Wiki/Operation/Incident_Reports.md

These are cybersecurity incidents that the AniNIX has had to remedy due to some failure in our detection and prevention systems.

Note: We explicitly exclude routine incidents, such as IPs banned for SSH brute-force, files quarantined after virus scanning, and other routine housekeeping.

January 2018 Spambot Detection

An attacker used a default password to pull down a Perl SMTP spambot and email list to spam fake Bank of America emails to users, attempting to phish them into clicking an xplotica link.

  • When: 11-29-2017 through 1-4-2018
  • Who: IRL identity unknown; last source IP 196.52.32.4 (Netherlands residential)
  • What: Spambot
    • Vector: Attacker used a default password to access a monitoring user account; spambot and target lists were downloaded from a GoDaddy webhost (now nonfunctional).

Detection was provided by the ISP and [https://www.abusix.com/ Abusix]. The Postfix service was shut down, and forensic analysis was performed starting with the /var/spool/mail folder and a tmux session capture.

Impact

This has negatively impacted the AniNIX's reputation as an SMTP source -- we are following up with Abusix and Google to restore our reputation.

Current forensic investigation does not indicate a compromise to any AniNIX privileged information.

Our Response

  • Monitoring user password has been rotated on all systems.
  • Automatic password rotation for service accounts will be added to the service deploy automation.
  • Sharingan needs updates to better monitor lastlog output and the sshd "Accepted" regex in journald. Postfix will be evaluated for appropriate MTA settings and restored to service later.
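As an added example (not the AniNIX's Sharingan code), a small Python checker over constructed journald sshd lines that flags the two signals the list above calls out: password logins to a service account, and a first-seen source IP for a user. The account name "monitoring", the host name and the admin's IP are assumptions; the 196.52.32.4 address is the one recorded in this report.

```python
import re
from collections import defaultdict

# Regex for the sshd "Accepted" journal line that Sharingan should watch.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F:.]+) port (?P<port>\d+)"
)

# Constructed sample journal lines (not real AniNIX logs); host, users and the
# admin IP are invented, 196.52.32.4 is the source IP from the incident report.
SAMPLE_JOURNAL = """\
Nov 29 03:12:44 host sshd[1201]: Accepted publickey for admin from 10.0.0.5 port 50222 ssh2
Nov 29 03:15:02 host sshd[1244]: Accepted password for monitoring from 196.52.32.4 port 41002 ssh2
Nov 29 03:15:09 host sshd[1244]: pam_unix(sshd:session): session opened for user monitoring
Dec 01 22:40:10 host sshd[1402]: Accepted password for monitoring from 196.52.32.4 port 41010 ssh2
Dec 02 08:01:33 host sshd[1500]: Accepted publickey for admin from 10.0.0.5 port 50301 ssh2
"""

# Service accounts that should never authenticate over SSH with a password.
SERVICE_ACCOUNTS = {"monitoring"}


def parse_accepted(journal_text):
    """Yield one dict per sshd 'Accepted' line; all other lines are ignored."""
    for line in journal_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            yield m.groupdict()


def find_alerts(journal_text, service_accounts=SERVICE_ACCOUNTS, known_ips=None):
    """Return alert strings for service-account password logins and for a
    source IP not previously seen for that user (known_ips: user -> set of IPs)."""
    known = defaultdict(set, {u: set(v) for u, v in (known_ips or {}).items()})
    alerts = []
    for ev in parse_accepted(journal_text):
        user, ip, method = ev["user"], ev["ip"], ev["method"]
        if user in service_accounts and method == "password":
            alerts.append(f"service-account password login: {user} from {ip}")
        if ip not in known[user]:
            alerts.append(f"new source for {user}: {ip}")
            known[user].add(ip)  # report each new source only once
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_JOURNAL, known_ips={"admin": {"10.0.0.5"}}):
        print(alert)
```

Feeding it `journalctl -u sshd --no-pager` output instead of the sample gives the same alerts for a live host.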

Contact an admin for access to incident files.