  1. #1
    Join Date
    Nov 2002
    Location
    Portland, Oregon
    Posts
    2,948

    Someone's dedicated server at burstnet has probably been rooted.

    I have reported this to BurstNET admin/abuse/NOC and have added a line to block them for now.

    Does this belong to anyone??? Nslookup/dig reveals nothing.

    This is my /var/log/messages
    Mar 19 19:24:50 ginger sshd[11565]: Failed password for root from 66.197.245.241 port 46346 ssh2
    Mar 19 19:24:50 ginger sshd[11565]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar 19 19:24:51 ginger sshd[11567]: Failed password for root from 66.197.245.241 port 46407 ssh2
    Mar 19 19:24:52 ginger sshd[11567]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar 19 19:24:53 ginger sshd[11569]: Failed password for root from 66.197.245.241 port 46468 ssh2
    Mar 19 19:24:53 ginger sshd[11569]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar 19 19:24:55 ginger sshd[11571]: Failed password for root from 66.197.245.241 port 46531 ssh2
    Mar 19 19:24:55 ginger sshd[11571]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar 19 19:24:57 ginger sshd[11573]: Failed password for root from 66.197.245.241 port 46584 ssh2
    Mar 19 19:24:57 ginger sshd[11573]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
    | John Edel Jetfire Networks L.L.C. Trusted Hosting Solutions
    | Consistent, Reliable, Stable OpenVZ & KVM Virtual Private Servers
    | SpamWall AV & Full SMTP Filtering
    Now an SSLStore Titanium Partner!

  2. #2
    Join Date
    Feb 2008
    Posts
    38
    Only BurstNet's team can help you.
    I have the same with my server on BurstNet.
    Code:
    Mar 17 09:38:59 hst2 sshd[26819]: reverse mapping checking getaddrinfo for 66-197-255-197.hostnoc.net [66.197.255.197] failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar 17 09:38:59 hst2 sshd[26821]: reverse mapping checking getaddrinfo for 66-197-255-197.hostnoc.net [66.197.255.197] failed - POSSIBLE BREAK-IN ATTEMPT!
    ...
    Last edited by Andrew_I; 03-20-2008 at 05:28 AM. Reason: Update
    Smart Power Asia - Electronics - Mobile Electronics Store. Sell i-mobile, Oppo, Samsung. Worldwide shipping.

  3. #3
    Join Date
    Nov 2002
    Location
    Portland, Oregon
    Posts
    2,948
    Quote Originally Posted by Andrew_I View Post
    Only BurstNet's team can help you.
    I know that.

    Hmm. Yours has a different IP. Masking? Compromised? Hmph. Either way I had to block them at the router until I hear back from the NOC over there.

  4. #4
    Join Date
    Mar 2007
    Location
    UK
    Posts
    852
    Keep us updated. If it's more than one IP, it could mean a few servers over at BurstNet have been compromised, or are being used for this specific purpose.
    Last edited by Ashley Merrick; 03-20-2008 at 08:34 AM. Reason: Spelling Correction
    ZXPlay
    Premium Virtual Private Servers | Dedicated Media Streaming Servers
    Dedicated Resources | EU Based
    www.zxplay.co.uk

  5. #5
    Join Date
    Nov 2002
    Location
    Portland, Oregon
    Posts
    2,948
    My feelings exactly, Ashley. I am watching /var/log/all on the machine that was hit last night, and I'm watching my other 5 machines as well.

    BurstNet is well aware now that there are reports from multiple IPs. Hopefully they'll get this fixed quickly so I can remove the ACL stuff from the router and allow traffic to/from them again.

  6. #6
    phreek338 Guest
    just block their entire subnet hehe

  7. #7
    Join Date
    Apr 2004
    Location
    Singapore
    Posts
    1,506
    Quote Originally Posted by phreek338 View Post
    just block their entire subnet hehe
    Those attacks are from the internal network. If you block the entire subnet, it is the same as blocking yourself if your machine falls on the same subnet.
    tanfwc
    Singapore Managed Colocation
    Singapore BGP Announcement
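
Added example, not part of any poster's message: a Python sketch that tallies the two sshd line types quoted in this thread per source IP (recovering the IP for the unbracketed reverse-mapping form via the sshd PID) and checks whether widening a host block to the surrounding subnet would cut off one of your own machines. The log lines, hostnames and addresses are constructed (documentation ranges), and the function names, threshold and /24 prefix are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

FAILED = re.compile(r"sshd\[(\d+)\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
REVMAP = re.compile(r"sshd\[(\d+)\]: reverse mapping checking getaddrinfo for \S+"
                    r"(?: \[([0-9a-fA-F.:]+)\])? failed")

# Constructed sample (documentation addresses) mirroring both line formats in the thread.
SAMPLE_LOG = """\
Mar 19 19:24:50 web1 sshd[101]: Failed password for root from 198.51.100.77 port 46346 ssh2
Mar 19 19:24:50 web1 sshd[101]: reverse mapping checking getaddrinfo for host77.example.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 19 19:24:51 web1 sshd[102]: Failed password for root from 198.51.100.77 port 46407 ssh2
Mar 19 19:24:53 web1 sshd[103]: Failed password for root from 198.51.100.77 port 46468 ssh2
Mar 19 19:25:10 web1 sshd[104]: reverse mapping checking getaddrinfo for host9.example.net [198.51.100.9] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 19 19:26:02 web1 sshd[105]: Failed password for admin from 203.0.113.5 port 50112 ssh2
"""

def summarize(log_text):
    """Count failed passwords and reverse-mapping warnings per source IP."""
    lines = log_text.splitlines()
    pid_ip = {}  # sshd PID -> source IP (PIDs can be reused in long logs)
    stats = defaultdict(lambda: {"failed": 0, "revmap": 0})
    for line in lines:
        m = FAILED.search(line)
        if m:
            pid_ip[m.group(1)] = m.group(3)
            stats[m.group(3)]["failed"] += 1
    for line in lines:
        m = REVMAP.search(line)
        if m:
            # The unbracketed form carries no IP: recover it from the same sshd PID.
            ip = m.group(2) or pid_ip.get(m.group(1))
            if ip:
                stats[ip]["revmap"] += 1
    return dict(stats)

def block_plan(stats, own_addrs, threshold=3, prefix=24):
    """Propose a host block per noisy source and flag subnet blocks that hit own hosts."""
    own = [ipaddress.ip_address(a) for a in own_addrs]
    plan = []
    for ip, s in sorted(stats.items()):
        if s["failed"] < threshold:
            continue
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        hit = [str(a) for a in own if a in net]
        plan.append({"block": f"{ip}/{net.max_prefixlen}", "subnet": str(net), "would_cut_off": hit})
    return plan

if __name__ == "__main__":
    for entry in block_plan(summarize(SAMPLE_LOG), ["198.51.100.20"]):
        print(entry)
```

A non-empty `would_cut_off` list means the wider block covers one of your own addresses, so the single-host block is the safer rule.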

  8. #8
    Join Date
    Mar 2008
    Location
    kolkata, India
    Posts
    102
    If you don't have any problem, can you please provide us all the IPs / DNS (maybe all relating to the IPs), so that we can do some audit?
    Sysfirm
    So you think your server is secure?
    Try our security Service
    With SysFirm
