Wednesday, November 02, 2005

Blacklist for November 2


Tuesday, November 01, 2005

Sick and tired of hackers and incompetent server administrators

Incompetent server administrators are sometimes the last people to know that their server has been hacked. If you are a server administrator, please take charge.

I will be providing a blacklist of all IPs involved in SSH attacks. Please feel free to ban them: if they have tried to hack my machine, yours could be next.


Here is the list for November 01 2005:



Please, add your comments and contribute to the list.

To see which asshole hackers are trying to break into your box:

date >> /security/iptables/ssh-intruders.log   # timestamp this run of the report
cat /var/log/messages* | grep -i "sshd.*authentication failure" \
  | sed -n 's/.*rhost=\([^ ]*\).*/\1/p' \
  | grep ".*\..*\." | grep -v "ev1servers" | grep -v "alltel.net" \
  | sort | uniq -c | awk '{print $1 " attempts by " $2}' \
  >> /security/iptables/ssh-intruders.log
cat /security/iptables/ssh-intruders.log       # one line per source: failed-login count, then rhost






To block these hackers, use something like this (replace $ip with the hacker's IP):

/sbin/iptables -A INPUT -p tcp -s $ip/24 -j LOG
/sbin/iptables -A INPUT -p tcp -s $ip/24 -j REJECT
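
The report-then-block workflow above, as an added example that is not part of the original post: it counts failed sshd logins per rhost value and prints block rules only for sources that are literal IPv4 addresses and meet a threshold. The function names, the threshold of 2 and the sample log lines are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names, the threshold
# and the sample log lines are constructed for illustration.

# stdin: syslog text. stdout: "<count> <rhost>" per source of failed sshd logins.
# [^ ]* stops at the first space, so "rhost=x  user=root" and a bare "rhost=x"
# collapse to the same key; uniq -c counts exact values, not substrings.
count_failures() {
    grep -i 'sshd.*authentication failure' \
        | sed -n 's/.*rhost=\([^ ]*\).*/\1/p' \
        | sort | uniq -c | awk '{print $1, $2}'
}

# stdin: "<count> <rhost>". $1: minimum count. stdout: LOG and REJECT rules.
# rhost can be a reverse-DNS name chosen by the remote side, so only a strict
# dotted-quad IPv4 value is ever written into a command line.
emit_rules() {
    awk -v min="$1" '
        $1 + 0 >= min + 0 && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            split($2, o, ".")
            for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) next
            # /32 blocks one host; the /24 form blocks the whole surrounding network
            printf "/sbin/iptables -A INPUT -p tcp -s %s/32 -j LOG\n", $2
            printf "/sbin/iptables -A INPUT -p tcp -s %s/32 -j REJECT\n", $2
        }'
}

# Constructed sample input (documentation addresses, RFC 5737).
sample_log() {
    cat <<'EOF'
Nov  1 03:12:01 box sshd(pam_unix)[4101]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10  user=root
Nov  1 03:12:04 box sshd(pam_unix)[4102]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10  user=admin
Nov  1 03:12:07 box sshd(pam_unix)[4103]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10
Nov  1 04:40:19 box sshd(pam_unix)[4150]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.1  user=root
Nov  1 05:01:33 box sshd(pam_unix)[4171]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=scanner.example.net  user=root
Nov  1 05:01:36 box sshd(pam_unix)[4172]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=scanner.example.net  user=test
Nov  1 09:15:02 box sshd[4200]: Accepted password for alice from 192.0.2.10 port 4022 ssh2
EOF
}

# Print the rules for review; nothing is applied.
sample_log | count_failures | emit_rules 2
```

The hostname source is counted in the report but produces no rule, and 192.0.2.1 is not inflated by the lines for 192.0.2.10.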