- Joined
- Jan 29, 2002
- Location
- The Big Brother Nation
Intelligence advisory (like parental advisory)
This post is for the intellectually mature!
This in no way condones hacking but strongly encourages the hardening of perimeters against attack!
Managers/admins of networks are encouraged to approach the owners of managed networks and stress the benefits of dynamic security appliances to protect websites and systems of interest; in the experience of this individual, I would also strongly suggest that ANY IP on a solid business network will be targeted!
It is recommended that abuse@Host/ISP is contacted, as are the IP block list providers which record abuse.
Together we can build a safer web!
There are no reasons for any remote IP to connect to me; I no longer host any service!
As should be known, I run a honey pot, or two, as should any "Security Expert".
I have an IDS and a hardened firewall between me and my honey pot. Two separate devices, then there are ACLs on the internal VLANs, 802.1X, and that is home.
So looking at my logs I see this:
Code:
2811ADSL#sh logi f | inc 91.220.131.33
admin 91.220.131.33 22 2 00:19:14 UTC Thu Nov 6 2014
support 91.220.131.33 22 2 09:50:46 UTC Thu Nov 6 2014
info 91.220.131.33 22 2 15:53:22 UTC Thu Nov 6 2014
guest 91.220.131.33 22 2 17:08:33 UTC Thu Nov 6 2014
user 91.220.131.33 22 2 01:00:55 UTC Fri Nov 7 2014
postmaster 91.220.131.33 22 2 08:53:09 UTC Fri Nov 7 2014
web 91.220.131.33 22 2 16:44:12 UTC Fri Nov 7 2014
This is interesting because:
- Each 'user' attempt has been made twice, outside the 'watch window'; my system has been configured to block an IP after three failures. This indicates a possible premeditated, pre-planned access attempt, or possibly a human child's attempt at hacking.
- The IP launching this access attempt has not run a port scan on my system.
- Chinese IP Blocks are all blocked (You bore me)
- Russian IP Blocks are rare.
So most likely the originator is not the controller of the system at 91.220.131.33, which has been compromised.
The IP locates to a Russian IP block and hosts an SSH and web server running Ubuntu/Apache:
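The pattern described above (each username tried twice, never enough in one watch window to trip the three-failure block, but fourteen failures and seven usernames over two days) is exactly what a per-window blocker misses. The following is an added Python example, not code from the post or its author, that parses the router's `show login failures` listing and flags sources whose individual entries all stay under the block threshold while their cumulative total and username spread exceed assumed limits (`min_total`, `min_users`). The sample lines are copied from the post's own output.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample "show login failures" output, copied from the post (the two header lines are
# skipped by the parser). Column layout: Username SourceIPAddr lPort Count TimeStamp.
SAMPLE_FAILURES = """\
Detailed information about last 50 failures
Username SourceIPAddr lPort Count TimeStamp
root 61.174.51.224 22 3 09:43:02 UTC Wed Nov 5 2014
admin 91.220.131.33 22 2 00:19:14 UTC Thu Nov 6 2014
support 91.220.131.33 22 2 09:50:46 UTC Thu Nov 6 2014
info 91.220.131.33 22 2 15:53:22 UTC Thu Nov 6 2014
guest 91.220.131.33 22 2 17:08:33 UTC Thu Nov 6 2014
user 91.220.131.33 22 2 01:00:55 UTC Fri Nov 7 2014
postmaster 91.220.131.33 22 2 08:53:09 UTC Fri Nov 7 2014
web 91.220.131.33 22 2 16:44:12 UTC Fri Nov 7 2014
root 122.225.97.94 22 3 22:52:52 UTC Fri Nov 7 2014
"""

LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+"
    r"(?P<count>\d+)\s+(?P<ts>\d{2}:\d{2}:\d{2} UTC \w{3} \w{3} \d{1,2} \d{4})$"
)


def parse_failures(text):
    """Turn each data line into a dict; banner and header lines do not match and are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "user": m["user"],
            "src": m["src"],
            "port": int(m["port"]),
            "count": int(m["count"]),
            "ts": datetime.strptime(m["ts"], "%H:%M:%S UTC %a %b %d %Y"),
        })
    return events


def find_low_and_slow(events, block_attempts=3, min_total=4, min_users=3):
    """Flag sources that never trip the per-window block but keep coming back.

    block_attempts: the router's 'login block-for ... attempts N' value (3 in the post).
    min_total / min_users: assumed thresholds for cumulative failures and distinct usernames.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        total = sum(e["count"] for e in evs)
        users = sorted({e["user"] for e in evs})
        # Every single entry stayed below the block threshold, so quiet mode never fired...
        evaded_block = all(e["count"] < block_attempts for e in evs)
        # ...yet across the whole listing the source accumulated far more failures than that.
        if evaded_block and total >= min_total and len(users) >= min_users:
            span = max(e["ts"] for e in evs) - min(e["ts"] for e in evs)
            findings[src] = {
                "total": total,
                "users": users,
                "span_hours": round(span.total_seconds() / 3600, 1),
            }
    return findings


if __name__ == "__main__":
    for src, info in find_low_and_slow(parse_failures(SAMPLE_FAILURES)).items():
        print(f"{src}: {info['total']} failures, {len(info['users'])} usernames "
              f"over {info['span_hours']} h")
```

Run against the sample, only 91.220.131.33 is reported: the two sources that hit three failures in one window were already blocked by the router, so the value of this check is in the entries the router's own counter never escalates.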
http://91.220.131.33/
The default page would indicate a novice or beginner user who has probably left the system open to abuse and has been hijacked.
There are no NS/DNS/MX records for the IP and no SMTP with a HELO/EHLO which would give me admin contact information for the IP.
The last decent attempt (i.e. not root) brute force hack on my system stemmed from a compromised system for which I was able to identify the MD, Head of ICT/CTO and the hosting provider and contact them with logs and a link to the blocklist.de site.
This could be done with the
Code:
Telnet Ip-Of-Offender 25
command, which returned a correct HELO. This allowed me to I.D. the domain; a quick Google showed the web site from which I could find the relevant contact details.
So how would one contact the operator of such a system?
It's unlikely they are looking at log-in logs but you could SSH and leave a message.... or two!
Blocklist.de
shows that the IP has been compromised or the "occupier" has been abusing the internet for some time. Since the connections to my IP have no previous signs of identifying my system, I continue with the assumption that the operator of this IP has been compromised, most likely due to:
- Weak passwords
- OR Collusion between states
- OR Hosted server rental use by spooks.
Now the RIPE look-up returned:
Code:
This is the RIPE Database search service.
The objects are in RPSL format.
The RIPE Database is subject to Terms and Conditions.
See http://www.ripe.net/db/support/db-terms-conditions.pdf
Note: this output has been filtered.
To see full objects, check the "Show full object details" box.
inetnum: 91.220.131.0 - 91.220.131.255
netname: hostpro247-net
descr: teterin Igor Ahmatovich
country: RU
remarks:
remarks: SPAM [email protected]
remarks: Network security issues: [email protected]
remarks: Customer support: [email protected]
remarks:
org: ORG-tIA16-RIPE
admin-c: tih12-RIPE
tech-c: tih12-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: MNT-HOSTPRO247
mnt-routes: MNT-PIN
mnt-domains: MNT-HOSTPRO247
source: RIPE # Filtered
sponsoring-org: ORG-PINl1-RIPE
organisation: ORG-tIA16-RIPE
org-name: teterin Igor Ahmatovich
org-type: OTHER
address: Russia, Barnaul, Lenina str., 1 app. 34
mnt-ref: MNT-HOSTPRO247
mnt-by: MNT-HOSTPRO247
source: RIPE # Filtered
person: teterin Irog ahmatovich
address: Russia, Barnaul, Lenina str., 1 app. 34
phone: +74959645752
nic-hdl: tih12-RIPE
mnt-by: MNT-HOSTPRO247
source: RIPE # Filtered
route: 91.220.131.0/24
descr: hostpro2 PIN
origin: as44050
mnt-by: MNT-PIN
source: RIPE # Filtered
No abuse address is listed, but customer service is as follows:
[email protected]
So you should email this address.
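Picking the reporting address out of a RIPE answer by eye works for one lookup; when you are reporting a dozen sources a day it is worth parsing the RPSL and ranking the candidates. The following is an added Python example, not the post's code, that splits whois output into objects and returns contact addresses in order of preference: an `abuse-mailbox` attribute first, then `remarks` lines mentioning abuse or security, then any other address. The sample text is constructed to mirror the post's RIPE output (same netname and handles); the e-mail addresses are placeholders under `example.invalid`, since the page's own addresses are not recoverable.

```python
import re

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed RPSL text modelled on the RIPE answer in the post. Netname and handles
# are the post's; the e-mail addresses are placeholders (example.invalid).
SAMPLE_RPSL = """\
% This is the RIPE Database search service.
inetnum:        91.220.131.0 - 91.220.131.255
netname:        hostpro247-net
country:        RU
remarks:
remarks:        SPAM spam@example.invalid
remarks:        Network security issues: security@example.invalid
remarks:        Customer support: support@example.invalid
admin-c:        tih12-RIPE
source:         RIPE # Filtered

organisation:   ORG-tIA16-RIPE
org-name:       Example Organisation
source:         RIPE # Filtered

person:         Example Person
nic-hdl:        tih12-RIPE
source:         RIPE # Filtered
"""

# Constructed object that does carry an abuse-mailbox, to show the ranking.
SAMPLE_WITH_ABUSE = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
abuse-mailbox:  abuse@example.invalid
remarks:        Customer support: support@example.invalid
source:         RIPE # Filtered
"""


def parse_rpsl(text):
    """Split whois output into objects, each a list of (attribute, value) pairs in order."""
    objects, current = [], []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("%"):      # blank line or server comment ends an object
            if current:
                objects.append(current)
                current = []
            continue
        if line[0] in " \t" and current:          # continuation of the previous attribute
            attr, val = current[-1]
            current[-1] = (attr, (val + " " + line.strip()).strip())
            continue
        attr, _, val = line.partition(":")
        current.append((attr.strip(), val.split("#", 1)[0].strip()))  # drop "# Filtered"
    if current:
        objects.append(current)
    return objects


def find_contacts(objects):
    """Return unique addresses ranked by how suitable they are for an abuse report."""
    ranked = []
    for obj in objects:
        for attr, val in obj:
            for email in EMAIL_RE.findall(val):
                if attr == "abuse-mailbox":
                    prio = 0
                elif attr == "remarks" and re.search(r"abuse|security", val, re.I):
                    prio = 1
                elif attr in ("remarks", "e-mail"):
                    prio = 2
                else:
                    prio = 3
                ranked.append((prio, attr, val, email))
    ranked.sort(key=lambda r: r[0])                # stable: document order within a rank
    seen, out = set(), []
    for prio, attr, val, email in ranked:
        if email.lower() not in seen:
            seen.add(email.lower())
            out.append({"email": email, "attr": attr, "context": val, "priority": prio})
    return out


def best_contact(text):
    """Single most appropriate address for the whois text, or None if it names no address."""
    contacts = find_contacts(parse_rpsl(text))
    return contacts[0]["email"] if contacts else None


if __name__ == "__main__":
    for c in find_contacts(parse_rpsl(SAMPLE_RPSL)):
        print(c["priority"], c["email"], "<-", c["context"])
```

For the post's object this ranks the "Network security issues" address above the spam and support ones; where the holder has registered an `abuse-mailbox` (RIPE's preferred mechanism), that wins outright.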
Let's be honest though....
German ISPs respond.
USA ISPs block.
French ISPs seem to block (breaches stop).
Russia...
China....
Ignore and continue.
Conclusion
This is not discouraged or, at worst, is state sponsored and demonstrates collusion between these two states....
The cyber war continues but not logged to this site!
Code:
111111111111111111111111111111111111111111111111111111111111
666665555555555555555555555555555552222255555666664444455555
100
90
80
70
60
50
40
30
20 *********************************** ********** *****
10 ************************************************************
0....5....1....1....2....2....3....3....4....4....5....5....6
0 5 0 5 0 5 0 5 0 5 0
CPU% per second (last 60 seconds)
1173211126112211 11 1 1 22 3 1
669918992578466744433742744743431439475443433343441144550484
100
90
80 *
70 * *
60 * *
50 * #
40 ** #
30 ** # * *
20 *#############** * ** * *
10 ################ * ** ** * * ** ## **# *
0....5....1....1....2....2....3....3....4....4....5....5....6
0 5 0 5 0 5 0 5 0 5 0
CPU% per minute (last 60 minutes)
* = maximum CPU% # = average CPU%
719758128118971811886987333965619815981151858528793635187828911151781112
898640919890818879817019150843788483088578472306763141817802885838315986
100 * * * * * *
90 * * * * * * * * ** * * * *
80 * ** * * ** * ** *** * ** ** * * *** *** ** *
70 * ** * * *** * ****** * * ** ** * * *** *** ** **
60 * ** * * *** * ****** ** * ** ** * *** *** * *** ** **
50 * **** * *** * ****** **** ** *** * **** *** * * *** ** * **
40 * **** * *** * ****** * **** ** *** * **** *** * * *** ** * **
30 * **** * *** * ************* ** *** * **** ******* *** ** * ** *
20 ************************###**********************#**********************
10 **##****#**************#####*******************######**##***************
0....5....1....1....2....2....3....3....4....4....5....5....6....6....7..
0 5 0 5 0 5 0 5 0 5 0 5 0
CPU% per hour (last 72 hours)
* = maximum CPU% # = average CPU%
Max CPU is rebuffing Chinese IP blocks. These have been connecting to a home IP!!!!!! Why?
State sponsored/encouraged espionage against the west.
IF YOU RUN HARDWARE THEY BUILT YOU ARE PWND!
There are more Back doors in most mainstream routers than my house.
24 Hour matches
Code:
20 permit udp any host 172.16.250.251 eq 46583 (3 matches)
10 permit tcp any host 172.16.250.251 eq 3389 (431 matches)
20 permit udp any host 172.16.250.251 eq 1194 (1 match)
30 permit tcp any host 172.16.250.251 eq 1194 (1 match)
50 deny tcp any any eq 22 log (33148 matches)
610 deny ip 1.92.0.0 0.1.255.255 any (7 matches)
690 deny ip 1.204.0.0 0.3.255.255 any (2 matches)
1240 deny ip 14.16.0.0 0.15.255.255 any (1 match)
1290 deny ip 14.112.0.0 0.15.255.255 any (2 matches)
1320 deny ip 14.144.0.0 0.15.255.255 any (2 matches)
1390 deny ip 27.16.0.0 0.15.255.255 any (1 match)
1660 deny ip 27.152.0.0 0.7.255.255 any (4 matches)
1670 deny ip 27.184.0.0 0.7.255.255 any (1 match)
1690 deny ip 27.224.0.0 0.3.255.255 any (6 matches)
1930 deny ip 36.248.0.0 0.3.255.255 any (2 matches)
2360 deny ip 42.88.0.0 0.7.255.255 any (2 matches)
2410 deny ip 42.96.128.0 0.0.127.255 any (1 match)
2420 deny ip 42.97.0.0 0.0.255.255 any (3 matches)
3000 deny ip 49.64.0.0 0.31.255.255 any (3 matches)
3150 deny ip 58.16.0.0 0.0.255.255 any (1 match)
3180 deny ip 58.18.0.0 0.0.255.255 any (2 matches)
3200 deny ip 58.20.0.0 0.0.255.255 any (1 match)
3240 deny ip 58.30.0.0 0.1.255.255 any (1 match)
3250 deny ip 58.32.0.0 0.7.255.255 any (1 match)
3270 deny ip 58.42.0.0 0.0.255.255 any (1 match)
3310 deny ip 58.56.0.0 0.1.255.255 any (1 match)
3330 deny ip 58.59.0.0 0.0.127.255 any (1 match)
3370 deny ip 58.66.0.0 0.1.255.255 any (3 matches)
3440 deny ip 58.116.0.0 0.3.255.255 any (2 matches)
3450 deny ip 58.128.0.0 0.7.255.255 any (1 match)
3530 deny ip 58.208.0.0 0.15.255.255 any (47 matches)
3540 deny ip 58.240.0.0 0.1.255.255 any (1 match)
3550 deny ip 58.242.0.0 0.1.255.255 any (15 matches)
3560 deny ip 58.244.0.0 0.1.255.255 any (3 matches)
3570 deny ip 58.246.0.0 0.1.255.255 any (1 match)
3580 deny ip 58.248.0.0 0.7.255.255 any (1 match)
3590 deny ip 59.32.0.0 0.7.255.255 any (1 match)
3600 deny ip 59.40.0.0 0.1.255.255 any (1 match)
3630 deny ip 59.44.0.0 0.3.255.255 any (1 match)
3680 deny ip 59.51.0.0 0.0.127.255 any (1 match)
3700 deny ip 59.52.0.0 0.3.255.255 any (1 match)
3710 deny ip 59.56.0.0 0.3.255.255 any (1 match)
3760 deny ip 59.72.0.0 0.1.255.255 any (2 matches)
3880 deny ip 59.172.0.0 0.1.255.255 any (2 matches)
3890 deny ip 59.174.0.0 0.1.255.255 any (2 matches)
3920 deny ip 59.192.0.0 0.63.255.255 any (2 matches)
3950 deny ip 60.10.0.0 0.0.255.255 any (4 matches)
3960 deny ip 60.11.0.0 0.0.255.255 any (1 match)
3970 deny ip 60.12.0.0 0.0.255.255 any (1 match)
4000 deny ip 60.13.128.0 0.0.127.255 any (1 match)
4020 deny ip 60.16.0.0 0.7.255.255 any (3 matches)
4040 deny ip 60.28.0.0 0.1.255.255 any (1 match)
4090 deny ip 60.160.0.0 0.1.255.255 any (1 match)
4110 deny ip 60.164.0.0 0.1.255.255 any (2 matches)
4130 deny ip 60.168.0.0 0.7.255.255 any (21 matches)
4140 deny ip 60.176.0.0 0.15.255.255 any (7 matches)
4190 deny ip 60.206.0.0 0.1.255.255 any (1 match)
4200 deny ip 60.208.0.0 0.7.255.255 any (1 match)
4220 deny ip 60.218.0.0 0.1.255.255 any (1 match)
4230 deny ip 60.220.0.0 0.3.255.255 any (3 matches)
4470 deny ip 61.48.0.0 0.3.255.255 any (4 matches)
4480 deny ip 61.52.0.0 0.1.255.255 any (2 matches)
4490 deny ip 61.54.0.0 0.0.255.255 any (1 match)
4540 deny ip 61.132.0.0 0.0.255.255 any (1 match)
4570 deny ip 61.134.0.0 0.0.63.255 any (1 match)
4640 deny ip 61.136.64.0 0.0.63.255 any (1 match)
4760 deny ip 61.144.0.0 0.3.255.255 any (8 matches)
4770 deny ip 61.148.0.0 0.1.255.255 any (1 match)
4820 deny ip 61.156.0.0 0.0.255.255 any (1 match)
4890 deny ip 61.160.0.0 0.0.255.255 any (47 matches)
4940 deny ip 61.163.0.0 0.0.255.255 any (1 match)
4970 deny ip 61.166.0.0 0.0.255.255 any (3 matches)
5020 deny ip 61.172.0.0 0.3.255.255 any (29 matches)
5050 deny ip 61.178.0.0 0.0.255.255 any (2 matches)
5120 deny ip 61.184.0.0 0.3.255.255 any (1 match)
5170 deny ip 61.232.0.0 0.3.255.255 any (2 matches)
5310 deny ip 101.4.0.0 0.3.255.255 any (11 matches)
5850 deny ip 101.224.0.0 0.7.255.255 any (3 matches)
7910 deny ip 103.27.24.0 0.0.3.255 any (1 match)
9670 deny ip 106.32.0.0 0.15.255.255 any (3 matches)
9730 deny ip 106.80.0.0 0.15.255.255 any (2 matches)
9760 deny ip 106.120.0.0 0.7.255.255 any (4 matches)
9990 deny ip 110.80.0.0 0.7.255.255 any (3 matches)
10000 deny ip 110.88.0.0 0.3.255.255 any (2 matches)
10070 deny ip 110.166.0.0 0.1.255.255 any (1 match)
10150 deny ip 110.184.0.0 0.7.255.255 any (1 match)
10210 deny ip 111.0.0.0 0.63.255.255 any (5 matches)
10250 deny ip 111.72.0.0 0.7.255.255 any (7 matches)
10340 deny ip 111.120.0.0 0.3.255.255 any (4 matches)
10360 deny ip 111.126.0.0 0.1.255.255 any (1 match)
10400 deny ip 111.172.0.0 0.3.255.255 any (4 matches)
10430 deny ip 111.192.0.0 0.15.255.255 any (1 match)
10550 deny ip 112.0.0.0 0.63.255.255 any (2 matches)
10560 deny ip 112.64.0.0 0.1.255.255 any (1 match)
10600 deny ip 112.80.0.0 0.7.255.255 any (1 match)
10610 deny ip 112.88.0.0 0.7.255.255 any (1 match)
10660 deny ip 112.111.0.0 0.0.255.255 any (1 match)
10690 deny ip 112.122.0.0 0.1.255.255 any (10 matches)
10700 deny ip 112.124.0.0 0.3.255.255 any (3 matches)
10760 deny ip 113.0.0.0 0.7.255.255 any (2 matches)
10790 deny ip 113.12.0.0 0.3.255.255 any (3 matches)
10800 deny ip 113.16.0.0 0.1.255.255 any (17 matches)
10880 deny ip 113.56.0.0 0.1.255.255 any (2 matches)
10930 deny ip 113.64.0.0 0.31.255.255 any (7 matches)
10940 deny ip 113.96.0.0 0.15.255.255 any (17 matches)
11000 deny ip 113.132.0.0 0.3.255.255 any (2 matches)
11010 deny ip 113.136.0.0 0.7.255.255 any (5 matches)
11020 deny ip 113.194.0.0 0.1.255.255 any (7 matches)
11060 deny ip 113.204.0.0 0.3.255.255 any (1 match)
11180 deny ip 113.240.0.0 0.7.255.255 any (1 match)
11260 deny ip 114.80.0.0 0.15.255.255 any (6 matches)
11280 deny ip 114.104.0.0 0.3.255.255 any (2 matches)
11330 deny ip 114.112.0.0 0.3.255.255 any (1 match)
11370 deny ip 114.135.0.0 0.0.255.255 any (1 match)
11480 deny ip 114.224.0.0 0.15.255.255 any (2 matches)
11490 deny ip 114.240.0.0 0.15.255.255 any (2 matches)
11560 deny ip 115.48.0.0 0.15.255.255 any (1 match)
11760 deny ip 115.192.0.0 0.31.255.255 any (4 matches)
11770 deny ip 115.224.0.0 0.15.255.255 any (50 matches)
11830 deny ip 116.8.0.0 0.3.255.255 any (3 matches)
11850 deny ip 116.16.0.0 0.15.255.255 any (2 matches)
12020 deny ip 116.112.0.0 0.3.255.255 any (1 match)
12160 deny ip 116.208.0.0 0.3.255.255 any (2 matches)
12250 deny ip 116.224.0.0 0.15.255.255 any (7 matches)
12350 deny ip 117.21.0.0 0.0.255.255 any (14 matches)
12370 deny ip 117.24.0.0 0.7.255.255 any (12 matches)
12380 deny ip 117.32.0.0 0.7.255.255 any (4 matches)
12390 deny ip 117.40.0.0 0.3.255.255 any (1 match)
12540 deny ip 117.76.0.0 0.3.255.255 any (2 matches)
12550 deny ip 117.80.0.0 0.15.255.255 any (3 matches)
12630 deny ip 117.112.0.0 0.7.255.255 any (1 match)
12900 deny ip 118.112.0.0 0.7.255.255 any (2 matches)
12910 deny ip 118.120.0.0 0.3.255.255 any (3 matches)
12920 deny ip 118.124.0.0 0.1.255.255 any (2 matches)
12980 deny ip 118.180.0.0 0.3.255.255 any (2 matches)
13030 deny ip 118.192.0.0 0.1.255.255 any (1 match)
13050 deny ip 118.194.128.0 0.0.127.255 any (1 match)
13160 deny ip 118.242.0.0 0.0.255.255 any (1 match)
13180 deny ip 118.248.0.0 0.7.255.255 any (4 matches)
13190 deny ip 119.0.0.0 0.1.255.255 any (1 match)
13410 deny ip 119.32.0.0 0.3.255.255 any (1 match)
13600 deny ip 119.44.0.0 0.1.255.255 any (1 match)
13750 deny ip 119.96.0.0 0.7.255.255 any (1 match)
13790 deny ip 119.128.0.0 0.15.255.255 any (2 matches)
13800 deny ip 119.144.0.0 0.3.255.255 any (1 match)
14000 deny ip 120.32.0.0 0.7.255.255 any (4 matches)
14010 deny ip 120.40.0.0 0.3.255.255 any (1 match)
14060 deny ip 120.68.0.0 0.3.255.255 any (4 matches)
14100 deny ip 120.80.0.0 0.7.255.255 any (7 matches)
14160 deny ip 120.128.0.0 0.3.255.255 any (1 match)
14240 deny ip 120.192.0.0 0.63.255.255 any (1 match)
14280 deny ip 121.8.0.0 0.7.255.255 any (3 matches)
14330 deny ip 121.31.0.0 0.0.255.255 any (1 match)
14340 deny ip 121.32.0.0 0.3.255.255 any (2 matches)
14670 deny ip 121.196.0.0 0.3.255.255 any (1 match)
14700 deny ip 121.204.0.0 0.3.255.255 any (2 matches)
14740 deny ip 122.0.64.0 0.0.63.255 any (1 match)
14760 deny ip 122.4.0.0 0.3.255.255 any (1 match)
14880 deny ip 122.64.0.0 0.31.255.255 any (2 matches)
14930 deny ip 122.112.0.0 0.3.255.255 any (1 match)
14960 deny ip 122.136.0.0 0.7.255.255 any (1 match)
15060 deny ip 122.224.0.0 0.15.255.255 any (128 matches)
15130 deny ip 123.8.0.0 0.7.255.255 any (1 match)
15220 deny ip 123.64.0.0 0.31.255.255 any (2 matches)
15310 deny ip 123.112.0.0 0.15.255.255 any (6 matches)
15320 deny ip 123.128.0.0 0.7.255.255 any (5 matches)
15390 deny ip 123.150.0.0 0.1.255.255 any (4 matches)
15400 deny ip 123.152.0.0 0.7.255.255 any (1 match)
15560 deny ip 123.232.0.0 0.3.255.255 any (3 matches)
15580 deny ip 123.244.0.0 0.3.255.255 any (1 match)
15590 deny ip 123.249.0.0 0.0.255.255 any (4 matches)
15970 deny ip 124.114.0.0 0.1.255.255 any (2 matches)
15990 deny ip 124.117.0.0 0.0.255.255 any (3 matches)
16010 deny ip 124.126.0.0 0.1.255.255 any (4 matches)
16120 deny ip 124.172.0.0 0.1.255.255 any (1 match)
16160 deny ip 124.200.0.0 0.7.255.255 any (2 matches)
16220 deny ip 124.232.0.0 0.1.255.255 any (92 matches)
16400 deny ip 125.40.0.0 0.7.255.255 any (46 matches)
16440 deny ip 125.64.0.0 0.7.255.255 any (4 matches)
16470 deny ip 125.74.0.0 0.1.255.255 any (1 match)
16490 deny ip 125.76.128.0 0.0.127.255 any (1 match)
16510 deny ip 125.78.0.0 0.1.255.255 any (1 match)
16570 deny ip 125.112.0.0 0.15.255.255 any (1 match)
16870 deny ip 139.200.0.0 0.7.255.255 any (2 matches)
16940 deny ip 140.205.0.0 0.0.255.255 any (1 match)
16950 deny ip 140.206.0.0 0.1.255.255 any (2 matches)
16970 deny ip 140.224.0.0 0.0.255.255 any (1 match)
22450 deny ip 144.12.0.0 0.0.255.255 any (3 matches)
22840 deny ip 171.8.0.0 0.7.255.255 any (2 matches)
22910 deny ip 171.104.0.0 0.7.255.255 any (2 matches)
22950 deny ip 171.208.0.0 0.15.255.255 any (3 matches)
23250 deny ip 180.96.0.0 0.31.255.255 any (7 matches)
23280 deny ip 180.136.0.0 0.7.255.255 any (2 matches)
23350 deny ip 180.152.0.0 0.7.255.255 any (42 matches)
23360 deny ip 180.160.0.0 0.15.255.255 any (6 matches)
23380 deny ip 180.184.0.0 0.3.255.255 any (2 matches)
23450 deny ip 180.210.224.0 0.0.31.255 any (1 match)
23460 deny ip 180.212.0.0 0.1.255.255 any (2 matches)
23570 deny ip 182.48.96.0 0.0.31.255 any (1 match)
23670 deny ip 182.92.0.0 0.0.255.255 any (4 matches)
23680 deny ip 182.96.0.0 0.15.255.255 any (2 matches)
23700 deny ip 182.128.0.0 0.15.255.255 any (5 matches)
23710 deny ip 182.144.0.0 0.7.255.255 any (3 matches)
23800 deny ip 182.254.0.0 0.0.255.255 any (4 matches)
23810 deny ip 183.0.0.0 0.63.255.255 any (11 matches)
23890 deny ip 183.92.0.0 0.3.255.255 any (2 matches)
23900 deny ip 183.128.0.0 0.31.255.255 any (7 matches)
23910 deny ip 183.160.0.0 0.7.255.255 any (6 matches)
23970 deny ip 183.192.0.0 0.63.255.255 any (3 matches)
33410 deny ip 199.188.109.160 0.0.0.31 any (2 matches)
36550 deny ip 202.97.128.0 0.0.63.255 any (2 matches)
37330 deny ip 202.102.224.0 0.0.7.255 any (1 match)
37490 deny ip 202.104.0.0 0.1.255.255 any (1 match)
37530 deny ip 202.108.0.0 0.0.255.255 any (1 match)
37910 deny ip 202.118.64.0 0.0.63.255 any (2 matches)
39030 deny ip 202.173.8.0 0.0.7.255 any (1 match)
39200 deny ip 202.192.0.0 0.7.255.255 any (3 matches)
39210 deny ip 202.200.0.0 0.3.255.255 any (5 matches)
47890 deny ip 203.100.80.0 0.0.15.255 any (1 match)
48730 deny ip 203.195.128.0 0.0.127.255 any (1 match)
49180 deny ip 210.22.0.0 0.0.255.255 any (1 match)
49220 deny ip 210.28.0.0 0.3.255.255 any (2 matches)
49240 deny ip 210.36.0.0 0.3.255.255 any (2 matches)
49400 deny ip 210.73.64.0 0.0.63.255 any (2 matches)
49530 deny ip 210.76.128.0 0.0.127.255 any (3 matches)
49770 deny ip 211.86.0.0 0.1.255.255 any (1 match)
49820 deny ip 211.94.0.0 0.1.255.255 any (1 match)
49940 deny ip 211.103.0.0 0.0.127.255 any (1 match)
49950 deny ip 211.103.128.0 0.0.127.255 any (1 match)
49960 deny ip 211.136.0.0 0.3.255.255 any (1 match)
50000 deny ip 211.143.0.0 0.0.255.255 any (1 match)
50010 deny ip 211.144.0.0 0.1.255.255 any (1 match)
50030 deny ip 211.147.0.0 0.0.255.255 any (2 matches)
50050 deny ip 211.152.0.0 0.1.255.255 any (1 match)
50910 deny ip 218.2.0.0 0.1.255.255 any (20 matches)
50920 deny ip 218.4.0.0 0.1.255.255 any (1 match)
50930 deny ip 218.6.0.0 0.0.255.255 any (2 matches)
50940 deny ip 218.7.0.0 0.0.255.255 any (2 matches)
50970 deny ip 218.11.0.0 0.0.255.255 any (4 matches)
51000 deny ip 218.14.0.0 0.1.255.255 any (2 matches)
51010 deny ip 218.16.0.0 0.3.255.255 any (3 matches)
51050 deny ip 218.22.0.0 0.1.255.255 any (1 match)
51060 deny ip 218.24.0.0 0.1.255.255 any (1 match)
51090 deny ip 218.28.0.0 0.1.255.255 any (3 matches)
51110 deny ip 218.56.0.0 0.3.255.255 any (10 matches)
51130 deny ip 218.62.0.0 0.0.127.255 any (1 match)
51160 deny ip 218.64.0.0 0.1.255.255 any (9 matches)
51220 deny ip 218.72.0.0 0.3.255.255 any (1 match)
51230 deny ip 218.76.0.0 0.1.255.255 any (140 matches)
51250 deny ip 218.80.0.0 0.3.255.255 any (3 matches)
51260 deny ip 218.84.0.0 0.3.255.255 any (7 matches)
51270 deny ip 218.88.0.0 0.7.255.255 any (9 matches)
51450 deny ip 218.106.0.0 0.1.255.255 any (2 matches)
51550 deny ip 218.200.0.0 0.3.255.255 any (6 matches)
51570 deny ip 218.206.0.0 0.1.255.255 any (1 match)
51610 deny ip 218.249.0.0 0.0.255.255 any (1 match)
51650 deny ip 219.128.0.0 0.15.255.255 any (3 matches)
51660 deny ip 219.144.0.0 0.3.255.255 any (2 matches)
51670 deny ip 219.148.0.0 0.0.255.255 any (2 matches)
51880 deny ip 219.159.128.0 0.0.127.255 any (1 match)
51990 deny ip 219.232.0.0 0.3.255.255 any (1 match)
52080 deny ip 220.160.0.0 0.31.255.255 any (27 matches)
52110 deny ip 220.196.0.0 0.3.255.255 any (2 matches)
52190 deny ip 220.248.0.0 0.3.255.255 any (2 matches)
52210 deny ip 221.0.0.0 0.1.255.255 any (2 matches)
52250 deny ip 221.4.0.0 0.0.255.255 any (2 matches)
52280 deny ip 221.6.0.0 0.0.255.255 any (1 match)
52550 deny ip 221.176.0.0 0.7.255.255 any (5 matches)
52580 deny ip 221.195.0.0 0.0.255.255 any (2 matches)
52700 deny ip 221.206.0.0 0.0.255.255 any (3 matches)
52740 deny ip 221.208.0.0 0.3.255.255 any (1 match)
52770 deny ip 221.214.0.0 0.1.255.255 any (1 match)
52780 deny ip 221.216.0.0 0.7.255.255 any (3 matches)
52790 deny ip 221.224.0.0 0.7.255.255 any (4 matches)
52800 deny ip 221.232.0.0 0.3.255.255 any (1 match)
52930 deny ip 222.32.0.0 0.31.255.255 any (9 matches)
52940 deny ip 222.64.0.0 0.7.255.255 any (3 matches)
52980 deny ip 222.76.0.0 0.3.255.255 any (1 match)
53050 deny ip 222.85.128.0 0.0.127.255 any (1 match)
53140 deny ip 222.136.0.0 0.7.255.255 any (2 matches)
53160 deny ip 222.162.0.0 0.0.255.255 any (1 match)
53260 deny ip 222.174.0.0 0.1.255.255 any (1 match)
53270 deny ip 222.176.0.0 0.7.255.255 any (2 matches)
53280 deny ip 222.184.0.0 0.7.255.255 any (117 matches)
53370 deny ip 222.216.0.0 0.1.255.255 any (1 match)
53390 deny ip 222.219.0.0 0.0.255.255 any (1 match)
53400 deny ip 222.220.0.0 0.1.255.255 any (8 matches)
53410 deny ip 222.222.0.0 0.1.255.255 any (1 match)
53420 deny ip 222.240.0.0 0.7.255.255 any (1 match)
53670 deny ip 223.202.0.0 0.1.255.255 any (4 matches)
53700 deny ip 223.214.0.0 0.1.255.255 any (3 matches)
53710 deny ip 223.220.0.0 0.1.255.255 any (1 match)
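The ACL listing above uses IOS wildcard masks, which are awkward to read and to correlate with the syslog lines elsewhere in the post. The following is an added Python example, not the post's code, that parses `show access-list` style output, converts each wildcard to a CIDR network, evaluates which entry a given source would hit (top-down, first match, implicit deny at the end, as IOS does), lists the busiest deny entries, and totals how many source addresses the deny entries cover. The sample is a subset of the post's own listing; the checked source address 122.225.97.94 is the one in the post's `LOGIN_FAILED` lines.

```python
import ipaddress
import re

# Subset of the post's 24-hour ACL output; the parser accepts the whole listing.
SAMPLE_ACL = """\
20 permit udp any host 172.16.250.251 eq 46583 (3 matches)
10 permit tcp any host 172.16.250.251 eq 3389 (431 matches)
20 permit udp any host 172.16.250.251 eq 1194 (1 match)
30 permit tcp any host 172.16.250.251 eq 1194 (1 match)
50 deny tcp any any eq 22 log (33148 matches)
610 deny ip 1.92.0.0 0.1.255.255 any (7 matches)
15060 deny ip 122.224.0.0 0.15.255.255 any (128 matches)
33410 deny ip 199.188.109.160 0.0.0.31 any (2 matches)
51230 deny ip 218.76.0.0 0.1.255.255 any (140 matches)
53280 deny ip 222.184.0.0 0.7.255.255 any (117 matches)
"""

ADDR = r"\d{1,3}(?:\.\d{1,3}){3}"
ACL_RE = re.compile(
    rf"^(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    rf"(?P<src>any|host {ADDR}|{ADDR} {ADDR})\s+"
    rf"(?P<dst>any|host {ADDR}|{ADDR} {ADDR})"
    r"(?:\s+eq\s+(?P<port>\d+))?(?:\s+log)?(?:\s+\((?P<matches>\d+) matche?s?\))?\s*$"
)


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair to a CIDR network (contiguous wildcards only)."""
    w = int(ipaddress.IPv4Address(wildcard))
    mask = ~w & 0xFFFFFFFF                      # wildcard is the inverted subnet mask
    prefix = bin(mask).count("1")
    if mask != ((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF):
        raise ValueError(f"non-contiguous wildcard {wildcard} has no CIDR equivalent")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def _to_network(spec):
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, wildcard = spec.split()
    return wildcard_to_network(addr, wildcard)


def parse_acl(text):
    """Parse ACL entries in display order; lines that do not look like entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "seq": int(m["seq"]),
            "action": m["action"],
            "proto": m["proto"],
            "src": _to_network(m["src"]),
            "dst": _to_network(m["dst"]),
            "port": int(m["port"]) if m["port"] else None,
            "matches": int(m["matches"]) if m["matches"] else 0,
        })
    return entries


def first_match(entries, src_ip, proto, dst_port, dst_ip=None):
    """Entry a packet would hit, evaluated top-down; None means the implicit deny."""
    ip = ipaddress.ip_address(src_ip)
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if ip not in e["src"]:
            continue
        if dst_ip is not None and ipaddress.ip_address(dst_ip) not in e["dst"]:
            continue
        if e["port"] is not None and e["port"] != dst_port:
            continue
        return e
    return None


def top_denies(entries, n=5):
    """Deny entries with the most hits over the counter period."""
    denies = [e for e in entries if e["action"] == "deny"]
    return sorted(denies, key=lambda e: e["matches"], reverse=True)[:n]


def blocked_address_count(entries):
    """Source addresses covered by 'deny ip <network> any' entries (the 'any' catch-all excluded)."""
    return sum(e["src"].num_addresses for e in entries
               if e["action"] == "deny" and e["proto"] == "ip" and e["src"].prefixlen > 0)


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    hit = first_match(acl, "122.225.97.94", "tcp", 22)
    print("122.225.97.94 tcp/22 ->", hit["seq"] if hit else "implicit deny")
    for e in top_denies(acl, 3):
        print(e["seq"], e["src"], e["matches"], "matches")
    print("addresses covered by network denies:", blocked_address_count(acl))
```

Two things the subset shows: SSH from 122.225.97.94 is caught by the generic `deny tcp any any eq 22 log` entry before the 122.224.0.0/12 network entry is ever consulted (the logged denies in the post come from that kind of rule), and a non-SSH packet from the same source would fall to the /12 entry instead. The address total is a sanity check that the wildcards decode to the sizes you expect.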
This happened while posting. Look up the IPs!
12w4d: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 122.225.97.94] [localport: 22] [Reason: Login Authentication Failed] at 22:52:29 UTC Fri Nov 7 2014
2811ADSL#
2811ADSL#
2811ADSL#
12w4d: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 122.225.97.94] [localport: 22] [Reason: Login Authentication Failed] at 22:52:41 UTC Fri Nov 7 2014
12w4d: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 122.225.97.94] [localport: 22] [Reason: Login Authentication Failed] at 22:52:52 UTC Fri Nov 7 2014
12w4d: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 577 secs, [user: root] [Source: 122.225.97.94] [localport: 22] [Reason: Login Authentication Failed] [ACL: 123] at 22:52:52 UTC Fri Nov 7 2014
12w4d: %SEC-6-IPACCESSLOGP: list 123 denied tcp 122.225.97.94(53835) -> 0.0.0.0(22), 1 packet
12w4d: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 122.225.97.94] [localport: 22] [Reason: Login Authentication Failed] at 22:53:06 UTC Fri Nov 7 2014
12w4d: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 122.225.97.94] [localport: 22] [Reason: Login Authentication Failed] [ACL: 123] at 22:53:06 UTC Fri Nov 7 2014
12w4d: %SEC-6-IPACCESSLOGP: list 123 denied tcp 122.225.97.94(2529) -> 0.0.0.0(22), 1 packet
2811ADSL#
2811ADSL#
2811ADSL#
12w4d: %SEC-6-IPACCESSLOGP: list 123 denied tcp 122.225.97.94(6638) -> 0.0.0.0(22), 1 packet
2811ADSL#
2811ADSL#
2811ADSL#
12w4d: %SEC-6-IPACCESSLOGP: list 123 denied tcp 122.225.97.94(2529) -> 0.0.0.0(22), 2 packets
2811ADSL#
2811ADSL#
2811ADSL#
12w4d: %SEC-6-IPACCESSLOGP: list 123 denied tcp 122.225.97.94(6638) -> 0.0.0.0(22), 2 packets
The Cyber war continues!
Fight the EAST!
PS: all servers I manage run ACLs that block problematic ISPs; over 10000 lines are in China.
Am I stereotyping?
Look up the AS of these IPs; where are most from?
Code:
Detailed information about last 50 failures
Username SourceIPAddr lPort Count TimeStamp
root 61.174.51.224 22 3 09:43:02 UTC Wed Nov 5 2014
root 122.225.97.74 22 3 10:22:42 UTC Wed Nov 5 2014
admin 193.104.41.55 22 2 12:24:31 UTC Wed Nov 5 2014
ubnt 222.255.174.66 22 1 13:19:54 UTC Wed Nov 5 2014
cron 89.109.35.104 22 1 15:00:10 UTC Wed Nov 5 2014
root 89.109.35.104 22 1 15:00:32 UTC Wed Nov 5 2014
root 36.250.13.67 22 1 15:01:18 UTC Wed Nov 5 2014
root 218.106.254.121 22 1 16:33:34 UTC Wed Nov 5 2014
root 122.225.97.90 22 3 17:06:09 UTC Wed Nov 5 2014
root 61.174.51.212 22 3 18:54:36 UTC Wed Nov 5 2014
root 122.225.97.88 22 3 21:16:08 UTC Wed Nov 5 2014
root 222.187.220.246 22 3 21:28:51 UTC Wed Nov 5 2014
root 202.202.113.159 22 1 22:40:16 UTC Wed Nov 5 2014
admin 91.220.131.33 22 2 00:19:14 UTC Thu Nov 6 2014
root 122.225.109.212 22 3 01:21:10 UTC Thu Nov 6 2014
ubnt 183.110.253.233 22 1 01:53:27 UTC Thu Nov 6 2014
support 193.104.41.55 22 2 01:55:17 UTC Thu Nov 6 2014
root 122.225.109.221 22 3 02:54:09 UTC Thu Nov 6 2014
root 61.174.50.134 22 3 03:24:30 UTC Thu Nov 6 2014
zhangyan 212.84.78.38 22 1 04:10:55 UTC Thu Nov 6 2014
dff 212.84.78.38 22 1 04:11:07 UTC Thu Nov 6 2014
root 212.84.78.38 22 1 04:11:19 UTC Thu Nov 6 2014
123456 189.203.240.89 22 3 06:14:04 UTC Thu Nov 6 2014
root 122.225.97.80 22 3 09:04:49 UTC Thu Nov 6 2014
root 117.27.158.71 22 3 09:35:31 UTC Thu Nov 6 2014
support 91.220.131.33 22 2 09:50:46 UTC Thu Nov 6 2014
ubnt 193.104.41.55 22 2 10:53:23 UTC Thu Nov 6 2014
XXXXXXXXXXXXXXX 113.107.233.165 22 1 12:25:07 UTC Thu Nov 6 2014
root 122.225.97.125 22 3 13:15:19 UTC Thu Nov 6 2014
root 122.225.97.118 22 3 13:35:31 UTC Thu Nov 6 2014
info 91.220.131.33 22 2 15:53:22 UTC Thu Nov 6 2014
guest 91.220.131.33 22 2 17:08:33 UTC Thu Nov 6 2014
anonymous 193.104.41.55 22 2 17:53:49 UTC Thu Nov 6 2014
root 122.225.97.99 22 3 19:07:31 UTC Thu Nov 6 2014
root 122.225.109.117 22 3 22:20:59 UTC Thu Nov 6 2014
user 91.220.131.33 22 2 01:00:55 UTC Fri Nov 7 2014
admin 91.194.254.144 22 2 02:30:25 UTC Fri Nov 7 2014
root 91.194.254.142 22 1 02:30:10 UTC Fri Nov 7 2014
root 122.225.109.108 22 3 03:44:15 UTC Fri Nov 7 2014
root 122.225.97.106 22 3 06:30:12 UTC Fri Nov 7 2014
postmaster 91.220.131.33 22 2 08:53:09 UTC Fri Nov 7 2014
root 61.174.51.210 22 3 09:45:01 UTC Fri Nov 7 2014
root 91.218.78.58 22 1 10:42:41 UTC Fri Nov 7 2014
root 41.251.216.93 22 3 14:05:47 UTC Fri Nov 7 2014
web 91.220.131.33 22 2 16:44:12 UTC Fri Nov 7 2014
root 218.249.94.2 22 1 17:46:09 UTC Fri Nov 7 2014
root 218.2.0.133 22 2 17:48:12 UTC Fri Nov 7 2014
root 122.225.97.111 22 3 18:37:29 UTC Fri Nov 7 2014
root 117.27.158.89 22 3 19:30:25 UTC Fri Nov 7 2014
root 122.225.97.94 22 3 22:52:52 UTC Fri Nov 7 2014
Thanks for keeping me in expensive shirts and sports cars! None of which come from China.... (that is why shirts cost more than £50)