Johan Enbergs Väg 3, Stockholm, Sweden
+46-10-150 78 87 (Switch)
info@spacechain.org

Our server was hacked today again for the second time by the Russian military.

The first decentralized space agency in the world

Russian military cyber divisions hacked our website again today (the first time on 2023-03-21) in four different attacks. We have responded to their attack with the same means, which were very successful and destroyed their network and connection to the internet for more than half a day.

Russian hackers’ attacks on Swedish websites and infrastructure have exploded due to Sweden’s large military support to Ukraine and the EU’s sanctions against Russia. Sweden is also the EU’s presidency country, which makes us a target for Russian military cyber divisions.

They also left a childish message on the server: “This is revenge for arming Ukraine with your rockets.”

We could trace the connection very precisely, as it is easy to obtain information in countries like Kazakhstan.
Fake name: Zinchenko Lyubov
Address: East Kazakhstan city Altai, st. Stakhanovskaya, building 21/1

SpaceChain is particularly vulnerable due to our military support to Ukraine, where we gave away approx. 180 long-range missiles manufactured by us. We will continue our support, and another 312 missiles are under production to be sent to the front in Ukraine.

We will restore all files that have been deleted, but it will take a little time. The only thing the Russian military succeeded in doing was deleting the contents of our WordPress upload folder. (Amateurs)
Since it involves thousands of images, footage from rocket launches, and footage from our satellites, it can take up to several weeks or months before everything is back in place.

The security problem has been fixed so that something like this will not happen again. (Not because it is particularly difficult to delete the upload folder in WordPress… What amateurs…)
Nothing else on our servers was affected, and our databases are intact.

The SpaceChain network has not been affected, and its chain functions normally.

The irony of this attack was that our server automatically created a mess in their network by uploading a trojan software with malicious code payload, which crippled their network by creating random network bridges and corrupting routing tables.
As our server kept pinging the target, we knew they were cut off from the Internet for 12 hours and 42 minutes before they could neutralize our malware.
We use EW (Electronic Warfare) to protect our servers, and all kinds of attacks will be met by force. (This also goes for any authority, domestic or international, that tries to eavesdrop or hack our computers, servers, or network – we show no mercy – have in mind that we severely damaged a complete Russian military cyber division, so you better stay off our systems.)

With regards,
The CSO Team
PS. Check the advice below for protecting your server (Ubuntu server or Debian) or Linux desktop computer.

Our security team has found the IP and information about the attackers:
Our firewall is now configured to stop any more attacks on this site.
A list of all IP numbers used by attackers/hackers will be posted here on a weekly basis, so make sure to update your firewall to stop any attacks: http://www.spacechain.org/attackers.txt

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '92.47.143.208 - 92.47.143.211'

% Abuse contact for '92.47.143.208 - 92.47.143.211' is 'abuse@telecom.kz'

inetnum: 92.47.143.208 - 92.47.143.211
netname: LEGION
descr: LEGION
country: KZ
admin-c: ZL1394-RIPE
tech-c: ZL1394-RIPE
status: ASSIGNED PA
mnt-by: KNIC-MNT
created: 2020-02-21T09:22:22Z
last-modified: 2020-02-21T09:22:22Z
source: RIPE

person: Zinchenko Lyubov
address: East Kazakhstan city Altai, st. STAKHANOVSKAYA, building 21/1
phone: +7 777 2100 294
nic-hdl: ZL1394-RIPE
mnt-by: KNIC-MNT
created: 2020-02-21T09:22:22Z
last-modified: 2020-02-21T09:22:22Z
source: RIPE # Filtered

% Information related to '92.47.128.0/20AS9198'

route: 92.47.128.0/20
descr: Kazakhtelecom Data Network Administration
origin: AS9198
mnt-by: KNIC-MNT
created: 2008-10-08T08:36:29Z
last-modified: 2008-10-08T08:36:29Z
source: RIPE

% This query was served by the RIPE Database Query Service version 1.106 (SHETLAND)

We recommend this script for system administrators to detect IP addresses that try to access the server by brute force or other methods that leave failed-login entries (“Failed password for …”) in /var/log/auth.log.

Save this code as addufw.sh using nano (or whatever text editor you use).
Notice: you have to use sudo su, as the created files have to be owned by root.
Also, addufw.sh and denyip.sh need to run as root from cron.

$ sudo su
Password for user xxxxx: (type your password)
# ufw allow ssh
# ufw enable
# nano addufw.sh

#!/bin/bash
# Collect every IPv4 address that appears in a failed SSH login line (one per line, deduplicated)
grep "Failed password for" /var/log/auth.log | grep -Po "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | sort | uniq > denyip.txt
# Turn each address into a ufw deny rule inserted at position 1, ahead of the allow rules
sed -r 's/([0-9\.]+)/ufw insert 1 deny from \1/' denyip.txt > denyip.sh
rm denyip.txt
chmod +x denyip.sh

Now press CTRL+X and ENTER to save the file.

# chmod +x addufw.sh
# ./addufw.sh

You will now have an executable file called denyip.sh.
You can add both files to cron jobs, but bear in mind that the log rotates every 24 hours (on most systems), and make sure that your own IP is not among the IP addresses that are going to be blocked.

Check your IP by typing “What is my IP” in Google and then:

# nano denyip.sh

Press CTRL+W and search for your IP address.
Delete that line from the file if it is there (it may be, because you typed your password wrong before the log rotated), or you will be locked out of your server.
Press CTRL+X and then ENTER to save the file.

We have these two scripts running once every 23 hours and 58 minutes.
(It takes time to add all the IPs to the Ubuntu firewall, which is why the two-minute margin.)
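An added example (not SpaceChain's addufw.sh) that applies the same idea but addresses the two caveats above: it only lists an address after a minimum number of failed logins, it skips a space-separated allowlist so the administrator's own IP is never turned into a deny rule, and collect_logs reads the rotated auth.log.1 as well as the live log so nothing is lost at rotation time. The log lines are constructed, the function names are mine, and the commands are printed for review rather than executed, so it can be run without root and without ufw installed.

```shell
#!/bin/bash
# Added example, not the original script. Builds "ufw insert 1 deny from <ip>"
# rules from sshd "Failed password" lines, with a threshold and an allowlist.

# Constructed sample log standing in for /var/log/auth.log (documentation
# addresses only: 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).
SAMPLE_LOG='Mar 21 03:14:07 host sshd[1001]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 21 03:14:09 host sshd[1001]: Failed password for root from 203.0.113.5 port 51235 ssh2
Mar 21 03:14:11 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar 21 03:20:00 host sshd[1002]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar 21 03:21:00 host sshd[1003]: Failed password for invalid user test from 192.0.2.9 port 22222 ssh2
Mar 21 03:21:01 host sshd[1003]: Failed password for invalid user test from 192.0.2.9 port 22223 ssh2
Mar 21 03:21:02 host sshd[1003]: Failed password for invalid user test from 192.0.2.9 port 22224 ssh2
Mar 21 03:30:00 host sshd[1004]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2'

# failed_ips LOG_TEXT THRESHOLD ALLOWLIST
# Prints, one per line and sorted, each IPv4 address with at least THRESHOLD
# failed password attempts that is not in the space-separated ALLOWLIST.
failed_ips() {
    log_text=$1; threshold=$2; allow=$3
    printf '%s\n' "$log_text" \
      | grep 'Failed password for' \
      | grep -Eo 'from ([0-9]{1,3}\.){3}[0-9]{1,3}' \
      | awk '{print $2}' \
      | sort | uniq -c \
      | awk -v t="$threshold" '$1 >= t {print $2}' \
      | while read -r ip; do
            case " $allow " in
                *" $ip "*) ;;               # allowlisted (e.g. your own IP): never block
                *) printf '%s\n' "$ip" ;;
            esac
        done
}

# deny_rules LOG_TEXT THRESHOLD ALLOWLIST
# Emits the ufw commands for the operator to review and then run as root.
# "insert 1" places each deny above the allow rules so ufw matches it first.
deny_rules() {
    failed_ips "$1" "$2" "$3" | sed 's/^/ufw insert 1 deny from /'
}

# On a real host, feed both the live log and the last rotated copy into
# failed_ips/deny_rules; the paths are the Ubuntu/Debian defaults.
collect_logs() {
    cat /var/log/auth.log /var/log/auth.log.1 2>/dev/null
}

# Stand-alone run on the constructed sample: 2 or more failures, own IP excluded.
deny_rules "$SAMPLE_LOG" 2 "198.51.100.7"
```

On a live server the last line would become deny_rules "$(collect_logs)" 5 "YOUR.OWN.IP" redirected into denyip.sh, reviewed, and only then executed from the root cron job described above.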
Also remember to open ports for SSH, HTTP, HTTPS, IMAP, POP3, etc.
You can do it by typing:

# ufw allow http
# ufw allow https
# ufw allow pop3
# ufw allow imap
# ufw allow smtp
... and so on.

NOTICE: These scripts only work with Ubuntu Linux.

If you have any other ports you need to use, also add them to UFW.
For example, if you have an OpenVPN server running, type:

# ufw allow 1194/udp
# ufw allow in on tun0
# ufw allow out on tun0

Again: for other services, like web, email, FTP, and so on, don’t forget to open the ports.
DO NOT add a service rule at position 1 in the firewall: ufw evaluates rules in order, so an allow placed above the deny rules would let any IP, even a blocked one, reach that service.
