MoonPoint Support Logo


Shop Amazon Warehouse Deals - Deep Discounts on Open-box and Used ProductsAmazon Warehouse Deals

Advanced Search
Sun Mon Tue Wed Thu Fri Sat
23 24 25 26 27 28
29 30          

Fri, Sep 22, 2017 11:18 pm

Failed POP3 login attempts from

While checking the mail log file, /var/log/maillog, on an email server today, I noticed an attempted login from an IP address in an address range I didn't recognize. The entry in the log file contained the following text:

dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=

I checked the country associated with the IP address ( with geoiplookup (you can install the GeoIP package on a CentOS Linux system with yum install GeoIP) and found it was an address assigned to an entity in Great Britain.

$ geoiplookup
GeoIP Country Edition: GB, United Kingdom

[ More Info ]

[/security/attacks/pop3] permanent link

Wed, Jan 04, 2017 10:32 pm

SSH brute-force break-in attempts from

While troubleshooting a problem with a Linux system this evening, I opened Wireshark and noticed a Secure Shell (SSH) packet from an unexpected source address, When I checked the fail2ban log on the system, I noticed that the IP address had been banned temporarily several times today, but break-in attempts resumed whenever the timeout period for the ban expired.

# grep '' /var/log/fail2ban.log | grep 'Ban\|Unban'
2017-01-04 17:20:46,190 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 17:30:47,135 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 17:31:15,276 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 17:41:16,250 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 17:41:43,390 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 17:51:44,299 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 17:52:14,441 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 18:02:15,243 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 18:02:43,383 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 18:12:44,182 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 18:13:13,323 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 18:23:14,227 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 18:24:23,414 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 18:34:24,183 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 18:35:33,368 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 18:45:34,148 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 18:46:44,331 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 18:56:45,126 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 18:57:14,282 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 19:07:15,124 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 19:07:44,270 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 19:17:45,043 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 19:18:14,190 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 19:28:15,111 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 19:29:23,297 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 19:39:23,304 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 19:39:51,441 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 19:49:52,326 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 19:50:21,472 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 20:00:22,251 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 20:00:49,390 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 20:10:50,192 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 20:11:19,338 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 20:21:20,121 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 20:21:49,263 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 20:31:50,036 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 20:33:38,258 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 20:43:39,059 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 20:44:37,358 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 20:54:37,372 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan

[ More Info ]

[/security/attacks/ssh] permanent link

Fri, Dec 30, 2016 7:45 pm

SSH break-in attempts from IP addresses

Yesterday, while using the free and open source packet analyzer software Wireshark to observe network traffic reaching a router, I had set a packet filter in Wireshark to filter on Internet Control Message Protocol (ICMP) traffic. I saw a lot of unexpected ICMP "port unreachable" packets coming from a server behind the router headed outbound to the Internet to the IP address

Internet Control Message Protocol
Type: 3 (Destination unreachable) Code: 3 (port unreachable) Checksum: 0xa821 [correct] [Checksum Status: Good] Unused: 00000000

ICMP destination unreachable packets are "generated by the host or its inbound gateway to inform the client that the destination is unreachable for some reason." There is a "code" field that follows the "type" field in an ICMP packet. If the code is 3, then it indicates a port unreachable error (the designated protocol is unable to inform the host of the incoming message). When I checked the destination port at the server end, I saw it was 22, which is the well-known port for the Secure Shell (SSH) protocol.

[ More Info ]

[/security/attacks/ssh] permanent link

Tue, Aug 09, 2016 10:26 pm

SSH break-in attempt from

When I checked the fail2ban log on one of my servers today, I found that fail2ban had banned IP address for failed attempts to log into the system via Secure Shell (SSH).

# tail -n 10 /var/log/fail2ban.log
2016-08-09 10:12:56,296 fail2ban.filter         [1590]: INFO    [sshd] Found
2016-08-09 10:12:57,914 fail2ban.filter         [1590]: INFO    [sshd] Found
2016-08-09 10:12:58,663 fail2ban.filter         [1590]: INFO    [sshd] Found
2016-08-09 10:12:59,143 fail2ban.filter         [1590]: INFO    [sshd] Found
2016-08-09 10:12:59,870 fail2ban.actions        [1590]: NOTICE  [sshd] Ban
2016-08-09 10:13:00,591 fail2ban.filter         [1590]: INFO    [sshd] Found
2016-08-09 10:13:01,298 fail2ban.filter         [1590]: INFO    [sshd] Found
2016-08-09 10:13:01,522 fail2ban.filter         [1590]: INFO    [sshd] Found
2016-08-09 10:13:03,538 fail2ban.filter         [1590]: INFO    [sshd] Found
2016-08-09 10:13:04,075 fail2ban.filter         [1590]: INFO    [sshd] Found

When I checked the country where that IP address is assigned using the geoiplookup tool, I found it is assigned to an entity in China. The tool is in GeoIP, a geolocation package, which can be installed on Red Hat derived distributions of Linux, such as CentOS with yum install geoip. The free version of the software which I use is provided by MaxMind

$ geoiplookup
GeoIP Country Edition: CN, China

[ More Info ]

[/security/attacks/ssh] permanent link

Mon, Mar 24, 2014 8:17 am

Attempted SQL injection attack

When I checked the webserver's error log file this morning, I noticed the following two entries related to the IP address

[Mon Mar 24 08:15:07 2014] [error] [client] File does not exist: / home/jdoe/public_html/ctscms
[Mon Mar 24 08:15:12 2014] [error] [client] File does not exist: /home/jdoe/public_html/plus, referer:[111%3D@`\\'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@`\\'`+]=a

There is no ctscms file nor directory, nor do I use a search.php file, nor even have a directory named plus on this web site, so the queries seemed suspicious.

Performing a Google search on the attempted query to search.php, which appears to be an SQL query, I found links to a number of sites in the Chinese language. E.g., dedecms plus / search.php latest injection vulnerability (translated to English).

The query I saw in the Apache error log appeared to be an SQL injection attack. In Arrays in requests, PHP and DedeCMS, an InfoSec Handlers Diary Blog entry, I found the following in relation to an SQL injection attack used against /plus/download.php, which is a PHP script associated with the DedeCMS Content Management System (CMS):

And this definitely looks malicious. After a bit of research, it turned out that this is an attack against a known vulnerability in the DedeCMS, a CMS written in PHP that appears to be popular in Asia. This CMS has a pretty nasty SQL injection vulnerability that can be exploited with the request shown above.

So I blocked any further access to the server hosting this site from that IP address using a route reject command.

# route add reject
[root@frostdragon ~]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface   -      !H    0      -        0 -    -      !H    0      -        0 -

The IP address is allocated to an entity in China. I blocked another Chinese IP address, two days ago.

The Arrays in requests, PHP and DedeCMS blog entry indicated the attacker discussed in that article was using a script that identified itself with a user agent string of WinHttp.WinHttpRequest:

Additionally, as you can see in the log at the top, the User Agent string has been set to WinHttp.WinHttpRequest, which indicates that this request was created by a script or an attack tool executed on a Windows machine.

When I checked the Apache CustomLog to see what user agent string was submitted with the queries to this site, I saw it was "Googlebot/2.1", so the attacker appears to be using an updated script. that misidentifies itself as Googlebot. The Internet Storm Center blog entry was posted 6 months ago and discusses a log entry from September 5, 2013. The log entry posted in that article shows a source IP address of, which is a private IP address substituted in the article for the actual IP address from which the attack originated.

I saw the following in my log: - - [24/Mar/2014:08:15:07 -0400] "GET /ctscms/ HTTP/1.1" 404 291 "
-" "Googlebot/2.1 (+" - - [24/Mar/2014:08:15:12 -0400] "GET /plus/search.php?keyword=as&
1,62)))a+from+information_schema.tables+group+by+a)b)%23@`\\'`+]=a HTTP/1.1" 404
 299 "[111%3D@`\\
rmation_schema.tables+group+by+a)b)%23@`\\'`+]=a" "Googlebot/2.1 (+http://www.go image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, a
pplication/x-shockwave-flash, application/, application/
point, application/msword, */*"


  1. Stopping an Attacker with the Route Reject Command
    MoonPoint Support
    Date: April 15, 2007
  2. Arrays in requests, PHP and DedeCMS
    Internet Storm Center
    By: Bojan, ISC Handler

[/security/attacks] permanent link

Fri, Jan 08, 2010 12:53 pm

Hostile Host Check

I created a Bash script hostile-host-check to allow me to query DShield, a "cooperative network security community" to determine if an IP address I've been notified is engaged in hostile activity is also listed in DShield's database of IP addresses found by others to be associated with hostile activity noted at their firewalls.

[/security/attacks] permanent link

Wed, Feb 13, 2008 9:25 pm

FTP Attacks from and

The system became unresponsive for a time. I ran kripp and found two systems conducting FTP brute-force password guessing attempts.

ftp password :: -> :: anna :: poiuyt [F]
ftp password :: -> :: james :: purple [F]
ftp password :: -> :: james :: ranger [F]
ftp password :: -> :: anna :: 111111 [F]

ftp password :: -> :: james :: purple [F]
ftp password :: -> :: james :: ranger [F]
ftp password :: -> :: anna :: 111111 [F]
ftp password :: -> :: james :: 123go [F]
ftp password :: -> :: anna :: 000000 [F]
ftp password :: -> :: james :: Airhead [F]
ftp password :: -> :: anna :: oracle [F]
ftp password :: -> :: james :: Braves [F]
ftp password :: -> :: anna :: library [F]
ftp password :: -> :: james :: Sparky [F]
ftp password :: -> :: anna :: linux [F]
ftp password :: -> :: james :: angela [F]
ftp password :: -> :: anna :: unix [F]
ftp password :: -> :: james :: brandy [F]
ftp password :: -> :: anna :: amanda [F]
ftp password :: -> :: james :: cindy [F]

I blocked the system with route add reject . I then checked DShield to learn if it has been observed attacking other systems. The DShield report for showed it was first reported engaged in hostile activity on 2008-02-11 and the last reported incident was today 2008-02-13. The IP address is a Chinese address. When I checked the IP Details for the ports the system was attacking, I found it was listed only for port 21 attacks, i.e. FTP attacks.

It was also listed at myNetWatchman. The Incident Detail report for that IP address at myNetWatchman showed the system had been attacking other systems on port 21 and port 22 (SSH) as well from February 5, 2008 onwards.

I then checked the second system attacking, which was The IP address for it is Note: a reverse lookup on yields a Fully Qualified Domain Name (FQDN) of, but a forward lookup on does not yield an IP address.

I ran an nmap scan of it to see what operating system it was running. I got the following results:

# nmap -P0 -O

Starting nmap V. 3.00 ( )
Insufficient responses for TCP sequencing (1), OS detection may be less accurate
Interesting ports on (
(The 1588 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
80/tcp     open        http
111/tcp    open        sunrpc
135/tcp    filtered    loc-srv
137/tcp    filtered    netbios-ns
199/tcp    open        smux
443/tcp    open        https
445/tcp    filtered    microsoft-ds
3306/tcp   open        mysql
4444/tcp   filtered    krb524
8009/tcp   open        ajp13
8080/tcp   open        http-proxy
10000/tcp  open        snet-sensor-mgmt
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20

Nmap run completed -- 1 IP address (1 host up) scanned in 173 seconds

Visting with a browser showed "Welcome to".

When I checked DShield for any reports on hostile activity for that IP address, which is a Thai address, I found it was first reported engaged in hostile activity on 2008-02-08 with the most recent report dated 2008-02-09 (see IP Info ( The IP Details report showed all of the incidents to be FTP attacks.

There was also an Incident Detail report for it at myNetWatchman, which also showed the system engaged in FTP attacks from February 6 onwards.

I blocked it with route add reject. I also turned off the FTP service on the system, since it isn't needed at the moment.

[/security/attacks] permanent link

Mon, Jun 25, 2007 7:10 am

Pentagon Takes 1,500 Systems Offline

A Time article dated Thursday, June 21, 2007, titled Cyber Attack Hits Pentagon states that the Pentagon took as many as 1,500 computers offline because of a cyber attack, which occurred on Wednesday. The article stated that Defense Secretary Robert Gates said the Pentagon sees hundreds of attacks a day and this one had no adverse impact on department operations. Employees whose computers were affected could still use their handheld BlackBerrys.

I'm not surprised that the Pentagon sees hundreds of attacks a day, but It is hard for me to believe that taking 1,500 systems offline had no impact on department operations. Sure employees could still deal with email via their BlackBerry's, but, even if the systems were used solely for administrative purposes, I would expect the employees would be hampered by a lack of access to spreadsheets, presenations, and other documents normally used in an office environment. Hopefully, the attackers didn't glean sensitive data from any of those systems.

I was surprised by Mr. Gates response when he was asked if his own e-mail account was affected. He responded "I don't do e-mail. I'm a very low-tech person." I understand that for his generation (he's 63 years old) email may not be as much a part of the fabric of business life as for younger Americans, but I was surprised to hear him state he doesn't use it at all, especially since his prior position was president of Texas A&M University.

[/security/attacks] permanent link

Tue, Jun 19, 2007 8:12 pm

MPack Used to Compromise Thousands of Websites

I received a message from eWeek today titled MPack Trojan Attack Claims 10,000 Web Sites, which stated that as many as ten thousand websites may have been infected with malware that directs visitors to those websites to other sites where JavaScript code awaits that attempts to use a buffer overflow attack against vulnerable browser to cause malware to be downloaded to the systems of those visitors. I would have liked to have more detail in the eWeek article about what web server software was vulnerable to the MPack attack and what browsers might be vulnerable, but it appears many reports on the problem are just being posted today. The eWeek article was the first I had heard about the problem, so I appreciate the heads-up, though.

I also found information from Symantec at "Italy Under Attack: Mpack Gang Strikes Again!, after reading the eWeek article. There is another Symantec article titled MPack, Packed Full of Badness. I also located an ars technica article posted earlier today at " Security researchers uncover massive attack on Italian web sites, which had much more detail than the eWeek article.

According to that article the MPack software being used on compromised web servers "provides would-be malware installers with a complete package that can be installed on any web server that runs PHP with an SQL database." So that sounds like it can be used against both Apache web server software running on a variety of platforms, including Linux and Windows, as well as Microsoft's IIS web server software, since PHP along with MySQL or Microsoft's own SQL server software may be running on such systems. The article further states "The compromised web sites attempt to use exploits in unpatched versions of Internet Explorer, QuickTime, Windows 2000, Firefox, WinZip, and Opera, in order to install malware packages on end users' computers."

[/security/attacks] permanent link

Once You Know, You Newegg AliExpress by

Shop Amazon Local - Subscribe to Deals in Your Neighborhood

Valid HTML 4.01 Transitional

Privacy Policy   Contact

Blosxom logo