[blog.rayfoo] » blacklist http://blog.rayfoo.info Infosec, DFIR, tech geekery, thoughts and whatnot Wed, 25 Jan 2012 00:36:47 +0000 en hourly 1 SSH brute force connection attempts #fail http://blog.rayfoo.info/2009/10/ssh-brute-force-connection-attempts-fail http://blog.rayfoo.info/2009/10/ssh-brute-force-connection-attempts-fail#comments Tue, 20 Oct 2009 02:18:17 +0000 ray http://blog.rayfoo.info/?p=273 Collected these over the past few months, reverse chronological order. Seeing different machines attempting to connect hundreds of times a day each is just, wow.

Some might say that a SSH blacklist daemon might help, but it only increases the time taken for a brute force attempt, and is of no use against a botnet trying to brute force the ssh login.

There are plenty of things that can be done to lock down the ssh server, and restricting it to only publickey is by far one of the most effective, counting that the resource (the server) you're protecting is pretty important.

Plenty of interesting IPs/hosts in this list, take a look if you're really interested, heh. ;)

reverse mapping checking getaddrinfo for 93.184.69.3.vnet.sk [93.184.69.3] failed - POSSIBLE BREAK-IN ATTEMPT! : 237 time(s)
reverse mapping checking getaddrinfo for 95-128-245-59.wiseweb.ru [95.128.245.59] failed - POSSIBLE BREAK-IN ATTEMPT! : 567 time(s)
reverse mapping checking getaddrinfo for h-69-3-215-11-static.lsanca54.covad.net [69.3.215.11] failed - POSSIBLE BREAK-IN ATTEMPT! : 543 time(s)
reverse mapping checking getaddrinfo for iodc-74-206-96-142.ioconnect.net [74.206.96.142] failed - POSSIBLE BREAK-IN ATTEMPT! : 6 time(s)
reverse mapping checking getaddrinfo for 202-153-191-246-static.unigate.net.tw [202.153.191.246] failed - POSSIBLE BREAK-IN ATTEMPT! : 5 time(s)
reverse mapping checking getaddrinfo for corporat065-167059038.sta.etb.net.co [65.167.59.38] failed - POSSIBLE BREAK-IN ATTEMPT! : 19 time(s)
reverse mapping checking getaddrinfo for ev1s-75-125-43-50.theplanet.com [75.125.43.50] failed - POSSIBLE BREAK-IN ATTEMPT! : 46 time(s)
reverse mapping checking getaddrinfo for hst13.migrateplans.com [72.46.131.181] failed - POSSIBLE BREAK-IN ATTEMPT! : 68 time(s)
reverse mapping checking getaddrinfo for bzq-179-135-183.static.bezeqint.net [212.179.135.183] failed - POSSIBLE BREAK-IN ATTEMPT! : 298 time(s)
reverse mapping checking getaddrinfo for host112163.metrored.net.mx [200.77.249.163] failed - POSSIBLE BREAK-IN ATTEMPT! : 8 time(s)
Address 98.126.208.50 maps to customer.krypt.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT! : 50 time(s)
reverse mapping checking getaddrinfo for corporat200-7543230.sta.etb.net.co [200.75.43.230] failed - POSSIBLE BREAK-IN ATTEMPT! : 97 time(s)
Address 61.168.44.5 maps to pc5.zz.ha.cn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT! : 50 time(s)
reverse mapping checking getaddrinfo for ip36.70.inetmar.com [92.42.36.70] failed - POSSIBLE BREAK-IN ATTEMPT! : 50 time(s)
Address 218.28.20.135 maps to pc0.zz.ha.cn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT! : 168 time(s)
reverse mapping checking getaddrinfo for 187-5-142-129.bnut3700.e.brasiltelecom.net.br [187.5.142.129] failed - POSSIBLE BREAK-IN ATTEMPT! : 478 time(s)
reverse mapping checking getaddrinfo for cliente-13108.iberbanda.es [82.198.115.50] failed - POSSIBLE BREAK-IN ATTEMPT! : 324 time(s)
reverse mapping checking getaddrinfo for host-203-92-76-19.lga.net.sg [203.92.76.19] failed - POSSIBLE BREAK-IN ATTEMPT! : 5 time(s)
reverse mapping checking getaddrinfo for 229.1.163.220.broad.km.yn.dynamic.163data.com.cn [220.163.1.229] failed - POSSIBLE BREAK-IN ATTEMPT! : 240 time(s)
reverse mapping checking getaddrinfo for 56h29.xjtu.edu.cn [202.117.56.29] failed - POSSIBLE BREAK-IN ATTEMPT! : 54 time(s)
reverse mapping checking getaddrinfo for 202.53.76.24.nettlinx.com [202.53.76.24] failed - POSSIBLE BREAK-IN ATTEMPT! : 45 time(s)
Address 218.28.103.202 maps to pc0.zz.ha.cn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT! : 373 time(s)
Address 72.9.228.73 maps to marisil.org, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT! : 6 time(s)
Address 72.9.228.73 maps to marisil.org, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT! : 6 time(s)
reverse mapping checking getaddrinfo for 74.126.30.110.static.a2webhosting.com [74.126.30.110] failed - POSSIBLE BREAK-IN ATTEMPT! : 15 time(s)
reverse mapping checking getaddrinfo for 74.126.30.110.static.a2webhosting.com [74.126.30.110] failed - POSSIBLE BREAK-IN ATTEMPT! : 15 time(s)

]]> http://blog.rayfoo.info/2009/10/ssh-brute-force-connection-attempts-fail/feed 0 Finexis’ new tactic: Social Engineering http://blog.rayfoo.info/2009/09/finexis-new-tactic-social-engineering http://blog.rayfoo.info/2009/09/finexis-new-tactic-social-engineering#comments Mon, 07 Sep 2009 08:58:27 +0000 ray http://blog.rayfoo.info/?p=56 Just got a call from Finexis, trying to get/trick me into going down to talk to their financial consultants. They are now trying to do so by saying that there's been some changes to their(implied: your) policies, and want you do go down for a session with them.

Problem is, I don't have any policies with them :D Well, one more number (6341 5315) in my blacklist.

Do be warned.

For the curious, our conversation went like this:

Her: Hi, may I speak to Ray?
(note that she already has my name, so I continue to talk to her, for now)

Me: Yeah, what's up?

Her: I'm calling from Finexis. There's been a change with some of our policies...

Me: Huh? But do I have any plans with Finexis?
(I know I don't)

Her: Errr...no.. But we'd like to invite you down to have a talk with one of our financial consultants on this.

Me: (laughs) No thanks :D *hangs up*

]]> http://blog.rayfoo.info/2009/09/finexis-new-tactic-social-engineering/feed 6