Count – Country

94 – UNITED
82 – CHINA
23 – KOREA
19 – BRAZIL
13 – TAIWAN
11 – POLAND
10 – UNITED
10 – RUSSIAN
10 – ITALY
8 – GERMANY
8 – COLOMBIA
8 – ARGENTINA
7 – MEXICO
7 – INDIA
7 – CZECH
7 – CANADA
5 – SPAIN
5 – HUNGARY
5 – HONG
5 – FRANCE
4 – UKRAINE
4 – TURKEY
4 – ROMANIA
4 – PANAMA
4 – JAPAN
4 – CHILE
4 – AUSTRALIA
3 – BULGARIA
2 – VENEZUELA
2 – SOUTH
2 – SAUDI
2 – PHILIPPINES
2 – PERU
2 – PAKISTAN
2 – NETHERLANDS
2 – MOLDOVA
2 – MALAYSIA
2 – IRAN
2 – HONDURAS
2 – FINLAND
2 – EGYPT
2 – BELGIUM
2 – AUSTRIA
1 – VIET
1 – UNITED
1 – SYRIAN
1 – SRI
1 – SLOVAKIA
1 – SINGAPORE
1 – NICARAGUA
1 – LITHUANIA
1 – KAZAKHSTAN
1 – ISRAEL
1 – IRAQ
1 – GUATEMALA
1 – GREECE
1 – GHANA
1 – COSTA
1 – AZERBAIJAN

The root account was the most targeted username out of all the attacks. Its always a good idea to disable this account when setting up your ssh server. This will slightly decrease the chances of an automated brute force from being successful. Listed below are a few more options you should consider if you wish to protect your server.

- Using host-based tools such as DenyHosts, fail2ban or BlockHosts
- Making sure usernames were not easily guessable
- Using multiple factors of authentication or public keys if possible
- Reduce the amount of public facing servers if possible

Malware Infection

“Imagine if instead, in the case of Britney Spears account for example, that the hacker had posted a link that said: ‘Here’s my new video. Click on this link.’ Imagine how many people would have clicked on that and it could have pointed to malware? And Barack Obama is one of the most followed people on Twitter. If he said: ‘I’ve just made a new speech. Check it out.’ a lot of people would click on that link and get infected.”

Read About the other 2 ways

“A potent trojan cocktail consisting of backdoors, password stealers, and downloader is being loaded by a malicious iframe on nearly 55,000 compromised website pages. The iframe points to an intermediary exploit site, http://a0v.org/x.js, which in turn loads additional exploits and malware from up to seven different malware domains.

A Google search on the iframe script tag resulted in 54,900 hits. Victim sites include www.feedzilla.com, latindiscover.com, and a number of charitable and nursing facilities, including howellcarecenter.com, sweetgrassvillagealf.com, www.foodsresourcebank.org, and morningsideassistedliving.com.”

I started seeing these domains pop up around 8/5. Follow the links below for more information.

ahthja info
laogong info

Read More

site
The site operator is great for trolling through all the content Google has gathered for a target.
This operator is used in conjunction with many of the other queries presented here to narrow the focus of the search to one target.

intitle:index.of
The universal search for Apache-style directory listings.
Directory listings provide a wealth of information for an attacker.

error | warning
Error messages are also very revealing in just about every context.
In some cases, warning text can provide important insight into the behind-the-scenes code used by a target.

login | logon
This query locates login portals fairly effectively.
It can also be used to harvest usernames and troubleshooting
procedures.

username | userid | employee.ID | “your username is”
This is one of the most generic searches for username harvesting.
In cases where this query does not reveal usernames, the context around these words can reveal procedural information an attacker can use in later offensive action.

password | passcode | “your password is”
This query reflects common uses of the word password.
This query can reveal documents describing login procedures, password change procedures, and clues about password policies in use on the target.

admin | administrator
Using the two most common terms for the owner or maintainer of a site, this query can also be used to reveal procedural information (“contact your administrator”) and even admin login portals.

ext:html –ext:htm –ext:shtml –ext:asp –ext:php
This query, when combined with the site operator, gets the most common files out of the way to reveal more interesting documents.
This query should be modified to reduce other common file types on a target-by-target basis.

inurl:temp | inurl:tmp | inurl:backup | inurl:bak
This query locates backup or temporary files and directories.

intranet | help.desk
This query locates intranet sites (which are often supposed to be protected from the general public) and help desk contact information and procedures.

Website-specific searches:

Show all indexed pages for a specific domain:

site:{url}

Find pages that link to a specific URL:

link:{url}

Find pages related to a specific URL:

related:{url}

Show Google’s cached version of a specific URL:

cache:{url}

Show a page containing links to related searches about a URL:

info:{url}

Find only results from a specific domain:

site:{url} {terms}

Content-, Link-, and Title-specific searches:

Find results with the specified terms in the link URL or title of links to a website:

allinanchor:{terms}

Find results with only the first specified term in the link URL or title of links to a website:

inanchor:{terms}

Find results with the specified terms in the URL:

allinurl:{terms}

Find results with only the first specified term in the URL:

inurl:{terms}

Find results with the specified terms in the page title:

allintitle:{terms}

Find results with only the first specified term in the page title:

intitle:{terms}

Find results with the specified terms in the page text, not the links or page title:

allintext:{terms}

Find results with only the first specified term in the page text, not the links or page title:

intext:{terms}

Find results with the specified terms in the page links, not the text or title:

allinlinks:{terms}

Find results with only the first specified term in the page links, not the text or title:

inlinks:{terms}

Find results containing the specified filetype:

filetype:{filetype}

Find results not containing the specified filetype:

-filetype:{filetype}

Other Tips & Tricks

Find directory indexes (a listing of web server files) for specific topics and with specific filetypes:

{term} intitle:"index of /" {filetype}
php intitle:"index of /" .pdf

Find only images containing faces in a Google Image search result by adding ‘&imgtype=face‘ to the end of the search URL:

http://images.google.com/images?q=google

http://images.google.com/images?q=google&imgtype=face

Demo of the Hack

Here’s a demo of the hack (the theft occurs at the end of the clip).

Demo