Examining Logs

aftermath

Intelligence advisory (like parental advisory)
This post is for the intellectually mature!
This is in no way condoning hacking but Strongly encourages the hardening of perimeters against attack!
Managers/admins of networks are encouraged to approach the owners of managed networks and stress the benefits of dynamic security appliances to protect websites and systems of interest, and, in the experience of this individual, would also strongly suggest that ANY IP on a solid business network will be targeted!

It is recommended that abuse@Host/ISP is contacted as are the IP Block list providers which record abuse.
Together we can build a safer web!

There are no reasons for any remote IP to connect to me; I no longer host any service!

As should be known I run a honey pot, or two :) as should any "Security Expert"

I have an IDS and a hardened firewall between me and my honey pot. Two separate devices; then there are ACLs on the internal VLANs, 802.1X, and that is home.

So looking at my logs I see this:
Code:
2811ADSL#sh logi f | inc 91.220.131.33
admin           91.220.131.33   22    2     00:19:14 UTC Thu Nov 6 2014
support         91.220.131.33   22    2     09:50:46 UTC Thu Nov 6 2014
info            91.220.131.33   22    2     15:53:22 UTC Thu Nov 6 2014
guest           91.220.131.33   22    2     17:08:33 UTC Thu Nov 6 2014
user            91.220.131.33   22    2     01:00:55 UTC Fri Nov 7 2014
postmaster      91.220.131.33   22    2     08:53:09 UTC Fri Nov 7 2014
web             91.220.131.33   22    2     16:44:12 UTC Fri Nov 7 2014

This is interesting because:

  1. Each 'user' attempt has been made twice, outside the 'watch window'; my system has been configured to block an IP for three failures. This indicates a possible premeditated, pre-planned access attempt, or possibly a human child attempt at hacking.
  2. The IP launching this access attempt has not run a port scan on my system.
  3. Chinese IP Blocks are all blocked (You bore me) :eek:
  4. Russian IP Blocks are rare.

So most likely the originator is not the controller of the system at 91.220.131.33, which has been compromised.

The IP locates to a Russian IP block and hosts an SSH and web server running Ubuntu/Apache
http://91.220.131.33/

The default page would indicate a novice or beginner user who has probably left the system open to abuse and has been hijacked.

There are no NS/DNS/MX records to the IP and no SMTP with a HELO/EHLO, which would give me admin contact information for the IP.


The last decent attempt (ie not root) brute force hack on my system stemmed from a compromised system for which I was able to identify the MD, Head of ICT/CTO and the hosting provider and contact them with logs and a link to the blocklist.de site.
This could be done with the
Code:
Telnet Ip-Of-Offender 25
command, which returned a correct HELO.
This allowed me to I.D. the domain; a quick Google showed the web site, from which I could find the relevant contact details.


So How would one contact the operator of such a system?

It's unlikely they are looking at log-in logs but you could SSH and leave a message.... or two!
Block list de
Shows that the IP has been compromised or the "occupier" has been abusing the internet for some time. Since the connections to my IP have no previous signs of identifying my system, I continue with the assumption that the operator of this IP has been compromised, most likely due to
  1. Weak passwords
  2. OR Collusion between states
  3. OR Hosted server rental use by spooks.

Now the ripe look-up returned
Code:
This is the RIPE Database search service. 
The objects are in RPSL format. 
The RIPE Database is subject to Terms and Conditions. 
See http://www.ripe.net/db/support/db-terms-conditions.pdf 

Note: this output has been filtered. 
To see full objects, check the "Show full object details" box.
inetnum:         91.220.131.0 - 91.220.131.255
netname:         hostpro247-net
descr:           teterin Igor Ahmatovich
country:         RU
remarks:         
remarks:         SPAM [email protected]
remarks:         Network security issues: [email protected]
remarks:         Customer support: [email protected]
remarks:         
org:             ORG-tIA16-RIPE
admin-c:         tih12-RIPE
tech-c:          tih12-RIPE
status:          ASSIGNED PI
mnt-by:          RIPE-NCC-END-MNT
mnt-lower:       RIPE-NCC-END-MNT
mnt-by:          MNT-HOSTPRO247
mnt-routes:      MNT-PIN
mnt-domains:     MNT-HOSTPRO247
source:          RIPE # Filtered
sponsoring-org:  ORG-PINl1-RIPE


organisation:    ORG-tIA16-RIPE
org-name:        teterin Igor Ahmatovich
org-type:        OTHER
address:         Russia, Barnaul, Lenina str., 1 app. 34
mnt-ref:         MNT-HOSTPRO247
mnt-by:          MNT-HOSTPRO247
source:          RIPE # Filtered


person:          teterin Irog ahmatovich
address:         Russia, Barnaul, Lenina str., 1 app. 34
phone:           +74959645752
nic-hdl:         tih12-RIPE
mnt-by:          MNT-HOSTPRO247
source:          RIPE # Filtered


route:           91.220.131.0/24
descr:           hostpro2 PIN
origin:          as44050
mnt-by:          MNT-PIN
source:          RIPE # Filtered


No abuse address is listed, but customer service is listed as
[email protected]


So you should email this address.


Let's be honest though....

German ISPs respond.
USA ISPs Block
French ISPs seem to Block ( breaches stop)

Russia...
China....
Ignore and continue.


Conclusion



This is not discouraged or at worst state sponsored and demonstrates collusion between these two states....

The cyber war continues but not logged to this site!

Code:
      111111111111111111111111111111111111111111111111111111111111
      666665555555555555555555555555555552222255555666664444455555
  100
   90
   80
   70
   60
   50
   40
   30
   20 ***********************************     **********     *****
   10 ************************************************************
     0....5....1....1....2....2....3....3....4....4....5....5....6
               0    5    0    5    0    5    0    5    0    5    0
               CPU% per second (last 60 seconds)




      1173211126112211       11   1   1                 22    3 1
      669918992578466744433742744743431439475443433343441144550484
  100
   90
   80   *
   70   *      *
   60   *      *
   50   *      #
   40   **     #
   30   **     #   *                                          *
   20 *#############**        *                         **    * *
   10 ################     * **  **   *  * **           ##  **# *
     0....5....1....1....2....2....3....3....4....4....5....5....6
               0    5    0    5    0    5    0    5    0    5    0
               CPU% per minute (last 60 minutes)
              * = maximum CPU%   # = average CPU%




      719758128118971811886987333965619815981151858528793635187828911151781112
      898640919890818879817019150843788483088578472306763141817802885838315986
  100   *         *              *    *                *          *
   90   *     *   *  *  *  *     *    *   **         * *       *  *
   80 * ** *  *  **  *  ** ***   *    **  **    * *  ***     *** **      *
   70 * ** *  *  *** *  ******   *  * **  **    * *  ***     *** **     **
   60 * ** *  *  *** *  ******   ** * **  **  * ***  *** *   *** **     **
   50 * ****  *  *** *  ******   **** ** ***  * **** *** * * *** **   * **
   40 * ****  *  *** *  ****** * **** ** ***  * **** *** * * *** **   * **
   30 * ****  *  *** *  ************* ** ***  * **** ******* *** **   * **   *
   20 ************************###**********************#**********************
   10 **##****#**************#####*******************######**##***************
     0....5....1....1....2....2....3....3....4....4....5....5....6....6....7..
               0    5    0    5    0    5    0    5    0    5    0    5    0
                   CPU% per hour (last 72 hours)
                  * = maximum CPU%   # = average CPU%

Max CPU is rebuffing Chinese IP blocks. These have been connecting to a home IP!!!!!! Why?

State sponsored/encouraged espionage against the west.

IF YOU RUN HARDWARE THEY BUILT YOU ARE PWND!
There are more Back doors in most mainstream routers than my house.


24 Hour matches
Code:
    20 permit udp any host 172.16.250.251 eq 46583 (3 matches)
    10 permit tcp any host 172.16.250.251 eq 3389 (431 matches)
    20 permit udp any host 172.16.250.251 eq 1194 (1 match)
    30 permit tcp any host 172.16.250.251 eq 1194 (1 match)
    50 deny tcp any any eq 22 log (33148 matches)

This happened while posting. Look up the IPs!
Code:
12w4d: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 122.225.97.94] [localport: 22] [Reason: Login Authentication Failed] at 22:52:29 UTC Fri Nov 7 2014
2811ADSL#
2811ADSL#
2811ADSL#
12w4d: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 122.225.97.94] [localport: 22] [Reason: Login Authentication Failed] at 22:52:41 UTC Fri Nov 7 2014
12w4d: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 122.225.97.94] [localport: 22] [Reason: Login Authentication Failed] at 22:52:52 UTC Fri Nov 7 2014
12w4d: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 577 secs, [user: root] [Source: 122.225.97.94] [localport: 22] [Reason: Login Authentication Failed] [ACL: 123] at 22:52:52 UTC Fri Nov 7 2014
12w4d: %SEC-6-IPACCESSLOGP: list 123 denied tcp 122.225.97.94(53835) -> 0.0.0.0(22), 1 packet
12w4d: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 122.225.97.94] [localport: 22] [Reason: Login Authentication Failed] at 22:53:06 UTC Fri Nov 7 2014
12w4d: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 122.225.97.94] [localport: 22] [Reason: Login Authentication Failed] [ACL: 123] at 22:53:06 UTC Fri Nov 7 2014
12w4d: %SEC-6-IPACCESSLOGP: list 123 denied tcp 122.225.97.94(2529) -> 0.0.0.0(22), 1 packet

2811ADSL#
2811ADSL#
2811ADSL#
12w4d: %SEC-6-IPACCESSLOGP: list 123 denied tcp 122.225.97.94(6638) -> 0.0.0.0(22), 1 packet
2811ADSL#
2811ADSL#
2811ADSL#
12w4d: %SEC-6-IPACCESSLOGP: list 123 denied tcp 122.225.97.94(2529) -> 0.0.0.0(22), 2 packets
2811ADSL#
2811ADSL#
2811ADSL#
12w4d: %SEC-6-IPACCESSLOGP: list 123 denied tcp 122.225.97.94(6638) -> 0.0.0.0(22), 2 packets


The Cyber war continues!

Fight the EAST!

PS all servers I manage run ACLs that block problematic ISPs; over 10000 lines are in China.

Am I stereotyping?
Look up the AS of these IPs where are most from?
Code:
Detailed information about last 50 failures

Username        SourceIPAddr    lPort Count TimeStamp
root            61.174.51.224   22    3     09:43:02 UTC Wed Nov 5 2014
root            122.225.97.74   22    3     10:22:42 UTC Wed Nov 5 2014
admin           193.104.41.55   22    2     12:24:31 UTC Wed Nov 5 2014
ubnt            222.255.174.66  22    1     13:19:54 UTC Wed Nov 5 2014
cron            89.109.35.104   22    1     15:00:10 UTC Wed Nov 5 2014
root            89.109.35.104   22    1     15:00:32 UTC Wed Nov 5 2014
root            36.250.13.67    22    1     15:01:18 UTC Wed Nov 5 2014
root            218.106.254.121 22    1     16:33:34 UTC Wed Nov 5 2014
root            122.225.97.90   22    3     17:06:09 UTC Wed Nov 5 2014
root            61.174.51.212   22    3     18:54:36 UTC Wed Nov 5 2014
root            122.225.97.88   22    3     21:16:08 UTC Wed Nov 5 2014
root            222.187.220.246 22    3     21:28:51 UTC Wed Nov 5 2014
root            202.202.113.159 22    1     22:40:16 UTC Wed Nov 5 2014
admin           91.220.131.33   22    2     00:19:14 UTC Thu Nov 6 2014
root            122.225.109.212 22    3     01:21:10 UTC Thu Nov 6 2014
ubnt            183.110.253.233 22    1     01:53:27 UTC Thu Nov 6 2014
support         193.104.41.55   22    2     01:55:17 UTC Thu Nov 6 2014
root            122.225.109.221 22    3     02:54:09 UTC Thu Nov 6 2014
root            61.174.50.134   22    3     03:24:30 UTC Thu Nov 6 2014
zhangyan        212.84.78.38    22    1     04:10:55 UTC Thu Nov 6 2014
dff             212.84.78.38    22    1     04:11:07 UTC Thu Nov 6 2014
root            212.84.78.38    22    1     04:11:19 UTC Thu Nov 6 2014
123456          189.203.240.89  22    3     06:14:04 UTC Thu Nov 6 2014
root            122.225.97.80   22    3     09:04:49 UTC Thu Nov 6 2014
root            117.27.158.71   22    3     09:35:31 UTC Thu Nov 6 2014
support         91.220.131.33   22    2     09:50:46 UTC Thu Nov 6 2014
ubnt            193.104.41.55   22    2     10:53:23 UTC Thu Nov 6 2014
XXXXXXXXXXXXXXX 113.107.233.165 22    1     12:25:07 UTC Thu Nov 6 2014
root            122.225.97.125  22    3     13:15:19 UTC Thu Nov 6 2014
root            122.225.97.118  22    3     13:35:31 UTC Thu Nov 6 2014
info            91.220.131.33   22    2     15:53:22 UTC Thu Nov 6 2014
guest           91.220.131.33   22    2     17:08:33 UTC Thu Nov 6 2014
anonymous       193.104.41.55   22    2     17:53:49 UTC Thu Nov 6 2014
root            122.225.97.99   22    3     19:07:31 UTC Thu Nov 6 2014
root            122.225.109.117 22    3     22:20:59 UTC Thu Nov 6 2014
user            91.220.131.33   22    2     01:00:55 UTC Fri Nov 7 2014
admin           91.194.254.144  22    2     02:30:25 UTC Fri Nov 7 2014
root            91.194.254.142  22    1     02:30:10 UTC Fri Nov 7 2014
root            122.225.109.108 22    3     03:44:15 UTC Fri Nov 7 2014
root            122.225.97.106  22    3     06:30:12 UTC Fri Nov 7 2014
postmaster      91.220.131.33   22    2     08:53:09 UTC Fri Nov 7 2014
root            61.174.51.210   22    3     09:45:01 UTC Fri Nov 7 2014
root            91.218.78.58    22    1     10:42:41 UTC Fri Nov 7 2014
root            41.251.216.93   22    3     14:05:47 UTC Fri Nov 7 2014
web             91.220.131.33   22    2     16:44:12 UTC Fri Nov 7 2014
root            218.249.94.2    22    1     17:46:09 UTC Fri Nov 7 2014
root            218.2.0.133     22    2     17:48:12 UTC Fri Nov 7 2014
root            122.225.97.111  22    3     18:37:29 UTC Fri Nov 7 2014
root            117.27.158.89   22    3     19:30:25 UTC Fri Nov 7 2014
root            122.225.97.94   22    3     22:52:52 UTC Fri Nov 7 2014

Thanks for keeping me in expensive shirts and sports cars! none of which come from china.... (that is why shirts cost more than £50 ;) )
 
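Added example, not code from the post or from the router: a Python checker that parses both the `show login failures` table and the `%SEC_LOGIN-4-LOGIN_FAILED` syslog lines quoted above, then separates the burst that `login block-for` already stops (root from 122.225.97.94, three failures in 23 seconds) from the under-threshold, username-cycling pattern from 91.220.131.33 described in point 1. The three-failure threshold is the post's; the 600-second watch window, the `min_usernames` knob and the treatment of a table row's Count as failures landing together at its timestamp are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Input 1: rows copied from the router's "show login failures" table quoted in
# the post (one row per username/source record with the router's failure Count).
LOGIN_FAILURES = """\
Username        SourceIPAddr    lPort Count TimeStamp
ubnt            193.104.41.55   22    2     10:53:23 UTC Thu Nov 6 2014
admin           91.220.131.33   22    2     00:19:14 UTC Thu Nov 6 2014
support         91.220.131.33   22    2     09:50:46 UTC Thu Nov 6 2014
info            91.220.131.33   22    2     15:53:22 UTC Thu Nov 6 2014
guest           91.220.131.33   22    2     17:08:33 UTC Thu Nov 6 2014
user            91.220.131.33   22    2     01:00:55 UTC Fri Nov 7 2014
"""

# Input 2: the %SEC_LOGIN syslog lines from the post (root from 122.225.97.94,
# three failures in 23 seconds, after which the router enters quiet mode).
SYSLOG = """\
12w4d: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 122.225.97.94] [localport: 22] [Reason: Login Authentication Failed] at 22:52:29 UTC Fri Nov 7 2014
12w4d: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 122.225.97.94] [localport: 22] [Reason: Login Authentication Failed] at 22:52:41 UTC Fri Nov 7 2014
12w4d: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 122.225.97.94] [localport: 22] [Reason: Login Authentication Failed] at 22:52:52 UTC Fri Nov 7 2014
12w4d: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 577 secs, [user: root] [Source: 122.225.97.94] [localport: 22] [Reason: Login Authentication Failed] [ACL: 123] at 22:52:52 UTC Fri Nov 7 2014
"""

# IOS prints timestamps as "HH:MM:SS UTC Dow Mon D YYYY"; the weekday is ignored.
STAMP = r"(?P<time>\d\d:\d\d:\d\d) UTC \w{3} (?P<date>\w{3} \d{1,2} \d{4})"
TABLE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+\d+\s+(?P<count>\d+)\s+"
    + STAMP + r"$")
SYSLOG_RE = re.compile(
    r"%SEC_LOGIN-4-LOGIN_FAILED: .*\[user: (?P<user>[^\]]+)\] "
    r"\[Source: (?P<src>[^\]]+)\].* at " + STAMP + r"$")


def parse_failures(text):
    """Yield (timestamp, source_ip, username, failures) from either the
    'show login failures' table or LOGIN_FAILED syslog lines. Header lines,
    prompts and other messages (such as QUIET_MODE_ON) are skipped."""
    for line in text.splitlines():
        line = line.strip()
        m = TABLE_RE.match(line) or SYSLOG_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['time']} {m['date']}", "%H:%M:%S %b %d %Y")
        # A syslog line is exactly one failure; a table row carries its Count.
        count = int(m.groupdict().get("count") or 1)
        yield ts, m["src"], m["user"], count


def classify_sources(records, block_threshold=3,
                     watch_window=timedelta(seconds=600), min_usernames=3):
    """Per source IP: 'blocked' if failures inside one watch window reached the
    lockout threshold (login block-for already deals with it), 'low_and_slow'
    if they never did but the source cycled through usernames, else 'noise'.
    Assumption: a table row's Count lands inside one window at its timestamp."""
    by_src = defaultdict(list)
    for ts, src, user, count in records:
        by_src[src].append((ts, user, count))
    verdicts = {}
    for src, rows in by_src.items():
        rows.sort()
        # Sliding window: the most failures any watch_window-long span contained.
        peak = 0
        for i, (start, _, _) in enumerate(rows):
            in_win = sum(c for t, _, c in rows[i:] if t - start <= watch_window)
            peak = max(peak, in_win)
        users = {u for _, u, _ in rows}
        if peak >= block_threshold:
            verdict = "blocked"
        elif len(users) >= min_usernames:
            verdict = "low_and_slow"
        else:
            verdict = "noise"
        verdicts[src] = {
            "verdict": verdict,
            "peak_in_window": peak,
            "usernames": sorted(users),
            "attempts": sum(c for _, _, c in rows),
            "span": rows[-1][0] - rows[0][0],
        }
    return verdicts


if __name__ == "__main__":
    recs = list(parse_failures(LOGIN_FAILURES)) + list(parse_failures(SYSLOG))
    for src, info in sorted(classify_sources(recs).items()):
        print(f"{src:16} {info['verdict']:12} attempts={info['attempts']:<3} "
              f"peak={info['peak_in_window']} users={info['usernames']}")
```

Sources that come out as `low_and_slow` never trip the router's own lockout, so they are the ones worth feeding to a longer-lived blocklist or an abuse report.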
IP Reported to FBI due to possible financial record theft. 66.36.242.86


Repeated abuse continues after report to ISP (HopOne).

Code:
2811ADSL#sh logi f | inc 66.36.242.86
dup             66.36.242.86    22    2     19:56:59 UTC Sat Nov 8 2014
test            66.36.242.86    22    1     12:37:34 UTC Sat Nov 8 2014
postgres        66.36.242.86    22    1     15:28:25 UTC Sat Nov 8 2014
data            66.36.242.86    22    1     00:00:12 UTC Sun Nov 9 2014

Suspect hacker may have access to websites on the host at 66.36.242.86; these appear insurance related.
A Records for 66.36.242.86
calpacplumbing.com, dealsoninsurances.com, georgelopezcomedian.com, helpfulcms.com, insurancefirstquote.com, multipassinsurance.com, multipasssolutions.com, needfreeinsurancequotes.com, needinsurancequotes.net, sfcitynights.com
 
7 days 250 RDP connections to the honeypot no one got in..

d- must try harder!

Code:
 10 permit tcp any host 172.16.250.251 eq 3389 (681 matches)
 
last 3 Offenders:
77.95.95.118 Rostov-on-don in Russian Federation - Reported. Not convinced there is a point but hey, let's hope.
166.62.35.208 GO-DADDY-COM-LLC USA - Reported.
62.141.36.46 FASTIT-DE-DUS1-COLO1 Germany - Reported.



So what is at 77.95.95.118?

NSLOOKUP
Nothing... home IP....?

166.62.35.208 no rDNS? Home IP? GoDaddy, known for SSL and hosting.
ip-166-62-35-208.ip.secureserver.net


How about 62.141.36.46?
Has rDNS!
db1.austrogate.net

Possible company hacked?
http://www.austrogate.net/ looks like a hosting company but is on a separate IP Block 80.241.208.96...
 
IP 77.95.95.118

ISP Speckless LTD
Organisation Speckless Enterprises ltd
timezone Moscow (UTC+4)
state/region Rostov Oblast
city Rostov-on-don (1a)
coordinates 47.2181.39.7228


Well, it's not residential. Off the Sea of Azov, above the Black Sea ports (it's mafia turf), just some hackers looking for loot working for the Cosa Nostra. Enjoy. :D