
Mass hacking attempts from Hawaii



SoftDux-Rudi
06-07-2012, 10:22 AM
Hi,

I just thought I'd let you know that someone from Hawaii has tried to hack into every single server we have visible on the internet. Although the firewalls have blocked their hacking attempts, I thought I'd just warn others who may not have any, or any decent firewalling in place.

I don't speak Polynesian / Hawaiian and can't figure out whom to contact, on a network level, in Hawaii to take care of this.

Our logs are filled with entries like this:

Jul 6 09:53:37 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<linette>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.183
Jul 6 09:53:39 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<liberty>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.184
Jul 6 09:53:39 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<lilac>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.185
Jul 6 09:53:39 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<libba>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.172
Jul 6 09:53:40 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<linh>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.183
Jul 6 09:53:42 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<libby>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.172
Jul 6 09:53:42 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<lida>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.184
Jul 6 09:53:42 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<lilah>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.185
Jul 6 09:53:43 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<linnea>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.183
Jul 6 09:53:45 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<lilia>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.185
Jul 6 09:53:45 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<liberty>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.172
Jul 6 09:53:45 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<lidia>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.184
Jul 6 09:53:46 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<linsey>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.183
Jul 6 09:53:48 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<lilith>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.185
Jul 6 09:53:48 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<lien>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.184

He changes the username, and IP on the server every time, and as soon as he's blocked, he moves on to another server and tries another set of usernames.


P.S. If anyone knows who to contact in Hawaii to report this, please let me know.

praetor360
06-07-2012, 10:34 AM
IP: 66.135.244.207
Host: hawaiioption.com

went there and it was in gibberese.... at bottom of page they said ownership is in jtb hawaii travel.

hopefully you can get them to forward a mail to their ISP or place you in contact with them on this email address

information@jtb-hawaii.com

hope it helps!!

SoftDux-Rudi
06-07-2012, 10:51 AM
IP: 66.135.244.207
Host: hawaiioption.com

went there and it was in gibberese.... at bottom of page they said ownership is in jtb hawaii travel.

hopefully you can get them to forward a mail to their ISP or place you in contact with them on this email address

information@jtb-hawaii.com

hope it helps!!

I sent them an email already but got no response. So either this person is the hacker, or they don't know English. Or something....

Azgard
06-07-2012, 11:00 AM
I would think it's very unlikely to be from Hawaii, they're probably just using a server there as a relay.

Good luck though :)

SoftDux-Rudi
06-07-2012, 11:07 AM
I would think it's very unlikely to be from Hawaii, they're probably just using a server there as a relay.

Good luck though :)
Yes, I think that might be the case as well but simply don't (yet) know who to contact, who can actually do something about it.

The_Librarian
06-07-2012, 11:17 AM
Added that IP to smoothwall.

Should keep him out :twisted:

ghoti
06-07-2012, 11:18 AM
NetRange: 66.135.224.0 - 66.135.255.255
CIDR: 66.135.224.0/19
OriginAS:
NetName: SYSMETRICS-BLK-1
NetHandle: NET-66-135-224-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2001-07-13
Updated: 2012-03-02
Ref: http://whois.arin.net/rest/net/NET-66-135-224-0-1


OrgAbuseHandle: EF228-ARIN
OrgAbuseName: Ford, Earl
OrgAbusePhone: +1-808-791-7000
OrgAbuseEmail: systems@systemmetrics.com
OrgAbuseRef: http://whois.arin.net/rest/poc/EF228-ARIN

Wyzak
06-07-2012, 12:03 PM
We've also been seeing a high number of hacking attempts recently. Our server just bans them after 5 attempts, but at least 2 - 5 IPs per day.
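As an added example (not code from anyone in this thread), a small Python script that parses Dovecot pop3-login failure lines in the shape Rudi quoted, counts failures per remote IP, applies the ban-after-5 rule Wyzak mentions, and flags the pattern Rudi describes (a fresh username on every attempt, spread across several local addresses). The sample log is constructed: five lines from the thread plus one unrelated single failure from 192.0.2.10.

```python
import re
from collections import defaultdict

# Dovecot *-login auth-failure line in the shape quoted in the thread (lip may be redacted).
LOG_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ dovecot: \w+-login: "
    r"Disconnected \(auth failed, (?P<n>\d+) attempts\): user=<(?P<user>[^>]*)>, "
    r"method=\w+, rip=(?P<rip>[\d.]+), lip=(?P<lip>[^\s,]+)"
)

# Constructed sample: five lines copied from the thread's log plus one unrelated single failure.
SAMPLE_LOG = """\
Jul 6 09:53:37 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<linette>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.183
Jul 6 09:53:39 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<liberty>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.184
Jul 6 09:53:39 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<lilac>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.185
Jul 6 09:53:39 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<libba>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.172
Jul 6 09:53:40 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<linh>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.183
Jul 6 09:53:41 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=192.0.2.10, lip=x.x.x.183
"""

def parse_failures(text):
    """Yield (rip, user, lip, attempts) for every matching line; non-matching lines are ignored."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["rip"], m["user"], m["lip"], int(m["n"])

def summarize(text):
    """Per remote IP: total failed attempts, distinct usernames tried, distinct local IPs hit."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "targets": set()})
    for rip, user, lip, n in parse_failures(text):
        stats[rip]["failures"] += n
        stats[rip]["users"].add(user)
        stats[rip]["targets"].add(lip)
    return dict(stats)

def ban_candidates(text, threshold=5):
    """Remote IPs whose failures reached `threshold` (the ban-after-5 rule from the thread)."""
    return sorted(rip for rip, s in summarize(text).items() if s["failures"] >= threshold)

def spraying_sources(text):
    """Remote IPs that never reuse a username and hit more than one local address: the pattern
    the original poster describes, which a per-user lockout alone would never trigger on."""
    return sorted(rip for rip, s in summarize(text).items()
                  if s["failures"] > 1 and len(s["users"]) == s["failures"] and len(s["targets"]) > 1)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("ban:", ban_candidates(SAMPLE_LOG), "spraying:", spraying_sources(SAMPLE_LOG))
```

Because the counting is keyed on the remote IP rather than the username, a source that rotates usernames and targets still accumulates towards the ban threshold.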

RSkeens
06-07-2012, 02:00 PM
This kind of automated password-guessing attempt is normal for web servers and it happens every day. As ghoti said, if you need to report it then just use the WHOIS data available for the IP address involved.