Play games with hackers: Use CryptoWall tracker to mess up hacker actions

Source: Internet
Author: User
Tags md5 hash cloudflare vps

Play games with hackers: Use CryptoWall tracker to mess up hacker actions

In a TED speech, I personally demonstrated a game that interacts with 419 scammers-what happens after you reply to spam, so I also had the idea of playing a guerrilla warfare with hackers.

So in February 10, I published all the information about CryptoWall on a website and published it as "CryptoWall tracking:




Generally, when you open a website, you can directly test it on the network to determine the "Free Security reminder ". Most tests (pentests) are automated; prevent CryptoWall proxy or Zone-H 'credit '..

Not long ago, I suddenly noticed that someone started logging on to the CryptoWall tracking website and opened my own messy game.

CryptoWall tracker settings

First, I want to explain how this website is set up.

The website itself is static at 100%. All pages are displayed on my personal devices and uploaded to the server through SCP. The reason why the website is completely static is mainly for security. This website does not have much content to update. It does not prevent me from working on the website or browsing the website.

The network server serving static content runs behind CloudFlare to filter out various network noises and reduce traffic through CloudFlare cache. This means that although I gave up some "control" on the website itself, the website is always online. In addition, I have enabled the "always online" feature on the website, which means that even if its original server requires offline CloudFlare, it will always cache the latest version of the website. Another advantage of using CloudFlare is the decrease in the number of requests. All network noise and normal scanners are automatically filtered out by CloudFlare for "harmful" requests. Another way to reduce the number of requests on the backend server is to allow the cache of all content on the webpage. In this way, only new requirements that have not been cached can attack my server, and only some unique requests are left after these filters.

CloudFlare provides great functionality in shielding all automatic scanning tools, which I usually use to view tools with Low Frequency limitations or perform manual testing.

First attack

When I clean up disk space on the server, I noticed that the access log memory is much larger than usual. Generally, server access logs are small. However, some original requests exist only when I clear the cache on the CloudFlare webpage.

Many Python-based scanner requests are generated. I guess someone is doing something. The following are some requests for attackers to search for the management interface on the tracing Website:

[01/Mar/2016: 18: 24: 16 + 0100] "GET/administrator/HTTP/1.1" 404 0 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/2.6.32-042stab092. 1"

[01/Mar/2016: 18: 24: 54 + 0100] "GET/admin/HTTP/1.1" 404 0 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/2.6.32-042stab092. 1"

[01/Mar/2016: 18: 25: 37 + 0100] "GET/adm/HTTP/1.1" 404 0 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/2.6.32-042stab092. 1"

This lasted for a long time. During the first scan, 80 requests were scanned. Looking at which requests are printed slowly, I feel that someone is manually operating or copying and pasting them into the browser. I decided to go and have a game with him.


First, check the IP address, which seems to be the IP address of a Tor egress node. This guy uses Tor.

Then, I carefully read the requests and basically confirmed that he was looking for a specific folder based on a specific list. He keeps sending requests to the same list sub-folder and tries to obtain a series of backup and configuration files. However, after attacking the "CSS" folder, I can also find out which files have been viewed by him. Based on this file list, I decided to start my competition.

Game: changing the game location

First, I need to lure the attacker out of the tracking website. CloudFlare caches all of his requests, which also contain some attack filters. I guess he may call the verification code by hand every time, because there is a delay between his requests.

He apparently knew that I was using CloudFlare and provided him with a fake CloudFlare IP address for his investigation. I also disclose the error information to him to transfer the information. I wrote this in/data/test. php:


This error is usually displayed only when the database fails to connect to the server for some reason. In this case, I place a static text. I hope attackers can open the Server ip address I revealed.

Two days later, I received a request about the file. That's right. He searched for/data/folder .. However, I cannot tell whether it is the same person as the hacker who attacked the CryptoWall website.

Game: cracking hash

About an hour later, the attacker found my planting error page. The user agent still displays "python-requests/2.2.1 CPython/2.7.6 Linux/2.6.32-042stab092. 1". That's right. Now you can confirm that you are the same person.

When preparing VPS, I installed a green NGINX and set static files and Python bottle framework applications. This time, I created a bait file under/backup. The directory contains some SQL files. Except for one of the dump files, all other files return the NGINX forbidden page:


Now I need a nice sqldump. I found a website that can generate fake MySQL dump (including a large number of other file formats) So I generated the cwt-mysql-settings-backup-01032016 file in the directory list:


This is a user table automatically backed up from the database. I generated the data and manually added two password hash entries. This is the MD5 Hash Value of 'test123' and the final 'crypt3d 'I used for testing. If you find the hash and use the online MD5 cracking service to crack it, you will get two passwords. I don't know if the hacker has manually cracked the hash value, but it hasn't appeared for three days.

He never showed up, so I thought this guy was not playing, because I set it very simple.

Game: pitfall

At the beginning, I set the MYSQL dump file to allow the hacker to crack the hash value (whether online or offline) and use the password to log on to the fake management tracking website panel.

I created a bottle framework application as the "Management Panel" of the CryptoWall tracker ". You can obtain the following information in the "/administration/login" request:



Really, really, really easy. The hacker found the backup folder (a false MYSQL dump) for a long time ).

You must use the Account "my" obtained from the fake MYSQL dump, username "Yonhap", and password "Crypt3d" to log on to the Panel, and then see one of the two pages. I also want to see If hackers will expose their real IP addresses. From the Tor Project Website



At the beginning, I also hoped to add the last sentence "you have logged out" to make the hacker think "mom! What are the correct logon passwords? Why haven't I logged on !" If he uses an IP address that is not used as the egress node, this page will appear:



The internetpolice. us website is operated by my friends. If the hacker finally enters this page, he will know that he has been played.

Finally, in this game, the hacker first disappeared for a long time. Three days later, he found the SQL dump and then accessed the Panel and logged on... 3 minutes later, the P address will log on. Then a Ukrainian IP address is displayed to log on to my fake panel.

Thank you for playing this game with me, my Ukrainian friend. Although this is not necessarily his actual IP address, it may also be handled through some sandbox.


In fact, I think it is not good at all. This setup was in a hurry and there were many vulnerabilities. The historical IP addresses in the VPS ip address record the operation process. This hacker stepped down step by step according to my traps, which is really surprising ~

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.