My server (it’s not the one this site is stored on by the way!) has been very, very busy this week being attacked by bots and crazed hackers from all over the world. One of the most persistent was from a Thailand IP address, the address was allocated from a Thai ISP and the reverse DNS is node-or5.pool-1-10.dynamic.totbb.net. The ISP responsible for this naughty Thai attacker is TOT Public Company Limited who are based in Bangkok.
It’s target was the EXIM service which is a message transfer agent, so our friend was looking for ways for relaying his Spam messages I would guess. I have the latest version of Exim which I think is 4.85, there were some security problems with earlier versions so make sure you’re up to date. At the very least make sure you’re running version 4.
The attack was automated and pretty dumb – consistently attacking the same service with the same username. Obviously this triggered an automatic IP address ban and it’s been added to CPhulk brute force protection. This is a service (available and configurable through WHM) which is designed to block Brute force attacks from troublesome IP addresses. This basically maintains two lists regarding logins to the server – a black list and a whitelist. When you add an IP address to the blacklist it won’t be able to ever logon to that server at all. This covers every service so it’s useful to automated penetration or hacking tools which try to brute force every service in turn. You have to be careful using it though as it’s perfectly possible to blacklist your own address, which I nearly did when I had a British IP address enabled through a VON which I didn;t recognise.
Quiet day today for hackers throughout the net who are desperate to get onto to my poor little web server. Nothing as interesting as Laos unfortunately but I’ve been having repeated attacks today from a single IP address in South Korea – 188.8.131.52, who have been targeting me today.
The IP address is registered with Korea Telecom who’s headquarters I think are in Seoul.
Incidentally, if you’re interested in North Korea and the lives people lead there, I can thoroughly recommend this book by Blaine Harden, a Newspaper reporter – Escape from Camp 14: One man’s remarkable odyssey from North Korea to freedom in the West. IT tells the tale of a North Korean who escaped from a prisoner camp in North Korea, it’s incredible stuff.
Anyway hopefully he hasn’t become a computer hacker based out of Seoul, but there are plenty of them there. My firewall logs are filled with these messages all directed at my server, from the South Korean IP address
This is not an actual hack attempt, but what’s called Port Scanning. Basically using tools (or by hand if you’re hard core!) you scan the target computer looking for options to attack. So the scanner will look for things like an FTP server running on port 21, or perhaps for the existent of a vulnerable server like Telnet which actually passes logon credentials in clear text. It could be thousands of other things though, some commercial scanners will look for all sorts of opportunities from an Operating System which is not patched properly or some vulnerable service.
It’s quite an amateur attempt immediately picked up by my firewall and IDS system, although to be fair he hasn’t triggered an automatic permanent block on my firewall, just temporary bans. The best scanners work very slowly, checking each port and service slowly so not to trigger defenses. Anyway doesn’t matter much to me, as I’m going to block him manually. Bye 184.108.40.206.
Posted – 24-10-14
Well it’s an interesting set of IP addresses in my logs today, so here’s the most interesting one.. Remember though, the majority of these IP addresses will be allocated automatically through ISPs and as such will change frequently, so don’t go and try and hack them back! In fact it’s just as likely that the originator of the attack could very well be in a completely different country anyway using the address as a proxy or similar.
We start off with the IP address – 220.127.116.11 which is assigned by the Lao Telecom Company – here they are –
They are based in the country of Laos, which a country in South East Asia officially known as Lao People’s Democratic Republic. It is a land locked country right next to Burma, Thailand and China. Appears to be very poor place, with a third of the people there living under the International poverty line.
What were they trying to do, to my poor besieged web server? Well they were trying to brute force their way into my mail server, which suggests that they were spammers wanting to flood their emails through my system.
The address is now blocked from my system, but I learnt a little about a country I wasn’t too familiar with!! They’re looks like there are some stunning temples and ruins there, definitely worth a visit.
This page is getting a lot of visits from people looking for information on Laos, so I thought I add a link to the Laos Tourism Information Site. Really want to go there now, perhaps I can go and catch my hacker! I should add that the same attacker targeted several of my servers, but seemed to have distinct preference for US based ones, I’m guess he’s read some tutorial about how to get an American IP address, perhaps in order to get a HBO or Hulu account.