It appears that my personal, and the Veil-Framework server, are under attack from someone attempting to brute force their way into our mail servers. I noticed this yesterday (5/12) around noon (Eastern Time Zone), and is still underway as of the time of this article. I’ve been monitoring the logs, and these attacks aren’t coming from a single IP address, but IPs from all over the world.
I have a tool that I am working on that can be used in this scenario. Right now, I want to try to find as much information about the systems attacking me as I can from publicly available information, without directly interrogating the attacking systems. Some of the information that I try to gather is stuff such as:
- Geo-location information
- Country
- City
- Timezone
- GPS Coordinates
- ISP
- Is it a known attacker documented by the Animus Project?
- Do the attacking IP addresses share any common traits
- SSH Keys
- HTTPS Certificates
- Certificate Chains
- What common ports are open across the attacking IPs?
- Are any of the IPs known by VirusTotal?
For anyone that is interested in obtaining the attacking IPs from me, just feel free to reach out to me. This tool will still need some work in it’s output formatting, but I figured I’d want to give a dump of the raw output in case anyone found its information useful. Ideally, this attacker metadata information can be helpful to others, but I’d also love to hear if there are tweaks that would make this information more useful.
Here’s some of the data about the systems that are currently attacking my servers (OBVIOUS NOTE: The information here is just about the systems attacking me, and where they are coming from. An IP address does not equal attribution. Also, the information that is calculated for “Top X” output is only calculated if the information is available.)
Top 10 Countries
(Country : Number of Occurances)
===================================
India : 300
Vietnam : 292
Peru : 206
Russia : 164
Germany : 134
Iran : 127
Kazakhstan : 126
Belarus : 94
Ukraine : 71
Mexico : 69