Secure Shell

Persistent attacks from one IP in India

Submitted by AlReaud on Mon, 12/12/2011 - 08:10

NOTE: Updated 11/15/2016

Today's memorable entry is from Trivandrum, Kerala, India, in the State of Delhi: 117.243.250.249

They are memorable because for some reason fail2ban didn't trap them, so they got to attack the shell 495 times instead of the nominal five. Zenmap indicates an unusual setup, with some open ports that are normally filtered, and things not normally seen, such as ipp, wpgs, route, and sip. An unknown port is open at 20717.
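One way to look into a miss like this is to cross-check sshd failures against fail2ban's ban log and see whether the source ever crossed the retry limit inside the jail's time window. The following is an added example, not part of the original post: it assumes standard `auth.log` "Failed password" lines, fail2ban 0.8-style "Ban" log lines, a `maxretry` of 5 (the nominal five above) and an assumed `findtime` of 600 seconds, and it runs on constructed sample lines using documentation-range addresses. The post does not say why the ban never fired; the two outcomes in the report are only the usual starting points.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd "Failed password" line as written to auth.log (syslog timestamps carry no year)
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port")
BAN = re.compile(r"\bBan (\S+)$")  # fail2ban.log ban action line (assumed 0.8 format)

def peak_in_window(times, findtime):
    """Largest number of failures inside any sliding window of findtime seconds."""
    times, best, lo = sorted(times), 0, 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() >= findtime:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def audit(auth_lines, f2b_lines, maxretry=5, findtime=600, year=2011):
    """Sources with >= maxretry failures overall that fail2ban never banned."""
    fails = defaultdict(list)
    for line in auth_lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            fails[m.group(2)].append(ts)
    banned = {m.group(1) for l in f2b_lines if (m := BAN.search(l.strip()))}
    report = {}
    for ip, times in fails.items():
        if len(times) >= maxretry and ip not in banned:
            peak = peak_in_window(times, findtime)
            # peak < maxretry: attempts too spread out for the jail's window;
            # peak >= maxretry: the jail should have fired, so check filter/jail config
            report[ip] = {"total": len(times), "peak": peak,
                          "should_have_tripped": peak >= maxretry}
    return report

def _line(ip, minute, second=0):  # builds a constructed sample auth.log line
    return (f"Dec 12 {3 + minute // 60:02d}:{minute % 60:02d}:{second:02d} host "
            f"sshd[999]: Failed password for root from {ip} port 40000 ssh2")

# Constructed sample data (documentation-range addresses, not from the post)
SAMPLE_AUTH = ([_line("203.0.113.10", 0, s) for s in range(0, 60, 10)]    # burst, banned
               + [_line("198.51.100.7", 15 * i) for i in range(8)]        # one per 15 min
               + [_line("192.0.2.55", 5, s) for s in range(0, 60, 10)])   # burst, not banned
SAMPLE_F2B = ["2011-12-12 03:00:55,101 fail2ban.actions: WARNING [ssh] Ban 203.0.113.10"]

if __name__ == "__main__":
    for ip, row in audit(SAMPLE_AUTH, SAMPLE_F2B).items():
        print(ip, row)
```

A source reported with `should_have_tripped` false points at the window settings, while true points at the filter or jail not matching the log at all.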

OpenVAS reports 14 low-level weaknesses, with a server running at port 631. My interpretation is that the hacking is intentional, because with no weaknesses present, it somewhat eliminates unintentional bots, as with the Church last week. Most of the systems examined so far have certain weaknesses present, such as http TRACE. This IP is clean of even moderate weaknesses.

Makes one wonder why they waste their