Persistent attacks from one IP in India

Submitted by AlReaud on Mon, 12/12/2011 - 08:10

NOTE: Updated 11/15/2016

Today's memorable entry is from Trivandrum, Kerala, India, in the State of Delhi: 117.243.250.249

They are memorable because for some reason fail2ban didn't trap them, so they got to attack the shell 495 times instead of the nominal five. Zenmap indicates an unusual setup, with some open ports that are normally filtered and services not normally seen, such as ipp, wpgs, route, and sip. An unknown port is open at 20717.

OpenVAS reports 14 low-level weaknesses, with a server running at port 631. The interpretation is that the hacking is intentional: with no weakness present, an unintentional bot is more or less ruled out, as with the Church last week. Most of the systems examined so far have certain weaknesses present, such as HTTP TRACE. This IP is clean of even moderate weaknesses.

Makes one wonder why they waste their time. The password on the shell is not going to be weak enough to be hackable from the Internet, do you think?

Three sample attacks:
Dec 12 05:47:xx HCTSERVER unix_chkpwd[6306]: password check failed for user (root)
Dec 12 05:47:xx HCTSERVER sshd[6304]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.243.250.249  user=root
Dec 12 05:47:xx HCTSERVER sshd[6304]: Failed password for root from 117.243.250.249 port 18596 ssh2
Dec 12 12:47:xx HCTSERVER sshd[6305]: Received disconnect from 117.243.250.249: 11: Bye Bye
Dec 12 05:47:xx HCTSERVER unix_chkpwd[6311]: password check failed for user (root)
Dec 12 05:47:xx HCTSERVER sshd[6309]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.243.250.249  user=root
Dec 12 05:47:xx HCTSERVER sshd[6309]: Failed password for root from 117.243.250.249 port 21460 ssh2
Dec 12 12:47:xx HCTSERVER sshd[6310]: Received disconnect from 117.243.250.249: 11: Bye Bye
Dec 12 05:47:xx HCTSERVER unix_chkpwd[6314]: password check failed for user (root)
Dec 12 05:47:xx HCTSERVER sshd[6312]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.243.250.249  user=root
Dec 12 05:47:xx HCTSERVER sshd[6312]: Failed password for root from 117.243.250.249 port 23847 ssh2
Dec 12 12:47:xx HCTSERVER sshd[6313]: Received disconnect from 117.243.250.249: 11: Bye Bye

The offending IP is owned by:
route:          117.243.240.0/20
descr:          BSNL Internet
country:        IN
origin:         AS9829
mnt-lower:      MAINT-IN-DOT
mnt-routes:     MAINT-IN-DOT
mnt-by:         MAINT-IN-AS9829
changed:        dnw_jtotech@bsnl.in 20070914

role:           NS Cell
address:        Internet Cell
address:        Bharat Sanchar Nigam Limited
address:        8th Floor,148-B Statesman House
address:        Barakhamba Road, New Delhi - 110 001
country:        IN
phone:          +91-11-23734057
phone:          +91-11-23710183
fax-no:         +91-11-23734052
e-mail:         hostmaster@sancharnet.in
e-mail:         abuse@bsnl.in
admin-c:        CGMD1-AP
tech-c:         DT197-AP
nic-hdl:        NC83-AP
mnt-by:         MAINT-IN-DOT
changed:        dnwplg@sancharnet.in 20030120
changed:        hm-changed@apnic.net 20071227
