04:48 PM)RevertIT Wrote:
(2023-04-27, 03:22 PM)Billy_Bob Wrote:
(2023-04-27, 10:11 AM)Nathan Malcolm Wrote: I don't think you even know what you're talking about. Your post doesn't describe a "DNS attack" at all. It actually describes LetsEncrypt trying to generate a certificate for you...

How so?

The multiple points of intrusion, a file folder dropped into the system when no request or authorization to do so was generated. No, we did not attempt to encrypt. Had we, the file permissions would have been changed to allow writing into them. Current rate of ping has lowered the number of people on the forum to 3-4. They are expending usable connections for our guests.

I will look into this avenue, however.

75 hours now.

acme-challenge is generated by certbot - https://letsencrypt.org/docs/challenge-types/
.well-known is also most likely generated by certbot or one of the following services - https://en.wikipedia.org/wiki/Well-known...known_URIs

Nothing malicious there. It is a cron-based task which runs automatically when certificates are due for renewal.

They sure are persistent and chewing up 2GB of bandwidth.
#7
The renewal bot problem was stopped when I removed the auto setting for the SSL certificates.
#8
(2023-04-27, 03:22 PM)Billy_Bob Wrote: The multiple points of intrusion

...what points of intrusion? Even you yourself said "We are still trying to find out how this file was dropped into the file structure", but then go on to claim no files were created, only directories, which are known to be generated by LetsEncrypt. There doesn't appear to be any intrusion; certbot is just running as a different user and doesn't have permission to write to the directories it needs to.

(2023-04-27, 03:22 PM)Billy_Bob Wrote: a file folder dropped into the system when no request or authorization to do so was generated.

It's automated.

(2023-04-27, 03:22 PM)Billy_Bob Wrote: No, we did not attempt to encrypt. Had we, the file permissions would have been changed to allow writing into them. Current rate of ping has lowered the number of people on the forum to 3-4. They are expending usable connections for our guests.

Again, it's automated. There is no "they". You're talking about an automated, scheduled process as if it's a malicious attack. The reason it doesn't stop is because it needs permission to write to the directories it created and it keeps on trying until it can. That's what you need to fix.
No longer involved in the MyBB project.
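As an added illustration (not code from any poster in this thread), the following Python script triages web-server access-log lines for the /.well-known/acme-challenge/ path that posts #5 and #8 describe: it separates requests from the Let's Encrypt validation servers from other clients and flags 404 responses, which mean the ACME client never managed to write its token file into the webroot, so the CA fails the check and the client keeps retrying on its schedule. The log lines are constructed samples using documentation IP ranges; the validator User-Agent string is the one Let's Encrypt publishes.

```python
import re
from collections import Counter

# Constructed sample lines in combined log format (documentation IP ranges, not from the thread).
SAMPLE_LOG = """\
198.51.100.20 - - [27/Apr/2023:10:11:02 +0000] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.7 - - [27/Apr/2023:10:11:05 +0000] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
192.0.2.44 - - [27/Apr/2023:10:12:40 +0000] "GET /.well-known/acme-challenge/ HTTP/1.1" 403 199 "-" "python-requests/2.28.1"
192.0.2.100 - - [27/Apr/2023:10:13:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

ACME_PREFIX = "/.well-known/acme-challenge/"
# User-Agent that Let's Encrypt's validation servers send during HTTP-01 checks.
VALIDATOR_UA = "Let's Encrypt validation server"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def classify(line):
    """Label one access-log line; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if not m["path"].startswith(ACME_PREFIX):
        return "unrelated"
    if VALIDATOR_UA in m["ua"]:
        # A 404 here means the ACME client could not place its token file
        # under the webroot (typically a permission problem), so the CA will
        # keep failing and the client will keep retrying on its schedule.
        return "validator_404" if m["status"] == "404" else "validator_other"
    return "acme_path_other_client"

def summarize(log_text):
    """Count lines per label, skipping blank or unparseable lines."""
    counts = Counter(classify(l) for l in log_text.splitlines() if l.strip())
    counts.pop(None, None)
    return dict(counts)

def validator_sources(log_text):
    """Distinct IPs of validator requests; several is normal, since Let's Encrypt validates from multiple vantage points."""
    ips = set()
    for l in log_text.splitlines():
        m = LOG_RE.match(l)
        if m and m["path"].startswith(ACME_PREFIX) and VALIDATOR_UA in m["ua"]:
            ips.add(m["ip"])
    return sorted(ips)
```

A steady stream of validator_404 entries from a handful of CA addresses points at the webroot permissions, not at an intruder; requests on the same path from other clients are the ones worth a second look.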
#9
Hello, you have explained the subject in such an enthusiastic way that I embraced it as if you were in it. As a cyber security expert, I found this incident, which is considered an attack, very strange. As a forum administrator, you don't have to understand system and network technologies. However, I have never understood how the company that provides you with the website hosting service does not understand this and blocks IP addresses at your request!

If we were to look for a possible attack scenario, it is contradictory in terms of both terminology and logic that an attacker makes a DNS attack after breaking in. If a forum site is to be attacked, first a shell attack with PHP payload or an injection attack on the SQL database is made.