Attempted Break-ins Resumed

Marc

Hunkered Down for the Duration
Staff member
Admin
#1
Yesterday came another round of break-in attempts (all from the same person). Reported to the FBI:

elsmar.com login failures:
Sep 15 17:04:38 elsmar proftpd[24255]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:04:49 elsmar proftpd[24311]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:05:04 elsmar proftpd[24419]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:05:10 elsmar proftpd[24716]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:05:25 elsmar proftpd[24791]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:05:37 elsmar proftpd[24936]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:05:40 elsmar proftpd[24954]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:05:52 elsmar proftpd[25067]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:06:24 elsmar proftpd[25324]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:06:29 elsmar proftpd[25346]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:06:42 elsmar proftpd[25404]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:06:51 elsmar proftpd[25521]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:06:53 elsmar proftpd[25545]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:07:03 elsmar proftpd[25605]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:07:07 elsmar proftpd[25668]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:07:18 elsmar proftpd[25711]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:07:22 elsmar proftpd[25762]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:07:27 elsmar proftpd[25836]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:07:33 elsmar proftpd[25868]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:07:38 elsmar proftpd[25909]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:07:55 elsmar proftpd[26003]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:08:01 elsmar proftpd[26147]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.

-- End of security output --

Identified as:

domain: qsc.de
descr: QSC AG
descr: Mathias-Brueggen-Str. 55
descr: D-50829 Koeln
descr: Germany
nserver: ns01.qsc.de 213.148.129.11
nserver: ns02.qsc.de 213.148.130.11
status: connect
changed: 20030210 165502
source: DENIC

[admin-c]
Type: PERSON
Name: Christian Ebert
Address: QSC AG
Address: Mathias-Brueggen-Str. 55
City: Koeln
Pcode: 50829
Country: DE
Changed: 20020228 093428
Source: DENIC

[tech-c][zone-c]
Type: ROLE
Name: QSC Hostmaster
Address: QSC AG
Address: Mathias-Brueggen-Str. 55
City: Koeln
Pcode: 50829
Country: DE
Phone: +49 221 66 98 000
Fax: +49 221 66 98 009
Email: [email protected]
Changed: 20020228 094104
Source: DENIC
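
A way to summarise a daily log like the one quoted in this post, added here as an example and not part of the original post: it parses proftpd `Login failed` lines and flags any source address that reaches a threshold of failures inside a sliding time window. The host names, addresses (documentation ranges), threshold, window and `year` default are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the proftpd failure format quoted in the post above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\sproftpd\[\d+\]:\s\S+\s"
    r"\((?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]\)\s-\sUSER\s(?P<user>\S+)\s"
    r"\(Login failed\)"
)

def parse_failures(lines, year=2000):
    """Yield (timestamp, ip, user). Syslog omits the year, so `year` is assumed."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def find_bursts(lines, threshold=5, window=timedelta(minutes=2)):
    """Return {ip: summary} for sources with >= threshold failures in any window."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(lines):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = peak = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = {"total": len(events), "peak_in_window": peak,
                           "users": sorted({u for _, u in events}),
                           "first": events[0][0], "last": events[-1][0]}
    return flagged

# Constructed sample input: not the log from the post.
_FMT = ("Sep 15 {t} examplehost proftpd[{pid}]: example.test ({ip}[{ip}]) "
        "- USER {u} (Login failed): Incorrect password.")
_TIMES = ["17:04:38", "17:04:49", "17:05:04", "17:05:10", "17:05:25", "17:05:37"]
SAMPLE = [_FMT.format(t=t, pid=1000 + i, ip="192.0.2.10", u="www")
          for i, t in enumerate(_TIMES)]
SAMPLE.append(_FMT.format(t="17:06:00", pid=2000, ip="198.51.100.7", u="ftp"))
SAMPLE.append("Sep 15 17:06:05 examplehost cron[3000]: constructed unrelated line")

if __name__ == "__main__":
    print(find_bursts(SAMPLE))
```

A single failure from one address stays below the threshold, so only the repeated source is reported.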
 


Marc

Hunkered Down for the Duration
Staff member
Admin
#3
Trying to get root access to the server is NOT someone trying to log into the forums who forgot their password. Those attempts are logged separately.

Nope - the above is typical of someone attempting to get root access. It is an attempt to access the server as ROOT via telnet - not http.
 

Marc

Hunkered Down for the Duration
Staff member
Admin
#5
If it was ftp failures, I *think* (I'm still learning) it would read sftp-server rather than proftpd. As I understand it, this log (it's a daily log) only records failures of telnet login attempts.

tcsh and sshd are user telnet (unsecure) logins which cannot gain root access.
 
energy

#6
Schuhmachers AG für Finanzmarketing
Investor-Relations-Partner of QSC AG
[email protected]
Prinzregentenstraße 68
D-81675 Munich
Tel.: +49 (0) 89 - 48 92 72 -0
Fax: +49 (0) 89 - 48 92 72 -12

QSC AG
Investor Relations
[email protected]
Mathias-Brüggen-Straße 55
D-50829 Cologne
Tel.: +49 (0) 221 - 66 98 -1 12
Fax: +49 (0) 221 - 66 98 -0 09

This is the link to their website. The name in bold is the same as listed in Marc's report. Maybe they want to see how profitable the Cove is. :)
 

Marc

Hunkered Down for the Duration
Staff member
Admin
#7
Probably a script kiddie who routed him/herself through an open proxy on their network. But I don't know enough about cracking servers to spit at - I'm guessing.

Profitable - um, not. More on that later in another thread.
 
#8
Have a look at QSC AG....

I think it would be a good idea to have a look at QSC AG. Considering what they do for a living they ought to be able to take prompt action...

More info here: http://www.ripe.net/perl/whois?searchtext=QSC1-RIPE&form_type=simple . Even a request to report hacks...:

role: QSC Internet Services
address: QSC AG
address: Mathias-Brueggen-Str. 55
address: D-50829 Koeln
address: Germany
phone: +49 221 66 98 000
fax-no: +49 221 66 98 009
e-mail: [email protected]
remarks: ********************************************
remarks: QSC AG - Internet Services Department
remarks: To report SPAM/UCE/Portscans/Hacks please
remarks: contact [email protected].
remarks: For peering requests, BGP policy changes
remarks: etc. contact [email protected]. For
remarks: Routing issues [email protected]. Please
remarks: remove NOSPAM. from email address.
remarks: ********************************************
....


/Claes
 

Marc

Hunkered Down for the Duration
Staff member
Admin
#9
I e-mailed them the log file with routing info this morning advising them of the attempt, and there is an FBI link where I also reported it.

I'll check out the link you posted.
 