国内近期针对微软账户 Hotmail 进行扫号操作

9 天前
 huangxiao123

原由:昨天晚上的时候,发现微软的 Authenticator 弹出了个莫名其妙的认证请求,一开始疑惑是谁在登录,并且开始回想起本人平常有没有泄露账户,经排查,没泄露过该账户出去,该账户只用于微软家族的产品登录,没用于其他地方,疑似是通过 csrf /数据泄露获取到邮箱号

通过 https://account.live.com/Activity 进行排查,发现两个 IP 登录操作,如下

whois 信息如下

% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '114.96.0.0 - 114.103.255.255'

% Abuse contact for '114.96.0.0 - 114.103.255.255' is 'anti-spam@chinatelecom.cn'

inetnum:        114.96.0.0 - 114.103.255.255
netname:        CHINANET-AH
descr:          CHINANET Anhui PROVINCE NETWORK
descr:          China Telecom
descr:          No.31,jingrong street
descr:          Beijing 100032
country:        CN
admin-c:        JW89-AP
tech-c:         JW89-AP
abuse-c:        AC1573-AP
status:         ALLOCATED PORTABLE
remarks:        service provider
remarks:        --------------------------------------------------------
remarks:        To report network abuse, please contact mnt-irt
remarks:        For troubleshooting, please contact tech-c and admin-c
remarks:        Report invalid contact via www.apnic.net/invalidcontact
remarks:        --------------------------------------------------------
mnt-by:         APNIC-HM
mnt-lower:      MAINT-CHINANET-AH
mnt-routes:     MAINT-CHINANET-AH
mnt-irt:        IRT-CHINANET-CN
last-modified:  2021-06-15T08:06:13Z
source:         APNIC

irt:            IRT-CHINANET-CN
address:        No.31 ,jingrong street,beijing
address:        100032
e-mail:         anti-spam@chinatelecom.cn
abuse-mailbox:  anti-spam@chinatelecom.cn
admin-c:        CH93-AP
tech-c:         CH93-AP
auth:           # Filtered
remarks:        anti-spam@chinatelecom.cn was validated on 2024-04-15
mnt-by:         MAINT-CHINANET
last-modified:  2024-04-15T01:54:23Z
source:         APNIC

role:           ABUSE CHINANETCN
address:        No.31 ,jingrong street,beijing
address:        100032
country:        ZZ
phone:          +000000000
e-mail:         anti-spam@chinatelecom.cn
admin-c:        CH93-AP
tech-c:         CH93-AP
nic-hdl:        AC1573-AP
remarks:        Generated from irt object IRT-CHINANET-CN
remarks:        anti-spam@chinatelecom.cn was validated on 2024-04-15
abuse-mailbox:  anti-spam@chinatelecom.cn
mnt-by:         APNIC-ABUSE
last-modified:  2024-04-15T01:55:05Z
source:         APNIC

person:         Jinneng Wang
address:        17/F, Postal Building No.120 Changjiang
address:        Middle Road, Hefei, Anhui, China
country:        CN
phone:          +86-551-2659073
fax-no:         +86-551-2659287
e-mail:         ahdata@189.cn
nic-hdl:        JW89-AP
mnt-by:         MAINT-CHINANET-AH
last-modified:  2014-02-21T01:19:43Z
source:         APNIC

% This query was served by the APNIC Whois Service version 1.88.25 (WHOIS-JP3)

% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '111.126.0.0 - 111.127.255.255'

% Abuse contact for '111.126.0.0 - 111.127.255.255' is 'anti-spam@chinatelecom.cn'

inetnum:        111.126.0.0 - 111.127.255.255
netname:        CHINANET-NM
descr:          CHINANET NeiMengGu province network
descr:          Data Communication Division
descr:          China Telecom
descr:          No.31,jingrong street
descr:          Beijing 100032
country:        CN
admin-c:        CH93-AP
tech-c:         CH93-AP
abuse-c:        AC1573-AP
status:         ALLOCATED PORTABLE
remarks:        service provider
remarks:        --------------------------------------------------------
remarks:        To report network abuse, please contact mnt-irt
remarks:        For troubleshooting, please contact tech-c and admin-c
remarks:        Report invalid contact via www.apnic.net/invalidcontact
remarks:        --------------------------------------------------------
notify:         cyg@nmgtele.com
mnt-by:         APNIC-HM
mnt-lower:      MAINT-CHINANET-NM
mnt-routes:     MAINT-CHINANET-NM
mnt-irt:        IRT-CHINANET-CN
last-modified:  2021-06-15T08:05:56Z
source:         APNIC

irt:            IRT-CHINANET-CN
address:        No.31 ,jingrong street,beijing
address:        100032
e-mail:         anti-spam@chinatelecom.cn
abuse-mailbox:  anti-spam@chinatelecom.cn
admin-c:        CH93-AP
tech-c:         CH93-AP
auth:           # Filtered
remarks:        anti-spam@chinatelecom.cn was validated on 2024-04-15
mnt-by:         MAINT-CHINANET
last-modified:  2024-04-15T01:54:23Z
source:         APNIC

role:           ABUSE CHINANETCN
address:        No.31 ,jingrong street,beijing
address:        100032
country:        ZZ
phone:          +000000000
e-mail:         anti-spam@chinatelecom.cn
admin-c:        CH93-AP
tech-c:         CH93-AP
nic-hdl:        AC1573-AP
remarks:        Generated from irt object IRT-CHINANET-CN
remarks:        anti-spam@chinatelecom.cn was validated on 2024-04-15
abuse-mailbox:  anti-spam@chinatelecom.cn
mnt-by:         APNIC-ABUSE
last-modified:  2024-04-15T01:55:05Z
source:         APNIC

person:         Chinanet Hostmaster
nic-hdl:        CH93-AP
e-mail:         anti-spam@chinatelecom.cn
address:        No.31 ,jingrong street,beijing
address:        100032
phone:          +86-10-58501724
fax-no:         +86-10-58501724
country:        CN
mnt-by:         MAINT-CHINANET
last-modified:  2022-02-28T06:53:44Z
source:         APNIC

% This query was served by the APNIC Whois Service version 1.88.25 (WHOIS-JP3)

使用 https://ip.sy/查询的地理位置如下

ASN 均为: AS4134

微步:

腾讯威胁平台:

查询总结:

111.127.50.125 对应 ICP:

两者 IP 只开了 53 TCP + 1041 TCP

疑似是一伙人,不知各位 V 友怎么看待,疑似是国内某个扫号团伙拿到了微软泄露的数据库进行批量登录验证爆破

10975 次点击
所在节点    信息安全
140 条回复
huangxiao123
9 天前
@165924 不知道 LOL ,也有可能
huangxiao123
9 天前
@qlee1122 我这目前三个,中间那个 HongKong ASR 是我之外,其他全是爆破

https://imgur.com/uoaB3mo
Yadomin
9 天前
虽然没有登录成功,但是不是密码确实泄露了,被 2FA 拦住了,有点害怕😰

Protocol: IMAP
IP: 116.22.0.37
Account alias:
xxxxxxx@outlook.com
Time: 6/21/2024 3:12 PM
Approximate location: China
Type: Unsuccessful sync
bluetree2039
9 天前
我看了我的 msn 账户,
从 5 月 21 号开始,就全球好多国家登录失败。 密码错误
这是最早的记录:

设备/平台
Windows
浏览器/应用
Internet Explorer
IP 地址
194.32.120.86
bluetree2039
9 天前
@shinsekai 我和你一样
ST0RMTR00PER
9 天前
我也收到了,以为自己帐号泄露了,但是我是无密码帐号。
huangxiao123
9 天前
我寻思攻击者是不是找到从微软账户后台下发命令到使用微软账户主机的方法?为什么日期都集中在最近?
Andim
9 天前
我也看了下,从 5 月开始到现在一直持续

Nasei
9 天前
不是密码泄漏,因为登录失败原因是密码错误,我这从 5 月份或者更早就有了(因为登录记录只有最近一个月),我也没有绑验证器之类的东西
huangxiao123
9 天前
现在可以确定的是,攻击者有一份准确的账户列表,但其数据来源未知,也不知道是否包含密码,用大量的 IP 去爆破,可能是僵尸网络
xiaozecn
9 天前
这种,好几年了,一直有。
aitianci
9 天前
@Andim #28 我跟你一样,全世界人都在破解我这个小破邮箱😂
huangxiao123
9 天前
这个 IP:194.32.120.86 ,在微步上捕获的数据包,在打 CVE-2017-9841 的 EXP

https://imgur.com/3FqDuj8
huangxiao123
9 天前
@xiaozecn #31 感谢补充信息,但是本人是自从昨天才开始收到这样的信息
huangxiao123
9 天前
@huangxiao123 #33 估计是,打 EXP ,然后用 agent 端控制,下发爆破任务
haodingzan
9 天前
看了一下,我有一个 6 月 3 日,180.127.241.59 的登录失败记录,密码错误。使用的登录别名一直以来都是专用于邮箱客户端的。
bobryjosin
9 天前
我这好像没有国内的登陆请求,有几个厄瓜多秘鲁巴西的请求,也是 n 年前的别名了,不过我已经开无密码账户,登陆也是优先用 yubikey 登陆,炸就炸吧😂
ztjal
9 天前
巨硬就不会自动封一下这些重试次数超多的 IP 吗
huangxiao123
9 天前
@ztjal #38 这就是为什么会有大量 IP 去爆破
SayHelloHi
9 天前
前几天 发现账号登录 微软验证 App 弹出了验证消息

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/1051891

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX