Yeah! You read it right. Someone is trying to hack me!
While you’ll be reading it as “HACK me”, I’m still thinking “hack ME”.
I don’t have anything interesting enough for you to break into my machine and steal.
a) I don’t have anything related to national security on my laptop that you could make use of.
b) I’m not a billionaire you can scoop something off; rather, people know I’m as broke as any other average guy 🙂
As far as I know/understand, this started at the beginning of Feb 2011. My personal laptop has enough protective layers (antivirus, patches, firewall, blah blah) and, as anybody would guess, I keep it more up-to-date than many people out there.
So the attack (when I detected it) was done using Metasploit, a wonderful attack/security testing framework by @hdmoore, and the attacker caught me with CVE-2010-0840, a Java runtime vulnerability allowing remote code execution. It was delivered to me via some malicious web page I must have stumbled on somehow (I’m pretty much into exploring a lot of garbage online). I know my JRE was 2 sub-versions out of date, which made this attack possible.
I felt something fishy when, on my home broadband (not a shared LAN), I started getting SSL errors. Thanks to the stubbornness of Google Chrome, it didn’t allow me to ignore them and made me think twice. When I scanned my RAM, I found “meterpreter” running inside my explorer.exe (pretty neat, dude). This was when I knew someone was deliberately trying to get into my machine and that it couldn’t be the work of a mere malware infection.
Damn you attacker, you forced me to change 83 passwords in total.
Moving ahead, I started keeping a (more) vigilant eye on my machine for the attack to recur; I also created a honeypot with a lot of legitimate-looking traffic to lure him. But it seems the attacker understood that I had found his meterpreter trick and had killed the session once. So his attack strategy changed, and looking at the strategy used afterwards, I’m not sure whether it is the work of a single guy or a bunch of them, working together or even individually. If it’s a single guy, I seriously have a good job waiting for him.
The attacker presented me with a fake SSL certificate for api.twitter.com, and this is what he did wrong: he created a fake certificate with a validity of 10 years. In no good sense would Twitter buy a certificate from VeriSign (Twitter actually uses Equifax) for 10 years in one go. This fake certificate was encountered on my phone; when I rechecked the actual certificate of api.twitter.com (this time using my USB internet dongle) it was issued by Equifax and for one year only. See images below & click them for an enlarged view.
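The two tells described above (an implausibly long validity period and an issuer that does not match the CA the site is known to use) can be turned into a simple check. This is an added example, not code from the original post: the two certificate dicts are constructed in the format Python's `ssl` `getpeercert()` returns, the issuer names and dates are illustrative rather than real Twitter certificates, and the 398-day ceiling is an assumption about what public CAs issue.

```python
import socket
import ssl
# Assumption: no public CA issues a leaf certificate valid longer than
# 398 days; the forged cert in the post claimed ten years.
MAX_VALIDITY_DAYS = 398

def cert_validity_days(cert):
    # getpeercert() gives dates as "%b %d %H:%M:%S %Y GMT" strings.
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) // 86400

def issuer_org(cert):
    # issuer is a tuple of RDNs, each a tuple of (key, value) pairs.
    for rdn in cert["issuer"]:
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def check_cert(cert, expected_issuer, max_days=MAX_VALIDITY_DAYS):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    days = cert_validity_days(cert)
    if days > max_days:
        findings.append(f"validity of {days} days exceeds {max_days}")
    org = issuer_org(cert)
    if org != expected_issuer:
        findings.append(f"issuer {org!r} is not {expected_issuer!r}")
    return findings

def fetch_cert(host, port=443):
    # Online helper for a live site; the constructed samples below avoid it.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples in getpeercert() format: a one-year certificate from
# the CA the post names versus a ten-year one from an unknown issuer.
GENUINE = {
    "issuer": ((("organizationName", "Equifax"),),),
    "notBefore": "Feb  1 00:00:00 2011 GMT",
    "notAfter": "Feb  1 00:00:00 2012 GMT",
}
FORGED = {
    "issuer": ((("organizationName", "Example Fake CA"),),),
    "notBefore": "Feb  1 00:00:00 2011 GMT",
    "notAfter": "Feb  1 00:00:00 2021 GMT",
}
```

Running `check_cert(fetch_cert("api.twitter.com"), "Equifax")` on a live connection applies the same two tests to whatever certificate the network actually hands you.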
There are a few more screenshots and reverse-trace reports, but I’m not posting them online for legal reasons; I’d need them to be produced as evidence.