Bad Hacker, No Donut! (single IP white pages attack)

Journal damn_registrars's Journal: Bad Hacker, No Donut! (single IP white pages attack)

Journal by damn_registrars on Friday August 10, 2012 @09:58AM

It's been a while since anyone has attempted to hack into my system at home. Really, quite a long while in comparison to how it used to go. This morning some idiot decided to go for it. No botnet this time, just one IP address (of course it could be multiple systems behind one IP address, but that isn't really very well distributed then, is it?). Last night they started with "abmsi" and worked their way through the alphabet from there. While I write this they are attempting accounts starting with the letter "e".

The IP address is

119.254.32.169

They have made over 1,100 attempts up to now, in less than 12 hours.

The WHOIS shows they are in China:

inetnum: 119.254.0.0 - 119.255.255.255 netname: HUARUI descr: Beijing Guanghuan Xinwang Digital Technology co.Ltd descr: 2A-2F,Tower A,East Gate Plaza,NO.9 Dong Zhong Street, Dong Cheng Dstrict,Beijing country: CN admin-c: WH271-AP tech-c: WH271-AP mnt-by: MAINT-CNNIC-AP mnt-lower: MAINT-CNNIC-AP mnt-routes: MAINT-CNNIC-AP mnt-irt: IRT-CNNIC-CN status: ALLOCATED PORTABLE changed: hm-changed@apnic.net 20080313 source: APNIC person: Wang Huijun nic-hdl: WH271-AP e-mail: chenbincb@sinnet.com.cn address: Langfang university Langfang Development Area phone: +86-13311166160 fax-no: +86-64181819 country: CN changed: ipas@cnnic.cn 20080227 mnt-by: MAINT-CNNIC-AP source: APNIC

I emailed all three of the email addresses listed, and two (ipas@cnnic.cn and hm-changed@apnic.net) have already failed. I'm not holding out high hopes for the last one (chenbincb@sinnet.com.cn) but we'll see.

Some of their first stuff:

grep 119.254.32.169 /var/log/messages | head -50 Aug 9 21:53:24 web sshd[42266]: error: PAM: authentication error for illegal user abmsi from 119.254.32.169 Aug 9 21:54:00 web sshd[42269]: error: PAM: authentication error for illegal user about from 119.254.32.169 Aug 9 21:54:36 web sshd[42272]: error: PAM: authentication error for illegal user abuhanif from 119.254.32.169 Aug 9 21:55:12 web sshd[42275]: error: PAM: authentication error for illegal user abuse from 119.254.32.169 Aug 9 21:55:48 web sshd[42292]: error: PAM: authentication error for illegal user academic from 119.254.32.169 Aug 9 21:56:25 web sshd[42295]: error: PAM: authentication error for illegal user account from 119.254.32.169 Aug 9 21:57:01 web sshd[42298]: error: PAM: authentication error for illegal user accounting from 119.254.32.169 Aug 9 21:57:37 web sshd[42303]: error: PAM: authentication error for illegal user accounts from 119.254.32.169 Aug 9 21:58:13 web sshd[42306]: error: PAM: authentication error for illegal user accountsc from 119.254.32.169 Aug 9 21:58:49 web sshd[42309]: error: PAM: authentication error for illegal user achang5884 from 119.254.32.169 Aug 9 21:59:25 web sshd[42312]: error: PAM: authentication error for illegal user acharya from 119.254.32.169 Aug 9 22:00:01 web sshd[42315]: error: PAM: authentication error for illegal user acision from 119.254.32.169 Aug 9 22:00:37 web sshd[42334]: error: PAM: authentication error for illegal user aclinch from 119.254.32.169 Aug 9 22:01:13 web sshd[42337]: error: PAM: authentication error for illegal user acreddy from 119.254.32.169 Aug 9 22:01:50 web sshd[42340]: error: PAM: authentication error for illegal user actaism from 119.254.32.169 Aug 9 22:02:26 web sshd[42343]: error: PAM: authentication error for illegal user activemq from 119.254.32.169

Some of their most recent:

tail /var/log/messages Aug 10 09:50:25 web sshd[47473]: error: PAM: authentication error for illegal user eddiel from 119.254.32.169 Aug 10 09:51:03 web sshd[47478]: error: PAM: authentication error for illegal user eddyl from 119.254.32.169 Aug 10 09:51:42 web sshd[47481]: error: PAM: authentication error for illegal user edi from 119.254.32.169 Aug 10 09:52:20 web sshd[47484]: error: PAM: authentication error for illegal user ediishu from 119.254.32.169 Aug 10 09:52:58 web sshd[47487]: error: PAM: authentication error for illegal user edincek from 119.254.32.169 Aug 10 09:53:37 web sshd[47491]: error: PAM: authentication error for illegal user editor from 119.254.32.169 Aug 10 09:54:15 web sshd[47495]: error: PAM: authentication error for illegal user edphyd from 119.254.32.169 Aug 10 09:54:53 web sshd[47498]: error: PAM: authentication error for illegal user eds from 119.254.32.169 Aug 10 09:55:32 web sshd[47501]: error: PAM: authentication error for illegal user edwardchuang from 119.254.32.169 Aug 10 09:56:10 web sshd[47518]: error: PAM: authentication error for illegal user edwardsm from 119.254.32.169

Unsurprisingly they make only one attempt per account. Hence even if they hit a valid account they wouldn't go far enough to try to figure out a password (I presume they are trying blank passwords?). Looks like one attempt every 38-39 seconds. Which for one system, is a pretty good clip - even when it's automated.

This discussion has been archived. No new comments can be posted.