Mass hacking attempts from Hawaii

SilverNodashi

Expert Member
Joined
Oct 12, 2007
Messages
3,340
Reaction score
48
Location
Johannesburg, South Africa
Hi,

I just thought I'd let you know that someone from Hawaii has tried to hack into every single server we have visible on the internet. Although the firewalls have blocked their hacking attempts, I thought I'd just warn others who may not have any, or any decent firewalling in place.

I don't speak Polynesian / Hawaiian and can't figure out how to contact, on a network level, in Hawaii to take care of this.

Our logs are filled with entries like this:
Jul 6 09:53:37 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<linette>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.183
Jul 6 09:53:39 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<liberty>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.184
Jul 6 09:53:39 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<lilac>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.185
Jul 6 09:53:39 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<libba>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.172
Jul 6 09:53:40 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<linh>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.183
Jul 6 09:53:42 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<libby>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.172
Jul 6 09:53:42 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<lida>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.184
Jul 6 09:53:42 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<lilah>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.185
Jul 6 09:53:43 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<linnea>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.183
Jul 6 09:53:45 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<lilia>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.185
Jul 6 09:53:45 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<liberty>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.172
Jul 6 09:53:45 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<lidia>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.184
Jul 6 09:53:46 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<linsey>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.183
Jul 6 09:53:48 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<lilith>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.185
Jul 6 09:53:48 mercury dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<lien>, method=PLAIN, rip=66.135.244.207, lip=x.x.x.184

He changes the username and IP on the server every time, and as soon as he's blocked, he moves on to another server and tries another set of usernames.


P.S. If anyone knows who to contact in Hawaii to report this, please let me know.
 
IP: 66.135.244.207
Host: hawaiioption.com

went there and it was in gibberish.... at the bottom of the page they said ownership is in JTB Hawaii Travel.

hopefully you can get them to forward a mail to their ISP or place you in contact with them on this email address

[email protected]

hope it helps!!
 

I sent them an email already but got no response. So either this person is the hacker, or they don't know English. Or something....
 
I would think it's very unlikely to be from Hawaii, they're probably just using a server there as a relay.

Good luck though :)
 
NetRange: 66.135.224.0 - 66.135.255.255
CIDR: 66.135.224.0/19
OriginAS:
NetName: SYSMETRICS-BLK-1
NetHandle: NET-66-135-224-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2001-07-13
Updated: 2012-03-02
Ref: http://whois.arin.net/rest/net/NET-66-135-224-0-1


OrgAbuseHandle: EF228-ARIN
OrgAbuseName: Ford, Earl
OrgAbusePhone: +1-808-791-7000
OrgAbuseEmail: [email protected]
OrgAbuseRef: http://whois.arin.net/rest/poc/EF228-ARIN
 
We've also been seeing a high number of hacking attempts recently. Our server just bans them after 5 attempts, but at least 2 - 5 IPs per day.
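The per-source counting that a "ban after 5 attempts" rule needs, as an added example (not code from anyone in this thread): it parses dovecot pop3-login failure lines in the format quoted above and totals failures per remote IP across all local addresses, so a source that rotates usernames and target servers still crosses the threshold. The addresses, usernames and the assumed log year are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Dovecot pop3-login auth-failure line in the format quoted in this thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: pop3-login: "
    r"Disconnected \(auth failed, (?P<n>\d+) attempts\): user=<(?P<user>[^>]*)>, "
    r"method=\w+, rip=(?P<rip>[\d.]+), lip=(?P<lip>[\d.]+)"
)

def parse_line(line, year=2012):
    """Parse one failure line or return None (syslog stamps carry no year; one is assumed)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "attempts": int(m["n"]), "user": m["user"], "rip": m["rip"], "lip": m["lip"]}

def find_offenders(lines, threshold=5, window_seconds=600):
    """Count failures per remote IP across ALL local addresses (lip), not per server, so
    rotating usernames or targets does not reset the count; returns flagged sources."""
    by_rip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_rip[ev["rip"]].append(ev)
    offenders = {}
    for rip, evs in by_rip.items():
        evs.sort(key=lambda e: e["ts"])
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        failures = sum(e["attempts"] for e in evs)
        if failures >= threshold and span <= window_seconds:
            offenders[rip] = {"failures": failures,
                              "users": len({e["user"] for e in evs}),
                              "targets": len({e["lip"] for e in evs})}
    return offenders

def _line(t, user, rip, lip):  # builds a constructed sample line (documentation-range IPs)
    return (f"Jul 6 {t} mercury dovecot: pop3-login: Disconnected (auth failed, "
            f"1 attempts): user=<{user}>, method=PLAIN, rip={rip}, lip={lip}")
SAMPLE_LOG = [  # one source spraying five names over four local addresses ...
    _line("09:53:37", "linette", "192.0.2.10", "198.51.100.183"),
    _line("09:53:39", "liberty", "192.0.2.10", "198.51.100.184"),
    _line("09:53:39", "lilac", "192.0.2.10", "198.51.100.185"),
    _line("09:53:39", "libba", "192.0.2.10", "198.51.100.172"),
    _line("09:53:40", "linh", "192.0.2.10", "198.51.100.183"),
    _line("09:55:01", "alice", "203.0.113.7", "198.51.100.183"),  # ... one stray typo elsewhere
    "Jul 6 09:55:02 mercury dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=203.0.113.8, lip=198.51.100.183",  # success: ignored
]
```

Feeding the real log through this instead of a per-server counter is what stops the "move on to the next server" trick from keeping each host under its own threshold.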
 
These kinds of automated password-guessing attempts are normal for web servers, and they happen every day. As ghoti said, if you need to report it then just use the WHOIS data available for the IP address involved.
 