  1. #1
    Join Date
    Jul 2002
    Location
    USA
    Posts
    1,125

    I strongly suggest blocking this IP

    This IP has scanned 3 of our machines and 5 of our customers all on three different networks in the past week.

    test1/password from 210.219.250.124: 9 Time(s)
    test2/none from 210.219.250.124: 18 Time(s)
    test2/password from 210.219.250.124: 9 Time(s)
    user/none from 210.219.250.124: 36 Time(s)
    user/password from 210.219.250.124: 18 Time(s)
    webmaster/none from 210.219.250.124: 36 Time(s)
    webmaster/password from 210.219.250.124: 18 Time(s)

    The guy goes around looking for default logins, attempting to use generic passwords. So far, he has not found anything, but I would enter that IP into your firewalls. Looks to be from Korea.

    Regards,
    Rob

  2. #2
    Join Date
    Feb 2003
    Location
    Kuala Lumpur, Malaysia
    Posts
    4,974
    I believe that is from a hacked box.

  3. #3
    Greetings:

    FYI.

    inetnum: 210.219.0.0 - 210.219.255.255
    netname: KRNIC-KR
    descr: KRNIC
    descr: Korea Network Information Center
    country: KR
    admin-c: HM127-AP
    tech-c: HM127-AP
    remarks: ******************************************
    remarks: KRNIC is the National Internet Registry
    remarks: in Korea under APNIC. If you would like to
    remarks: find assignment information in detail
    remarks: please refer to the KRNIC Whois DB
    remarks: http://whois.nic.or.kr/english/index.html
    remarks: ******************************************
    mnt-by: APNIC-HM
    mnt-lower: MNT-KRNIC-AP
    changed: [email protected] 19990324
    changed: [email protected] 20010606
    changed: [email protected] 20040319
    status: ALLOCATED PORTABLE
    source: APNIC

    person: Host Master
    address: 11F, KTF B/D, 1321-11, Seocho2-Dong, Seocho-Gu,
    address: Seoul, Korea, 137-857
    country: KR
    phone: +82-2-2186-4500
    fax-no: +82-2-2186-4496
    e-mail: [email protected]
    nic-hdl: HM127-AP
    mnt-by: MNT-KRNIC-AP
    changed: [email protected] 20020507
    source: APNIC


    Thank you.
    ---
    Peter M. Abraham

  4. #4
    There's a thread on this IP already.

    Here's my experience with him.

    Authentication Failures:
    adm (210.219.250.124 ): 8 Time(s)
    daemon (210.219.250.124 ): 8 Time(s)
    mysql (210.219.250.124 ): 16 Time(s)
    unknown (210.219.250.124 ): 304 Time(s)
    ftp (210.219.250.124 ): 16 Time(s)
    nobody (210.219.250.124 ): 8 Time(s)
    lp (210.219.250.124 ): 8 Time(s)

    Email [email protected] with a report.

  5. #5
    Join Date
    Jul 2002
    Location
    USA
    Posts
    1,125
    Originally posted by UltraUnixNET
    I believe that is from a hacked box.
    No, those were failed login attempts. And that is just a small percentage of them too!

  6. #6
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,290
    Rob_AcuNett,

    I believe he was saying it was a hacked box running a bot scanning your server.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  7. #7
    Join Date
    Nov 2003
    Location
    on the 'net
    Posts
    1,187
    Hey Rob,

    When I first saw this thread I thought "That would be a great way to mess with someone - get everyone to block their IP"... then I saw the message was from a trusted source (you).

    I just add the IP to APF's deny_hosts.rules, right?

  8. #8
    Join Date
    Jul 2002
    Location
    USA
    Posts
    1,125
    Yes, that is correct.

    It most likely is a hacked machine because they have hit so many different networks in only one week!

  9. #9
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,290
    Originally posted by sightz
    Hey Rob,

    When I first saw this thread I thought "That would be a great way to mess with someone - get everyone to block their IP"... then I saw the message was from a trusted source (you).

    I just add the IP to APF's deny_hosts.rules, right?
    if you have apf

    /etc/apf/apf -d IP
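    As an added example (not code from any poster in this thread), a small Python script that parses the two logwatch-style summary formats quoted above, totals failed logins per source address and the spread of usernames tried, and renders the /etc/apf/apf -d IP command from the reply above for sources that look like a sweep of generic accounts. The sample lines, the 192.0.2.7 address and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the two logwatch summary formats quoted in this thread,
# plus one low-volume source on a documentation address (192.0.2.7) for contrast.
SAMPLE_REPORT = """\
test1/password from 210.219.250.124: 9 Time(s)
user/none from 210.219.250.124: 36 Time(s)
webmaster/none from 210.219.250.124: 36 Time(s)
adm (210.219.250.124 ): 8 Time(s)
unknown (210.219.250.124 ): 304 Time(s)
root/password from 192.0.2.7: 2 Time(s)
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_FORMATS = (  # "user/method from IP: N Time(s)" and "user (IP ): N Time(s)"
    re.compile(rf"^(?P<user>[^/\s]+)/\S+ from (?P<ip>{IPV4}): (?P<n>\d+) Time\(s\)$"),
    re.compile(rf"^(?P<user>\S+) \((?P<ip>{IPV4}) ?\): (?P<n>\d+) Time\(s\)$"),
)

def parse_failures(report):
    """Return (ip, user, count) tuples; lines in neither format are skipped."""
    records = []
    for line in report.splitlines():
        for pattern in LINE_FORMATS:
            m = pattern.match(line.strip())
            if m:
                records.append((m["ip"], m["user"], int(m["n"])))
                break
    return records

def summarize(records):
    """Per source IP: total failed attempts and the set of usernames tried."""
    summary = defaultdict(lambda: {"attempts": 0, "users": set()})
    for ip, user, count in records:
        summary[ip]["attempts"] += count
        summary[ip]["users"].add(user)
    return dict(summary)

def flagged_sources(summary, min_attempts=50, min_users=3):
    """IPs whose volume and username spread look like a credential sweep
    (the thresholds are assumed defaults, not values from the thread)."""
    return sorted(ip for ip, s in summary.items()
                  if s["attempts"] >= min_attempts and len(s["users"]) >= min_users)

def apf_deny_commands(ips):
    """Render the APF deny command quoted in the thread for each IP (not executed)."""
    return [f"/etc/apf/apf -d {ip}" for ip in ips]
```

Review the flagged list before feeding the rendered commands to APF; a single source hitting one account a couple of times is normal noise, while many accounts at high volume from one address is the pattern described in this thread.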

  10. #10
    Also, I doubt those scans are much cause for concern unless you really like using those common logins/passwords. This is one of the reasons why dictionary passwords are not a good idea.
    Like us on Facebook to qualify for discounts!
    http://www.sprintserve.net
    Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting |
    Services: | Managed Multiple Cores 64bit Servers | Server Management |
