admin cp login attempts - LOGGED!

Firewalls, routers, servers, switches, SANs, PBXes, security and related topics
Red Squirrel
Posts: 29209
Joined: Wed Dec 18, 2002 12:14 am
Location: Northern Ontario

Post by Red Squirrel »

Haha look what I caught!

I wonder who this is. I am positive I know what site they come from.

The isp is pbi.net (Pacific Bell) and because there were TWO attempts, I'll most likely contact their ISP. I don't think they should lose their connection over two completely failed attempts, but at least get a cute little warning from their ISP.

I wonder where they got those passwords though, coco is the name of my cat, and the other I can't explain... :roflmao2: I have a long password, so that's far off. I hope the guy who did that sees this post. :biglaugh:

I'll investigate further once I download the logs. I did not check them in like 3 days lol.

Image


Archived topic from Iceteks, old topic ID:1119, old post ID:9827
Honk if you love Jesus, text if you want to meet Him!
Wren
Posts: 2881
Joined: Sat Jan 25, 2003 7:36 pm


Post by Wren »

They must think you're stupid to use an obvious password, like your cat's name! :rolleyes:

Let us know what you find out. :evilsmile:

Archived topic from Iceteks, old topic ID:1119, old post ID:9828

Post by Red Squirrel »

Yeah no kidding. Oh, but I'll add an A so it sounds more like a type of nut instead. But my username is Red Squirrel. Hmmmm. :roflmao2:


And yep, I will post more info once I check those logs. As you can see I'm not very freaked out right now. I'll go do my homework first. :P

Archived topic from Iceteks, old topic ID:1119, old post ID:9830

Post by Wren »

Good idea...keep the priorities in order! :thumbsup:

Archived topic from Iceteks, old topic ID:1119, old post ID:9832

Post by Red Squirrel »

Oh boy, I downloaded the logs and I have 4 Megs to go through, wohoo!

That's what happens when I let 11 days of logs accumulate. These logs only log certain events, so it makes them much smaller, and only keeps important data. There's also 3 logs produced every day, as some are more detailed.

Archived topic from Iceteks, old topic ID:1119, old post ID:9843

Post by Wren »

No telling what you'll find in there if you ever get through them all! :eek:

Archived topic from Iceteks, old topic ID:1119, old post ID:9846

Post by Red Squirrel »

Actually, I noticed many people get here by google. Almost every 10 minutes or more often, there is a google search that leads here. Ain't that great? I just need to make the forum link bigger on all the pages. :roflmao2:

But the hit counter on the home page also shows that we do get quite a lot of visitors. :banana:

Archived topic from Iceteks, old topic ID:1119, old post ID:9847

Post by Wren »

Just hope they are the right kind of visitors! :unsure:

Archived topic from Iceteks, old topic ID:1119, old post ID:9853

Post by Red Squirrel »

I'm sure most of them are. Most of the google hits are people searching for something that the article covers so they read the article and go on to what they were doing. While google hits help us be known, I doubt it will help much in getting the forum more busy as most of the time when someone does a search for something and find it, they don't check the forum or anything. Some do though. Most searches also land right on the forum on a topic, so that's good.

We have 682 matches for IceTeks right now. That's great!

Archived topic from Iceteks, old topic ID:1119, old post ID:9855
jryan
Posts: 395
Joined: Wed Dec 18, 2002 1:19 am


Post by jryan »

"User: Red Squirrel
Password: jryanaucliue"

I wonder if whoever was trying to login realizes that Red and I are not the same person... We live in the same town, subscribe to the same ISP but we're not the same person. My username is just a combination of my first and last names.... lol....

Archived topic from Iceteks, old topic ID:1119, old post ID:9857
Chris Vogel
Posts: 5140
Joined: Fri Jan 10, 2003 1:14 am


Post by Chris Vogel »

jryan wrote: I wonder if whoever was trying to login realizes that Red and I are not the same person...
What?! You aren't Red? :o :P


HA! Red does all these things to improve security, so why in the world would he make his password the name of his cat? :roflmao2: Red knows better than that. :lol: I remember when "summer" and "winter" were passwords I used! :bsod: :bsod: :dosgonebad:

Archived topic from Iceteks, old topic ID:1119, old post ID:9858

Post by Red Squirrel »

jryan wrote: "User: Red Squirrel
Password: jryanaucliue"

I wonder if whoever was trying to login realizes that Red and I are not the same person... We live in the same town, subscribe to the same ISP but we're not the same person. My username is just a combination of my first and last names.... lol....
Actually, a lot of our "enemies" get confused over that. It does not help that my first name is Ryan. :roflmao2: Actually, I had someone send me hate mail and he thinks every member here is me. :blink:

Archived topic from Iceteks, old topic ID:1119, old post ID:9865

Post by Chris Vogel »

Red Squirrel wrote: he thinks every member here is me. :blink:
Hmm.... How do I know that every member here is not you? :o Heck, I could even be you. :unsure: Am I Red Squirrel? :blink:


:P :lol:

He probably said that to insult you. :banghead:

Archived topic from Iceteks, old topic ID:1119, old post ID:9866

Post by Red Squirrel »

takahita_tsukino wrote:
Red Squirrel wrote: he thinks every member here is me. :blink:
Hmm.... How do I know that every member here is not you? :o Heck, I could even be you. :unsure: Am I Red Squirrel? :blink:


:P :lol:

He probably said that to insult you. :banghead:
Yep, it goes something like this:


Oh… your members enjoy reading my bullshit do they? What members are these ryan? Any time I drop by your pitiful little excuse for a forum there’s nobody there, and any new threads started are by you, and answered by you. I’m pretty sure for the most part you’re just there by yourself, and that speaks volumes. Please make sure you include that in your dispatch to your legion of members *cough* *splutter* *guffaw*

:biglaugh:

It's not him though who tried to get in. The IP is far from matching.


And to be honest, I think this might have been something not done maliciously from the more advanced logs, but I'm waiting to confirm this before I mention anything.

Archived topic from Iceteks, old topic ID:1119, old post ID:9867

Post by Red Squirrel »

It's basically code all over my site that powers that. You can see the login page here: http://security.iceteks.com. It logs anything that is a security threat. I just need to use the function ScadaSend() within my site to "send" an alarm. For example ScadaSend("this is the alarm text",5,$_SERVER['REMOTE_ADDR']); where 5 is a critical alarm, 4 is high, 3 is so and so, 2 is not so bad and 1 is just information. (ex: someone opens an email that contains a tracker). This works similar to the US homeland security meter, but it's not always at 5. :roflmao2:

Through this login, I can also add/remove bad sites from accessing here. For example, one of our enemy forums will sometimes link to posts here, either to make fun of us or whatnot, so I block those requests through that, and it starts an alarm and blocks their IP. It does not really block it, it simply causes a message to be displayed on their screen saying they have been detected as trolls, and it logs an alarm each time. I also submitted that page on google, so recent IPs will be searchable on google and it will hit that page.

I had one where it was public, but I decided not to do that since sometimes I mistype my password in there and I would not want my partially correct password in public.

But yeah, that setup is very useful. That's another thing I should make a distributable version of, but it's sort of hard to do, since all pages must have it, type of thing. Most of the pages on this site have a logger script that checks stuff such as referrers, and logs it if it's important, but in that logger there's also the scada function in case I ever want to use it in that particular page. The logger simply logs normal activity, such as google hits, for information purposes only.

So by the end of the day, I have like 3 and sometimes 4 different logs to look at. But only 1 of them is important for information, the rest is only to track down known malicious activity. (ex: when I saw that IP, I did a search and found more information such as where he came from, and it was well, weird. )

Archived topic from Iceteks, old topic ID:1119, old post ID:9914
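
Added example, not the site's own code: an alarm logger with the call shape described in the post above (alarm text, level 1 to 5, source IP) that keeps each event on one log line and records a failed admin login without the submitted password, the concern the post raises about a public log. The function names, level labels, chosen alarm levels, log path and line format are assumptions.

```php
<?php
// Hypothetical alarm logger modelled on the ScadaSend(text, level, ip) call
// described in the post. Labels for levels 2 and 3 are assumed names.
const ALARM_LEVELS = [1 => 'INFO', 2 => 'LOW', 3 => 'MEDIUM', 4 => 'HIGH', 5 => 'CRITICAL'];

function alarm_send(string $text, int $level, string $ip, string $logFile): string
{
    if (!array_key_exists($level, ALARM_LEVELS)) {
        throw new InvalidArgumentException('level must be 1-5');
    }
    // Accept only a literal IP address so the field cannot carry other text.
    $ip = filter_var($ip, FILTER_VALIDATE_IP) ?: 'invalid-ip';
    // Replace control characters (CR/LF included) so one event is always one line.
    $text = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $text);
    $line = sprintf("%s\t%d\t%s\t%s\t%s\n", gmdate('c'), $level, ALARM_LEVELS[$level], $ip, $text);
    file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX);
    return $line;
}

// Failed admin login: record the account and the source, never the password
// that was typed, so a near-miss of the real password is not written anywhere.
// Level 4 is an assumed choice; the post does not say which level it uses.
function log_failed_admin_login(string $user, string $ip, string $logFile): string
{
    return alarm_send("failed admin cp login for user '" . $user . "'", 4, $ip, $logFile);
}

// Referrer check: raise an alarm when a request arrives from a listed site.
function check_referrer(string $referrer, array $blockedHosts, string $ip, string $logFile): bool
{
    $host = strtolower((string) parse_url($referrer, PHP_URL_HOST));
    if ($host !== '' && in_array($host, $blockedHosts, true)) {
        alarm_send('request from blocked referrer host ' . $host, 3, $ip, $logFile);
        return true;
    }
    return false;
}

// Constructed sample input (documentation address and hostname).
$log = sys_get_temp_dir() . '/alarm-example.log';
// The CR/LF in the user name is flattened, so no forged second entry appears.
echo log_failed_admin_login("Red Squirrel\r\nfake entry", '203.0.113.7', $log);
var_dump(check_referrer('http://forum.example.net/thread?id=1', ['forum.example.net'], '203.0.113.7', $log));
```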

Post by Red Squirrel »

Red Squirrel wrote: And to be honest, I think this might have been something not done maliciously from the more advanced logs, but I'm waiting to confirm this before I mention anything.
Just an update on this.

See, what happened is that this IP matched with Magic's at a/f, but it was older posts, his "current" is way different but same isp and given this is a large isp, it turns out to be a pure coincidence. Not to mention that he would never do such thing. I asked him if it was maybe an attempt to fix a sql error or something but it was not, which I figured. He would email me in that case. :)

I do suspect it is someone from our "enemy" site though, but not the guy who reported my server. He actually knows better not to mess with this site's security features, I think. In fact, May was the last time he set foot here, unless he's using a proxy or something.

I'll send him mail though telling him that I am aware of the possibility that it's members there. He can go and post it in the "fried squirrel" thread he started. (or I think "the :censored: squirrels" is the most recent, started by a member there)

I should change my password to "c0c04isn0tmyp4ssw0rdidi07" :roflmao2:

Archived topic from Iceteks, old topic ID:1119, old post ID:9925