less /var/log/kern.log
...
Jan 15 11:47:54 dwaves kernel: [166700.063394] UDP: bad checksum. From 116.224.66.209:53 to 78.47.157.226:14402 ulen 108

whois 116.224.66.209
inetnum:        116.224.0.0 - 116.239.255.255
netname:        CHINANET-SH
descr:          CHINANET Shanghai province network
descr:          China Telecom
descr:          No.31,jingrong street
descr:          Beijing 100032

fuck those CHINESE (!) spammers… trying to brute-force their way into my mail server:

/var/log# less dovecot.log
...
Dec 30 03:54:55 auth: Info: passwd-file(adolfo,118.123.243.13): no passwd file: /etc/exim4/domains//passwd
Dec 30 03:55:20 auth: Info: passwd-file(bertha,118.123.243.13): no passwd file: /etc/exim4/domains//passwd
Dec 30 03:55:45 auth: Info: passwd-file(control,118.123.243.13): no passwd file: /etc/exim4/domains//passwd
Dec 30 03:56:10 auth: Info: passwd-file(ftp,118.123.243.13): no passwd file: /etc/exim4/domains//passwd
Dec 30 03:56:35 auth: Info: passwd-file(admin,118.123.243.13): no passwd file: /etc/exim4/domains//passwd
Dec 30 03:57:00 auth: Info: passwd-file(vanessa,118.123.243.13): no passwd file: /etc/exim4/domains//passwd
Dec 30 03:57:25 auth: Info: passwd-file(admin,118.123.243.13): no passwd file: /etc/exim4/domains//passwd
Dec 30 03:57:50 auth: Info: passwd-file(sophie,118.123.243.13): no passwd file: /etc/exim4/domains//passwd
Dec 30 03:58:15 auth: Info: passwd-file(agent,118.123.243.13): no passwd file: /etc/exim4/domains//passwd
Dec 30 03:58:40 auth: Info: passwd-file(webmaster,118.123.243.13): no passwd file: /etc/exim4/domains//passwd
Dec 30 03:59:05 auth: Info: passwd-file(cs,118.123.243.13): no passwd file: /etc/exim4/domains//passwd
Dec 30 03:59:30 auth: Info: passwd-file(postgres,118.123.243.13): no passwd file: /etc/exim4/domains//passwd
Dec 30 03:59:54 auth: Info: passwd-file(alexandre,118.123.243.13): no passwd file: /etc/exim4/domains//passwd
Dec 30 04:00:19 auth: Info: passwd-file(webmail,118.123.243.13): no passwd file: /etc/exim4/domains//passwd
Dec 30 04:00:44 auth: Info: passwd-file(admin,118.123.243.13): no passwd file: /etc/exim4/domains//passwd
Dec 30 04:01:09 auth: Info: passwd-file(test,118.123.243.13): no passwd file: /etc/exim4/domains//passwd
Dec 30 04:01:33 auth: Info: passwd-file(test,118.123.243.13): no passwd file: /etc/exim4/domains//passwd
Dec 30 04:01:58 auth: Info: passwd-file(lee,118.123.243.13): no passwd file: /etc/exim4/domains//passwd
Dec 30 04:02:23 auth: Info: passwd-file(carrington,118.123.243.13): no passwd file: /etc/exim4/domains//passwd
Dec 30 04:02:48 auth: Info: passwd-file(apache,118.123.243.13): no passwd file: /etc/exim4/domains//passwd
Dec 30 04:03:12 auth: Info: passwd-file(cathrin,118.123.243.13): no passwd file: /etc/exim4/domains//passwd
Dec 30 04:03:37 auth: Info: passwd-file(testmail,118.123.243.13): no passwd file: /etc/exim4/domains//passwd
Dec 30 04:04:02 auth: Info: passwd-file(testmail,118.123.243.13): no passwd file: /etc/exim4/domains//passwd
Dec 30 04:04:27 auth: Info: passwd-file(cricket,118.123.243.13): no passwd file: /etc/exim4/domains//passwd
Dec 30 04:04:51 auth: Info: passwd-file(install,118.123.243.13): no passwd file: /etc/exim4/domains//passwd

whois 118.123.243.13

# CHINA AGAIN.
role:           CHINANET SICHUAN
address:        No.72,Wen Miao Qian Str Chengdu SiChuan PR China
country:        CN
phone:          +86-28-86190657
fax-no:         +86-25-86190641
e-mail:         scipadmin2013@189.cn
remarks:        send anti-spam reports to scipadmin2013@189.cn

this time from Italy with love: SSH brute-force attacks:

/var/log# less auth.log
...
Jan  4 06:26:51 dwaves sshd[27945]: reverse mapping checking getaddrinfo for joker.wwsi [212.141.54.155] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan  4 06:26:51 dwaves sshd[27945]: Invalid user oracle from 212.141.54.155
Jan  4 06:26:51 dwaves sshd[27945]: input_userauth_request: invalid user oracle [preauth]
Jan  4 06:26:51 dwaves sshd[27945]: Received disconnect from 212.141.54.155: 11: Bye Bye [preauth]
Jan  4 06:26:51 dwaves sshd[27947]: reverse mapping checking getaddrinfo for joker.wwsi [212.141.54.155] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan  4 06:26:51 dwaves sshd[27947]: Invalid user pi from 212.141.54.155

whois 212.141.54.155

inetnum:        212.141.54.0 - 212.141.54.255
netname:        WIND
descr:          WIND-IT-CSI2
descr:          Wind Telecomunicazioni SpA
country:        IT
admin-c:        GT1655-RIPE
tech-c:         GT1655-RIPE
status:         ASSIGNED PA
mnt-by:         WIND-MNT
source:         RIPE # Filtered

person:         Gaspare Tripi
address:        Wind Telecomunicazioni SpA
address:        Information Technology Dept.
address:        Via C. Veneziani 56
address:        I-00148 Roma (RM)
address:        Italy
phone:          +39 06 83115252
fax-no:         +39 06 83115252
nic-hdl:        GT1655-RIPE
source:         RIPE # Filtered
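One way to turn log excerpts like the ones above into a per-source summary before reaching for whois, as an added example that is not part of the original post: it pulls the source IP out of sshd "Invalid user" lines and dovecot "passwd-file(user,ip)" lines, counts attempts per IP and flags the ones over a threshold. The sample lines are constructed from the formats shown above; 203.0.113.7 is a documentation address, not a real attacker.

```shell
#!/bin/sh
# Added example, not from the original post. Summarise brute-force sources
# from sshd (auth.log) and dovecot log lines; samples below are constructed.

# Constructed auth.log sample in the format shown above (203.0.113.7 is a
# documentation address used only to get a second, lower-count source).
AUTH_SAMPLE='Jan  4 06:26:51 dwaves sshd[27945]: Invalid user oracle from 212.141.54.155
Jan  4 06:26:51 dwaves sshd[27945]: Received disconnect from 212.141.54.155: 11: Bye Bye [preauth]
Jan  4 06:26:51 dwaves sshd[27947]: Invalid user pi from 212.141.54.155
Jan  4 06:27:03 dwaves sshd[27950]: Invalid user admin from 212.141.54.155
Jan  4 06:30:12 dwaves sshd[27990]: Invalid user test from 203.0.113.7'

# Constructed dovecot sample in the passwd-file(user,ip) format shown above.
DOVECOT_SAMPLE='Dec 30 03:54:55 auth: Info: passwd-file(adolfo,118.123.243.13): no passwd file: /etc/exim4/domains//passwd
Dec 30 03:55:20 auth: Info: passwd-file(bertha,118.123.243.13): no passwd file: /etc/exim4/domains//passwd
Dec 30 03:55:45 auth: Info: passwd-file(control,118.123.243.13): no passwd file: /etc/exim4/domains//passwd'

# sshd lines on stdin -> "count ip", most active source first.
# Only "Invalid user" lines count; the "Received disconnect from ..." line
# also contains "from <ip>" but is not an attempt, so it is filtered first.
ssh_sources() {
    grep 'sshd\[[0-9]*\]: Invalid user ' \
        | sed -n 's/.* from \([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# dovecot lines on stdin -> "count ip user1 user2 ...", most active first.
# The username list shows the dictionary being walked, which distinguishes
# a brute-force run from one user mistyping a password.
dovecot_sources() {
    sed -n 's/.*passwd-file(\([^,]*\),\([0-9.]*\)).*/\2 \1/p' \
        | awk '{ n[$1]++; u[$1] = (u[$1] == "" ? $2 : u[$1] " " $2) }
               END { for (ip in n) print n[ip], ip, u[ip] }' \
        | sort -rn
}

# "count ip ..." lines on stdin -> IPs with at least $1 attempts (default 3).
flag_bruteforce() {
    awk -v min="${1:-3}" '$1 >= min { print $2 }'
}

# Stand-alone run over the constructed samples.
printf '%s\n' "$AUTH_SAMPLE" | ssh_sources
printf '%s\n' "$DOVECOT_SAMPLE" | dovecot_sources
printf '%s\n' "$AUTH_SAMPLE" | ssh_sources | flag_bruteforce 3
```

On a live box replace the samples with `ssh_sources < /var/log/auth.log`; the flagged IPs are the ones worth a whois and a firewall or fail2ban rule rather than a manual read through the log.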

admin