linux – How do pirates get on our server without brute force?

I am a web developer and we currently have no one at our office who specializes in the well-being of the server or network. Usually, I can solve a lot of problems with my basic knowledge, but currently we have strange things happening and I do not know what's going on, so I'm looking for some advice from someone a lot more competent than me to shed a little light, if possible.

We have an eCloud server hosted by UK Fast (Linux server) which contains a VPS server and many client sites. Yesterday, the server went down at random and when we realized, we called them and they said that someone had SSH'd in and executed the command sudo rm, which essentially deleted our entire server. UK Fast managed to get an IP address indicating the origin of the user who accessed it, but 1. I do not know how it helps and 2. they could have used a VPN anyway.

What is strange is that they had a connection attempt and it was a success … So whoever it was knew the password or got it from somewhere. The only place we have our password is on LastPass and no one else knows it. So we restored the backup and recovered everything, changed the password and called it a day.

So, break for this morning and it's happened again … except this time they left no trace of anyone because they made sure to remove the logs as well …

How could they do that and how can we stop that? I do not even know where to start …

Does anyone have any idea of how this could happen, please?

Mechanism for brute force attack detection from Apache Access_log files [on hold]

How to detect a brute force attack attempt in my web application, whether for the user login or the administrator login hosted on the Apache server.

mysql – retrieves column names from a brute force blind sql injection table

Is it possible to get the column names of a table through blind SQL injection by brute force in MySQL?
So the request would be:

select column_name in information_schema.columns WHERE table_name = 'tablename' and * first letter column names = "a" * 

So, if the first column name in this table does not start with "a", it will return an error if it starts with "a", which would not be it. and do the same thing for the second, third, and so on. Is it possible? Or is there a more effective way perhaps? Thank you

Key encryption against brute force of OTP

How does an attacker know that he has decrypted a traditional encryption key?

Wikipedia describes the OTP:

"A string of 140 characters coded once and subject to a brute force attack would eventually reveal all possible 140 character strings, including the correct answer – but of all the answers given, there would be no way to know what was the correct one."

So, if you do not know when you have resolved OTP, what is the giveaway when a traditional encryption key is resolved?

private key – Number of tests needed for the brute force attack to be x% successful?

I make an informative video about the probability that an attacker will force a specific bitcoin address. Obviously, we will have to deal with incredibly huge numbers ("Not in the life of the Earth with the technology of today"), but I would like to include the number of tests needed for an attacker to gain 1%, 50% and 90% confidence in his success.

Normally, I can afford to use Excel to solve statistical problems. However, Excel does not make very big numbers, so I am unable to calculate.

If I had to use Excel, I would use the formula below, which tells me the chance of getting 0 successes in ???? trials. I subtract the result from 1 and this % represents the possibility of success.

= 1-BINOM.DIST(0, ????, 2^-160, TRUE)

For a simplified example of what I am looking for: If I were to play a game with a 1% chance of winning, I would have about a 90% chance of succeeding 1 or more times after 250 tries, a 50% chance after 70 trials, and a 1% chance after 1 trial.

91.89% = 1-BINOM.DIST(0, 250, 0.01, TRUE)

50.52% = 1-BINOM.DIST(0, 70, 0.01, TRUE)

1.00% = 1-BINOM.DIST(0, 1, 0.01, TRUE)

Can anyone calculate how many tests would be needed for a 90%, 50% and 1% probability of success against a single Bitcoin address? The ability to land the address correctly is 1 in 2^160.

Well done if you can do the math in your head.
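The Excel formula above rounds to zero because 1 - 2^-160 is not distinguishable from 1 in floating point. The following is an added example, not part of the original post: it evaluates the same 1 - (1 - q)^n expression with `log1p`/`expm1` and inverts it to get the number of trials. The function names are chosen for this illustration; q = 2^-160 is the figure from the question.

```python
import math

def naive_probability(trials: int, q: float) -> float:
    """Direct 1 - (1 - q)**trials; for tiny q the term (1 - q) rounds to exactly 1.0."""
    return 1.0 - (1.0 - q) ** trials

def success_probability(trials: int, q: float) -> float:
    """P(at least one hit in `trials` independent guesses, each with chance q)."""
    # (1 - q)**trials == exp(trials * log1p(-q)); expm1 keeps the small result exact.
    return -math.expm1(trials * math.log1p(-q))

def trials_needed(p: float, q: float) -> int:
    """Smallest whole number of trials whose success probability is at least p."""
    return math.ceil(math.log1p(-p) / math.log1p(-q))

if __name__ == "__main__":
    q = 2.0 ** -160  # chance per guess, as stated in the question
    for p in (0.01, 0.50, 0.90):
        n = trials_needed(p, q)
        print(f"{p:.0%}: {n:.4e} trials "
              f"(check {success_probability(n, q):.4f}, naive {naive_probability(n, q)})")
```
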

brute force – Question about the use of hashcat for a collision attack

For any half-decent hash function, even hashes totally unsuitable for cryptography, if you're looking for collisions by brute force, it does not matter how you explore the search space. Keeping a fixed prefix and changing the suffix, or keeping a fixed suffix and changing the prefix, are as effective as any other method. Indeed, all hash functions are designed to produce distinct results for similar entries.

If there are N possible hash values, you should calculate and store about √N hashes until you have a good chance of finding a collision (birthday limit). For a 32-bit hash that is used in hash tables, N = 2^32, then √N = 2^16, which is reached very quickly. For a 128-bit hash such as older cryptographic hashes, √N = 2^64. A GPU these days can calculate something like 2^34 (16 billion) MD5 hashes per second, which means that it calculates 2^64 hashes in about 2^30 seconds (≈ 34 years).

But that's not all: to find a collision, you have to store the result of all these calculations. The limiting factor will therefore be the bandwidth of the memory. And once your RAM is full, it will be the storage bandwidth. You will not find a collision in a 128-bit hash in your lifetime.

Hashcat is designed to look for hash pre-images, not to look for collisions. Hashcat is designed to reverse password hashes (and ordinary hashes badly used for passwords), and collisions are irrelevant for that. But even with an optimized tool, what you are trying to do is not feasible for a cryptographic-sized hash.

If you want to find a collision for a 128-bit hash, you must understand its structure. There are known methods for looking for collisions for MD4 and MD5, for example. These methods are practical because they do not use brute force over the entire search space.

By the way, you call the hash inputs "passwords," but password hashes are different from "ordinary" cryptographic hashes. They are slower and salted. Using a random salt means that with a password hash, you do not get the same output twice, not even if you use the same password twice.
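The birthday limit described in this answer can be watched at small sizes. This is an added example, not code from the original answer: it uses SHA-256 truncated to `bits` bits as a stand-in for an N = 2^bits hash (an assumption made for the demonstration), keeps a fixed prefix with a changing suffix, and stores every hash until one repeats. The function names are hypothetical.

```python
import hashlib
import math

def truncated_hash(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256: a stand-in for a hash with N = 2**bits outputs."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)

def find_collision(bits: int, prefix: bytes = b"fixed-prefix-"):
    """Keep the prefix fixed, vary the suffix, store every hash until one repeats."""
    seen = {}  # hash value -> message; this table is the memory cost
    count = 0
    while True:
        msg = prefix + str(count).encode()
        h = truncated_hash(msg, bits)
        count += 1
        if h in seen:
            return seen[h], msg, count
        seen[h] = msg

def expected_hashes(bits: int) -> float:
    """Birthday estimate of the work: about sqrt(pi/2 * N) hashes."""
    return math.sqrt(math.pi / 2 * 2 ** bits)

def years_at_rate(log2_hashes: int, log2_rate: int) -> float:
    """Years to compute 2**log2_hashes hashes at 2**log2_rate hashes per second."""
    return 2 ** (log2_hashes - log2_rate) / (365.25 * 24 * 3600)

if __name__ == "__main__":
    for bits in (16, 24, 32):
        m1, m2, n = find_collision(bits)
        print(f"{bits}-bit: {m1!r} / {m2!r} after {n} hashes "
              f"(estimate {expected_hashes(bits):.0f})")
    print(f"2^64 hashes at 2^34/s: {years_at_rate(64, 34):.1f} years")
```

Each extra 2 bits of output doubles both the number of hashes and the size of the `seen` table, which is why the same loop is out of reach at 128 bits.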

brute force – rate limiting when users are on the same network

We develop a web application and some brute force mitigation strategies must be applied to protect our users.

Since the majority of users access the application on the same network connection, IP address blocking on too many invalid login attempts will not work.

Locking user names would work, but this can be easily abused.

We try to avoid captchas (without any particular reason), so what would be another solution?

How to detect the IP of RDP brute force

I want to know: is it possible to find the IP address of the attacker who is brute forcing RDP? For example, using netstat or any other tool.

What is the speed record for brute-force hashing in bitcoin?

I've recently read an article about this project, they have generated billions of dollars of portfolio and seem to find some used portfolios outside their wallet. Many claim that sha256 is still perfectly safe until 2060, but the power of the processor and graphics processor is still growing faster than expected (Moore's Law). If anyone is considering using a supercomputer to create a portfolio of bitcoins with brute force (many large supercomputer projects admit that breaking the encryption key was part of their goals). What is the fastest hash speed recently?