BACKTROLLING

An action taken by a person who is being trolled. The person being trolled uses the exact same trolling technique that the troll is using, thus confusing the troll and making him look bad in front of everyone else.

"He was trying to make me look like an idiot, but I pulled the good ol' backtrolling trick on him."

"Dude, poor Toni always gets backtrolled by his friends."

-.. .- ... .... . ... / .- -. -.. / -.. --- - ...

MAKING SOMEONE HACK HIMSELF

Return to sender, address unknown. No such number, no such zone...

Hmmm... Someone is trying to brute-force his way through my SSH server. I do have automated 10-year black-listing for every IP with three consecutive login failures, but it's still annoying to see his continuous attempts in my logs.

[root@vaktankan ~]# tail -10 /var/log/secure
Mar 29 00:20:19 vaktankan sshd[29176]: refused connect from 116.31.116.10 (116.31.116.10)
Mar 29 00:20:28 vaktankan sshd[29183]: refused connect from 116.31.116.10 (116.31.116.10)
Mar 29 00:20:53 vaktankan sshd[29216]: refused connect from 116.31.116.10 (116.31.116.10)
Mar 29 00:21:15 vaktankan sshd[29228]: refused connect from 116.31.116.10 (116.31.116.10)
Mar 29 00:21:18 vaktankan sshd[29235]: refused connect from 116.31.116.10 (116.31.116.10)
Mar 29 00:21:43 vaktankan sshd[29253]: refused connect from 116.31.116.10 (116.31.116.10)
Mar 29 00:22:07 vaktankan sshd[29276]: refused connect from 116.31.116.10 (116.31.116.10)
Mar 29 00:22:12 vaktankan sshd[29280]: refused connect from 116.31.116.10 (116.31.116.10)
Mar 29 00:22:32 vaktankan sshd[29297]: refused connect from 116.31.116.10 (116.31.116.10)
Mar 29 00:22:57 vaktankan sshd[29320]: refused connect from 116.31.116.10 (116.31.116.10)
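
The "three consecutive login failures" rule mentioned above can be sketched as a small log filter. This is an added example, not the author's script or the tool he uses; LIMIT, consecutive_failures and sample_log are names chosen here, and the log lines are constructed samples in OpenSSH's syslog format using documentation addresses.

```shell
#!/bin/sh
# Added example (not the post's tooling): report each source IP that reaches
# LIMIT consecutive failed SSH logins. LIMIT=3 mirrors the rule in the post;
# the function names and sample data are assumptions made for illustration.
LIMIT=3

consecutive_failures() {
    awk -v limit="$LIMIT" '
        # The user name in these lines is chosen by the remote client and can
        # contain spaces or the word "from", so take the address that follows
        # the LAST "from" on the line, which sshd itself wrote.
        function source_ip(   i) {
            for (i = NF; i > 1; i--) if ($(i - 1) == "from") return $i
            return ""
        }
        # Match on field position so text inside a user name cannot pose as
        # the start of an sshd message.
        $5 !~ /^sshd\[[0-9]+\]:$/ { next }
        $6 == "Failed" && $7 == "password" {
            ip = source_ip()
            if (ip != "" && ++streak[ip] == limit) print ip   # report once
            next
        }
        # A successful login ends the failure streak for that address.
        $6 == "Accepted" { streak[source_ip()] = 0 }
    '
}

# Constructed sample input, not taken from the post.
sample_log() {
    cat <<'EOF'
Mar 29 00:10:01 example sshd[101]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar 29 00:10:03 example sshd[102]: Failed password for root from 203.0.113.7 port 40002 ssh2
Mar 29 00:10:04 example sshd[103]: Failed password for alice from 198.51.100.5 port 50001 ssh2
Mar 29 00:10:06 example sshd[104]: Failed password for alice from 198.51.100.5 port 50002 ssh2
Mar 29 00:10:09 example sshd[105]: Accepted password for alice from 198.51.100.5 port 50003 ssh2
Mar 29 00:10:12 example sshd[106]: Failed password for alice from 198.51.100.5 port 50004 ssh2
Mar 29 00:10:15 example sshd[107]: Failed password for invalid user x from 192.0.2.1 port 1 ssh2 from 203.0.113.7 port 40003 ssh2
EOF
}

sample_log | consecutive_failures   # prints 203.0.113.7
```

On a live host the same function can read the real log, for example consecutive_failures < /var/log/secure, and its output can feed whatever deny list is in use.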

I wonder if the computer that the attacks come from is properly secured:

[root@vaktankan ~]# nmap -v 116.31.116.10

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 00:23 CEST
...
Initiating SYN Stealth Scan at 00:23
Scanning 116.31.116.10 [1000 ports]
Discovered open port 1080/tcp on 116.31.116.10
Discovered open port 6006/tcp on 116.31.116.10
...

Well, well.. Two interesting ports seem to be open. What's behind them, one might ask:

[root@vaktankan ~]# curl http://116.31.116.10:6006
curl: (56) Recv failure: Connection reset by peer

No answer on a plain http call on port 6006... But how about 1080?

[root@vaktankan ~]# curl http://116.31.116.10:1080
SSH-2.0-OpenSSH_6.9p1 Ubuntu-2
curl: (56) Recv failure: Connection reset by peer
[root@vaktankan ~]# ssh -p 1080 116.31.116.10
root@116.31.116.10's password:
^C

Aha! He put his own SSH server on port 1080 instead of port 22. Security by obscurity...clever..

Let's have some fun and redirect all SSH traffic from that IP address to his own SSH server, so that he ends up banging on his own front door:

[root@vaktankan ~]# iptables -t nat -A PREROUTING -s 116.31.116.10 -p tcp --dport 22 -j DNAT --to-destination 116.31.116.10:1080

Now let's see if the secure-log is more quiet than before:

[root@vaktankan ~]# tail -f /var/log/secure
^C
[root@vaktankan ~]#

Lovely - it is completely silent. But I can imagine how it looks in the attacker's own security logs ;-)

Maybe he eventually succeeds in breaking his way into his own house and starts destroying things. That would be cool...