Nov 25 07:00:30 pan sshd[70876]: error: PAM: authentication error for illegal user cal from mvx-200-196-50-26.mundivox.com
Nov 25 07:00:30 pan sshd[70875]: error: PAM: authentication error for illegal user cal from mvx-200-196-50-26.mundivox.com
Nov 25 07:00:32 pan sshd[70881]: error: PAM: authentication error for illegal user cal from mvx-200-196-50-26.mundivox.com
Nov 25 07:02:03 pan sshd[70885]: error: PAM: authentication error for illegal user cal from 190.34.164.139
Nov 25 07:02:06 pan sshd[70888]: error: PAM: authentication error for illegal user cal from 190.34.164.139
Nov 25 07:02:06 pan sshd[70889]: error: PAM: authentication error for illegal user cal from 190.34.164.139
Nov 25 07:03:35 pan sshd[70895]: error: PAM: authentication error for illegal user cal from 190.34.148.178
Nov 25 07:03:35 pan sshd[70896]: error: PAM: authentication error for illegal user cal from 190.34.148.178
Nov 25 07:03:35 pan sshd[70899]: error: PAM: authentication error for illegal user cal from 190.34.148.178
Nov 25 07:05:09 pan sshd[70904]: error: PAM: authentication error for illegal user cala from 200.62.142.212
Nov 25 07:05:09 pan sshd[70905]: error: PAM: authentication error for illegal user cala from 200.62.142.212
Nov 25 07:05:09 pan sshd[70906]: error: PAM: authentication error for illegal user cala from 200.62.142.212
Nov 25 07:06:50 pan sshd[70918]: error: PAM: authentication error for illegal user cala from adsl-75-24-138-85.dsl.chcgil.sbcglobal.net
Nov 25 07:08:21 pan sshd[70921]: error: PAM: authentication error for illegal user cala from 83.228.92.228
Nov 25 07:08:21 pan sshd[70923]: error: PAM: authentication error for illegal user cala from 83.228.92.228
Nov 25 07:08:22 pan sshd[70922]: error: PAM: authentication error for illegal user cala from 83.228.92.228
Nov 25 07:09:50 pan sshd[70932]: error: PAM: authentication error for illegal user calais from 64.149.146.242
Nov 25 07:09:50 pan sshd[70931]: error: PAM: authentication error for illegal user calais from 64.149.146.242
Nov 25 07:09:51 pan sshd[70930]: error: PAM: authentication error for illegal user calais from 64.149.146.242
Nov 25 07:11:24 pan sshd[70944]: error: PAM: authentication error for illegal user calais from 75.145.16.83
Nov 25 07:11:24 pan sshd[70945]: error: PAM: authentication error for illegal user calais from 75.145.16.83
Nov 25 07:11:24 pan sshd[70948]: error: PAM: authentication error for illegal user calais from 75.145.16.83
It looks like a distributed break-in attempt from a lot of hacked machines, using a simple pattern that is immediately visible from the above log extract: each host tries one username three times, then a different host moves on to the next name in alphabetical order.
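As an added example (not the post's own cut and sort pipeline), the following Python parses lines of the shape shown above, lists the distinct attacking hosts the way the author's cut and sort step does, and flags usernames probed from several hosts. The sample lines and their host names are constructed; the post's real hosts are not used.

```python
import re
from collections import defaultdict

# Shape of the OpenSSH/PAM lines in the post's extract (BSD-style syslog).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: error: PAM: "
    r"authentication error for illegal user (?P<user>\S+) from (?P<src>\S+)$"
)

# Constructed sample in the same format; hosts are documentation names, not the post's.
SAMPLE_LOG = """\
Nov 25 07:00:30 pan sshd[70876]: error: PAM: authentication error for illegal user cal from host-a.example.net
Nov 25 07:00:30 pan sshd[70875]: error: PAM: authentication error for illegal user cal from host-a.example.net
Nov 25 07:00:32 pan sshd[70881]: error: PAM: authentication error for illegal user cal from host-a.example.net
Nov 25 07:02:03 pan sshd[70885]: error: PAM: authentication error for illegal user cal from 192.0.2.10
Nov 25 07:02:06 pan sshd[70888]: error: PAM: authentication error for illegal user cal from 192.0.2.10
Nov 25 07:02:06 pan sshd[70889]: error: PAM: authentication error for illegal user cal from 192.0.2.10
Nov 25 07:05:09 pan sshd[70904]: error: PAM: authentication error for illegal user cala from 198.51.100.7
Nov 25 07:05:09 pan sshd[70905]: error: PAM: authentication error for illegal user cala from 198.51.100.7
Nov 25 07:05:09 pan sshd[70906]: error: PAM: authentication error for illegal user cala from 198.51.100.7
Nov 25 07:06:50 pan sshd[70918]: error: PAM: authentication error for illegal user cala from host-b.example.net
Nov 25 07:09:50 pan sshd[70932]: error: PAM: authentication error for illegal user calais from 203.0.113.5
"""


def parse(text):
    """Return (timestamp, user, source) for every sshd/PAM line that matches."""
    return [m.group("ts", "user", "src")
            for m in (LINE_RE.match(line) for line in text.splitlines()) if m]


def unique_sources(events):
    """The post's 'cut | sort -u' step: every distinct attacking host."""
    return sorted({src for _, _, src in events})


def distributed_users(events, min_sources=2):
    """Usernames probed from at least min_sources distinct hosts. Each host makes
    only a handful of attempts and stays under per-source lockout thresholds, so
    the fan-out per username is the signal that exposes the coordinated campaign."""
    by_user = defaultdict(set)
    for _, user, src in events:
        by_user[user].add(src)
    return {u: sorted(s) for u, s in by_user.items() if len(s) >= min_sources}


def attempts_per_source(events):
    """How hard each host tries: the campaign's signature is few attempts each."""
    counts = defaultdict(int)
    for _, _, src in events:
        counts[src] += 1
    return dict(counts)
```

Run against a real auth log, the per-username fan-out is the number worth alerting on, since per-host counters alone never see more than a few failures from any one source.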
For the pleasure of those interested, I have filtered out the hosts involved, using cut and sort. They are:
PLEASE, NOTE, ALL THE ABOVE SYSTEMS ARE (OR WERE RECENTLY) COMPROMISED
As you can see, it is from all over the world. ISPs who find their name, or one of their IPs in the above list, might consider taking action. And I do not mean sending me nasty emails. If I find time I will complete the list once more in the coming days. The attackers have now nearly reached P. I guess they will continue until they reach the end of the list of names, which they may very well have found on Yahoo (scroll down a bit to see it).
The above list of hosts contains all those attacking my machine until December 1. Since then very few new hosts can be added to the list. These are:
294 hosts in the long list above have ceased operation. Not necessarily altogether, though I cannot exclude that the people behind this cracking scheme deleted the contents of 294 hard disks or ignited 294 CPUs. In any case, these 294 hosts are no longer in my logs. I guess they have been taken out of the scheme in some way or other. Perhaps thanks to a virus/malware scanner?
In the meantime I have (or I should say: I had) proof that I am not the only poor soul who is under attack. I got an email some weeks back from someone who had the same stuff in his logs. But I lost the email. Really.
Last updated December 22, 2008.
©2008: Marc Schneiders.