27 lines
1.7 KiB
Markdown
27 lines
1.7 KiB
Markdown
These are cybersecurity incidents that the AniNIX has had to remedy due to some failure in our detection and prevention systems.
|
|
|
|
**Note**: We explicitly exclude routine incidents, such as IP's banned for SSH brute-force, files quarantined after virus scanning, and other routine housekeeping.
|
|
|
|
# January 2018 Spambot Detection
|
|
An attacker used a default password to pull down a Perl SMTP spambot and email list to spam fake Bank of America emails to users, attempting to phish them into clicking an xplotica link.
|
|
|
|
* When: 11-29-2017 through 1-4-2018
|
|
* Who: IRL identity unknown; last source IP 196.52.32.4 (Netherlands residential)
|
|
* What: Spambot
|
|
* * Vector: Attacker used a default password to access a monitoring user account; spambot and target lists were downloaded from a GoDaddy webhost (now nonfunctional).
|
|
|
|
Detection was provided by the ISP and [https://www.abusix.com/ Abusix]. The Postfix service was shut down, and forensic analysis performed starting with the /var/spool/mail folder and tmux session capture.
|
|
|
|
# Impact
|
|
This has negatively impacted the AniNIX's reputation as an SMTP source -- we are following up with Abusix and Google to restore our reputation.
|
|
|
|
Current forensic investigation does not indicate a compromise to any AniNIX privileged information.
|
|
|
|
## Our Response
|
|
* Monitoring user password has been rotated on all systems.
|
|
* Automatic password rotation for service accounts will be added to the service deploy automation.
|
|
* Sharingan needs updates to better monitor lastlog output and the sshd "Accepted" regex in journald. Postfix will be evaluated for appropriate MTA settings and restored to service later.
|
|
|
|
Contact an admin for access to incident files.
|
|
|