
Bad Hacker, No Donut! (single IP white pages attack)

damn_registrars (1103043) writes | more than 2 years ago

The Internet

It's been a while since anyone has attempted to hack into my system at home. Really, quite a long while in comparison to how it used to go. This morning some idiot decided to go for it. No botnet this time, just one IP address (of course it could be multiple systems behind one IP address, but that isn't really very well distributed then, is it?). Last night they started with "abmsi" and worked their way through the alphabet from there. While I write this they are attempting accounts starting with the letter "e".

The IP address is

119.254.32.169

They have made over 1,100 attempts up to now, in less than 12 hours.

The WHOIS shows they are in China:

inetnum: 119.254.0.0 - 119.255.255.255
netname: HUARUI
descr: Beijing Guanghuan Xinwang Digital Technology co.Ltd
descr: 2A-2F,Tower A,East Gate Plaza,NO.9 Dong Zhong Street, Dong Cheng Dstrict,Beijing
country: CN
admin-c: WH271-AP
tech-c: WH271-AP
mnt-by: MAINT-CNNIC-AP
mnt-lower: MAINT-CNNIC-AP
mnt-routes: MAINT-CNNIC-AP
mnt-irt: IRT-CNNIC-CN
status: ALLOCATED PORTABLE
changed: hm-changed@apnic.net 20080313
source: APNIC

person: Wang Huijun
nic-hdl: WH271-AP
e-mail: chenbincb@sinnet.com.cn
address: Langfang university Langfang Development Area
phone: +86-13311166160
fax-no: +86-64181819
country: CN
changed: ipas@cnnic.cn 20080227
mnt-by: MAINT-CNNIC-AP
source: APNIC

I emailed all three of the email addresses listed, and two (ipas@cnnic.cn and hm-changed@apnic.net) have already failed. I'm not holding out high hopes for the last one (chenbincb@sinnet.com.cn) but we'll see.

Some of their first stuff:

grep 119.254.32.169 /var/log/messages | head -50
Aug 9 21:53:24 web sshd[42266]: error: PAM: authentication error for illegal user abmsi from 119.254.32.169
Aug 9 21:54:00 web sshd[42269]: error: PAM: authentication error for illegal user about from 119.254.32.169
Aug 9 21:54:36 web sshd[42272]: error: PAM: authentication error for illegal user abuhanif from 119.254.32.169
Aug 9 21:55:12 web sshd[42275]: error: PAM: authentication error for illegal user abuse from 119.254.32.169
Aug 9 21:55:48 web sshd[42292]: error: PAM: authentication error for illegal user academic from 119.254.32.169
Aug 9 21:56:25 web sshd[42295]: error: PAM: authentication error for illegal user account from 119.254.32.169
Aug 9 21:57:01 web sshd[42298]: error: PAM: authentication error for illegal user accounting from 119.254.32.169
Aug 9 21:57:37 web sshd[42303]: error: PAM: authentication error for illegal user accounts from 119.254.32.169
Aug 9 21:58:13 web sshd[42306]: error: PAM: authentication error for illegal user accountsc from 119.254.32.169
Aug 9 21:58:49 web sshd[42309]: error: PAM: authentication error for illegal user achang5884 from 119.254.32.169
Aug 9 21:59:25 web sshd[42312]: error: PAM: authentication error for illegal user acharya from 119.254.32.169
Aug 9 22:00:01 web sshd[42315]: error: PAM: authentication error for illegal user acision from 119.254.32.169
Aug 9 22:00:37 web sshd[42334]: error: PAM: authentication error for illegal user aclinch from 119.254.32.169
Aug 9 22:01:13 web sshd[42337]: error: PAM: authentication error for illegal user acreddy from 119.254.32.169
Aug 9 22:01:50 web sshd[42340]: error: PAM: authentication error for illegal user actaism from 119.254.32.169
Aug 9 22:02:26 web sshd[42343]: error: PAM: authentication error for illegal user activemq from 119.254.32.169

Some of their most recent:

tail /var/log/messages
Aug 10 09:50:25 web sshd[47473]: error: PAM: authentication error for illegal user eddiel from 119.254.32.169
Aug 10 09:51:03 web sshd[47478]: error: PAM: authentication error for illegal user eddyl from 119.254.32.169
Aug 10 09:51:42 web sshd[47481]: error: PAM: authentication error for illegal user edi from 119.254.32.169
Aug 10 09:52:20 web sshd[47484]: error: PAM: authentication error for illegal user ediishu from 119.254.32.169
Aug 10 09:52:58 web sshd[47487]: error: PAM: authentication error for illegal user edincek from 119.254.32.169
Aug 10 09:53:37 web sshd[47491]: error: PAM: authentication error for illegal user editor from 119.254.32.169
Aug 10 09:54:15 web sshd[47495]: error: PAM: authentication error for illegal user edphyd from 119.254.32.169
Aug 10 09:54:53 web sshd[47498]: error: PAM: authentication error for illegal user eds from 119.254.32.169
Aug 10 09:55:32 web sshd[47501]: error: PAM: authentication error for illegal user edwardchuang from 119.254.32.169
Aug 10 09:56:10 web sshd[47518]: error: PAM: authentication error for illegal user edwardsm from 119.254.32.169

Unsurprisingly, they make only one attempt per account. Hence, even if they hit a valid account, they wouldn't go far enough to try to figure out a password (I presume they are trying blank passwords?). Looks like one attempt every 38-39 seconds, which for one system is a pretty good clip - even when it's automated.
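The pattern described here (one failed attempt per username, steady cadence, single source) is easy to pick out of /var/log/messages automatically. The script below is an added example, not part of the journal entry: it parses the "error: PAM: authentication error for ..." lines quoted above, groups them by source address, and reports attempt count, distinct usernames, and the gap between attempts, then flags any source whose attempts are (almost) all against different usernames. The sample log embeds the ten "tail" lines from the entry plus a few constructed lines from 192.0.2.7 and 192.0.2.8 (documentation addresses, not real hosts) so the grouping and the filter can be seen working. Syslog timestamps carry no year, so the code assumes all lines fall in one calendar year; the thresholds in flag_username_enumeration are illustrative, not tuned values.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Matches the FreeBSD-style sshd/PAM failure lines quoted in the post, e.g.
#   Aug 10 09:50:25 web sshd[47473]: error: PAM: authentication error for illegal user eds from 119.254.32.169
# "illegal user " is optional so failures against real accounts ("... for root from ...") also match.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ sshd\[\d+\]: error: PAM: authentication error for "
    r"(?:illegal user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)$"
)

# Ten lines taken from the post, plus constructed lines from 192.0.2.7 (five tries
# against one existing account) and 192.0.2.8 (a successful login, which must be ignored).
SAMPLE_LOG = """\
Aug 10 09:50:25 web sshd[47473]: error: PAM: authentication error for illegal user eddiel from 119.254.32.169
Aug 10 09:51:03 web sshd[47478]: error: PAM: authentication error for illegal user eddyl from 119.254.32.169
Aug 10 09:51:42 web sshd[47481]: error: PAM: authentication error for illegal user edi from 119.254.32.169
Aug 10 09:52:20 web sshd[47484]: error: PAM: authentication error for illegal user ediishu from 119.254.32.169
Aug 10 09:52:30 web sshd[47486]: error: PAM: authentication error for root from 192.0.2.7
Aug 10 09:52:58 web sshd[47487]: error: PAM: authentication error for illegal user edincek from 119.254.32.169
Aug 10 09:53:37 web sshd[47491]: error: PAM: authentication error for illegal user editor from 119.254.32.169
Aug 10 09:53:40 web sshd[47492]: error: PAM: authentication error for root from 192.0.2.7
Aug 10 09:54:15 web sshd[47495]: error: PAM: authentication error for illegal user edphyd from 119.254.32.169
Aug 10 09:54:20 web sshd[47496]: error: PAM: authentication error for root from 192.0.2.7
Aug 10 09:54:53 web sshd[47498]: error: PAM: authentication error for illegal user eds from 119.254.32.169
Aug 10 09:55:00 web sshd[47499]: error: PAM: authentication error for root from 192.0.2.7
Aug 10 09:55:32 web sshd[47501]: error: PAM: authentication error for illegal user edwardchuang from 119.254.32.169
Aug 10 09:55:40 web sshd[47502]: error: PAM: authentication error for root from 192.0.2.7
Aug 10 09:56:10 web sshd[47518]: error: PAM: authentication error for illegal user edwardsm from 119.254.32.169
Aug 10 09:56:30 web sshd[47520]: Accepted publickey for alice from 192.0.2.8 port 51234 ssh2
""".splitlines()


def parse_line(line):
    """Return {'ts', 'user', 'ip'} for a PAM auth-failure line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Assumption: no year in syslog timestamps, so strptime defaults to 1900;
    # differences between lines are still correct within one year.
    ts = datetime.strptime(f"{m['mon']} {int(m['day']):02d} {m['time']}", "%b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "ip": m["ip"]}


def summarize(lines):
    """Group failures by source IP and compute count, username spread and timing."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    summary = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        summary[ip] = {
            "attempts": len(recs),
            "distinct_users": len({r["user"] for r in recs}),
            "span_seconds": (recs[-1]["ts"] - recs[0]["ts"]).total_seconds(),
            "min_gap": min(gaps) if gaps else None,
            "max_gap": max(gaps) if gaps else None,
            "mean_gap": statistics.mean(gaps) if gaps else None,
        }
    return summary


def flag_username_enumeration(summary, min_attempts=5, new_user_ratio=0.9):
    """Sources with at least min_attempts failures where (almost) every attempt
    targets a different username: the one-try-per-account sweep seen in the post.
    Repeated guesses against a single account fall below the ratio and are not flagged here."""
    return sorted(
        ip for ip, s in summary.items()
        if s["attempts"] >= min_attempts
        and s["distinct_users"] / s["attempts"] >= new_user_ratio
    )


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, s in stats.items():
        print(f"{ip}: {s['attempts']} attempts, {s['distinct_users']} usernames, "
              f"gap {s['min_gap']}-{s['max_gap']}s (mean {s['mean_gap']:.1f}s)")
    print("username sweeps:", flag_username_enumeration(stats))
```

Run against the real file with `summarize(open("/var/log/messages"))`. On the embedded sample the sweep source shows 10 attempts against 10 usernames with a 38-39 second gap, exactly the cadence noted above, while 192.0.2.7 (five failures, one account) is reported but not flagged as a sweep; that second pattern is the one a per-account lockout or a fail2ban-style rule should catch instead.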
