Our server was hacked again today, for the second time, by the Russian military.
Our website was hacked again today (the first time was on 2023-03-21) by Russian military cyber divisions in four different attacks. We have responded to their attack with the same means, which were very successful and destroyed their network and connection to the internet for more than half a day.
Russian hackers’ attacks on Swedish websites and infrastructure have exploded due to Sweden’s large military support to Ukraine and the EU’s sanctions against Russia. Sweden is also the EU’s presidency country, which makes us a target for Russian military cyber divisions.
They also left a very childish message on the server: “This is revenge for arming Ukraine with your rockets.”
We could trace the connection very precisely, as it is very easy to obtain information in countries like Kazakhstan.
Fake name: Zinchenko Lyubov
Address: East Kazakhstan city Altai, st. Stakhanovskaya, building 21/1
SpaceChain is particularly vulnerable due to our military support to Ukraine, where we gave away approx. 180 long-range missiles manufactured by us. We will of course continue our support and another 312 missiles are under production to be sent to the front in Ukraine.
We will restore all files that have been deleted, but it will take a little time. The only thing the Russian military succeeded in doing was deleting the contents of our WordPress upload folder. (Amateurs)
Since it involves thousands of images and footage from rocket launches and footage from our satellites, it can take up to a week before everything is back in place.
The security problem has been fixed so that something like this will not happen again. (Not because it is particularly difficult to delete the upload folder in WordPress… What amateurs…)
Nothing else on our servers is affected and our databases are intact.
The SpaceChain network has not been affected and its chain is functioning normally.
The irony in this attack was that our server automatically created a mess in their network by uploading trojan software with a malicious code payload, which crippled their network by creating random network bridges and corrupting routing tables.
As our server kept pinging the target, we are aware that they were cut off from the Internet for 12 hours and 42 minutes, before they were able to neutralize our malware.
We use EW (Electronic Warfare) in protecting our servers, and all kinds of attacks will be met with force. (This also goes for any authority, domestic or international, that tries to eavesdrop on or hack our computers, servers, or network. We show no mercy; have in mind that we severely damaged a complete Russian military cyber division, so you had better stay off our systems.)
The CSO Team
PS. Check the advice below for protecting your server (Ubuntu server or Debian) or Linux desktop computer.
Our security team has found the IP and information about the attackers:
Our firewall is now configured to stop any more attacks on this site.
A list of all IP numbers used by attackers/hackers will be posted here on weekly basis, so make sure to update your firewall to stop any attacks: http://www.spacechain.org/attackers.txt
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '18.104.22.168 - 22.214.171.124'
% Abuse contact for '126.96.36.199 - 188.8.131.52' is 'firstname.lastname@example.org'

inetnum:        184.108.40.206 - 220.127.116.11
netname:        LEGION
descr:          LEGION
country:        KZ
admin-c:        ZL1394-RIPE
tech-c:         ZL1394-RIPE
status:         ASSIGNED PA
mnt-by:         KNIC-MNT
created:        2020-02-21T09:22:22Z
last-modified:  2020-02-21T09:22:22Z
source:         RIPE

person:         Zinchenko Lyubov
address:        East Kazakhstan city Altai, st. STAKHANOVSKAYA, building 21/1
phone:          +7 777 2100 294
nic-hdl:        ZL1394-RIPE
mnt-by:         KNIC-MNT
created:        2020-02-21T09:22:22Z
last-modified:  2020-02-21T09:22:22Z
source:         RIPE # Filtered

% Information related to '18.104.22.168/20AS9198'

route:          22.214.171.124/20
descr:          Kazakhtelecom Data Network Administration
origin:         AS9198
mnt-by:         KNIC-MNT
created:        2008-10-08T08:36:29Z
last-modified:  2008-10-08T08:36:29Z
source:         RIPE

% This query was served by the RIPE Database Query Service version 1.106 (SHETLAND)
We recommend this script for system administrators for detecting IP numbers that try to access the server by brute force or other methods that leave "Failed password for" entries in /var/log/auth.log (the sshd authentication log on Ubuntu and Debian).
Save this code as addufw.sh using nano (or whatever text editor you use). Notice: you have to use sudo su, as the created files have to be owned by root. Also addufw.sh and denyip.sh need to run as root in CRON.

$ sudo su
Password for user xxxxx: (type your password)
# ufw allow ssh
# ufw enable
# nano addufw.sh

Contents of addufw.sh:

#!/bin/sh
# Work in the directory that holds this script, so denyip.sh lands next to it
# even when cron starts us with a different working directory.
cd "$(dirname "$0")" || exit 1
# Source addresses of failed SSH logins, one per line, duplicates removed.
grep "Failed password for" /var/log/auth.log | grep -Po "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | sort -u > denyip.txt
# Turn each address into "ufw insert 1 deny from <ip>" so the deny rules go in front of any allow rules.
{ echo '#!/bin/sh'; sed -r 's/([0-9\.]+)/ufw insert 1 deny from \1/' denyip.txt; } > denyip.sh
rm denyip.txt
chmod +x denyip.sh

Now press CTRL+X and ENTER to save the file.

# chmod +x addufw.sh
# ./addufw.sh
You will now have a file called denyip.sh that is executable.
You can add both files to CRON jobs, but have in mind that the log rotates (daily or weekly depending on the logrotate configuration; on Ubuntu and Debian see /etc/logrotate.d/rsyslog), so addresses that only appear in a rotated log will not be picked up, and make sure that your own IP is not among the IP numbers that are going to be blocked.
Check your IP by typing "What is my IP" into Google and then:

# nano denyip.sh

Press CTRL+W and search for your IP number.

Delete that line from the file if it is there (for example because you typed your password wrong before the log was rotated), or you will be locked out of your server.
Press CTRL+X and then ENTER to save the file.
We have these two scripts running once every 23 hours and 58 minutes.

(Adding all the IPs to the Ubuntu firewall takes time, which is why we leave a two-minute margin.)
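A more selective version of the same idea, added here as an example (it is not the addufw.sh above and not SpaceChain's code): it counts failures per source address, skips a whitelist so the administrator's own address can never end up in a deny rule, only emits a rule for addresses at or above a threshold, and accepts several log files so a rotated auth.log.1 can be included. The log lines are constructed for the example, and the addresses are documentation placeholders, not the attacker addresses from the whois output.

```shell
#!/bin/sh
# Added example, not the original addufw.sh. Counts sshd "Failed password for"
# lines per source address, drops whitelisted addresses, and prints the ufw
# commands for everything above a threshold. Only IPv4 sources are handled.

# Constructed sample log; the addresses are RFC 5737 documentation ranges.
SAMPLE_LOG='Mar 21 10:01:02 web sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 21 10:01:05 web sshd[1234]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 21 10:01:09 web sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 51250 ssh2
Mar 21 10:02:11 web sshd[1240]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Mar 21 10:05:00 web sshd[1250]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2
Mar 21 10:07:30 web sshd[1260]: Failed password for ubuntu from 192.0.2.55 port 22222 ssh2
Mar 21 10:07:31 web sshd[1260]: Failed password for ubuntu from 192.0.2.55 port 22223 ssh2
Mar 21 10:07:33 web sshd[1261]: Failed password for ubuntu from 192.0.2.55 port 22224 ssh2
Mar 21 10:08:00 web sshd[1270]: Failed password for invalid user test from 203.0.113.7 port 51300 ssh2'

LOGFILE=$(mktemp)
trap 'rm -f "$LOGFILE"' EXIT
printf '%s\n' "$SAMPLE_LOG" > "$LOGFILE"

# failed_ips THRESHOLD "WHITELIST..." LOGFILE...
#   Prints "count ip" for every source address with at least THRESHOLD
#   failed password attempts across all LOGFILEs, excluding any address
#   listed in the space-separated WHITELIST (your own admin address).
failed_ips() {
    threshold=$1
    whitelist=$2
    shift 2
    grep -h 'Failed password for' "$@" \
      | grep -Eo 'from ([0-9]{1,3}\.){3}[0-9]{1,3}' \
      | awk '{print $2}' \
      | sort | uniq -c \
      | awk -v t="$threshold" -v wl=" $whitelist " \
            '$1 >= t && index(wl, " " $2 " ") == 0 {print $1, $2}'
}

# deny_commands THRESHOLD "WHITELIST..." LOGFILE...
#   Same selection as failed_ips, rendered as the ufw commands to run.
#   "insert 1" keeps the deny rules in front of any allow rules.
deny_commands() {
    failed_ips "$@" | awk '{print "ufw insert 1 deny from " $2}'
}

# Demo: block sources with two or more failures, never block 198.51.100.20.
deny_commands 2 "198.51.100.20" "$LOGFILE"
```

On a real server the last line becomes `deny_commands 3 "<your IP>" /var/log/auth.log.1 /var/log/auth.log | sh`, run from cron as root; review the output once without the `| sh` before trusting it.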
Also remember to open ports for SSH, HTTP, HTTPS, IMAP, POP3, etc.
You can do it by typing:
# ufw allow http
# ufw allow https
# ufw allow pop3
# ufw allow imap
# ufw allow smtp

... and so on.
NOTICE: These scripts assume ufw and sshd logging to /var/log/auth.log, i.e. Ubuntu Linux (or Debian with ufw installed).
If you have any other ports you need to use, also add them to the UFW.
For example, if you have an OpenVPN server running, type:
# ufw allow 1194/udp
# ufw allow in on tun0
# ufw allow out on tun0
Again: for other services, like web, email, FTP, and so on, do not forget to open the ports.
DO NOT insert a service rule at position 1 in the firewall (ufw insert 1 allow ...). ufw evaluates rules in order, so an allow rule placed before the deny rules would let any IP, even a blocked one, reach that service. Add services with plain "ufw allow", which appends them after the deny rules.