It was just another ordinary day, a lovely morning. I was working on some Flash project at work and received a call from a friend telling me her email account was stolen and she needed help to retrieve it (that explains why she was quiet on MSN last night).
Anyhow, after looking at the issue, I figured out the following:
The attacker guessed an easy secret question, and thereby was able to reset the password and change the old secret question.
Anyhow, I saw the contact online once again … tried to communicate; as for replies, the guy was calm, he sent me many “****” “stars” whenever I was talking to him for some reason, then he went offline.
I was like hmmm, so I called my friend back and told her I had to leave now for college, and asked her to send me her full details (old password, old secret question, location, name, phone number), anything she could remember that was added to the account ID, so I could contact Microsoft and ask them to reset the password.
I wrote an email to Microsoft account services explaining the current situation.
The next day I received another call from my friend telling me it was someone from the same company I work for. “And now WTF!!!” << that was my reaction! “Now why would you say that?” I said.
She was able to trace an offline message that led to one of our IP addresses. I didn’t know which or what IP address that was, so I asked her to fax me the details … I quickly closed unimportant temporary ports (FTP, Terminal Services, Telnet and some ranges of ports).
I then had a bright idea: remember the re-login page?
Yes, I made one, only I couldn’t embed it in the email I was sending the attacker.
The main concept is that when the attacker receives the link, it will prompt him to enter his email and password to see the content … and when he/she submits the form, it will send it to a database (a text file) and compose an email to me with the username, password and IP address.
Anyhow, I composed an email message to my friend’s stolen email from a different account late at night; somewhere about 12 am I received the email. Guess where the attacker came from … Cyprus.
I then waited for 15 minutes (“Just in case, before I reset the password. The attacker was also able to hijack 2 of her friends’ IDs, only that I didn’t know what the 3rd account ID was. I tried calling my friend but her phone was turned off; I just assumed that he might have been using the same password for the 3 accounts.”)
Anyhow, I reset the first 2 accounts, got my hands on the 3rd account from one of the 2 accounts and reset its password. Now what made me think was the IP; it was a mystery what and how the IP was used, mind that MSN, Hotmail and Yahoo are blocked on the employees’ end. The only way to use those was on some servers!
The next morning she faxed the information about the IP. It was an offline message that was sent to one of her friends from the attacker, and it had the IP of our testing server,
which had remote access enabled with a silly password (my fault, never thought of it this way).
(BTW, I received an email from Microsoft asking me for more personal details so they could decide on resetting the password, meaning it works this way too.)
Then I concluded the following:
When the attacker received MY offline message, he was able to scan the range of IPs, and he found the remote desktop port enabled, had the password guessed … and used it to do his stuff, “some felony”!!!
I closed the port, changed the password, and checked the access audit log to find out, hell yeah, he was in, smart bastard. Thank God he didn’t go further.
Hope this helps other people to understand the security risks of keeping silly, easily guessed passwords on their accounts or servers; it demonstrates the fatal error of human beings, so no need to blame Windows every time 😀.
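The audit-log check is the part of this story worth automating. The following is an added example (not the author’s code) that flags successful Remote Desktop logons (Windows event 4624, logon type 10) from IPs outside a trusted range and counts the failed attempts (4625) that preceded them; the one-line-per-event log format, the trusted network and the sample lines are all constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample log in a simplified one-line-per-event format (assumption:
# a real export from the Windows Security log would need EVTX/CSV parsing;
# the event IDs and logon type follow Windows conventions).
SAMPLE_LOG = """\
2009-03-01 23:58:02 EventID=4624 LogonType=10 Account=tester SourceIP=10.0.5.21
2009-03-02 00:11:40 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.77
2009-03-02 00:11:52 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.77
2009-03-02 00:12:07 EventID=4624 LogonType=10 Account=administrator SourceIP=203.0.113.77
2009-03-02 08:30:15 EventID=4624 LogonType=2 Account=tester SourceIP=-
"""

# Assumed internal range; anything else reaching RDP is worth a look.
TRUSTED_NETS = [ip_network("10.0.0.0/8")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_events(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            events.append({"ts": d["ts"], "event_id": int(d["eid"]),
                           "logon_type": int(d["lt"]),
                           "account": d["acct"], "ip": d["ip"]})
    return events


def is_trusted(ip):
    try:
        addr = ip_address(ip)
    except ValueError:
        return True  # console logons carry no network source ("-")
    return any(addr in net for net in TRUSTED_NETS)


def suspicious_rdp_logons(events):
    """Successful RDP logons from untrusted IPs, with prior failures per IP."""
    findings, failures = [], {}
    for ev in events:
        if ev["logon_type"] != 10:
            continue
        if ev["event_id"] == 4625:
            failures[ev["ip"]] = failures.get(ev["ip"], 0) + 1
        elif ev["event_id"] == 4624 and not is_trusted(ev["ip"]):
            findings.append({**ev, "prior_failures": failures.get(ev["ip"], 0)})
    return findings
```

Run against the sample, it reports the single logon from 203.0.113.77 with two failed guesses before it, which is exactly the pattern a weak RDP password leaves behind.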