Just a heads up to the 44 Group who run 44 addressed mail servers.
Over the last few days I've had someone trying to break into my mail server.
After installing more detection software, I came up with IP Address 178.33.151.117.
Just a heads up he's probably scanning the network looking for others, so heads up everyone.
Bill / KG6BAJ
==========================================
AUTOMATED NOTIFICATION !
The IP 178.33.151.117 has just been banned after several attempts against dovecot.
Here are more information about 178.33.151.117:
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '178.33.151.112 - 178.33.151.127'
% Abuse contact for '178.33.151.112 - 178.33.151.127' is 'abuse@ovh.net'
inetnum:        178.33.151.112 - 178.33.151.127
netname:        DVC-ITA
descr:          DoveConviene.it Italian Network
country:        IT
org:            ORG-OS43-RIPE
admin-c:        OTC5-RIPE
tech-c:         OTC5-RIPE
status:         ASSIGNED PA
mnt-by:         OVH-MNT
source:         RIPE # Filtered
organisation:   ORG-OS43-RIPE
org-name:       OVH Srl
org-type:       OTHER
address:        Via trieste 25
address:        20097 San Donato Milanese
address:        Italia
abuse-mailbox:  abuse@ovh.net
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
source:         RIPE # Filtered
role:           OVH IT Technical Contact
address:        OVH Srl
address:        Via trieste 25
address:        20097 San Donato Milanese
address:        Italia
admin-c:        OK217-RIPE
tech-c:         GM84-RIPE
nic-hdl:        OTC5-RIPE
abuse-mailbox:  abuse@ovh.net
mnt-by:         OVH-MNT
source:         RIPE # Filtered
% Information related to '178.32.0.0/15AS16276'
route:          178.32.0.0/15
descr:          OVH ISP
descr:          Paris, France
origin:         AS16276
mnt-by:         OVH-MNT
source:         RIPE # Filtered
% This query was served by the RIPE Database Query Service version 1.71 (WHOIS1)
Lines containing IP:178.33.151.117 in /var/log/mail.log
Feb 5 04:15:37 linux1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=test@ampr.org, method=PLAIN, rip=178.33.151.117, lip=44.2.14.2
Feb 5 04:17:23 linux1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=test@ampr.org, method=PLAIN, rip=178.33.151.117, lip=44.2.14.2
Feb 5 04:17:41 linux1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=test@ampr.org, method=PLAIN, rip=178.33.151.117, lip=44.2.14.2
...... <snip>
Looks like someone's box has been hacked; it is a shopping site in Italy.
Lin
On Wed, Feb 5, 2014 at 12:54 PM, William Lewis kg6baj@n1oes.org wrote:
William Lewis wrote:
Not only that IP, but also watch these; on my side, those IPs also attacked:
==============================================================
-A INPUT -s 178.33.116.0/24 -j DROP   # .102 attack 24.01.2014 access_log "POST /downloads/submissions/statrA4.php"
-A INPUT -s 178.33.166.0/24 -j DROP   # .88 attack 23.01.2014 access_log "POST /downloads/submissions/statrA4.php"
-A INPUT -s 178.33.227.0/24 -j DROP   # .142 attack 25.01.2014 access_log "POST /downloads/submissions/statrA4.php"
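Two things happen in this thread: Bill's automated notification counted dovecot auth failures per remote IP and banned the source, and the last poster turned his observations into iptables DROP rules. The script below is an added example (not code from anyone on the list) that does both over constructed dovecot log lines in the format quoted above: it parses the "auth failed" disconnects, sums attempts per rip, selects IPs over a threshold, and renders rules in the thread's "-A INPUT -s ... -j DROP" form. The addresses 198.51.100.23 and 44.2.14.9 and the threshold of 3 are assumptions added for illustration.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample lines in the dovecot format shown in the thread, not a
# capture from the original server. 198.51.100.23 and 44.2.14.9 are placeholder
# addresses added for illustration; the imap-login line is a successful login
# that the filter must ignore.
SAMPLE_LOG = """\
Feb  5 04:15:37 linux1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=test@ampr.org, method=PLAIN, rip=178.33.151.117, lip=44.2.14.2
Feb  5 04:17:23 linux1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=test@ampr.org, method=PLAIN, rip=178.33.151.117, lip=44.2.14.2
Feb  5 04:17:41 linux1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=test@ampr.org, method=PLAIN, rip=178.33.151.117, lip=44.2.14.2
Feb  5 04:20:02 linux1 dovecot: imap-login: Login: user=<bill>, method=PLAIN, rip=44.2.14.9, lip=44.2.14.2, TLS
Feb  5 04:21:10 linux1 dovecot: pop3-login: Disconnected (auth failed, 2 attempts): user=admin@ampr.org, method=PLAIN, rip=198.51.100.23, lip=44.2.14.2
"""

# Matches dovecot "auth failed" disconnect lines. The user field is logged with
# or without angle brackets depending on dovecot version, so both are accepted.
AUTH_FAIL_RE = re.compile(
    r"dovecot: (?P<service>\w+-login): Disconnected \(auth failed, "
    r"(?P<attempts>\d+) attempts\): user=<?(?P<user>[^>,]*)>?, "
    r"method=(?P<method>\w+), rip=(?P<rip>[\d.]+), lip=(?P<lip>[\d.]+)"
)


def parse_auth_failures(log_text):
    """Return one dict per auth-failure line: service, attempts, user, rip, lip."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.search(line)
        if m:
            d = m.groupdict()
            d["attempts"] = int(d["attempts"])
            events.append(d)
    return events


def failures_per_ip(log_text):
    """Sum failed attempts per remote IP (rip), the key a fail2ban-style filter bans on."""
    counts = Counter()
    for ev in parse_auth_failures(log_text):
        counts[ev["rip"]] += ev["attempts"]
    return counts


def ips_to_ban(log_text, threshold=3):
    """Remote IPs whose failure total reached the threshold, sorted for stable output."""
    return sorted(ip for ip, n in failures_per_ip(log_text).items() if n >= threshold)


def iptables_drop_rules(ips, prefix_len=32):
    """Render DROP rules in the '-A INPUT -s ... -j DROP' form used in the thread.

    prefix_len=24 reproduces the whole-/24 blocks one poster used; the default
    /32 blocks only the offending host.
    """
    nets = sorted({ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False) for ip in ips})
    return [f"-A INPUT -s {net.with_prefixlen} -j DROP" for net in nets]


if __name__ == "__main__":
    for rule in iptables_drop_rules(ips_to_ban(SAMPLE_LOG)):
        print(rule)
```

On the sample input only 178.33.151.117 reaches three failures, so the default run emits a single /32 rule. Passing prefix_len=24 would instead block 178.33.151.0/24, as the last poster did for his ranges; the whois above shows the offending host sits in a /28 assigned to one OVH customer, so a /24 block also cuts off unrelated OVH customers, and the abuse-mailbox in that same whois (abuse@ovh.net) is the place to report the compromised host.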