Name and Shame Volume 1 82.98.131.66
So I’ve decided to start some name and shame posts for “naughty” IPs that trip an IDS, turn up in my log audits etc. … and who are woefully ill-prepared …
Dear 82.98.131.66,
This post is for you. I’m not sure what you hope to gain by failing repeatedly to gain access to this blog (god knows I hardly have time to update it …), but doing it from a host with all your ports open is probably not the best idea in the world, so here’s some information on you.
And for anyone else reading this, I usually end up ignoring the standard user enumeration and brute force attacks (as the offenders get blacklisted very quickly); in this case, however, it was a targeted attempt …
Your ISP’s whois
inetnum: 82.98.128.0 - 82.98.143.255
netname: DINA-HOSTING1
descr: PROVIDER Local Registry
descr: Dinahosting S.L.
country: ES
admin-c: RB1624-RIPE
tech-c: EP2912-RIPE
status: ASSIGNED PA
mnt-by: DINAHOSTING-MNT
mnt-lower: DINAHOSTING-MNT
mnt-routes: DINAHOSTING-MNT
source: RIPE # Filtered
person: Ruben Bouso
address: Rua das Salvadas, 41
15705 - Santiago de Compostela
Spain
phone: +34900854000
fax-no: +34981577449
e-mail: [email protected]
nic-hdl: RB1624-RIPE
mnt-by: DINAHOSTING-MNT
source: RIPE # Filtered
person: Eladio Perez
address: Rua das Salvadas, 41
15705 - Santiago de Compostela
Spain
phone: +34 900854000
e-mail: [email protected]
nic-hdl: EP2912-RIPE
mnt-by: DINAHOSTING-MNT
source: RIPE # Filtered
% Information related to '82.98.128.0/18AS42612'
route: 82.98.128.0/18
descr: First Dinahosting S.L. prefix
origin: AS42612
mnt-by: DINAHOSTING-MNT
mnt-lower: DINAHOSTING-MNT
mnt-routes: DINAHOSTING-MNT
source: RIPE # Filtered
Log of you attempting to get access to FTP
Jun 12 20:02:45 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=15007 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 12 20:02:45 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=15008 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=92 RES=0x00 ACK URGP=0
Jun 12 20:02:45 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=15009 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=92 RES=0x00 ACK URGP=0
Jun 12 20:02:45 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=65 TOS=0x00 PREC=0x00 TTL=56 ID=15010 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=92 RES=0x00 ACK PSH URGP=0
Jun 12 20:02:45 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=65 TOS=0x00 PREC=0x00 TTL=56 ID=15011 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=92 RES=0x00 ACK PSH URGP=0
Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=58 TOS=0x00 PREC=0x00 TTL=56 ID=15012 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=92 RES=0x00 ACK PSH URGP=0
Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=15013 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=92 RES=0x00 ACK FIN URGP=0
Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=48056 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=15014 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=92 RES=0x00 ACK URGP=0
Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=48057 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=92 RES=0x00 ACK URGP=0
Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=48058 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=92 RES=0x00 ACK URGP=0
Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=65 TOS=0x00 PREC=0x00 TTL=56 ID=48059 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=92 RES=0x00 ACK PSH URGP=0
Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=69 TOS=0x00 PREC=0x00 TTL=56 ID=48060 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=92 RES=0x00 ACK PSH URGP=0
Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=58 TOS=0x00 PREC=0x00 TTL=56 ID=48061 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=92 RES=0x00 ACK PSH URGP=0
Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=48062 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=92 RES=0x00 ACK FIN URGP=0
Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=18719 DF PROTO=TCP SPT=58295 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=48063 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=92 RES=0x00 ACK URGP=0
Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=18720 DF PROTO=TCP SPT=58295 DPT=21 WINDOW=92 RES=0x00 ACK URGP=0
Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=18721 DF PROTO=TCP SPT=58295 DPT=21 WINDOW=92 RES=0x00 ACK URGP=0
Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=69 TOS=0x00 PREC=0x00 TTL=56 ID=18722 DF PROTO=TCP SPT=58295 DPT=21 WINDOW=92 RES=0x00 ACK PSH URGP=0
Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=65 TOS=0x00 PREC=0x00 TTL=56 ID=18723 DF PROTO=TCP SPT=58295 DPT=21 WINDOW=92 RES=0x00 ACK PSH URGP=0
Jun 12 20:02:52 132 fail2ban.actions: WARNING [vsftpd-iptables] Ban 82.98.131.66
Jun 12 20:32:53 132 fail2ban.actions: WARNING [vsftpd-iptables] Unban 82.98.131.66
...
Jun 12 20:02:46 132 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=saiweb rhost=hl45.dinaserver.com user=saiweb
Jun 12 20:02:48 132 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=saiweb rhost=hl45.dinaserver.com user=saiweb
Jun 12 20:02:51 132 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=saiwebcouk rhost=hl45.dinaserver.com
...
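The ban at 20:02:52 is fail2ban reacting to the third PAM failure in six seconds. As an added example (not the post’s own code, and not fail2ban’s), the Python below reproduces that decision over the log lines above: it parses the iptables LOG lines and the vsftpd pam_unix failures, counts connection attempts by SYN rather than by packet (the excerpt shows three connections, not seventeen attacks), attributes each PAM failure, which carries only the reverse-DNS name hl45.dinaserver.com, to the source IP of the most recent SYN on port 21, and then applies a maxretry/findtime window. fail2ban resolves such names itself (its usedns setting); recovering the IP from the firewall log is an alternative that does not depend on DNS. The sample lines are constructed from the excerpt (MAC shortened, one unrelated SYN to port 22 from 198.51.100.7 added as noise); maxretry=3, findtime=600 s, the 5-second attribution window and the year 2011 are all assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOG_YEAR = 2011  # syslog lines carry no year; assumed from the post's date

# Constructed sample input, copied from the excerpt above with the MAC field shortened.
# The 198.51.100.7 line is an unrelated SYN to sshd, added here as noise.
KERNEL_LINES = [
    "Jun 12 20:02:45 132 kernel: IN=eth0 OUT= MAC=xx SRC=82.98.131.66 DST=81.201.132.43 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=15007 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jun 12 20:02:45 132 kernel: IN=eth0 OUT= MAC=xx SRC=82.98.131.66 DST=81.201.132.43 LEN=65 TOS=0x00 PREC=0x00 TTL=56 ID=15010 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=92 RES=0x00 ACK PSH URGP=0",
    "Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=xx SRC=82.98.131.66 DST=81.201.132.43 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=48056 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jun 12 20:02:50 132 kernel: IN=eth0 OUT= MAC=xx SRC=198.51.100.7 DST=81.201.132.43 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=100 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=xx SRC=82.98.131.66 DST=81.201.132.43 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=18719 DF PROTO=TCP SPT=58295 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0",
]
PAM_LINES = [
    "Jun 12 20:02:46 132 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=saiweb rhost=hl45.dinaserver.com user=saiweb",
    "Jun 12 20:02:48 132 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=saiweb rhost=hl45.dinaserver.com user=saiweb",
    "Jun 12 20:02:51 132 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=saiwebcouk rhost=hl45.dinaserver.com",
]

SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
# iptables LOG target: key=value fields, TCP flags listed bare between RES= and URGP=
KERNEL_RE = re.compile(
    SYSLOG_TS + r" \S+ kernel: .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?"
    r"PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) .*?"
    r"RES=0x[0-9a-fA-F]+ (?P<flags>(?:[A-Z]+ )+)URGP="
)
# pam_unix failure; rhost is whatever vsftpd logged (a reverse-DNS name here), user= may be absent
PAM_RE = re.compile(
    SYSLOG_TS + r" \S+ vsftpd: pam_unix\(vsftpd:auth\): authentication failure; "
    r".*?ruser=(?P<ruser>\S*) rhost=(?P<rhost>\S+)(?: user=(?P<user>\S+))?"
)


def parse_ts(text):
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=LOG_YEAR)


def parse_kernel(lines):
    events = []
    for line in lines:
        m = KERNEL_RE.match(line)
        if not m:
            continue
        events.append({"ts": parse_ts(m["ts"]), "src": m["src"], "dst": m["dst"],
                       "proto": m["proto"], "spt": int(m["spt"]), "dpt": int(m["dpt"]),
                       "flags": frozenset(m["flags"].split())})
    return sorted(events, key=lambda e: e["ts"])


def new_connections(events):
    """Connection attempts per (src, dport): one per pure SYN, not one per logged packet."""
    counts = Counter()
    for e in events:
        if e["proto"] == "TCP" and e["flags"] == {"SYN"}:
            counts[(e["src"], e["dpt"])] += 1
    return counts


def parse_pam(lines):
    out = []
    for line in lines:
        m = PAM_RE.match(line)
        if m:
            out.append({"ts": parse_ts(m["ts"]), "ruser": m["ruser"],
                        "rhost": m["rhost"], "user": m["user"]})
    return out


def attribute_failures(pam_events, kernel_events, dpt=21, window=timedelta(seconds=5)):
    """Attach the source IP of the most recent SYN to `dpt` (within `window`) to each
    PAM failure, since PAM only recorded the reverse-DNS name. ip=None if nothing matches."""
    syns = [e for e in kernel_events
            if e["proto"] == "TCP" and e["dpt"] == dpt and e["flags"] == {"SYN"}]
    attributed = []
    for f in pam_events:
        candidates = [e for e in syns if f["ts"] - window <= e["ts"] <= f["ts"]]
        ip = max(candidates, key=lambda e: e["ts"])["src"] if candidates else None
        attributed.append(dict(f, ip=ip))
    return attributed


def ban_decisions(failures, maxretry=3, findtime=timedelta(seconds=600)):
    """fail2ban-style rule: ban an IP at the failure that brings its count inside
    `findtime` to `maxretry`. Returns [(ban_time, ip)]; a banned IP is not re-evaluated."""
    recent = defaultdict(list)
    banned = {}
    for f in sorted(failures, key=lambda f: f["ts"]):
        ip = f["ip"]
        if ip is None or ip in banned:
            continue
        recent[ip] = [t for t in recent[ip] if f["ts"] - t <= findtime] + [f["ts"]]
        if len(recent[ip]) >= maxretry:
            banned[ip] = f["ts"]
    return sorted((ts, ip) for ip, ts in banned.items())


if __name__ == "__main__":
    events = parse_kernel(KERNEL_LINES)
    for (src, dpt), n in new_connections(events).items():
        print(f"{src} -> tcp/{dpt}: {n} connection attempt(s)")
    failures = attribute_failures(parse_pam(PAM_LINES), events)
    for ts, ip in ban_decisions(failures):
        print(f"{ts:%b %d %H:%M:%S} ban {ip}")
```

On the sample above this reports three connection attempts to tcp/21 from 82.98.131.66, one to tcp/22 from the noise host, and a ban of 82.98.131.66 at 20:02:51, one second before the real fail2ban entry (fail2ban polls the log, so its own timestamp lags slightly). Lowering the attribution window or raising maxretry changes the verdict, which is the point of keeping both as parameters.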
Can anyone say firewall?
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
587/tcp open submission
3306/tcp open mysql
You need to read this NOW!
Server: Apache/2.2.0 (Fedora) PHP/5.2.9 with Suhosin-Patch
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1
Debian? seriously?
SSH-2.0-OpenSSH_5.1p1 Debian-5
MySQL seems recent at least
5.1.32-log?yV!>VvoI?^~"(D\$::QjC^C
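The three banners above disagree with each other: Apache says Fedora, sshd says Debian, and the MySQL greeting shows a version string followed by what looks like garbage (it is the connection id and scramble bytes of the handshake packet). As an added example, not the post’s own code, the Python below parses each banner format (the SSH identification string per RFC 4253, the Server header’s product/comment tokens per RFC 7231, and the MySQL v10 initial handshake) and reports which services claim which platform, so a mismatch like this one is flagged rather than noticed by eye. The SSH and Server strings are the ones quoted above; the MySQL packet is hand-built (connection id 42, made-up scramble bytes) because the raw bytes did not survive in the post; the distro list is illustrative, and grab_banner is included for completeness but not exercised offline.

```python
import re
import socket
from dataclasses import dataclass, field


@dataclass
class Banner:
    service: str
    product: str
    version: str
    hints: list = field(default_factory=list)  # comments such as "Fedora" or "Debian-5"


def grab_banner(host, port, probe=b"", timeout=3.0):
    """Read what the service says first; HTTP needs a probe (e.g. HEAD) because the
    server waits for the client. Network call, not used by the offline demo below."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        return s.recv(1024)


# RFC 4253 s4.2: "SSH-" protoversion "-" softwareversion [SP comments] CRLF
SSH_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<soft>\S+)(?: (?P<comment>.*))?$")


def parse_ssh_banner(line):
    m = SSH_RE.match(line.strip())
    if not m:
        return None
    product, _, version = m["soft"].partition("_")  # OpenSSH_5.1p1 -> OpenSSH, 5.1p1
    return Banner("ssh", product, version, [m["comment"]] if m["comment"] else [])


# RFC 7231 s5.5.3: Server = product *( RWS ( product / comment ) ); product = token ["/" version]
TOKEN_RE = re.compile(r"\(([^)]*)\)|(\S+)")


def parse_server_header(value):
    banners = []
    for comment, token in TOKEN_RE.findall(value):
        if comment:
            if banners:
                banners[-1].hints.append(comment)  # a comment qualifies the product before it
        elif "/" in token:
            product, _, version = token.partition("/")
            banners.append(Banner("http", product, version))
        elif banners:
            banners[-1].hints.append(token)  # bare words, e.g. "with Suhosin-Patch"
    return banners


def parse_mysql_greeting(raw):
    """MySQL initial handshake, protocol v10: 3-byte length, 1-byte sequence id, 0x0a,
    NUL-terminated server version, 4-byte connection id, 8 scramble bytes, ...
    Only the version is extracted; the rest is the 'garbage' seen in a raw grab."""
    if len(raw) < 5:
        return None
    length = int.from_bytes(raw[:3], "little")
    payload = raw[4:4 + length]
    if length == 0 or len(payload) < length or payload[0] != 0x0A:
        return None
    try:
        end = payload.index(b"\x00", 1)
    except ValueError:
        return None
    return Banner("mysql", "MySQL", payload[1:end].decode("ascii", "replace"))


DISTROS = ("Debian", "Ubuntu", "Fedora", "CentOS", "Red Hat", "FreeBSD", "SUSE")  # illustrative


def platform_of(banner):
    for hint in banner.hints:
        for name in DISTROS:
            if name.lower() in hint.lower():
                return name
    return None


def platform_consistency(banners):
    """Map each distro named in the banners to the services that named it.
    More than one key means the host's own banners disagree about its OS."""
    seen = {}
    for b in banners:
        name = platform_of(b)
        if name:
            seen.setdefault(name, []).append(f"{b.service}:{b.product}")
    return seen


# Constructed sample: the banners quoted above plus a hand-built MySQL greeting packet.
SAMPLE_SSH = "SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n"
SAMPLE_SERVER = "Apache/2.2.0 (Fedora) PHP/5.2.9 with Suhosin-Patch"
_payload = (b"\x0a" + b"5.1.32-log\x00" + (42).to_bytes(4, "little")
            + b"yV!>VvoI" + b"\x00" + b"\xff\xf7\x08\x02\x00")
SAMPLE_MYSQL_GREETING = len(_payload).to_bytes(3, "little") + b"\x00" + _payload

if __name__ == "__main__":
    banners = [parse_ssh_banner(SAMPLE_SSH), *parse_server_header(SAMPLE_SERVER),
               parse_mysql_greeting(SAMPLE_MYSQL_GREETING)]
    for b in banners:
        print(f"{b.service:6} {b.product} {b.version} {b.hints}")
    print("platform hints:", platform_consistency(banners))
```

Run against the sample it reports Fedora from http:Apache and Debian from ssh:OpenSSH, i.e. two keys, which is exactly the inconsistency the “Debian? seriously?” remark is about. Two platform claims on one host usually mean a hand-assembled or tampered-with install rather than a distro package set, which supports the compromised-box reading below.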
For the moment I am assuming a compromised box; quite why you wanted to come after this blog is beyond me.
- 12/06/2011 - This post written and evidence sent to the ISP
- 12/07/2011 - Scheduled publication date for this post