
damn_registrars's Journal: The Distributed Hack Attempt, v3.0
I have, to this point, seen generally two versions of the distributed hack, with varied numbers of systems involved:
- Make zillions of attempts to get in through root
- Make about 5-10 attempts at each of a dictionary list of usernames
However, this new variant is a little different. They are again using an enormous number of systems to try to gain access to my poor home web server. They are again trying to get in through accounts that they'll never get in through, as they either don't exist or they aren't allowed in from remote. However, one thing of note has changed.
Now, the botnet is making many, many more attempts for each login name. This iteration is currently trying the username "james" (which doesn't exist on my system; so have fun guys!), and they have tried it almost 200 times (and counting...) already.
Here are just a few recent attempts. Going through this extremely abridged list should make it obvious why I won't bother setting up any specific firewalling rules to counter this futile effort:
Apr 9 17:15:41 nfsbox sshd[58308]: error: PAM: authentication error for illegal user james from mail.stormbox.com.sg
Apr 9 17:16:22 nfsbox sshd[58311]: error: PAM: authentication error for illegal user james from 85.17.138.147
Apr 9 17:17:28 nfsbox sshd[58314]: error: PAM: authentication error for illegal user james from 202.82.25.161
Apr 9 17:18:14 nfsbox sshd[58317]: error: PAM: authentication error for illegal user james from server51081.uk2net.com
Apr 9 17:20:25 nfsbox sshd[58323]: error: PAM: authentication error for illegal user james from dsl212-235-75-147.bb.netvision.net.il
Apr 9 17:21:10 nfsbox sshd[58326]: error: PAM: authentication error for illegal user james from host162-245-static.57-88-b.business.telecomitalia.it
Apr 9 17:22:21 nfsbox sshd[58342]: error: PAM: authentication error for illegal user james from 117.41.24.55
Apr 9 17:23:03 nfsbox sshd[58347]: error: PAM: authentication error for illegal user james from 208.70.79.110
Apr 9 17:24:08 nfsbox sshd[58350]: error: PAM: authentication error for illegal user james from 83.149.114.69
Apr 9 17:24:59 nfsbox sshd[58353]: error: PAM: authentication error for illegal user james from 75.125.217.2
Apr 9 17:26:00 nfsbox sshd[58359]: error: PAM: authentication error for illegal user james from mail.prestigedayspa.com
Apr 9 17:27:14 nfsbox sshd[58372]: error: PAM: authentication error for illegal user james from 62.12.19.194
Apr 9 17:28:02 nfsbox sshd[58375]: error: PAM: authentication error for illegal user james from 125.89.72.210
Apr 9 17:29:52 nfsbox sshd[58382]: error: PAM: authentication error for illegal user james from 94.75.205.153
Apr 9 17:30:57 nfsbox sshd[58389]: error: PAM: authentication error for illegal user james from 68.185.60.9
Apr 9 17:32:09 nfsbox sshd[58392]: error: PAM: authentication error for illegal user james from intranet.araruama.unimed.com.br
Apr 9 17:32:53 nfsbox sshd[58397]: error: PAM: authentication error for illegal user james from 66.63.165.200
Apr 9 17:34:05 nfsbox sshd[58413]: error: PAM: authentication error for illegal user james from websvr01.dbhosting.nl
Apr 9 17:36:10 nfsbox sshd[58422]: error: PAM: authentication error for illegal user james from 94.75.215.27
Apr 9 17:36:56 nfsbox sshd[58428]: error: PAM: authentication error for illegal user james from famaitz.edu.br
Apr 9 17:37:59 nfsbox sshd[58433]: error: PAM: authentication error for illegal user james from 89.149.254.83
Apr 9 17:39:17 nfsbox sshd[58436]: error: PAM: authentication error for illegal user james from webmail.jknet.com.br
Apr 9 17:40:04 nfsbox sshd[58442]: error: PAM: authentication error for illegal user james from 62.17.136.223
Apr 9 17:41:11 nfsbox sshd[58445]: error: PAM: authentication error for illegal user james from servidor.lapavermelha.com.br
Apr 9 17:42:02 nfsbox sshd[58449]: error: PAM: authentication error for illegal user james from 207.210.83.77
Apr 9 17:43:13 nfsbox sshd[58454]: error: PAM: authentication error for illegal user james from 216-235-98-hcc-60.hcc.net
Apr 9 17:44:29 nfsbox sshd[58471]: error: PAM: authentication error for illegal user james from sunimg.securewebportal.com
Apr 9 17:45:11 nfsbox sshd[58478]: error: PAM: authentication error for illegal user james from 75.125.217.2
Apr 9 17:46:25 nfsbox sshd[58481]: error: PAM: authentication error for illegal user james from webmail.jknet.com.br
Apr 9 17:47:17 nfsbox sshd[58486]: error: PAM: authentication error for illegal user james from 61.47.61.89
For what it's worth I did look up the day spa with the compromised mail server and found they are located in Utah. I might have to send them an email and let them know that their system has been compromised and turned into a botnet zombie. Though they might figure it out on their own when they find that their email is taking several days to go out.
This could possibly invalidate my earlier craigslist hypothesis. The last time I saw a distributed attempt on my system was shortly after posting an ad on craigslist that had a link in it to my own site; I have not posted anything to craigslist in some time so it is highly unlikely that this was triggered by any information from there.
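An added example, not part of the journal entry: a small Python parser for lines in the same sshd/PAM failure format as the log above, run over a constructed sample (documentation addresses and example.net hostnames, not the real sources), that tallies failures per username and flags the "many sources, one or two tries each" pattern in which per-IP firewall rules buy nothing. The thresholds (5 distinct sources, at most 3 tries from any one of them) are assumptions.

```python
import re
from collections import Counter, defaultdict

# Pattern for the sshd/PAM failure line format quoted in the journal entry; the
# "illegal user" prefix is optional so failures for existing accounts match too.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: error: PAM: authentication error "
    r"for (?:illegal user )?(?P<user>\S+) from (?P<src>\S+)$"
)

# Constructed sample in the same format (RFC 5737 documentation addresses, not real sources).
SAMPLE_LOG = """\
Apr 9 17:15:41 nfsbox sshd[1001]: error: PAM: authentication error for illegal user james from 192.0.2.10
Apr 9 17:16:22 nfsbox sshd[1004]: error: PAM: authentication error for illegal user james from mail.example.net
Apr 9 17:17:28 nfsbox sshd[1007]: error: PAM: authentication error for illegal user james from 192.0.2.11
Apr 9 17:18:14 nfsbox sshd[1010]: error: PAM: authentication error for illegal user james from 198.51.100.7
Apr 9 17:20:25 nfsbox sshd[1013]: error: PAM: authentication error for illegal user james from 203.0.113.5
Apr 9 17:21:10 nfsbox sshd[1016]: error: PAM: authentication error for illegal user james from 192.0.2.10
Apr 9 17:22:21 nfsbox sshd[1019]: error: PAM: authentication error for root from 198.51.100.200
Apr 9 17:22:23 nfsbox sshd[1020]: error: PAM: authentication error for root from 198.51.100.200
Apr 9 17:22:25 nfsbox sshd[1021]: error: PAM: authentication error for root from 198.51.100.200
Apr 9 17:30:00 nfsbox sshd[1030]: Accepted publickey for alice from 192.0.2.50 port 4410 ssh2
"""

def parse_failures(lines):
    """Yield (user, source) for every line matching LINE_RE; other lines are ignored."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("user"), m.group("src")

def summarize(lines, min_sources=5, max_per_source=3):
    """Per username: total failures, distinct sources, busiest source, and whether the
    failures are spread thinly over many hosts (distributed) rather than concentrated
    on one host, the only case where blocking individual source addresses helps."""
    per_user = defaultdict(Counter)
    for user, src in parse_failures(lines):
        per_user[user][src] += 1
    report = {}
    for user, srcs in per_user.items():
        src, n = srcs.most_common(1)[0]  # busiest single source and its attempt count
        report[user] = {"attempts": sum(srcs.values()), "sources": len(srcs),
                        "busiest": (src, n),
                        "distributed": len(srcs) >= min_sources and n <= max_per_source}
    return report

def sample_report():
    """Run the summary over the constructed sample log."""
    return summarize(SAMPLE_LOG.splitlines())
```

On the sample, "james" comes out as distributed (6 failures from 5 hosts, none sending more than 2) while "root" is concentrated (3 failures from a single host), and the successful publickey login is ignored.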
Report it to their ISP (Score:1)
and hopefully get them taken off the network until they fix their borked shit.
Re: (Score:2)
and hopefully get them taken off the network until they fix their borked shit.
If you are referring to the day spa specifically, I have already contacted them through their website and also through the contact email listed in the WHOIS entry for their domain. I figure their one system is such a trivial part of this problem that I don't see the need to punish their website if they can handle it themselves.
Though I may take it up with their ISP or hosting provider if they don't get back to me in a timely fashion.
Although either way it wouldn't make a dent in the unwanted ssh attem