[Plug-security] Interesting Targets ?

Lisa Kachold lisakachold at obnosis.com
Wed Sep 25 15:02:38 MST 2013


[root at fly-obnosis-com asil]# nmap 110.173.96.6

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-25 13:34 MST
Nmap scan report for 110.173.96.6
Host is up (0.21s latency).
Not shown: 993 closed ports
PORT     STATE    SERVICE
25/tcp   filtered smtp
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
1025/tcp open     NFS-or-IIS
1028/tcp open     unknown
3389/tcp open     ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 20.84 seconds
[root at fly-obnosis-com asil]#

This IP is from DenyHosts, for people trying to get into a mail server via
port 22.

Of course the server administrators are clearly not going to be the
"responsible party"; it's a script kiddie hacker someplace looking for a
mail server they can use semi anonymously.

Another white-hat action would be to SWIP/whois the IPs and report the
access attempts to their administrators with a short contextual message
(for the complete idiot) related to what exactly this could mean.  Of
course logs are required (date/time [from the DenyHosts logs]).

---------- Forwarded message ----------
From: DenyHosts <nobodymail.obnosis.com at mail.localdomain>
Date: Wed, Sep 25, 2013 at 6:13 AM
Subject: DenyHosts Report from mail
To: lisakachold at obnosis.com


Added the following hosts to /etc/hosts.deny:

110.173.96.6 (unknown)

----------------------------------------------------------------------

Here's the rest of the denyhosts entries:


[root at mail ~]# cat /etc/hosts.deny
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# DenyHosts: Thu Aug 29 11:18:13 2013 | sshd: 24.39.234.235
sshd: 24.39.234.235
# DenyHosts: Thu Aug 29 18:13:13 2013 | sshd: 82.165.46.72
sshd: 82.165.46.72
# DenyHosts: Fri Aug 30 02:14:44 2013 | sshd: 61.143.33.222
sshd: 61.143.33.222
# DenyHosts: Fri Aug 30 17:18:44 2013 | sshd: 116.204.96.233
sshd: 116.204.96.233
# DenyHosts: Fri Aug 30 19:21:45 2013 | sshd: 200.199.74.91
sshd: 200.199.74.91
# DenyHosts: Fri Aug 30 21:32:15 2013 | sshd: 189.165.162.112
sshd: 189.165.162.112
# DenyHosts: Sat Aug 31 06:34:15 2013 | sshd: 188.132.176.143
sshd: 188.132.176.143
# DenyHosts: Sat Aug 31 19:35:16 2013 | sshd: 211.154.154.238
sshd: 211.154.154.238
# DenyHosts: Sat Aug 31 23:40:46 2013 | sshd: 183.62.48.44
sshd: 183.62.48.44
# DenyHosts: Sun Sep  1 06:58:47 2013 | sshd: 192.95.25.121
sshd: 192.95.25.121
# DenyHosts: Sun Sep  1 19:31:47 2013 | sshd: 211.147.80.2
sshd: 211.147.80.2
# DenyHosts: Tue Sep  3 01:46:58 2013 | sshd: 61.167.199.232
sshd: 61.167.199.232
# DenyHosts: Tue Sep  3 10:46:28 2013 | sshd: 210.245.23.136
sshd: 210.245.23.136
# DenyHosts: Tue Sep  3 14:07:58 2013 | sshd: 188.190.98.6
sshd: 188.190.98.6
# DenyHosts: Wed Sep  4 18:22:29 2013 | sshd: 218.64.114.103
sshd: 218.64.114.103
# DenyHosts: Thu Sep  5 01:45:59 2013 | sshd: 111.92.237.209
sshd: 111.92.237.209
# DenyHosts: Thu Sep  5 04:00:00 2013 | sshd: 117.41.237.226
sshd: 117.41.237.226
# DenyHosts: Thu Sep  5 05:47:30 2013 | sshd: 113.107.101.234
sshd: 113.107.101.234
# DenyHosts: Thu Sep  5 09:28:01 2013 | sshd: 189.26.255.11
sshd: 189.26.255.11
# DenyHosts: Thu Sep  5 10:44:31 2013 | sshd: 66.199.146.126
sshd: 66.199.146.126
# DenyHosts: Thu Sep  5 19:58:02 2013 | sshd: 75.126.186.26
sshd: 75.126.186.26
# DenyHosts: Fri Sep  6 01:44:02 2013 | sshd: 222.219.187.9
sshd: 222.219.187.9
# DenyHosts: Fri Sep  6 02:41:32 2013 | sshd: 190.29.99.249
sshd: 190.29.99.249
# DenyHosts: Fri Sep  6 03:40:33 2013 | sshd: 123.126.133.131
sshd: 123.126.133.131
# DenyHosts: Fri Sep  6 04:27:33 2013 | sshd: 61.7.235.203
sshd: 61.7.235.203
# DenyHosts: Sat Sep  7 00:41:33 2013 | sshd: 79.142.244.1
sshd: 79.142.244.1
# DenyHosts: Sat Sep  7 00:50:04 2013 | sshd: 210.74.146.146
sshd: 210.74.146.146
# DenyHosts: Sun Sep  8 03:37:04 2013 | sshd: 217.16.12.167
sshd: 217.16.12.167
# DenyHosts: Sun Sep  8 22:30:35 2013 | sshd: 82.165.133.118
sshd: 82.165.133.118
# DenyHosts: Tue Sep 10 04:21:05 2013 | sshd: 75.134.81.100
sshd: 75.134.81.100
# DenyHosts: Tue Sep 10 14:42:35 2013 | sshd: 193.104.68.210
sshd: 193.104.68.210
# DenyHosts: Tue Sep 10 23:03:36 2013 | sshd: 219.138.203.198
sshd: 219.138.203.198
# DenyHosts: Wed Sep 11 06:49:36 2013 | sshd: 172.246.131.170
sshd: 172.246.131.170
# DenyHosts: Wed Sep 11 20:08:07 2013 | sshd: 199.96.132.165
sshd: 199.96.132.165
# DenyHosts: Thu Sep 12 00:04:07 2013 | sshd: 79.143.184.12
sshd: 79.143.184.12
# DenyHosts: Thu Sep 12 11:17:08 2013 | sshd: 221.226.56.22
sshd: 221.226.56.22
# DenyHosts: Thu Sep 12 13:20:08 2013 | sshd: 137.175.46.104
sshd: 137.175.46.104
# DenyHosts: Thu Sep 12 15:06:38 2013 | sshd: 185.10.201.128
sshd: 185.10.201.128
# DenyHosts: Thu Sep 12 18:53:39 2013 | sshd: 121.134.21.116
sshd: 121.134.21.116
# DenyHosts: Fri Sep 13 00:06:39 2013 | sshd: 24.156.69.160
sshd: 24.156.69.160
# DenyHosts: Sat Sep 14 01:53:10 2013 | sshd: 218.108.0.91
sshd: 218.108.0.91
# DenyHosts: Sat Sep 14 04:03:40 2013 | sshd: 122.154.162.3
sshd: 122.154.162.3
# DenyHosts: Sat Sep 14 12:06:41 2013 | sshd: 85.91.136.121
sshd: 85.91.136.121
# DenyHosts: Sat Sep 14 19:49:41 2013 | sshd: 112.216.82.130
sshd: 112.216.82.130
# DenyHosts: Sat Sep 14 20:14:42 2013 | sshd: 210.51.10.65
sshd: 210.51.10.65
# DenyHosts: Sat Sep 14 20:15:12 2013 | sshd: 182.18.31.165
sshd: 182.18.31.165
# DenyHosts: Sun Sep 15 19:27:12 2013 | sshd: 61.191.23.99
sshd: 61.191.23.99
# DenyHosts: Sun Sep 15 23:41:13 2013 | sshd: 118.218.197.140
sshd: 118.218.197.140
# DenyHosts: Mon Sep 16 00:45:43 2013 | sshd: 112.78.3.234
sshd: 112.78.3.234
# DenyHosts: Mon Sep 16 10:44:04 2013 | sshd: 1.229.248.167
sshd: 1.229.248.167
# DenyHosts: Mon Sep 16 19:10:05 2013 | sshd: 61.142.106.34
sshd: 61.142.106.34
# DenyHosts: Tue Sep 17 06:08:05 2013 | sshd: 123.30.143.150
sshd: 123.30.143.150
# DenyHosts: Tue Sep 17 12:41:36 2013 | sshd: 195.143.228.59
sshd: 195.143.228.59
# DenyHosts: Tue Sep 17 23:20:36 2013 | sshd: 202.115.159.143
sshd: 202.115.159.143
# DenyHosts: Wed Sep 18 14:01:36 2013 | sshd: 5.199.137.222
sshd: 5.199.137.222
# DenyHosts: Wed Sep 18 16:19:07 2013 | sshd: 220.178.18.67
sshd: 220.178.18.67
# DenyHosts: Thu Sep 19 04:59:37 2013 | sshd: 203.212.67.4
sshd: 203.212.67.4
# DenyHosts: Thu Sep 19 09:48:38 2013 | sshd: 218.48.11.130
sshd: 218.48.11.130
# DenyHosts: Fri Sep 20 04:25:08 2013 | sshd: 183.232.32.24
sshd: 183.232.32.24
# DenyHosts: Fri Sep 20 14:45:39 2013 | sshd: 189.109.86.114
sshd: 189.109.86.114
# DenyHosts: Sat Sep 21 03:46:10 2013 | sshd: 74.207.240.217
sshd: 74.207.240.217
# DenyHosts: Sat Sep 21 18:36:10 2013 | sshd: 93.157.99.122
sshd: 93.157.99.122
# DenyHosts: Sun Sep 22 00:24:11 2013 | sshd: 219.245.190.5
sshd: 219.245.190.5
# DenyHosts: Mon Sep 23 11:39:41 2013 | sshd: 141.105.66.152
sshd: 141.105.66.152
# DenyHosts: Mon Sep 23 13:26:42 2013 | sshd: 88.150.232.218
sshd: 88.150.232.218
# DenyHosts: Mon Sep 23 17:45:42 2013 | sshd: 115.239.249.9
sshd: 115.239.249.9
# DenyHosts: Mon Sep 23 19:45:43 2013 | sshd: 203.201.42.237
sshd: 203.201.42.237
# DenyHosts: Tue Sep 24 02:41:13 2013 | sshd: 1.215.228.107
sshd: 1.215.228.107
# DenyHosts: Tue Sep 24 17:18:14 2013 | sshd: 60.190.217.184
sshd: 60.190.217.184
# DenyHosts: Wed Sep 25 06:13:44 2013 | sshd: 110.173.96.6
sshd: 110.173.96.6


See:

[root at fly-obnosis-com asil]# nmap 115.239.249.9

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-25 15:00 MST
Nmap scan report for 115.239.249.9
Host is up (0.21s latency).
Not shown: 994 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
25/tcp   filtered smtp
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
4444/tcp filtered krb524

Nmap done: 1 IP address (1 host up) scanned in 14.81 seconds
[root at fly-obnosis-com asil]#

It's a veritable hackfest.

DISCLAIMER:  Hacking any of these <ripe> targets, which clearly have
already been hacked by others, could/should/might constitute illegal acts
and consequences to you.

Warning, Warning, Warning!

But as you can see, there are a great many clueless systems administrators
and servers without management out there.
-- 

(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
it-clowns.com <http://it-clowns.com/c/>
Chief Clown
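The reporting step Lisa describes (date/time taken from the DenyHosts records, plus a short contextual message to the address's administrators) can be scripted. The block below is an added example, not code from the post or from DenyHosts itself. It assumes the "# DenyHosts: <date> | sshd: <ip>" comment format quoted above, that those timestamps are the mail server's local time (DenyHosts writes no zone), and a sample file constructed from three of the entries in the post plus one constructed hand-added line using the documentation address 203.0.113.7. The abuse contact itself still comes from the whois/SWIP lookup the operator runs separately.

```python
"""Turn the DenyHosts comments in /etc/hosts.deny into abuse-report bodies.

Added example (not from the original post or from DenyHosts). It assumes the
'# DenyHosts: <date> | <daemon>: <ip>' comment format quoted in the post and
that the timestamps are the mail server's local time.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List

# Constructed sample: three entries copied from the post's hosts.deny listing
# plus one hand-added line with a documentation address (203.0.113.7).
SAMPLE_HOSTS_DENY = """\
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# DenyHosts: Thu Aug 29 11:18:13 2013 | sshd: 24.39.234.235
sshd: 24.39.234.235
# DenyHosts: Sun Sep  1 06:58:47 2013 | sshd: 192.95.25.121
sshd: 192.95.25.121
# DenyHosts: Wed Sep 25 06:13:44 2013 | sshd: 110.173.96.6
sshd: 110.173.96.6
# added by hand, no DenyHosts record
sshd: 203.0.113.7
"""

DENYHOSTS_LINE = re.compile(
    r"^# DenyHosts: (?P<when>.+?) \| (?P<daemon>\S+): (?P<ip>\S+)$")
ACTIVE_LINE = re.compile(r"^(?P<daemon>[^#\s]+): (?P<ip>\S+)$")
DATE_FORMAT = "%a %b %d %H:%M:%S %Y"  # "Sun Sep  1 06:58:47 2013" (two spaces before 1)


@dataclass(frozen=True)
class Block:
    ip: str
    daemon: str
    blocked_at: datetime  # naive: DenyHosts records no zone, so server local time


def parse_hosts_deny(text: str) -> List[Block]:
    """One Block per '# DenyHosts:' comment. The tcpd header comments and the
    bare 'sshd: ip' lines carry no timestamp and are skipped here."""
    blocks = []
    for line in text.splitlines():
        m = DENYHOSTS_LINE.match(line.strip())
        if m:
            when = datetime.strptime(m.group("when"), DATE_FORMAT)
            blocks.append(Block(m.group("ip"), m.group("daemon"), when))
    return blocks


def unmatched_deny_lines(text: str) -> List[str]:
    """Active deny lines with no DenyHosts comment (hand edits). They have no
    log-backed timestamp, so they cannot go into a report as they stand."""
    recorded = {b.ip for b in parse_hosts_deny(text)}
    unmatched = []
    for line in text.splitlines():
        m = ACTIVE_LINE.match(line.strip())
        if m and m.group("ip") not in recorded:
            unmatched.append(line.strip())
    return unmatched


def blocked_since(blocks: List[Block], cutoff: datetime) -> List[Block]:
    """Entries added at or after `cutoff`, oldest first."""
    return sorted((b for b in blocks if b.blocked_at >= cutoff),
                  key=lambda b: b.blocked_at)


def abuse_report(block: Block, server: str, tz_label: str) -> str:
    """Short contextual message for the address's abuse contact; the contact
    itself comes from the whois/SWIP lookup done separately."""
    return (
        f"Subject: Unauthorized SSH login attempts from {block.ip}\n\n"
        f"The host {block.ip} made repeated failed {block.daemon} login attempts\n"
        f"against {server} and was blocked automatically by DenyHosts at\n"
        f"{block.blocked_at:%Y-%m-%d %H:%M:%S} ({tz_label}). This pattern usually\n"
        f"means the host is compromised and running an SSH brute-force scanner;\n"
        f"please investigate it. Raw log lines are available on request.\n"
    )


if __name__ == "__main__":
    blocks = parse_hosts_deny(SAMPLE_HOSTS_DENY)
    for b in blocked_since(blocks, datetime(2013, 9, 20)):
        print(abuse_report(b, "mail.example.invalid", "MST"))
    for line in unmatched_deny_lines(SAMPLE_HOSTS_DENY):
        print("no DenyHosts record for:", line)
```

The `unmatched_deny_lines` check matters before forwarding anything: a deny line somebody added by hand has no DenyHosts timestamp behind it, and a report without a date/time is exactly the kind of message an upstream abuse desk will ignore. The timezone label is passed in explicitly because the file itself never records one.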