[Plug-security] Example Report to Hosting Providers

Lisa Kachold lisakachold at obnosis.com
Thu Sep 26 16:45:27 MST 2013


It's a rare hosting shop that actually does anything with these, but I do
it anyway.

Here's the example complaint:

---------- Forwarded message ----------
From: Lisa Kachold <lisakachold at obnosis.com>
Date: Thu, Sep 26, 2013
Subject:  Aggressive Hacking Attempts from your IP
To: oles at ovh.net, abuse at ovh.com, support at ovh.net

Complaint:


Aggressive exploit attempts from your hosted IP:

Nmap scan report for 192.95.38.42
Host is up (0.087s latency).
Not shown: 998 filtered ports
PORT      STATE SERVICE
3389/tcp  open  ms-wbt-server
49154/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 12.64 seconds
[root at fly-obnosis-com asil]#

Easily exploited port 3389 is open.  SUSPECT it has been ENCROACHED.

Overview:  http://www.dome9.com/security-challenges/rdp-port-3389-security

IP Ownership:

192.95.38.42 - Geo Information
IP Address: 192.95.38.42 <http://cqcounter.com/traceroute/?query=192.95.38.42>
Host: 192.95.38.42
Location: US, United States
City: Newark, NJ 07102
Organization: OVH Hosting
ISP: OVH Hosting
AS Number: AS16276 OVH Systems
Latitude: 40°73'55" North
Longitude: 74°17'41" West
Distance: 7593.96 km (4718.67 miles)

http://www.ovh.com/us/index.xml

This is a hosting account on an international hosting provider.

Might have to block all of OVH IP Ranges?

http://bgp.he.net/AS16276

---------- Forwarded message ----------
From: DenyHosts <nobody at mail.obnosis.com>
Date: Wed, Sep 25, 2013 at 5:07 PM
Subject: DenyHosts Report from mail
To: lisakachold at obnosis.com


Added the following hosts to /etc/hosts.deny:

192.95.38.42 (unknown)

---------------------------------------------------------------------

LOGs:

# DenyHosts: Wed Sep 25 17:07:15 2013 | sshd: 192.95.38.42
sshd: 192.95.38.42


[root at mail ~]#

Sep 25 17:07:10 server sshd[28818]: Did not receive identification string
from 192.95.38.42
Sep 25 17:07:12 server sshd[28821]: Invalid user admin from 192.95.38.42
Sep 25 17:07:12 server sshd[28821]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.95.38.42
Sep 25 17:07:12 server sshd[28824]: Invalid user admin from 192.95.38.42
Sep 25 17:07:12 server sshd[28830]: Invalid user admin from 192.95.38.42
Sep 25 17:07:13 server sshd[28824]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.95.38.42
Sep 25 17:07:13 server sshd[28830]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.95.38.42
Sep 25 17:07:13 server sshd[28837]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.95.38.42  user=root
Sep 25 17:07:14 server sshd[28841]: Did not receive identification string
from 192.95.38.42
Sep 25 17:07:14 server sshd[28829]: Invalid user admin from 192.95.38.42
Sep 25 17:07:14 server sshd[28829]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.95.38.42
Sep 25 17:07:15 server sshd[28821]: Failed password for invalid user admin
from 192.95.38.42 port 62644 ssh2
Sep 25 17:07:15 server sshd[28824]: Failed password for invalid user admin
from 192.95.38.42 port 62657 ssh2
Sep 25 17:07:15 server sshd[28830]: Failed password for invalid user admin
from 192.95.38.42 port 62671 ssh2
Sep 25 17:07:15 server sshd[28825]: Connection closed by 192.95.38.42
Sep 25 17:07:15 server sshd[28828]: Connection closed by 192.95.38.42
Sep 25 17:07:15 server sshd[28836]: Connection closed by 192.95.38.42
Sep 25 17:07:15 server sshd[28837]: Failed password for root from
192.95.38.42 port 62714 ssh2
Sep 25 17:07:15 server sshd[28840]: Connection closed by 192.95.38.42
Sep 25 17:07:16 server sshd[28829]: Failed password for invalid user admin
from 192.95.38.42 port 62672 ssh2
Sep 25 17:07:16 server sshd[28835]: Connection closed by 192.95.38.42
Sep 25 17:07:16 server sshd[28847]: Invalid user admin from 192.95.38.42
Sep 25 17:07:16 server sshd[28856]: Invalid user admin from 192.95.38.42
Sep 25 17:07:16 server sshd[28847]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.95.38.42
Sep 25 17:07:16 server sshd[28844]: Invalid user admin from 192.95.38.42
Sep 25 17:07:16 server sshd[28850]: Invalid user admin from 192.95.38.42
Sep 25 17:07:16 server sshd[28857]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.95.38.42  user=root
Sep 25 17:07:16 server sshd[28856]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.95.38.42
Sep 25 17:07:16 server sshd[28870]: refused connect from 192.95.38.42
(192.95.38.42)
Sep 25 17:07:16 server sshd[28844]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.95.38.42
Sep 25 17:07:17 server sshd[28873]: refused connect from 192.95.38.42
(192.95.38.42)
Sep 25 17:07:17 server sshd[28850]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.95.38.42
Sep 25 17:07:17 server sshd[28876]: refused connect from 192.95.38.42
(192.95.38.42)
Sep 25 17:07:17 server sshd[28879]: refused connect from 192.95.38.42
(192.95.38.42)
Sep 25 17:07:17 server sshd[28880]: refused connect from 192.95.38.42
(192.95.38.42)
Sep 25 17:07:18 server sshd[28847]: Failed password for invalid user admin
from 192.95.38.42 port 62827 ssh2
Sep 25 17:07:18 server sshd[28850]: Failed password for invalid user admin
from 192.95.38.42 port 62828 ssh2
Sep 25 17:07:19 server sshd[28854]: Connection closed by 192.95.38.42
Sep 25 17:07:19 server sshd[28857]: Failed password for root from
192.95.38.42 port 62834 ssh2
Sep 25 17:07:19 server sshd[28855]: Connection closed by 192.95.38.42
Sep 25 17:07:19 server sshd[28856]: Failed password for invalid user admin
from 192.95.38.42 port 62833 ssh2
Sep 25 17:07:19 server sshd[28844]: Failed password for invalid user admin
from 192.95.38.42 port 62823 ssh2
Sep 25 17:07:19 server sshd[28863]: Connection closed by 192.95.38.42
Sep 25 17:07:19 server sshd[28862]: Connection closed by 192.95.38.42
Sep 25 17:07:19 server sshd[28853]: Connection closed by 192.95.38.42
Sep 25 17:07:19 server sshd[28885]: refused connect from 192.95.38.42
(192.95.38.42)
Sep 25 17:07:19 server sshd[28888]: refused connect from 192.95.38.42
(192.95.38.42)
Sep 25 17:07:19 server sshd[28891]: refused connect from 192.95.38.42
(192.95.38.42)
Sep 25 17:07:19 server sshd[28894]: refused connect from 192.95.38.42
(192.95.38.42)
Sep 25 17:07:19 server sshd[28897]: refused connect from 192.95.38.42
(192.95.38.42)
Sep 25 17:08:25 server sshd[28904]: refused connect from 192.95.38.42
(192.95.38.42)
Sep 25 17:08:26 server sshd[28907]: refused connect from 192.95.38.42
(192.95.38.42)
Sep 25 17:08:26 server sshd[28910]: refused connect from 192.95.38.42
(192.95.38.42)
Sep 25 17:08:28 server sshd[28913]: refused connect from 192.95.38.42
(192.95.38.42)
Sep 25 17:08:28 server sshd[28916]: refused connect from 192.95.38.42
(192.95.38.42)
Sep 25 17:08:28 server sshd[28917]: refused connect from 192.95.38.42
(192.95.38.42)
Sep 25 17:08:28 server sshd[28918]: refused connect from 192.95.38.42
(192.95.38.42)
Sep 25 17:08:28 server sshd[28923]: refused connect from 192.95.38.42
(192.95.38.42)
Sep 25 17:08:28 server sshd[28928]: refused connect from 192.95.38.42
(192.95.38.42)
Sep 25 17:08:28 server sshd[28929]: refused connect from 192.95.38.42
(192.95.38.42)
Sep 25 17:09:31 server sshd[28936]: refused connect from 192.95.38.42
(192.95.38.42)
Sep 25 17:09:31 server sshd[28939]: refused connect from 192.95.38.42
(192.95.38.42)



Times are MST:

-- 

(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
it-clowns.com <http://it-clowns.com/c/>
Chief Clown
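As an added example (not part of the post above, and not DenyHosts' own code), here is a small Python script that turns sshd log lines like the ones in the report into the per-source-IP summary an abuse complaint needs: it re-joins lines that a mail client wrapped, counts failed logins, invalid users, missing identification strings and refused connections per address, records the usernames tried and the time span, and applies an assumed report threshold. The sample log lines are constructed, and the addresses 192.0.2.10 and 198.51.100.7 are documentation-range placeholders.

```python
import re
# Message shapes from the sshd log excerpt above, each tagged with an event label.
PATTERNS = [
    ("failed_password", re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")),
    ("invalid_user", re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)")),
    ("no_ident", re.compile(r"Did not receive identification string from (?P<ip>[\d.]+)")),
    ("refused", re.compile(r"refused connect from (?P<ip>[\d.]+)")),
]
LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")

def unwrap(lines):
    """Re-join log lines that a mail client wrapped onto a continuation line."""
    joined = []
    for line in (l.rstrip() for l in lines):
        if LINE.match(line) or not joined:
            joined.append(line)
        else:
            joined[-1] += " " + line.lstrip()
    return joined

def summarize(lines):
    """Count sshd events per source IP; record the users tried and the time span."""
    out = {}
    for m in filter(None, map(LINE.match, unwrap(lines))):
        for label, pat in PATTERNS:
            e = pat.search(m["msg"])
            if not e:
                continue
            s = out.setdefault(e["ip"], {"first": m["ts"], "last": None, "users": set(), **{k: 0 for k, _ in PATTERNS}})
            s[label] += 1
            s["last"] = m["ts"]
            if e.groupdict().get("user"):
                s["users"].add(e["user"])
    return out

def should_report(summary, threshold=5):
    """Assumed cutoff (not DenyHosts' actual config): report an IP at this many failed logins."""
    return summary["failed_password"] >= threshold

# Constructed sample in the page's log format; 192.0.2.10 and 198.51.100.7 are documentation addresses.
SAMPLE = """\
Sep 25 17:07:15 server sshd[28821]: Failed password for invalid user admin from 192.0.2.10 port 62644 ssh2
Sep 25 17:07:15 server sshd[28837]: Failed password for root from 192.0.2.10 port 62714 ssh2
Sep 25 17:07:18 server sshd[28847]: Failed password for invalid user admin from 192.0.2.10 port 62827 ssh2
Sep 25 17:07:19 server sshd[28857]: Failed password for root from 192.0.2.10 port 62834 ssh2
Sep 25 17:07:19 server sshd[28856]: Failed password for invalid user admin
from 192.0.2.10 port 62833 ssh2
Sep 25 17:08:25 server sshd[28904]: refused connect from 192.0.2.10 (192.0.2.10)
Sep 25 17:09:00 server sshd[28950]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2
""".splitlines()
```

Feed it the output of `grep sshd /var/log/secure` (or the pasted excerpt from a DenyHosts mail) and the per-IP dictionaries give the counts, usernames and first/last timestamps to paste into the complaint.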