Attempted Break-ins Resumed

Marc

Yesterday came another round of break-in attempts (all from the same person). Reported to the FBI:

elsmar.com login failures:
Sep 15 17:04:38 elsmar proftpd[24255]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:04:49 elsmar proftpd[24311]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:05:04 elsmar proftpd[24419]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:05:10 elsmar proftpd[24716]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:05:25 elsmar proftpd[24791]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:05:37 elsmar proftpd[24936]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:05:40 elsmar proftpd[24954]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:05:52 elsmar proftpd[25067]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:06:24 elsmar proftpd[25324]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:06:29 elsmar proftpd[25346]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:06:42 elsmar proftpd[25404]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:06:51 elsmar proftpd[25521]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:06:53 elsmar proftpd[25545]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:07:03 elsmar proftpd[25605]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:07:07 elsmar proftpd[25668]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:07:18 elsmar proftpd[25711]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:07:22 elsmar proftpd[25762]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:07:27 elsmar proftpd[25836]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:07:33 elsmar proftpd[25868]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:07:38 elsmar proftpd[25909]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:07:55 elsmar proftpd[26003]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:08:01 elsmar proftpd[26147]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.

-- End of security output --

Identified as:

domain: qsc.de
descr: QSC AG
descr: Mathias-Brueggen-Str. 55
descr: D-50829 Koeln
descr: Germany
nserver: ns01.qsc.de 213.148.129.11
nserver: ns02.qsc.de 213.148.130.11
status: connect
changed: 20030210 165502
source: DENIC

[admin-c]
Type: PERSON
Name: Christian Ebert
Address: QSC AG
Address: Mathias-Brueggen-Str. 55
City: Koeln
Pcode: 50829
Country: DE
Changed: 20020228 093428
Source: DENIC

[tech-c][zone-c]
Type: ROLE
Name: QSC Hostmaster
Address: QSC AG
Address: Mathias-Brueggen-Str. 55
City: Koeln
Pcode: 50829
Country: DE
Phone: +49 221 66 98 000
Fax: +49 221 66 98 009
Email: [email protected]
Changed: 20020228 094104
Source: DENIC
 

Attachments

  • 20030916-break-ina.jpg

Atul Khandekar

Could this be someone who's forgotten his/her correct password and trying different variations???
 

Marc

Trying to get root access to the server is NOT someone trying to log into the forums who forgot their password. Those attempts are logged separately.

Nope - the above is typical of someone attempting to get root access. It is an attempt to access the server as ROOT via telnet - not http.
 

Atul Khandekar

Right. (I must be dreaming...) User www and it looks like FTP login attempt!
 

Marc

If it was ftp failures, I *think* (I'm still learning) it would read sftp-server rather than proftpd. As I understand it, this log (it's a daily log) only records failures of telnet login attempts.

tcsh and sshd are user telnet (insecure) logins which cannot gain root access.
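As an added example (not code from the thread or from elsmar.com), here is a small detector that reads syslog lines of the kind Marc posted above, keeps only the proftpd "Login failed" events, and flags any source address and user name that accumulate a burst of failures inside a time window. It also records which service the syslog program name belongs to, since that field is what the later exchange about proftpd versus sshd turns on. The sample lines are constructed: the first five are copied from the thread, the last two (a failure from 198.51.100.7 and an sshd line) are made up so the parser has something to skip. The year is assumed to be 2003, because syslog timestamps carry no year; the program-to-service mapping and the threshold of five failures in five minutes are assumptions you would tune for your own host.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: five proftpd lines from the thread, one made-up
# single failure from another address, and one made-up sshd success line.
SAMPLE_LOG = """\
Sep 15 17:04:38 elsmar proftpd[24255]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:04:49 elsmar proftpd[24311]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:05:04 elsmar proftpd[24419]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:05:10 elsmar proftpd[24716]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:05:25 elsmar proftpd[24791]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:30:00 elsmar proftpd[26500]: elsmar.com (198.51.100.7[198.51.100.7]) - USER anonymous (Login failed): Incorrect password.
Sep 15 17:31:12 elsmar sshd[26600]: Accepted publickey for marc from 198.51.100.9 port 51234 ssh2
"""

# Generic BSD syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# proftpd failure body: "(rhost[ip]) - USER name (Login failed): reason".
PROFTPD_FAIL_RE = re.compile(
    r"\((?P<rhost>[^\[]*)\[(?P<ip>[^\]]+)\]\) - USER (?P<user>\S+) "
    r"\(Login failed\): (?P<reason>.*)$"
)

# Assumed mapping from syslog program name to the service it fronts.
SERVICE_BY_PROG = {"proftpd": "ftp", "sshd": "ssh"}


def parse_failure(line, year=2003):
    """Return a dict for a proftpd 'Login failed' line, or None for anything else.

    `year` is assumed because syslog lines carry none."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("prog") != "proftpd":
        return None
    f = PROFTPD_FAIL_RE.search(m.group("msg"))
    if not f:
        return None
    ts = datetime.strptime(
        f"{year} {m.group('mon')} {m.group('day')} {m.group('time')}",
        "%Y %b %d %H:%M:%S",
    )
    return {
        "ts": ts,
        "ip": f.group("ip"),
        "user": f.group("user"),
        "service": SERVICE_BY_PROG.get(m.group("prog"), m.group("prog")),
        "reason": f.group("reason"),
    }


def find_bursts(lines, threshold=5, window_seconds=300, year=2003):
    """Group failures by (ip, user) and report every pair that reaches
    `threshold` failures inside some window of `window_seconds`.

    Returns a list of alert dicts ordered by ip then user."""
    by_key = defaultdict(list)
    for line in lines:
        ev = parse_failure(line, year)
        if ev:
            by_key[(ev["ip"], ev["user"])].append(ev["ts"])

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (ip, user), stamps in sorted(by_key.items()):
        stamps.sort()
        # Two-pointer sliding window: `start` trails `end` so that the
        # timestamps in stamps[start:end+1] always fit inside `window`.
        start, best, best_span = 0, 0, None
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best, best_span = count, (stamps[start], stamps[end])
        if best >= threshold:
            alerts.append({
                "ip": ip, "user": user, "failures": best,
                "first": best_span[0], "last": best_span[1],
                "total": len(stamps),
            })
    return alerts


if __name__ == "__main__":
    for a in find_bursts(SAMPLE_LOG.splitlines()):
        print(f"{a['ip']} user={a['user']}: {a['failures']} failures "
              f"between {a['first'].time()} and {a['last'].time()} "
              f"({a['total']} total)")
```

Run against the sample, the detector reports one burst: 212.202.36.38 against user `www`, five failures between 17:04:38 and 17:05:25. The single failure from the constructed second address stays below the threshold, and the sshd line is ignored because its program name is not proftpd. Pointing the same function at the full daily log would simply read the file's lines instead of `SAMPLE_LOG`.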
 

energy

Schuhmachers AG für Finanzmarketing
Investor-Relations-Partner of QSC AG
[email protected]
Prinzregentenstraße 68
D-81675 Munich
Tel.: +49 (0) 89 - 48 92 72 -0
Fax: +49 (0) 89 - 48 92 72 -12

QSC AG
Investor Relations
[email protected]
Mathias-Brüggen-Straße 55
D-50829 Cologne
Tel.: +49 (0) 221 - 66 98 -1 12
Fax: +49 (0) 221 - 66 98 -0 09

This is the link to their website. The name in bold is the same as listed in Marc's report. Maybe they want to see how profitable the Cove is. :)
 

Marc

Probably a script kiddy who routed him/herself through an open proxy on their network. But I don't know enough about cracking servers to spit at - I'm guessing.

Profitable - um, not. More on that later in another thread.
 
Have a look at QSC AG....

I think it would be a good idea to have a look at QSC AG. Considering what they do for a living they ought to be able to take prompt action...

More info here: http://www.ripe.net/perl/whois?searchtext=QSC1-RIPE&form_type=simple . Even a request to report hacks...:

role: QSC Internet Services
address: QSC AG
address: Mathias-Brueggen-Str. 55
address: D-50829 Koeln
address: Germany
phone: +49 221 66 98 000
fax-no: +49 221 66 98 009
e-mail: [email protected]
remarks: ********************************************
remarks: QSC AG - Internet Services Department
remarks: To report SPAM/UCE/Portscans/Hacks please
remarks: contact [email protected].
remarks: For peering requests, BGP policy changes
remarks: etc. contact [email protected]. For
remarks: Routing issues [email protected]. Please
remarks: remove NOSPAM. from email address.
remarks: ********************************************
....


/Claes
 

Marc

I e-mailed them the log file with routing info this morning advising them of the attempt, and there is an FBI link where I also reported it.

I'll check out the link you posted.
 