The most disturbing thing about this cyber attack: the actual high-profile networks involved are aiding and abetting it, AFTER the problem has been reported repeatedly to each of the primary companies involved.
The person(s) behind this particular attack are persistent and vulgar (some of their password guesses recorded include “fuck”, “pussy” and other profanities). The irony is that none of this, nor their visits, would be known if NOT for their unauthorized access attempts. The area they’re trying to access isn’t publicly displayed, nor is there any invitation to access it.
How it starts: person(s) use scripts stored on hosting companies’ servers, or run from exploited, unmonitored computers, to search for admin usernames on websites. Here’s an example of what is searched for in a common script:
Description: /?author=3
Type: 404 error
IP: 35.165.12.173
Date/Time: July 21, 2019 02:01
If a username resolves for that ID (3), the attackers sell and use that username and run login/password-guessing scripts from various servers across the US and around the world.
This particular attack involved 23,297 attempts through 1,366 ISPs — YES, ONE THOUSAND THIRTEEN HUNDRED AND SIXTY SEVEN internet service providers, hosting companies and personal computers, with attacks continuing past the 1366 reported as of this post — to log in to a Vietnam Veteran’s military history site. The only content on the site: the military history of war craft restored and used during the Vietnam War. Meanwhile the attackers were searching for themes, apps, scripts and more, while also running login scripts to access the site and take over its content for their own malicious reasons (human trafficking, exploitation, ID theft, and various other organized criminal activity).
The only logins for the military veteran are his and the site admin, who just happens to be someone they don’t want to piss off. She is responsible for the arrest and conviction of one of the world’s top ten spammers, and is an original Silicon Valley member who was on the internet when persons knew EXACTLY who was online and could be ID’d by name and address, literally, long before browsers and AOL came along and created anonymity. And the brother of the military veteran site owner is also a Vietnam Veteran and Silicon Valley pioneer.
The cyber attackers’ script’s first password guess attempt at the military veteran’s site resulted in an immediate block AND recording of the cyber attackers’ information, as well as their digital fingerprint. Did I mention the site was run by an original Silicon Valley member? Cyber attackers’ script is clearly so horrific, they had no clue they were blocked at the gate and triggered recording and publishing of their actions, which they’d have known had they actually visited the site they were attacking — a message appears to advise attacker that they’re blocked, recorded and reported.
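The two stages described above (probing /?author=N to resolve usernames, then running password-guessing scripts against the login page) and the block-at-the-gate response the site uses are shown below as a small access-log analyser. This is an added example written for this page; it is not code from the original post or from the attacked site. It assumes combined-format web server logs and stock WordPress behaviour (an existing author ID answers with a redirect to the author archive, a failed POST to wp-login.php re-serves the form with HTTP 200, a successful one redirects with 302). The log lines are constructed with documentation-range IPs, and the fail_threshold parameter and function names are my own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample access-log lines (Apache/nginx "combined" format).
# 192.0.2.10 enumerates author IDs, 198.51.100.7 guesses passwords twice,
# 203.0.113.5 is an ordinary visitor reading the history pages.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Jul/2019:02:01:00 +0000] "GET /?author=1 HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.10 - - [21/Jul/2019:02:01:01 +0000] "GET /?author=2 HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.10 - - [21/Jul/2019:02:01:02 +0000] "GET /?author=3 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Jul/2019:02:05:10 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "python-requests/2.22"
198.51.100.7 - - [21/Jul/2019:02:05:11 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "python-requests/2.22"
203.0.113.5 - - [21/Jul/2019:02:07:00 +0000] "GET /history/huey.html HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The author-ID probe the post describes; the ID is whatever number follows "author=".
AUTHOR_PROBE_RE = re.compile(r"^/\?author=(\d+)$")


@dataclass
class Verdict:
    enumeration: dict   # ip -> sorted author IDs probed (any status code counts as a probe)
    failed_logins: dict  # ip -> number of failed wp-login.php POSTs
    blocked: dict        # ip -> {"first_seen", "ua"} recorded when the block triggered


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyse(log_text, fail_threshold=1):
    """Detect author enumeration and password guessing; block at fail_threshold failures.

    fail_threshold=1 mirrors the post (blocked on the very first guess).
    """
    probes = defaultdict(set)
    failed = defaultdict(int)
    blocked = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        probe = AUTHOR_PROBE_RE.match(rec["path"])
        if probe:
            probes[ip].add(int(probe.group(1)))
            continue
        if rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            # Assumption: stock WordPress re-serves the form (200) on a failed login
            # and redirects (302) on success, so a 200 here is a failed guess.
            if rec["status"] == 200:
                failed[ip] += 1
                if failed[ip] >= fail_threshold and ip not in blocked:
                    # Record what an abuse report to the ISP needs: when and with what client.
                    blocked[ip] = {"first_seen": rec["ts"], "ua": rec["ua"]}
    return Verdict(
        enumeration={ip: sorted(ids) for ip, ids in probes.items()},
        failed_logins=dict(failed),
        blocked=blocked,
    )


def abuse_report(verdict):
    """One line per offending IP, in the shape you would paste into an ISP abuse ticket."""
    lines = []
    for ip, ids in sorted(verdict.enumeration.items()):
        lines.append(f"{ip}: probed author IDs {ids} (username enumeration)")
    for ip, info in sorted(verdict.blocked.items()):
        n = verdict.failed_logins[ip]
        lines.append(f"{ip}: {n} failed login(s), blocked at {info['first_seen']}, client {info['ua']!r}")
    return lines


if __name__ == "__main__":
    for line in abuse_report(analyse(SAMPLE_LOG)):
        print(line)
```

Ordinary visitors never appear in the report because they neither request /?author=N nor POST to the login form. The threshold defaults to 1 to mirror what the post describes; most operators would raise it to tolerate a mistyped password, and the enumeration detection alone is enough to justify a block, since a real reader has no reason to walk author IDs.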
Through some ISPs, persons ran the same script repeatedly, while getting nowhere except to the FBI’s www.ic3.gov. Equally horrifying is the response from some of the ISPs and hosting companies after reporting the activity. Digital Ocean thinks it’s funny and mocks the situation, while Digital Ocean itself has fake address and phone information, yet is verified on Twitter. QuadraNet appears to be a cyber attackers’ haven, never responds, and cyber attackers easily jump to a new IP range once blocked. Some of the ISPs appear to be the actual cyber attackers, 😲 they’re the ones who want you to fill out a form on their site (to capture your information to exploit as well) and someone will get back to you.
The attacked site’s admin doesn’t do forms! Forms clearly indicate that companies have zero cyber security (no NOC), aren’t monitoring critical and repetitive issues, and simply data-warehouse “anti-cyber crime snitches” (what cyber terrorists think those who report their malicious activities are 🙄) for attacks later. Meanwhile, Amazon has been proactively and immediately stopping the attacks, and has been the only company to show any kind of concern to address the situation.
We have a copy of the 23,297 log file entries of just the login attempts alone, as well as a copy of the entire log file, which shows all of their attempts including searching for files to exploit. We cannot share the log file because some of the entries contain server information, but we will follow up to this post and share a list of files persons are searching for on the site that never existed, but it’s clear these cyber attackers know which files can be exploited. That info will be valuable for other developers using third-party apps, to know which ones to avoid.
1366 ISPs, hosting companies and personal computers exploited for an aggressive cyber attack:
https://docs.google.com/spreadsheets/d/1faCHKgx4OymB0seJ2yNAoeMdWhn0x7qOTXngAIy4ibk/edit?usp=sharing
1366 ISPs PDF file:
https://drive.google.com/file/d/1qDLyIoWXf-Gco5WbzPaZqrSHv3-eYhPi/view?usp=sharing
Be safe out there; this problem will be getting worse, as is evident from the trend.