2010-09-29 19:16:30 Hacking attempt from China
John Cook

john@skepticalscience...
124.186.160.198

I don't promote this publicly but just thought I'd mention that there was another attempted hacking on the website tonight, just a few minutes ago. The IP address is from China. This is the 4th attempted hack of Skeptical Science - the first was from Spain, in December last year. Since then there was a second attempt from Russia and a 3rd attempt from Colombia.

Only the first attempt was successful - thanks to some excellent advice and support from Doug Bostrom, we've managed to tighten the defence and also put up an alert system so I immediately get notified if someone tries to hack the site and I can block out their IP. Doug also set up a back-up system in case something goes horribly wrong.

2010-09-29 20:02:40 very good idea to have a back-up
nealjking

nealjking@gmail...
91.33.127.209

It surprises me someone from China would do that. Or is it possible to really tell the ultimate location of the hacker?

Maybe it's not ideologically motivated: Just someone going after a visible target.

2010-09-29 21:01:01
doug_bostrom

dbostrom@clearwire...
184.77.83.151

If it's of any comfort, the second-most-aggressive of these was a canned attack designed to attack specific vulnerabilities of online retail systems.

It's not generally possible to ascertain the origin of a hacking attempt. China does in fact have a sizable indigenous industry in place, some of it widely agreed as state sanctioned. So do we in the U.S., for that matter; look into the recent remarkably irresponsible release of Stuxnet.

Although there were probably other earlier undetected attempts here at SkS, the first known successful intrusion in December was quite fun and intriguing in that we tracked the origin to an open wireless access point in Spain, strongly suggesting we were only one physical hop from the first machine in the chain. All signs indicated that once a successful entry was made, a real live human being took over the work and proceeded to do puzzling and highly specific things over the course of some days. Usually an intrusion is either immediately followed by graffiti defacement or simply logged and then access often sold on to another party or used directly for purposes of fraud. I think the disruption drawing John's attention to the successful invasion was probably a blunder on the perp's part. I was left to wonder if the whole affair was about using John's site as a demonstration or training aid.

2010-09-29 22:40:20 Quite fun and intriguing?
John Cook

john@skepticalscience...
124.186.160.198

It makes for a good anecdote now but at the time, it was mortifying and terrifying. I had no idea how the website got hacked, had no way of keeping the hacker out and was completely at the hacker's mercy for several days. They could have done anything. Doug was a heaven send - he found out how they got in, advised me how to stop another attack and set up a backup system. I was extremely thankful to have such an ally with such extensive experience in Internet security :-)

2010-09-29 23:21:16
Riccardo

riccardoreitano@tiscali...
93.147.82.100

I think it's a coincidence but I'm not a security expert.

For a couple of weeks now I have been receiving port scans from the same Chinese IP (58.218.204.110). It's not very aggressive, 5 to 10 attempts a day. I have a dynamic IP but the scanning keeps going even after the IP changes and after I blocked all active responses. The port numbers they scan look random but I did not save the logs so I can't tell with any real confidence. The only service I run is an FTP server but I did not find any attempt to log in. It looks like a bot scanning whole networks. Anyway, I'll pay more attention and report here if I note something that might be of interest.
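
The post above describes the situation where the logs were not kept, so the scan pattern could not be characterised with confidence. The script below is an added example for this thread, not code from any poster: it parses constructed Linux iptables LOG-target style lines (the `SRC=`, `PROTO=`, `DPT=` fields), groups events by source address, and reports distinct destination ports and attempts per day, which is exactly the evidence needed to tell a broad network-scanning bot from someone probing one service. All addresses in the sample are from the RFC 5737 documentation ranges and are made up; the threshold of five distinct ports is an assumption, not a standard.

```python
"""Summarise firewall log lines per source IP to spot port scanning.

Added example; the log lines are constructed in iptables LOG-target format
and use RFC 5737 documentation addresses, so nothing here is a real sighting.
"""
import re
from collections import defaultdict

# Constructed sample log (abbreviated iptables LOG output, two sources).
SAMPLE_LOG = """\
Sep 28 09:14:02 host kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=44120 DPT=21 SYN
Sep 28 11:40:19 host kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=44121 DPT=3389 SYN
Sep 28 16:02:55 host kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=44122 DPT=8080 SYN
Sep 28 22:31:07 host kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=44123 DPT=1433 SYN
Sep 29 03:12:44 host kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=44124 DPT=23 SYN
Sep 29 08:55:01 host kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=44125 DPT=445 SYN
Sep 29 13:20:38 host kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=44126 DPT=5900 SYN
Sep 28 10:00:00 host kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=21 SYN
Sep 29 10:00:00 host kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.2 PROTO=TCP SPT=51001 DPT=21 SYN
Sep 29 10:00:05 host kernel: ACCEPT IN=eth0 SRC=192.0.2.10 DST=198.51.100.2 PROTO=TCP SPT=51002 DPT=21 SYN
"""

# Fields we need: syslog date, the rule's action prefix, source, protocol, dest port.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: "
    r"(?P<action>\w+) .*?SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return the parsed fields as a dict, or None if the line is not a firewall event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dpt"] = int(ev["dpt"])
    ev["date"] = f"{ev['mon']} {int(ev['day']):02d}"  # day-granularity bucket
    return ev


def summarise(log_text):
    """Group events by source IP: set of destination ports, events per day, action counts."""
    stats = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        s = stats.setdefault(
            ev["src"],
            {"ports": set(), "per_day": defaultdict(int), "actions": defaultdict(int)},
        )
        s["ports"].add(ev["dpt"])
        s["per_day"][ev["date"]] += 1
        s["actions"][ev["action"]] += 1
    return stats


def flag_scanners(stats, min_distinct_ports=5):
    """Label a source as a scanner when it touches many different ports.

    The threshold is an assumed value for this example; one port hit repeatedly
    (e.g. only FTP) is reported but not flagged, since that looks like a targeted
    probe or a legitimate client rather than a network-wide scan.
    """
    report = {}
    for src, s in stats.items():
        total = sum(s["per_day"].values())
        days = len(s["per_day"])
        report[src] = {
            "distinct_ports": len(s["ports"]),
            "attempts_per_day": round(total / days, 1),
            "accepted": s["actions"].get("ACCEPT", 0),
            "is_scanner": len(s["ports"]) >= min_distinct_ports,
        }
    return report


if __name__ == "__main__":
    for src, r in flag_scanners(summarise(SAMPLE_LOG)).items():
        print(src, r)
```

Running it on a real `/var/log/kern.log` (or `journalctl -k`) is just a matter of feeding the file's text to `summarise`; the `accepted` count is worth watching separately, since a scanner whose packets are all `DROP`ped is noise, while one that gets an `ACCEPT` on a service you run deserves a look at that service's own logs.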

2010-09-30 01:03:10
doug_bostrom

dbostrom@clearwire...
184.77.83.151

Sorry, John, "fun and intriguing" in the wry sense. It was pretty awful, especially that moment when we thought we had it locked down and they got in again. Persistent, like cockroaches...