01/10/12

SCADA System Open to Google Search

gAtO tHiNk - SCADA systems are going to get hit this year. Why, you ask? gAtO was chasing a mouse and found these misconfigured sites that, with a little know-how, could mean a bad day for some people.

A friend asked: http://115.248.75.73/rtu.aspx

You don't want to peek and poke in a SCADA system; we need a place to report these open SCADA systems when we find them in the wild, so the government can make sure they get fixed by the companies. It's their responsibility to keep these systems SECURE.

gAtO, can you explain what confirmed that this is a SCADA system? This looks more like a misconfigured web server at first glance. Haven't gone deeper yet.

gAtO sAyS: a "misconfigured web server" is the skeleton key to any SCADA hack. Once opened, we looked at the source code as to why this page was out in the wild. There are a few more from my first sweep; this is one that I found interesting. I contacted them about 3 months ago and told them what I found, and they have not answered. A very passive scan will show "ports" that are open; a more aggressive scan will show more, but I don't want to go there, unless I'm paid that is.

So now we have source code with the directory structure of the website. The JavaScript can be downloaded and studied for problems. http://119.226.250.66/ and other sites pop up; this one is a login for secure stuff and not even HTTPS. How many more server IPs will I find? What OS do they have, what version, what web app server (ASP error pages show a lot of information; on some, Apache on Linux (CentOS, used in the Stratfor and Duqu hacks; buggy/insecure maybe)), what version, and have the patches been applied? I could go on and on. The few I have found are in India and the States so far, and Indian companies overseas copying the flawed open model for their overseas customers (Bali). As to RTUs and stuff & thingies that go pop in the night, I think I'll keep that information private; I hope you understand.
These are some of the things I saw without going into greater detail. It's amusing what a web browser and a translate button can do. Misconfigured web servers are a big problem everywhere.

gAtO tried to contact these people but they did not answer, so I hope this is just a lot of dumb stuff and it does not matter. gAtO will not go any deeper because that would mean I am a hacker and I do not have permission to do this. Any good security person will tell you this is not good practice. Below are gAtO's notebook logs from this research; some information is good, some mAyBe good. gAtO oUt
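Everything gAtO says he saw from a browser alone (a login form with no HTTPS, ASP error pages that leak versions, the server banner, a link to a 10.x address that was copied from an internal page, and the recognisable HMI paths in the notebook below) can be checked against a response you have already saved, without touching the host again. The script below is an added example written for this page; it is not gAtO's code and not any vendor's tooling. The Broadwin WebAccess and Citect path patterns come from the notebook below; the mapping of `ord?station:` and `.px` URLs to a Tridium Niagara station is my own assumption, and the hosts, headers and bodies are constructed (reserved `.example` names, not the notebook's addresses).

```python
import ipaddress
import re
from urllib.parse import urlsplit

# URL fragments that mark browser-based HMI front ends.  Broadwin WebAccess
# (/broadWeb/bwview.htm) and the /citect/ client appear in the notebook; the
# Tridium Niagara mapping for "ord?station:" / ".px" URLs is my own assumption.
HMI_PATH_SIGNATURES = [
    (re.compile(r"/broadweb/", re.I), "Broadwin WebAccess"),
    (re.compile(r"/citect/", re.I), "Citect web client"),
    (re.compile(r"/ord\?(station:|file:)|\.px$", re.I), "Tridium Niagara station (assumed)"),
    (re.compile(r"/web-scada/", re.I), "web SCADA admin console"),
    (re.compile(r"/rtu\.aspx$", re.I), "RTU status page"),
]

PASSWORD_INPUT = re.compile(r"<input[^>]*type\s*=\s*['\"]?password", re.I)
ASPNET_ERROR = re.compile(r"Server Error in '.*?' Application|Stack Trace:", re.I)
VERSIONED_SERVER = re.compile(r"^[A-Za-z-]+/\d")  # Apache/2.2.3, Microsoft-IIS/6.0, ...


def parse_http_response(raw: str):
    """Split a raw HTTP/1.x response into (status_code, headers, body); header
    names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_code = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_code, headers, body


def triage(url: str, raw_response: str):
    """Passive review of one already-saved response. Returns [(code, detail), ...]
    in a fixed order: private address, HMI signature, cleartext login, version
    disclosure, verbose error page."""
    parts = urlsplit(url)
    status, headers, body = parse_http_response(raw_response)
    findings = []

    # A private address cannot be the Internet-facing host; the link was most
    # likely copied from an internal page (the notebook lists http://10.6.1.50).
    try:
        if ipaddress.ip_address(parts.hostname).is_private:
            findings.append(("private_address", parts.hostname))
    except ValueError:
        pass  # a hostname rather than a literal IP

    target = parts.path + ("?" + parts.query if parts.query else "")
    for pattern, product in HMI_PATH_SIGNATURES:
        if pattern.search(target):
            findings.append(("hmi_front_end", product))
            break

    # A password field on a plain-http page: credentials cross the wire in clear.
    if parts.scheme == "http" and PASSWORD_INPUT.search(body):
        findings.append(("cleartext_login", "password field served without TLS"))

    server = headers.get("server", "")
    if VERSIONED_SERVER.match(server):
        findings.append(("version_disclosure", f"Server: {server}"))
    for name in ("x-powered-by", "x-aspnet-version"):
        if name in headers:
            findings.append(("version_disclosure", f"{name}: {headers[name]}"))

    # 5xx or an ASP.NET "yellow screen" body: the error page itself is the leak.
    if status >= 500 or ASPNET_ERROR.search(body):
        findings.append(("verbose_error_page", f"HTTP {status}"))

    return findings


def finding_codes(findings):
    return [code for code, _ in findings]


# Constructed sample responses (written for this example, not captured anywhere).
SAMPLE_WEBACCESS = (
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nX-Powered-By: ASP.NET\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><form method='post' action='login.asp'>"
    "<input type='text' name='user'><input type='password' name='pwd'></form></html>"
)
SAMPLE_ASPNET_ERROR = (
    "HTTP/1.1 500 Internal Server Error\r\nServer: Microsoft-IIS/6.0\r\n"
    "X-AspNet-Version: 2.0.50727\r\nContent-Type: text/html\r\n\r\n"
    "<html><h1>Server Error in '/' Application.</h1><b>Stack Trace:</b></html>"
)
SAMPLE_PLAIN = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>status</html>"

if __name__ == "__main__":
    for url, raw in [("http://hmi.example/broadWeb/bwview.htm", SAMPLE_WEBACCESS),
                     ("http://rtu.example/rtu.aspx", SAMPLE_ASPNET_ERROR),
                     ("http://10.6.1.50/", SAMPLE_PLAIN)]:
        print(url, triage(url, raw))
```

The point of keeping this purely passive is the one gAtO makes himself: reading a page you were served and its headers is observation, while probing further without permission is not. Feed it the responses you already have and it tells you which of the notebook's findings (cleartext login, version banner, verbose error page, recognisable HMI path) apply to each.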

Lab Notes:

Updated Jan 21, 2012

Bad One - misconfigured sites:

  1. http://115.248.75.73/rtu.aspx
  2. http://scada.pln-jawa-bali.co.id/outofpoll.php
  3. http://bops.pln-jawa-bali.co.id/
  4. http://10.6.1.50
  5. http://scada.pln-jawa-bali.co.id/statusts.php
  6. http://80.81.127.209/citect/ (80.81.127.209:80)
  7. http://81.233.151.96/
  8. http://88.112.77.67/
  9. http://87.94.167.4/
  10. http://87.94.167.5/
  11. http://192.89.118.200
  12. http://217.30.178.82/
  13. http://84.249.121.239/ord?station:|slot:/P$e4$e4valikko
  14. http://132.181.40.6/index.cgi
  15. http://129.79.153.212/index.cgi
  16. http://155.185.12.221/index.cgi
  17. http://155.185.12.221/
  18. http://85.112.163.200/
  19. http://213.201.177.254/
  20. http://64.131.88.166
  21. http://221.115.238.179/
  22. http://62.145.177.187/secure/ltx_conf.htm
  23. http://174.122.136.226/~tsoepcg/WEB-SCADA/admin/index.php

  1. The city of South Houston has a really insecure system. Wanna see? I know ya do.
  2. http://i41.tinypic.com/ip0aa0.png
  3. http://i42.tinypic.com/eun021.png
  4. http://i42.tinypic.com/1znptuu.png
  5. http://i41.tinypic.com/2m6o0au.png
  6. http://i40.tinypic.com/k386ep.png
  7. http://www.mediafire.com/file/38m3pvwrc8ckh7s/HMI.zip
  8. http://134.30.92.26
  9. http://77.241.236.100/
  10. http://84.35.1.26/
  11. http://62.132.140.68/
  12. http://86.86.170.62/
  13. http://81.70.183.50/
  14. http://90.145.71.18/
  15. http://77.170.9.159/
  16. http://87.195.149.111/
  17. http://213.84.82.128/
  18. http://213.125.69.122/
  19. http://92.65.96.170/
  20. http://188.203.145.174/
  21. http://82.92.163.7/
  22. http://92.68.26.162/
  23. http://213.197.61.146/
  24. http://213.84.223.82/
  25. http://80.126.161.66/
  26. http://188.201.63.161/
  27. http://31.160.203.190/
  28. http://31.160.203.188/
  29. http://213.84.82.144/
  30. http://92.67.47.42/
  31. http://81.205.168.234/
  32. http://188.204.125.49/
  33. http://194.89.33.245/
  34. http://173.247.17.72 12
  35. http://87.195.111.115/Infra-web/Login/Login.aspx?ReturnUrl=%2finfra-web%2fDefault.aspx
  36. http://77.170.59.44/
  37. http://217.120.152.182/
  38. http://212.142.22.198/
  39. http://129.125.15.55/
  40. http://62.163.194.70
  41. http://188.200.74.43
  42. http://130.161.143.224/
  43. http://87.195.111.115/
  44. http://178.85.43.105/
  45. http://212.199.70.171/login.php
  46. http://188.64.203.242/login.asp
  47. http://212.235.109.200
  48. http://212.235.68.46/login
  49. http://77.127.51.131/admingui/login.html
  50. http://194.150.219.139/console/login.asp
  51. http://81.218.96.38/login
  52. http://212.199.41.148/Templates/Admin/login.aspx
  53. http://80.250.154.152/login.asp
  54. http://192.116.222.44
  55. http://81.137.8.170/file/px/Honeywell%20House%20Metering.px
  56. http://165.154.50.20/ord?station:|slot:/HOME
  57. http://173.181.202.83/ord?station:|slot:/HOME
  58. http://219.90.201.244/ord?station:|slot:/Drivers/HOME$20PAGE
  59. http://124.178.246.152/ord?station:|slot:/Home$20Page
  60. http://203.122.195.160/ord?station:|slot:/Guest
  61. http://81.149.155.83/ord?file:^px/Welcome.px
  62. http://81.149.206.150/ord?file:^px/energysummation1.px
  63. http://81.94.198.175/file/px/Chillers.px
  64. http://81.136.189.235/ord?file:^px/Welcome.px
  65. http://85.189.244.242/file/Graphics/Px/Guest.px
  66. http://188.205.196.6/ord?station:|slot:/MS01|view:MS01hx
  67. http://206.47.97.8/ord?station:|slot:/HOME
  68. http://208.80.99.243/ord?station:|slot:/HOME

Keeping Access

TCP/IP MODBUS  ethernet.industrial-networking.com/articles/i15security.asp

Traditionally network and security folks have focused virtually all our attention on the “enterprise” side of the network, ignoring the parallel “hidden” half of the network associated with process control systems and embedded systems.

Process control systems and embedded systems use different protocols, different jargon, and no one ever really mentioned them. They were out of sight and out of mind, and “handled” by hardware guys.

port 502/tcp -MODBUS/TCP

http://scadahoneynet.sourceforge.net

www.ethereal.com

SCADA Security Research Opportunities

http://www.instrument-middleware.org

120.124.6.25/broadWeb/bwview.htm


broadwin.com/

Broadwin WebAccess is web browser based HMI and SCADA software for industrial Automation. View and Control in Real-time using an ordinary Web browser.

http://120.124.6.25/broadWeb/

SCADA traffic will be on just one port such as 502/tcp (e.g., Modbus/TCP). This is both good and bad. The use of a single port (or just a couple of
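The sentence above stops short, but the point it sets up is that a Modbus/TCP session carries everything over one port, so anything watching 502/tcp that understands the 7-byte MBAP header (transaction id, protocol id 0, length, unit id) and the function code that follows it can tell a read from a write and a normal reply from an exception. The following is an added example written for this page, not code from the linked article or from the original post: it builds and parses Modbus/TCP frames and flags write/diagnostic function codes, exception responses and peers outside an allow-list. The frames, the 10.0.0.x master and PLC and the 203.0.113.9 outsider are all constructed for the example.

```python
import struct
from dataclasses import dataclass

MODBUS_TCP_PORT = 502

# Function codes that change controller state; one of these from an unexpected
# source is the first thing to look at in a capture.
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x08: "Diagnostics",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}
READ_FUNCTION_CODES = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
}


@dataclass
class ModbusADU:
    transaction_id: int
    unit_id: int
    function_code: int   # raw value; bit 0x80 set marks an exception response
    data: bytes

    @property
    def is_exception(self) -> bool:
        return bool(self.function_code & 0x80)


def build_adu(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Prepend the 7-byte MBAP header: TID, protocol id 0, length (unit id + PDU), unit id."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def read_holding_registers(transaction_id, unit_id, start, quantity) -> bytes:
    return build_adu(transaction_id, unit_id, struct.pack(">BHH", 0x03, start, quantity))


def write_single_register(transaction_id, unit_id, address, value) -> bytes:
    return build_adu(transaction_id, unit_id, struct.pack(">BHH", 0x06, address, value))


def parse_adu(frame: bytes) -> ModbusADU:
    """Validate the MBAP header and split off the PDU; raises ValueError on junk."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} disagrees with frame ({len(frame) - 6})")
    return ModbusADU(tid, uid, frame[7], frame[8:])


def classify(frame: bytes, src_ip: str, allowed_hosts: set) -> list:
    """Findings for one frame seen on 502/tcp, sent by src_ip."""
    try:
        adu = parse_adu(frame)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    fc = adu.function_code & 0x7F
    findings = []
    if adu.is_exception:
        code = adu.data[0] if adu.data else None
        findings.append(f"exception response to FC {fc:#04x}, exception code {code}")
    if fc in WRITE_FUNCTION_CODES:
        findings.append(f"write/diagnostic: {WRITE_FUNCTION_CODES[fc]} from {src_ip}")
    if src_ip not in allowed_hosts:
        findings.append(f"unexpected host {src_ip}")
    if not findings:
        findings.append(f"read: {READ_FUNCTION_CODES.get(fc, f'FC {fc:#04x}')}")
    return findings


# Constructed sample traffic (not a real capture): 10.0.0.5 is the HMI/master,
# 10.0.0.20 the PLC, 203.0.113.9 an outsider writing a setpoint.
ALLOWED_HOSTS = {"10.0.0.5", "10.0.0.20"}
SAMPLE_FRAMES = [
    ("10.0.0.5", read_holding_registers(1, 1, 0, 10)),
    ("203.0.113.9", write_single_register(2, 1, 40, 0)),
    ("10.0.0.20", bytes.fromhex("000300000003018302")),   # FC 0x83: exception 02, illegal data address
]

if __name__ == "__main__":
    for src, frame in SAMPLE_FRAMES:
        print(src, frame.hex(), classify(frame, src, ALLOWED_HOSTS))
```

Because the protocol has no authentication, the allow-list of hosts and the read/write split are the only signals a passive monitor has; the length check in `parse_adu` matters too, since a frame whose MBAP length disagrees with its size is either junk or something probing the stack.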

http://www.robtex.com/dns/rtu.asia.html#records

http://my.epri.com/portal/server.pt?

http://www.pikeresearch.com/research/smart-grid/smart-grid-security

http://blog.tenablesecurity.com/2006/12/nessus_3_scada_.html

http://115.248.75.73/

San Francisco

http://209.130.196.15/water1.htm

San Francisco Water RTU 12

San Francisco Water. Pump Station 12. Rate -Pump 1. Rate -Pump 2. Tank Level. RTU Status. Pump Control /Alarms. MBP Statistics · RTU Home Page.

China :

http://www.echocontrol.com/en_typical/253.asp

RTUs on the remote (radio) station side, PLC / DCS in the control room, and fiber between the two.

The largest or most complex systems differ from sector to sector; here is a typical example of a SCADA system:

A desert oilfield SCADA system, covering everything from the secondary instruments through to the oil-extraction plant control room, completed with one company's products.

The project is located in the eastern Junggar Basin, Xinjiang, 80 km into the Gurbantünggüt Desert, with sand cover 200 m to 300 m thick and an annual temperature range of -45 °C to 42 °C; the surface temperature of the working platform reaches 60 °C. The field is 16 km long and 8 km wide. There are about 17,200 I/O points, two control rooms, 34 PLC stations, one DCS station and 478 RTU stations.

This should be the most typical one. Some systems have a thousand or more nodes, but fewer I/O points.

  # RSpec controller spec (Rails): seeds three organizations tagged with the GIS,
  # Wireless and SCADA domains, then checks that a keyword search returns them.
  it "should search all" do
    industry = Industry.create(:name => 'Pickle')
    country  = Country.create(:name => 'Coffee')
    gis      = Domain.find_by_name('GIS')
    wireless = Domain.find_by_name('Wireless')
    scada    = Domain.find_by_name('SCADA')
    tag = Tag.create(:name => 'zomg!!!!')
    @org1 = Organization.create(:name => 'foo org', :domains => [gis, wireless, scada], :industry => industry, :country => country, :tags => [tag])
    @org2 = Organization.create(:name => 'foo two', :domains => [gis, wireless, scada], :industry => industry, :country => country, :tags => [tag])
    @org3 = Organization.create(:name => 'foo xxx', :domains => [gis, wireless, scada], :industry => industry, :country => country, :tags => [tag])
    @org1.should be_valid
    @org2.should be_valid
    @org3.should be_valid
    results = {:organizations => [@org1, @org2, @org3]}
    params = { :keywords => "foo", :domains => [gis.id, scada.id, wireless.id], :models => ["organization"] }
    put "create", params
    response.should render_template(:create)
    flash[:notice_organizations].should_not == "No Corporation Found"
  end

port number is 6722

www.broadwin.com.tw/…/WebAccess_ … (PDF)

<GOTO>URL=http://192.168.200.220/broadweb/bwview.htm
<GOTO>URL=http://192.168.200.220/broadweb/bwview.htm#proj=AHC2001

"SCADA and Industrial Automation Security," http://www.scadasec.net/

"SCADA Security Blog," http://www.digitalbond.com/SCADA_Blog/SCADA_blog.htm

"SCADA Gospel Archives (edited archives of the SCADA mailing list)," http://members.iinet.net.au/~ianw/archive/book1.htm

"21 Steps to Improve the Cyber Security of SCADA Networks," http://www.ea.doe.gov/pdfs/21stepsbooklet.pdf

"Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems," http://www.gao.gov/new.items/d04354.pdf

"Myths and Facts Behind Cyber Security of Industrial Controls," http://www.pimaweb.org/conferences/april2003/MythsAndFactsBehindCyberSecurity.pdf

Cisco's "Integrating IT and Control System Security," http://www.scadasec.net/local/37

modbus.org

Protocols:

Ethernet, TCP/IP, Windows, RPC, SMB, 802.11b, HTTP/HTTPS, ASCII, Unix/Linux/Solaris, TFTP, SQL, OPC, PLC, RTU, Modbus, IEC 60870, ICCP, HMI/MMI, S5/S7, Fieldbus, IED, TASE.2

ANSI X3.28, BBC 7200, CDC Types 1 and 2, Conitel 2020/2000/3000, DCP 1, DNP 3.0, Gedac 7020, ICCP, Landis & Gyr 8979, Modbus, OPC, ControlNet, DeviceNet, DH+, ProfiBus, Tejas 3 and 5, TRW 9550, UCA

OPC-DA, OPC-DX, OPC-A&E, OPC-HDA

SCADA & CS Components

• Sensors and Field Devices
• RTU – Remote Terminal Unit or Remote Telemetry Unit
• IED – Intelligent Electronic Device
• PLC – Programmable Logic Controller
• FEP / Protocol Pre-processor – Front End Processor
• HMI / Operator Console – Human Machine Interface
• PCS – Process Control System
• DCS – Distributed Control System
• SCADA – Supervisory Control and Data Acquisition
• EMS – Energy Management System

http://www.elp.com/index.html

From Stephen Scott Wright – presentation "Critical Infrastructure attacks", that was part of an old presentation I put together titled "Today was forty years in the making.." Note – this is not by any means all of them.

1. Foreign intelligence service inserts malicious software into the Siberian pipeline SCADA system and causes an explosion with an estimated 3 kiloton yield.
2. Former Chevron employee disabled their alert system in 22 states.
3. Hacker breaks into Roosevelt Dam SCADA flood system.
4. Teenager hacks into NYNEX and cuts off Worcester airport for 6 hours, affecting ground and air communications.
5. Bellingham, WA gasoline pipeline SCADA failure resulting in 3 deaths.
6. Hackers gain control of GAZPROM natural gas pipeline.
7. Insider attack on sewage SCADA in Australia results in 1 million gallons of raw sewage being released.
8. USA Northeast power system blackout believed to be caused by SCADA attack.
9. CSX train signaling system attacked by Sobig virus.
10. Auto plants attacked by Zotob worm.
11. Unit 3 Browns Ferry nuclear plant shut down due to cyber incident.
12. Insider attacks California canal SCADA system.
13. Hatch Nuclear Plant emergency shutdown due to cyber incident.
14. DC Metro crash due to ATP failure – NTSB cites "parasitic oscillations and unintended signal paths".
15. Insider attack on US hospital SCADA system.

10/20/11

U.S Needs to Change at Cyber Speed

In the last week so far, hackers hit the NYSE (New York Stock Exchange), and hackers hit unmanned drones flying covert and military operations around the world. The U.S. is still on hold. Why? Because we need to know the legality of retaliation against a cyber attack on another country. You can bet your booties that the U.S. has some pretty strong cyber weapons, but when can they be used? If we use our new cyber weapons the others will see them, and they can learn how to avoid them or plan around them. Just like with conventional weapons, we keep the good stuff locked away until the day we need it. But other countries are watching us, so if we launch an attack like the one we planned in Syria, then others can do the same. By others I mean China, Russia, Iran and India. Why include India in this mix? Because India is unlike China but the same. India has a wealth of top-notch brain power. India is now emerging as a powerhouse in the cyber world. In some instances they are just elementary, like a power station with all its controls hooked up and accessible via a simple Google search.

Virus coming to a Computer near you

India is a great nation, but it still has masses of people living in a third-world setting while others enjoy 21st-century living. Side by side you have a middle-class home next to a shanty town, and that cannot stay that way forever. India is a powerful cyber center of the world. It started with call centers and it has evolved, with new companies doing more and more innovation in the cyber arena. China is hitting India left and right for a reason. China has some personal reasons for attacking countries like Taiwan, but India is just for the technology that they have. More and more cyber experts are coming out of India than ever before. All it takes is one good computer researcher to start the attacks going and then blame whomever you want.

The U.S. needs to stop this slow pace of change and adapt to the cyber realm; swift change is the only thing that can save America in cyberspace.
