2023-03-16T01:52:10.032915hitchmothpdc sshd[10208]: Invalid user test from 213.33.227.90 port 51642
...
show more2023-03-16T01:52:10.032915hitchmothpdc sshd[10208]: Invalid user test from 213.33.227.90 port 51642
2023-03-16T01:52:57.308588hitchmothpdc sshd[10210]: Invalid user admin from 213.33.227.90 port 55316
show less
2023-03-15T15:48:11.387930hitchmothpdc sshd[4275]: Invalid user zenghaiyan from 213.33.227.90 port 4 ...
show more2023-03-15T15:48:11.387930hitchmothpdc sshd[4275]: Invalid user zenghaiyan from 213.33.227.90 port 41804
2023-03-15T15:49:21.068827hitchmothpdc sshd[4285]: Invalid user ronjones from 213.33.227.90 port 39770
2023-03-15T15:49:55.864936hitchmothpdc sshd[4287]: Invalid user test from 213.33.227.90 port 58618
show less
2023-03-14T15:47:03.286985hitchmothpdc sshd[2581]: Invalid user nginx from 59.2.56.154 port 49840
20 ...
show more2023-03-14T15:47:03.286985hitchmothpdc sshd[2581]: Invalid user nginx from 59.2.56.154 port 49840
2023-03-14T15:47:08.768272hitchmothpdc sshd[2581]: error: maximum authentication attempts exceeded for invalid user nginx from 59.2.56.154 port 49840 ssh2 [preauth]
2023-03-14T15:47:08.768352hitchmothpdc sshd[2581]: Disconnecting: Too many authentication failures [preauth]
show less
03/12/2023 00:16:38 82 Security Services Attacks Port Scan Possible 00:09:5b:eb:73:1f X1 WAN 107.170 ...
show more03/12/2023 00:16:38 82 Security Services Attacks Port Scan Possible 00:09:5b:eb:73:1f X1 WAN 107.170.51.199 65198 XXX.XXX.XXX.XXX 5430 tcp TCP scanned port list, 5434, 5435, 5439, 5432, 5436 Possible port scan detected
show less
TCP scanned port list, 53687, 34225, 48228, 61081, 59400
I've had issues with AmazonWS recently.
...
show moreTCP scanned port list, 53687, 34225, 48228, 61081, 59400
I've had issues with AmazonWS recently.
There was another IP that was consistently doing port scans, and the next day, the ports would change.
A few days after, I received over 1700 attempted break-ins via ssh (a honeypot that doesn't allow logins).
The "excuse" was that it was a company doing "Internet Mapping" to keep an up-to-date list of the services available on the Internet for legitimate purposes.
I have come to believe that their "Legitimate Purposes" for probing the web and so-called "Internet Genome" projects, is to collect information that can be sold to State-Sponsored actors for the purposes of coordinated attack.
show less
2023-03-11T14:23:37.920727hitchmothpdc sshd[10713]: Invalid user xutianhao from 157.230.41.239 port ...
show more2023-03-11T14:23:37.920727hitchmothpdc sshd[10713]: Invalid user xutianhao from 157.230.41.239 port 57224
show less
2023-03-10T23:03:16.263417hitchmothpdc sshd[2134]: Invalid user Config from 179.60.147.106 port 5340 ...
show more2023-03-10T23:03:16.263417hitchmothpdc sshd[2134]: Invalid user Config from 179.60.147.106 port 53402
2023-03-10T23:20:00.793420hitchmothpdc sshd[2634]: Invalid user Root from 179.60.147.106 port 27096
show less
2023-03-10T11:04:51.577249hitchmothpdc sshd[6465]: Invalid user Config from 179.60.147.106 port 9038 ...
show more2023-03-10T11:04:51.577249hitchmothpdc sshd[6465]: Invalid user Config from 179.60.147.106 port 9038
2023-03-10T11:21:39.226543hitchmothpdc sshd[6608]: Invalid user Test from 179.60.147.106 port 21442
2023-03-10T11:38:25.927139hitchmothpdc sshd[6732]: Invalid user Unknown from 179.60.147.106 port 35114
show less
Example log entries:
03/01/2023 21:15:17 82 Security Services Attacks Port Scan Possible Standard N ...
show moreExample log entries:
03/01/2023 21:15:17 82 Security Services Attacks Port Scan Possible Standard Note String Alert 2048 84:8a:8d:33:10:22 CISCO SYSTEMS X1 WAN 00:09:5b:eb:73:1f NETGEAR X1 WAN 35.179.96.208 21345 ec2-35-179-96-208.eu-west-2.compute.amazonaws.com [my ip] 9899 tcp 46 General TCP NA TCP scanned port list, 89, 3389, 8999, 8789, 8384 Possible port scan detected
03/01/2023 21:15:17 82 Security Services Attacks Port Scan Possible Standard Note String Alert 2048 84:8a:8d:33:10:22 CISCO SYSTEMS X1 WAN 00:09:5b:eb:73:1f NETGEAR X1 WAN 35.179.96.208 21345 ec2-35-179-96-208.eu-west-2.compute.amazonaws.com [my ip] 9899 tcp 46 General TCP NA TCP scanned port list, 89, 3389, 8999, 8789, 8384 Possible port scan detected
Amazon Web services states that their client is "Nokia Deepfield" who is engaged in mapping services on the internet!
In other words, they're collecting data so they can sell it to nefarious individuals and State-Sponsored actors.
show less
Examples:
03/01/2023 20:59:34 82 Security Services Attacks Port Scan Possible Standard Note String ...
show moreExamples:
03/01/2023 20:59:34 82 Security Services Attacks Port Scan Possible Standard Note String Alert 2048 84:8a:8d:33:10:22 CISCO SYSTEMS X1 WAN 00:09:5b:eb:73:1f NETGEAR X1 WAN 18.170.63.213 21345 ec2-18-170-63-213.eu-west-2.compute.amazonaws.com XX.XX.XX.XX 35193 tcp 46 General TCP NA TCP scanned port list, 50013, 10443, 8853, 888, 37443 Possible port scan detected
03/01/2023 21:15:17 82 Security Services Attacks Port Scan Possible Standard Note String Alert 2048 84:8a:8d:33:10:22 CISCO SYSTEMS X1 WAN 00:09:5b:eb:73:1f NETGEAR X1 WAN 35.179.96.208 21345 ec2-35-179-96-208.eu-west-2.compute.amazonaws.com 71.233.9.175 9899 tcp 46 General TCP NA TCP scanned port list, 89, 3389, 8999, 8789, 8384 Possible port scan detected
Amazon reports "Nokia Deepfield" is running an "Internet Mapping" project.
The question is, to whom do they sell their list of IP addresses and active ports?
I'll bet it's not someone selling Girl-Scout cookies!
show less
345 attempts:
Examples only:
Mar 5 10:37:14 [localhost] sshd[19402]: Invalid user yujitai from ...
show more345 attempts:
Examples only:
Mar 5 10:37:14 [localhost] sshd[19402]: Invalid user yujitai from 133.242.173.204 port 54896
Mar 5 10:39:15 [localhost] sshd[19442]: Invalid user zhy from 133.242.173.204 port 46618
Mar 5 10:40:15 [localhost] sshd[19467]: Invalid user admin from 133.242.173.204 port 48520
Mar 5 10:42:13 [localhost] sshd[19510]: Invalid user yfsong from 133.242.173.204 port 46942
Mar 5 10:44:11 [localhost] sshd[19551]: Invalid user ddd from 133.242.173.204 port 41796
Mar 5 10:47:09 [localhost] sshd[19613]: Invalid user fhc from 133.242.173.204 port 40736
Mar 5 10:49:06 [localhost] sshd[19652]: Invalid user py from 133.242.173.204 port 34718
Mar 5 10:50:07 [localhost] sshd[19679]: Invalid user puser from 133.242.173.204 port 36676
Mar 5 10:52:06 [localhost] sshd[19718]: Invalid user fjl from 133.242.173.204 port 59056
Mar 5 10:53:06 [localhost] sshd[19738]: Invalid user cui from 133.242.173.204 port 44084
show less
Looks like I was wrong.
They're STILL at it...
50 minutes apart... 60 more times since last report ...
show moreLooks like I was wrong.
They're STILL at it...
50 minutes apart... 60 more times since last report.
Each event checks different ports.
One example:
TCP scanned port list, 16870, 62665, 23229, 32681, 38232
show less
Over 900 "events" spread out in intervals of 15 minutes to about an hour.
Started 12/16 @07:50 appe ...
show moreOver 900 "events" spread out in intervals of 15 minutes to about an hour.
Started 12/16 @07:50 appears to have stopped 12/27 @ 12:44
Each "event" looks like it scans a different set of ports, with some port lists reoccurring.
SMALL sample of log snippets below.
TCP scanned port list, 56623, 7988, 45524, 23743, 34950
TCP scanned port list, 62613, 19705, 21014, 279, 49808
TCP scanned port list, 14497, 52460, 56057, 12860, 60016, 60804, 14734, 11, 15127, 17760
show less
WAY more entries than this....
Jul 19 12:22:48 [localhost] sshd[23991]: Did not receive identifi ...
show moreWAY more entries than this....
Jul 19 12:22:48 [localhost] sshd[23991]: Did not receive identification string from 134.122.13.169 port 58438
Jul 19 14:11:02 [localhost] sshd[26110]: Received disconnect from 134.122.13.169 port 53666:11: Bye Bye [preauth]
Jul 19 14:11:02 [localhost] sshd[26110]: Disconnected from 134.122.13.169 port 53666 [preauth]
Jul 19 14:16:07 [localhost] sshd[26206]: Received disconnect from 134.122.13.169 port 49282:11: Bye Bye [preauth]
Jul 19 14:16:07 [localhost] sshd[26206]: Disconnected from 134.122.13.169 port 49282 [preauth]
Jul 19 14:21:15 [localhost] sshd[26306]: Received disconnect from 134.122.13.169 port 44896:11: Bye Bye [preauth]
Jul 19 14:21:15 [localhost] sshd[26306]: Disconnected from 134.122.13.169 port 44896 [preauth]
Jul 19 14:26:22 [localhost] sshd[26401]: Received disconnect from 134.122.13.169 port 40520:11: Bye Bye [preauth]
Jul 19 14:26:22 [localhost] sshd[26401]: Disconnected from 134.122.13.169 port 40520 [preauth]
show less
Partial log:
Jul 19 19:54:07 [localhost] sshd[420]: Received disconnect from 134.122.13.169 port 44 ...
show morePartial log:
Jul 19 19:54:07 [localhost] sshd[420]: Received disconnect from 134.122.13.169 port 44794:11: Bye Bye [preauth]
Jul 19 19:54:07 [localhost] sshd[420]: Disconnected from 134.122.13.169 port 44794 [preauth]
Jul 19 20:00:23 [localhost] sshd[571]: Received disconnect from 134.122.13.169 port 40418:11: Bye Bye [preauth]
Jul 19 20:00:23 [localhost] sshd[571]: Disconnected from 134.122.13.169 port 40418 [preauth]
Jul 19 20:06:40 [localhost] sshd[736]: Received disconnect from 134.122.13.169 port 36034:11: Bye Bye [preauth]
Jul 19 20:06:40 [localhost] sshd[736]: Disconnected from 134.122.13.169 port 36034 [preauth]
Jul 19 20:12:58 [localhost] sshd[858]: Received disconnect from 134.122.13.169 port 59882:11: Bye Bye [preauth]
Jul 19 20:12:58 [localhost] sshd[858]: Disconnected from 134.122.13.169 port 59882 [preauth]
show less
Two days attempting to log into my SSH server.
Culprit obviously failed, but seems VERY persiste ...
show moreTwo days attempting to log into my SSH server.
Culprit obviously failed, but seems VERY persistent!
Here's an excerpt (a SHORT one) from the log file:
Jul 9 17:03:42 [localhost] sshd[4646]: Invalid user fatimac from 212.192.246.108 port 41650
Jul 9 17:03:42 [localhost] sshd[4648]: Invalid user henjjd from 212.192.246.108 port 43674
Jul 9 17:03:45 [localhost] sshd[4650]: Invalid user zabbix from 212.192.246.108 port 45680
Jul 9 17:03:46 [localhost] sshd[4652]: Invalid user jaiman from 212.192.246.108 port 47684
Jul 9 17:03:47 [localhost] sshd[4656]: Invalid user jeffrey from 212.192.246.108 port 49680
Jul 9 17:03:49 [localhost] sshd[4658]: Invalid user user from 212.192.246.108 port 51680
Jul 9 17:03:50 [localhost] sshd[4660]: Invalid user jsguo from 212.192.246.108 port 53678
Jul 9 17:03:52 [localhost] sshd[4662]: Invalid user tomm from 212.192.246.108 port 55678
Jul 9 17:03:53 [localhost] sshd[4664]: Invalid user renyc from 212.192.246.108 port 57678
show less
Continuous.
Takes a few hours off, then a dozen or so attempts.
Tries different ports for ssh logi ...
show moreContinuous.
Takes a few hours off, then a dozen or so attempts.
Tries different ports for ssh login.
show less