  1. #1

    What's Wrong With This? Sudden Burst Of Hack Attempts.

    Edit: I think this is in the wrong Forum, feel free to move it to the Technical and Security Issues Forum.

    I woke up this morning to a nice big log sent to me from my server.

    sshd:
    Invalid Users:
    Unknown Account: 304 Time(s)
    Authentication Failures:
    adm (210.219.250.124 ): 8 Time(s)
    daemon (210.219.250.124 ): 8 Time(s)
    mysql (210.219.250.124 ): 16 Time(s)
    unknown (210.219.250.124 ): 304 Time(s)
    ftp (210.219.250.124 ): 16 Time(s)
    nobody (210.219.250.124 ): 8 Time(s)
    root (www.speedhost.com ): 1 Time(s)
    lp (210.219.250.124 ): 8 Time(s)

    I thought I should inform you guys of this IP in case they try anything on anyone who visits this Forum; they're damned persistent.

    I have no idea who the hell SpeedHost is, and why they tried to gain root access to my server. But the other IP is more confusing.

    Should I pretty much class this as a hack attempt?

  2. #2
    I did some quick follow-up work in the APNIC database (ARIN told me to go there.. ^_^).. and this is what I got.

    inetnum: 210.219.0.0 - 210.219.255.255
    netname: KRNIC-KR
    descr: KRNIC
    descr: Korea Network Information Center
    country: KR
    admin-c: HM127-AP
    tech-c: HM127-AP
    remarks: ******************************************
    remarks: KRNIC is the National Internet Registry
    remarks: in Korea under APNIC. If you would like to
    remarks: find assignment information in detail
    remarks: please refer to the KRNIC Whois DB
    remarks: http://whois.nic.or.kr/english/index.html
    remarks: ******************************************
    mnt-by: APNIC-HM
    mnt-lower: MNT-KRNIC-AP
    changed: [email protected] 19990324
    changed: [email protected] 20010606
    changed: [email protected] 20040319
    status: ALLOCATED PORTABLE
    source: APNIC

    person: Host Master
    address: 11F, KTF B/D, 1321-11, Seocho2-Dong, Seocho-Gu,
    address: Seoul, Korea, 137-857
    country: KR
    phone: +82-2-2186-4500
    fax-no: +82-2-2186-4496
    e-mail: [email protected]
    nic-hdl: HM127-AP
    mnt-by: MNT-KRNIC-AP
    changed: [email protected] 20020507
    source: APNIC

  3. #3
    Greetings:

    We've seen increases all across the board.

    We recently helped an NTT/Verio VPS generation 1 client who was hacked by a 19 year old Russian lady. She used a PHP exploit along with a PHP telnet program to deface a number of Web sites.

    SSH tidbits:

    1. Use protocol 2, make sure you don't allow empty passwords.

    2. If you have static IPs, use your firewall and tcpwrappers to limit SSH by IP.

    Apache Tidbit:

    mod_security from http://www.modsecurity.org/ is awesome.

    Lastly, security is a way of life. You harden, you watch daily, you adjust daily, you re-harden, etc.

    Thank you.
    ---
    Peter M. Abraham

  4. #4
    3) If you can't restrict logins by IP, at least limit login attempts (ssh and ftp) to something like 3 attempts before disconnect.

  5. #5
    Mm, I haven't noticed anything on mine.

  6. #6
    Could it be possible you have a similar IP range to speedhost and that someone there has mis-keyed an address?

    Just an idea and would explain a single attempt.

    Probably miles off.

  7. #7
    This is sort of off topic, but may help. What I personally do is place all clients under different domains than the one I use to host with.

    For instance, my hosting domain name may be called herodougshosting.com, and my clients may be under the domain name genericdns1.com (<= Not real).

    It should help provide a bit of extra security, especially if you host your main site off your main network/datacenter.

  8. #8
    Seems like a really bored hacker.
    Jim Reardon - jim/amusive.com

  9. #9
    I'm not a host so I don't have to worry about any customers, I use it to host my personal sites though.

    Strong, they did it wrong 304 times? They used a variety of usernames and passwords, more than I've listed above.

    Well I guess it gave me something to look at this morning.

  10. #10
    Maybe they were trying to brute force in? or hope for something left open.

  11. #11
    Seems like they tried everything?

    Doesn't look like an exploit of some sort was tried, just a brute force, which didn't produce much...

  12. #12
    Originally posted by Vamp22
    Maybe they were trying to brute force in? or hope for something left open.
    Yeah, same thought. They must be script-kiddie nooblets if they did use brute force. There should be a program that disallows access after a certain number of tries; this should effectively render brute force useless.
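As an added example (not code posted in this thread), here is a small Python script that does what posts #4 and #12 describe: it counts sshd password failures per account and per source IP from auth.log-style lines and lists the sources that reach an attempts threshold. The log lines are constructed in the format sshd writes; the hostname, the IPs other than the one from the original post, and the threshold of 3 are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in sshd/auth.log format (not taken from the thread's logwatch report).
# 210.219.250.124 is the source from the original post; the other addresses are documentation ranges.
SAMPLE_LOG = """\
Mar  9 03:12:01 host sshd[4101]: Failed password for invalid user adm from 210.219.250.124 port 40122 ssh2
Mar  9 03:12:03 host sshd[4101]: Failed password for invalid user adm from 210.219.250.124 port 40122 ssh2
Mar  9 03:12:05 host sshd[4103]: Failed password for mysql from 210.219.250.124 port 40130 ssh2
Mar  9 03:12:09 host sshd[4105]: Failed password for invalid user test from 210.219.250.124 port 40141 ssh2
Mar  9 03:15:44 host sshd[4220]: Failed password for root from 192.0.2.10 port 51002 ssh2
Mar  9 03:20:00 host sshd[4300]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2
"""

# "invalid user" is present when the account does not exist on the box (the "Unknown Account" bucket).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text):
    """Yield (user, ip, is_unknown_account) for every failed sshd password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip"), bool(m.group("invalid"))


def summarize(log_text):
    """Logwatch-style summary: failures per (user, ip), failures per source IP, unknown-account count."""
    per_account, per_ip, unknown = Counter(), Counter(), 0
    for user, ip, is_unknown in parse_failures(log_text):
        per_account[(user, ip)] += 1
        per_ip[ip] += 1
        unknown += is_unknown
    return per_account, per_ip, unknown


def sources_to_block(log_text, threshold=3):
    """Source IPs with at least `threshold` failures: the 'N attempts, then cut them off' policy."""
    _, per_ip, _ = summarize(log_text)
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    accounts, _, unknown = summarize(SAMPLE_LOG)
    print(f"Unknown Account: {unknown} Time(s)")
    for (user, ip), n in sorted(accounts.items()):
        print(f"{user} ({ip}): {n} Time(s)")
    print("block:", sources_to_block(SAMPLE_LOG))
```

Feeding the block list to the firewall or /etc/hosts.deny is the part tcpwrappers-based tools automate; counting per source rather than per account is what makes a 304-attempt burst from one IP stand out.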

  14. #14
    Well whoever it is I wouldn't be too worried, just keep your software and kernel updated and run some vuln scanners on it (99.9% of kiddie hackers will run vuln scanners then use some program to exploit it).

  15. #15
    Sorry to disagree with you ebradsha, but someone using burglary tools on my front door is a criminal. No honest person would try to jimmy a lock.

    If it is a juvenile, that is why we have juvenile courts, to socialize the members growing up in society who have parents who lack parenting skills.

    I don't think you would be so lenient if your system was broken into and all files erased.

    regards,

    kenobi
