Chris Wilson Posted September 18, 2008
Can you clever peeps find out who has been trying to force my admin FTP password from a numeric IP address? (They failed...) Thanks.

Benzsupra Posted September 18, 2008
If you have the IP address you can enter it on this site and it gives you the info on who it is etc. Don't really know much about hacking or anything, but I found this while looking for a similar thing. Hope it helps: http://www.geektools.com/whois.php

carl0s Posted September 18, 2008
It's pretty normal really, I wouldn't worry about it.

carl0s Posted September 18, 2008
Actually, I'm quite surprised to see your name in the whois for your IP. I take it 82.70.254.216 - 82.70.254.223 is your own subnet?

[Carl@mediaxp ~]$ whois 82.70.254.222
[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag
% Information related to '82.70.254.216 - 82.70.254.223'
inetnum: 82.70.254.216 - 82.70.254.223
netname: ZEN000029222
descr: Mr Chris Wilson
descr: ADSL
country: GB
admin-c: RT1337-RIPE
tech-c: ZIRA1-RIPE
status: ASSIGNED PA
mnt-by: ZEN-MNT
mnt-lower: ZEN-MNT
mnt-routes: ZEN-MNT
source: RIPE # Filtered
role: Zen Internet RIPE Admin
address: Zen Internet
address: Moss Bridge Road
address: Rochdale
address: Lancashire
address: OL16 5EA
address: England
phone: +44 845 058 9000
fax-no: +44 845 058 9005
e-mail: [email protected]
admin-c: RT1337-RIPE
tech-c: DJW5-RIPE
tech-c: DAR33-RIPE
tech-c: JE273-RIPE
nic-hdl: ZIRA1-RIPE
mnt-by: ZEN-MNT
source: RIPE # Filtered
person: Richard Tang
address: Zen Internet
address: Moss Bridge Road
address: Rochdale
address: Lancashire
address: OL16 5EA
address: England
phone: +44 845 058 9000
fax-no: +44 845 058 9005
e-mail: [email protected]
nic-hdl: RT1337-RIPE
mnt-by: ZEN-MNT
source: RIPE # Filtered
% Information related to '82.68.0.0/14AS13037'
route: 82.68.0.0/14
descr: Zen Internet Ltd
origin: AS13037
mnt-by: ZEN-MNT
source: RIPE # Filtered

carl0s Posted September 18, 2008
That's cool. I always thought it'd just give the ISP's details, but I just checked another of my customers who has a routed subnet with Demon, and it gives their name, ADSL username (!), address, phone etc. Doesn't do that for single-IP customers though, only routed subnets. I have a block of IPs too, but it's not routed, it's bridged to the ISP's network, so it doesn't give anything for me.

[Carl@mediaxp ~]$ whois 83.104.15.21
[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag
% Information related to '83.104.15.16 - 83.104.15.23'
inetnum: 83.104.15.16 - 83.104.15.23
netname: porcshe-adsl
descr: AMT CONTRACT HIRING AND LEASING
descr: Leeds LS115WB
country: GB
admin-c: DM2460-RIPE
tech-c: DM2460-RIPE
status: Assigned PA
mnt-by: AS2529-MNT
mnt-lower: AS2529-MNT
source: RIPE # Filtered
person: Daniel Myers
address: AMT CONTRACT HIRING AND LEASING
address: Leeds, LS115WB
e-mail: danielksaedhiuasdhng.co.uk
phone: +44777987987999
nic-hdl: DM2460-RIPE
remarks:
mnt-by: AS2529-MNT
source: RIPE # Filtered
% Information related to '83.104.0.0/14AS2529'
route: 83.104.0.0/14
descr: DEMON-NET
origin: AS2529
remarks: *********************************************************
remarks: * ABUSE CONTACT: [email protected] IN CASE OF INTRUSIONS, *
remarks: * ILLEGAL ACTIVITY, ATTACKS, SCANS, PROBES, SPAM, ETC. *
remarks: *********************************************************
mnt-by: AS2529-MNT
source: RIPE # Filtered

Chris Wilson (Author) Posted September 18, 2008
I am totally at a loss as to what you are saying, it's all double Dutch to me. The "hacker" seems to be from a Spanish ISP; it just resolves to a group of addresses, not any individual. 85.48.195.52 was the address.

SilverSoop Posted September 18, 2008
> I am totally at a loss as to what you are saying, it's all double Dutch to me. The "hacker" seems to be from a Spanish ISP; it just resolves to a group of addresses, not any individual. 85.48.195.52 was the address.

SatSport Posted September 18, 2008
http://www.utrace.de/ip-adresse/85.48.195.52

carl0s Posted September 19, 2008
> I am totally at a loss as to what you are saying, it's all double Dutch to me. The "hacker" seems to be from a Spanish ISP; it just resolves to a group of addresses, not any individual. 85.48.195.52 was the address.

Well, what you should do is email relevant parts of your logs to the abuse contact from the whois info for that network:

remarks: spam, abuse reports....mailto:[email protected]
abuse-mailbox: [email protected]

But really, you should check your web server logs. You'll see thousands of attempts to break in all the time. Virus-infected computers are the usual culprit, but I suppose it's good to contact the abuse team anyway. Whether or not they'll actually do anything is another matter. Lots of ISPs have a policy of not revealing any information in response to abuse reports, so there's not much you can do after you've emailed them.

carl0s Posted September 19, 2008
On Linux you can easily set up a kind of tarpitting with iptables. Maybe Serv-U FTP has a similar option? See here: http://en.wikipedia.org/wiki/Tarpit_(networking)

The idea is that connections are delayed, making brute-force attacks awkward and slow. With Linux you can, for example, only allow three repeated connection attempts every five minutes from the same IP.

The Raven Posted September 19, 2008
I think you will find it was MATTH!

Thorin Posted September 19, 2008
> On Linux you can easily set up a kind of tarpitting with iptables. Maybe Serv-U FTP has a similar option? See here: http://en.wikipedia.org/wiki/Tarpit_(networking) The idea is that connections are delayed, making brute-force attacks awkward and slow. With Linux you can, for example, only allow three repeated connection attempts every five minutes from the same IP.

Port knocking is another good idea: http://en.wikipedia.org/wiki/Port_knocking

The idea is that if you try and connect straight to the normal FTP port you'll get no response. You have to first attempt a connection to a different port number, which will then be logged by the host and then allow your IP to connect via FTP.

You could also just change the default port that the FTP server listens on. People could still do a port scan of your box and find out what port it's running on, but it might reduce some of the opportunistic attacks.

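The port-knocking behaviour Thorin describes, modelled as an added example (not code from the thread or from any knock daemon): a per-IP state machine that only opens port 21 to a source after it has hit a secret sequence of otherwise-closed ports in order, with a timeout between knocks and a limited open window. The sequence, timeout, window and connection events are all assumed values constructed for illustration.

```python
from collections import defaultdict

FTP_PORT = 21
KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed secret sequence, placeholder only
KNOCK_TIMEOUT = 10.0                 # max seconds between consecutive knocks
OPEN_FOR = 30.0                      # seconds FTP stays reachable after a full knock


class KnockGate:
    """Per-IP port-knock state: hit the sequence in order, then port 21 opens."""

    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT, open_for=OPEN_FOR):
        self.seq, self.timeout, self.open_for = sequence, timeout, open_for
        self.progress = defaultdict(lambda: (0, 0.0))  # ip -> (next index, last knock)
        self.open_until = {}                            # ip -> expiry of FTP access

    def event(self, ip, port, ts):
        """One connection attempt; 'OPEN' only for an authorised FTP hit.
        Knocks always return 'DROP', so the host looks closed to a scanner."""
        if port == FTP_PORT:
            return "OPEN" if ts < self.open_until.get(ip, 0.0) else "DROP"
        idx, last = self.progress[ip]
        if idx and ts - last > self.timeout:
            idx = 0                         # too slow between knocks: start over
        if port == self.seq[idx]:
            idx += 1
            if idx == len(self.seq):        # full sequence: open FTP for a while
                self.open_until[ip] = ts + self.open_for
                idx = 0
        else:
            idx = 1 if port == self.seq[0] else 0  # wrong port resets the sequence
        self.progress[ip] = (idx, ts)
        return "DROP"


def run(events, **kw):
    """Replay (ip, port, time) events through one gate; return the decisions."""
    gate = KnockGate(**kw)
    return [gate.event(ip, port, ts) for ip, port, ts in events]


# Constructed events (not from the thread): a scanner probing ports in order,
# then a legitimate client that knocks the sequence before connecting to FTP.
EVENTS = [
    ("85.48.195.52", 21, 0.0),    # direct hit on FTP: looks closed
    ("85.48.195.52", 7000, 1.0),  # scanner happens to reach the first knock port
    ("85.48.195.52", 7001, 1.1),  # ... but keeps scanning, which resets it
    ("85.48.195.52", 21, 2.0),    # still closed
    ("203.0.113.9", 7000, 5.0),
    ("203.0.113.9", 8000, 6.0),
    ("203.0.113.9", 9000, 7.0),
    ("203.0.113.9", 21, 8.0),     # sequence complete: FTP answers
    ("203.0.113.9", 21, 50.0),    # open window expired
]
```

As Thorin notes, this hides the port from casual probing but is not authentication; the knock sequence is visible to anyone who can observe the client's traffic.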
carl0s Posted September 19, 2008
> Port knocking is another good idea: http://en.wikipedia.org/wiki/Port_knocking The idea is that if you try and connect straight to the normal FTP port you'll get no response. You have to first attempt a connection to a different port number, which will then be logged by the host and then allow your IP to connect via FTP. You could also just change the default port that the FTP server listens on. People could still do a port scan of your box and find out what port it's running on, but it might reduce some of the opportunistic attacks.

That sounds like a good idea. I think the thing that I had in mind wasn't actually tarpitting. It's something I did on an SSH server regarding the maximum connection attempts per minute. That wasn't actually tarpitting, but it's another Linux iptables feature that could be used alongside tarpitting, and what you've suggested.

Matt H Posted September 19, 2008
> I think you will find it was MATTH!

You'll find my knowledge of the internet is worse than my knowledge of trustworthy traders!

Chris Wilson (Author) Posted September 19, 2008
> On Linux you can easily set up a kind of tarpitting with iptables. Maybe Serv-U FTP has a similar option? See here: http://en.wikipedia.org/wiki/Tarpit_(networking) The idea is that connections are delayed, making brute-force attacks awkward and slow. With Linux you can, for example, only allow three repeated connection attempts every five minutes from the same IP.

Found the settings and turned this option on, cheers Carlos.

carl0s Posted September 19, 2008
Oh yeah, that's lucky: http://www.rhinosoft.com/knowledgebase/kbimages/kb1685-2.jpg

Maybe you should set it to 3 attempts within 999 seconds = block for 999 minutes or something! I'm sure the defaults will do though. It'll slow them down a lot.

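The per-IP attempt limit carl0s describes for iptables (three attempts per five minutes from one source) and the Serv-U block duration discussed just above, modelled as an added example that is not code from the thread: a sliding-window counter in the style of the iptables recent module, run over constructed FTP log lines. The log format, the `decide` helper and the default block length (999 minutes, as suggested above) are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed FTP-style log lines (not from the thread): "date time ip result user".
SAMPLE_LOG = """\
2008-09-18 10:00:01 85.48.195.52 FAIL user=admin
2008-09-18 10:00:05 85.48.195.52 FAIL user=admin
2008-09-18 10:00:09 85.48.195.52 FAIL user=admin
2008-09-18 10:00:12 85.48.195.52 FAIL user=admin
2008-09-18 10:03:00 82.70.254.222 FAIL user=chris
2008-09-18 10:03:30 82.70.254.222 OK user=chris
2008-09-18 10:20:00 85.48.195.52 FAIL user=admin
"""
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (FAIL|OK)")


class AttemptLimiter:
    """Allow at most `hitcount` attempts per source IP inside a sliding `window`
    (seconds, the iptables -m recent idea); beyond that, refuse for `block` seconds."""

    def __init__(self, hitcount=3, window=300, block=999 * 60):
        self.hitcount, self.window, self.block = hitcount, window, block
        self.hits = defaultdict(deque)  # ip -> timestamps of attempts in window
        self.blocked_until = {}         # ip -> epoch second the block expires

    def check(self, ip, ts):
        """Return 'ALLOW' or 'BLOCK' for one attempt from ip at epoch time ts."""
        if ts < self.blocked_until.get(ip, 0):
            return "BLOCK"              # still inside the block period
        q = self.hits[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                 # forget attempts older than the window
        if len(q) > self.hitcount:      # e.g. the 4th attempt within 5 minutes
            self.blocked_until[ip] = ts + self.block
            return "BLOCK"
        return "ALLOW"


def decide(log_text, **limits):
    """Feed each parsed log line to a limiter; return [(ip, decision), ...]."""
    limiter = AttemptLimiter(**limits)
    decisions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                    # skip lines that are not attempts
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").timestamp()
        decisions.append((m.group(2), limiter.check(m.group(2), ts)))
    return decisions
```

With the long block the seventh line (a retry twenty minutes later) is still refused; with a short block it would be allowed again once the window has emptied, which is the difference between the two Serv-U numbers.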