Hacker attacks as well!

If spam wasn't enough, my machines are also getting hit by hackers trying to get through the sshd port:
Jun  5 00:35:31 kyoto sshd[59150]: Invalid user prueba from 62.27.42.80
Jun  5 00:35:32 kyoto sshd[59152]: Invalid user postgres from 62.27.42.80
Jun  5 00:35:32 kyoto sshd[59154]: Invalid user postgres from 62.27.42.80
Jun  5 00:35:33 kyoto sshd[59156]: Invalid user postgres from 62.27.42.80
Jun  5 00:35:34 kyoto sshd[59158]: Invalid user postgres from 62.27.42.80
Jun  5 00:35:34 kyoto sshd[59160]: Invalid user postgres from 62.27.42.80
Jun  5 00:35:35 kyoto sshd[59162]: Invalid user postgres from 62.27.42.80
Jun  5 00:35:36 kyoto sshd[59164]: Invalid user postgres from 62.27.42.80
Jun  5 00:35:37 kyoto sshd[59170]: Invalid user postgres from 62.27.42.80
Jun  5 00:35:37 kyoto sshd[59172]: Invalid user postgres from 62.27.42.80
Jun  5 00:35:38 kyoto sshd[59174]: Invalid user postgres from 62.27.42.80
Jun  5 00:35:39 kyoto sshd[59176]: Invalid user hadoop from 62.27.42.80
Jun  5 00:35:39 kyoto sshd[59178]: Invalid user hadoop from 62.27.42.80
Jun  5 00:35:40 kyoto sshd[59180]: Invalid user hadoop from 62.27.42.80
Jun  5 00:35:41 kyoto sshd[59182]: Invalid user hadoop from 62.27.42.80
I've installed denyhost; let's hope it can cut back on some of this nonsense.
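What DenyHosts automates is essentially the bookkeeping below: pull the source address out of each failed-login line sshd writes, count failures per address, and flag the ones that pile up within a short window. The script that follows is an added example written for this page, not DenyHosts' code and not the blog author's; the log lines it parses are constructed to match the shape of the entries quoted above, and the year is an assumption because syslog timestamps do not carry one.

```python
"""Count failed sshd logins per source address and flag brute-force sources.

Added example (not DenyHosts' code): the per-address counting that a
DenyHosts-style blocker performs, run over a constructed auth log.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modeled on the sshd entries quoted above (the
# addresses come from the post; the extra lines are invented for the example).
SAMPLE_LOG = """\
Jun  5 00:35:31 kyoto sshd[59150]: Invalid user prueba from 62.27.42.80
Jun  5 00:35:32 kyoto sshd[59152]: Invalid user postgres from 62.27.42.80
Jun  5 00:35:32 kyoto sshd[59154]: Invalid user postgres from 62.27.42.80
Jun  5 00:35:33 kyoto sshd[59156]: Invalid user postgres from 62.27.42.80
Jun  5 00:40:01 kyoto sshd[59200]: Failed password for root from 218.87.16.140 port 4412 ssh2
Jun  5 02:40:02 kyoto sshd[59202]: Failed password for invalid user admin from 218.87.16.140 port 4413 ssh2
Jun  5 02:41:00 kyoto sshd[59210]: Accepted publickey for karen from 192.0.2.10 port 50022 ssh2
Jun  5 02:41:05 kyoto sshd[59212]: Invalid user test from 192.0.2.10
"""

# The two message shapes a failed login produces in sshd's log:
#   "Invalid user X from IP"  and  "Failed password for [invalid user] X from IP port N ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Invalid user (?P<u1>\S+) from (?P<ip1>\d+(?:\.\d+){3})"
    r"|Failed password for (?:invalid user )?(?P<u2>\S+) from (?P<ip2>\d+(?:\.\d+){3}) port \d+)"
)


def parse_failures(text, year):
    """Return {ip: [(timestamp, username), ...]} for every failed-login line.

    syslog timestamps carry no year, so the caller supplies one (assumption).
    Lines that are not login failures (accepted logins, disconnects) are skipped.
    """
    failures = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        ip = m.group("ip1") or m.group("ip2")
        user = m.group("u1") or m.group("u2")
        failures[ip].append((ts, user))
    return failures


def brute_force_sources(failures, threshold=3, window=timedelta(minutes=10)):
    """Return {ip: total_failures} for every source that produced at least
    `threshold` failures inside some `window`-long span (sliding window, so a
    slow trickle of one failure per hour is not flagged)."""
    flagged = {}
    for ip, events in failures.items():
        times = sorted(t for t, _ in events)
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def restricted_line(ip, count, last_seen):
    """Format one entry in the ip:count:date layout DenyHosts' hosts-restricted
    file uses (ctime-style date, day not zero-padded)."""
    stamp = f"{last_seen:%a %b} {last_seen.day} {last_seen:%H:%M:%S %Y}"
    return f"{ip}:{count}:{stamp}"


def report(text, year=2011):
    """Flag brute-force sources in `text` and return them as hosts-restricted lines."""
    failures = parse_failures(text, year)
    flagged = brute_force_sources(failures)
    return [
        restricted_line(ip, n, max(t for t, _ in failures[ip]))
        for ip, n in sorted(flagged.items())
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

With the defaults (three failures within ten minutes) only 62.27.42.80 is flagged: 218.87.16.140 fails twice but two hours apart, and 192.0.2.10 logs in successfully and then trips a single invalid-user line, which is the sort of typo a legitimate user produces. Tune the threshold and window to taste; the point of the window is to separate a burst from the background noise.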
According to whatismyipaddress, the hackers are from Germany and China!
Hostname:	62.27.42.80
ISP:	nacamar GmbH
Organization:	ecotel communication AG (extern)
Proxy:	None detected
Type:	Corporate
Assignment:	Static IP


Hostname:	218.87.16.140
ISP:	Data Communication Division
Organization:	CHINANET Jiangxi province network
Proxy:	None detected
Type:	Broadband
Assignment:	Static IP
Blacklist:	

1 Comment

Yay! Cut down considerably on the sshd attacks. They were coming from just a few IPs (interestingly, all over the world, most probably a zombie army):


kyoto:data karen$ more hosts-restricted
108.16.139.210:95:Sun Jun 12 00:14:50 2011
113.105.159.162:3:Sun Jun 12 00:14:51 2011
119.62.128.115:0:Sun Jun 12 00:15:53 2011
121.9.206.64:156:Sun Jun 12 00:15:42 2011
123.13.201.202:6:Sun Jun 12 00:14:50 2011
123.232.6.120:148:Sun Jun 12 00:14:51 2011
128.95.92.201:2:Sun Jun 12 00:15:54 2011
129.10.105.77:2:Sun Jun 12 00:15:54 2011
173.201.36.48:52:Sun Jun 12 00:15:53 2011
182.18.24.7:28:Sun Jun 12 00:14:50 2011
186.3.71.250:4:Sun Jun 12 00:15:54 2011
190.208.34.228:7:Sun Jun 12 00:15:53 2011
201.56.254.145:1:Sun Jun 12 00:14:50 2011
202.131.105.99:2:Sun Jun 12 00:15:54 2011
208.79.211.112:0:Thu Jun 9 14:56:14 2011
211.136.163.126:1014:Sun Jun 12 00:15:42 2011
211.143.168.60:0:Sun Jun 12 00:14:50 2011
217.149.195.108:3:Sun Jun 12 00:14:51 2011
218.64.53.176:235:Sun Jun 12 00:14:50 2011
218.87.16.140:24:Sun Jun 12 00:15:54 2011
220.225.226.91:0:Sun Jun 12 00:15:54 2011
221.2.163.252:3:Sun Jun 12 00:14:51 2011
222.106.248.24:0:Sun Jun 12 00:14:50 2011
41.241.220.103:0:Sat Jun 11 23:49:48 2011
46.246.111.28:38:Sun Jun 12 00:15:53 2011
46.4.76.168:9:Sun Jun 12 00:14:50 2011
49.212.44.104:28:Sun Jun 12 00:14:50 2011
61.177.191.219:0:Sun Jun 12 00:15:53 2011
61.19.213.42:20:Sun Jun 12 00:14:50 2011
62.27.42.80:46:Sun Jun 12 00:15:53 2011
64.50.172.184:0:Sun Jun 12 00:15:53 2011
71.234.233.130:0:Sat Jun 11 23:27:17 2011
77.247.158.162:2:Sun Jun 12 00:14:50 2011
80.69.92.87:241:Sun Jun 12 00:14:51 2011
88.190.17.174:10:Sun Jun 12 00:15:53 2011
88.191.137.219:2:Sun Jun 12 00:14:50 2011
94.102.1.81:4:Sun Jun 12 00:14:50 2011
95.142.51.22:7:Sun Jun 12 00:14:50 2011
97.74.206.32:8:Sun Jun 12 00:14:50 2011


One hacker (211.136.163.126) is in Shanghai, China, and was responsible for over 1000 break-in attempts!

I'll have to post the configuration instructions for denyhost as they were different on Mac OSX 10.6 than the ones on the web.


P.S. The creator of denyhost was hacked by an ssh break-in; read his story here: http://denyhosts.sourceforge.net/hack_tale.html
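The hosts-restricted listing in the comment is easy to triage programmatically: each line is `address:count:last-seen`, and the comment's own reading of it (211.136.163.126 with 1014 attempts) treats the middle field as the number of failed attempts from that address. The script below is an added example, not part of the post and not DenyHosts' code; it parses that layout, ranks the sources, and reports how much of the total one address accounts for. The embedded input is a subset of the lines quoted in the comment above.

```python
"""Rank sources in a DenyHosts-style hosts-restricted file.

Added example (not DenyHosts' code). Each line is address:count:last-seen;
the count is read as the number of failed attempts, as the comment does.
"""
from datetime import datetime

# Subset of the hosts-restricted listing quoted in the comment above.
SAMPLE_RESTRICTED = """\
108.16.139.210:95:Sun Jun 12 00:14:50 2011
121.9.206.64:156:Sun Jun 12 00:15:42 2011
208.79.211.112:0:Thu Jun 9 14:56:14 2011
211.136.163.126:1014:Sun Jun 12 00:15:42 2011
218.64.53.176:235:Sun Jun 12 00:14:50 2011
62.27.42.80:46:Sun Jun 12 00:15:53 2011
80.69.92.87:241:Sun Jun 12 00:14:51 2011
"""


def parse_restricted(text):
    """Return [(ip, count, last_seen datetime), ...] for every non-empty line.

    The date is ctime-style with no zero padding on the day ("Thu Jun 9"),
    which strptime's %d accepts.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ip, count, stamp = line.split(":", 2)
        entries.append((ip, int(count), datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")))
    return entries


def top_offenders(entries, n=3):
    """The n sources with the most attempts, highest first."""
    return sorted(entries, key=lambda e: e[1], reverse=True)[:n]


def share_of_total(entries, ip):
    """Fraction of all recorded attempts that came from `ip` (0.0 if none)."""
    total = sum(c for _, c, _ in entries)
    mine = sum(c for a, c, _ in entries if a == ip)
    return mine / total if total else 0.0


def added_per_day(entries):
    """How many addresses were last seen on each calendar day, as {date: n}."""
    per_day = {}
    for _, _, seen in entries:
        per_day[seen.date()] = per_day.get(seen.date(), 0) + 1
    return per_day


if __name__ == "__main__":
    entries = parse_restricted(SAMPLE_RESTRICTED)
    for ip, count, seen in top_offenders(entries):
        print(f"{ip:16} {count:5d} attempts, last seen {seen:%Y-%m-%d %H:%M}")
    worst = top_offenders(entries, 1)[0][0]
    print(f"{worst} accounts for {share_of_total(entries, worst):.0%} of recorded attempts")
```

On the subset above the Shanghai address accounts for roughly 57% of all recorded attempts, which is the practical takeaway of the comment: a handful of addresses, not the long tail, produce most of the noise, so a blocker that keys on per-address counts removes most of it.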


About this Entry

This page contains a single entry by Karen Nakamura published on June 9, 2011 2:40 PM.

QTSS spamming my secure.log (Mac OSX server) was the previous entry in this blog.

Configuring denyhost on Mac OSX 10.6 is the next entry in this blog.
