Koozali.org: home of the SME Server

phishing - and not even knowing where to look to help myself

dilligaf
« on: November 23, 2004, 01:00:45 AM »
Hi,
I own a domain and use SME 5.6 with all updates. I know I should update to 6.X, but that will not stop what is happening from happening again.
Over the last week I have been getting phone calls from my ISP saying they are receiving complaints that my server is hosting a phishing scam.
I have nothing to hide and have no problem asking for help, as I have no idea what else to look for.
I was told to reformat my server, but I said no, I would not do that until I could identify the problem.
Why format the server and restore the initial problem from tape?
This is the deal: my domain is www.willcraft.com, and it resolves to 142.179.200.56.
The scam thing is to do with some bank, HSBC.
The first time I was called, they said hsbc-validation.info goes to my site. I looked and it did, only it was not my page that was displayed; it was a login page for this bank.
So I moved all my html etc. off the server.
The next time he called he said the same was happening with hsbc-verifier.info.
Last night I put all my html back, and as of today it is starting again. I have scanned the files / server: no rootkits or anything.
Check it out: go to Sam Spade and do a lookup for hsbc-validation.info and it shows my IP, yet it dishes up my page.
Any assistance greatly appreciated.
Dan

RonM

« Reply #1 on: November 23, 2004, 02:59:31 AM »
Hi Dan - probably need some more info - right now this doesn't look like it has anything to do with your server.

Here's the result of DiGs on the URLs listed. It looks like 216.99.193.2 (ns3.aracnet.com) returns the same IP address for two different URLs, but gets hsbc-val from SECURESERVER.NET and willcraft from easydns.com. hsbc-verifier does not resolve.

This info by itself ought to be enough to get your ISP off your back. I'd say your IP is being spoofed.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

; <<>> DiG 9.2.1 <<>> hsbc-validation.info
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35453
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;hsbc-validation.info.      IN   A

;; ANSWER SECTION:
hsbc-validation.info.   3600   IN   A   142.179.200.56

;; AUTHORITY SECTION:
hsbc-validation.info.   3600   IN   NS   PARK17.SECURESERVER.NET.
hsbc-validation.info.   3600   IN   NS   PARK18.SECURESERVER.NET.

;; ADDITIONAL SECTION:
PARK17.SECURESERVER.NET. 115846   IN   A   64.202.165.120
PARK18.SECURESERVER.NET. 115846   IN   A   64.202.167.158

;; Query time: 100 msec
;; SERVER: 216.99.193.2#53(216.99.193.2)
;; WHEN: Mon Nov 22 17:46:21 2004
;; MSG SIZE  rcvd: 144

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

; <<>> DiG 9.2.2-P3 <<>> hsbc-verifier.info
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 65332
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;hsbc-verifier.info.      IN   A

;; AUTHORITY SECTION:
info.         7200   IN   SOA   tld1.ultradns.net. domadmin.ultradns.net. 2004225973 3600 1800 604800 3600

;; Query time: 37 msec
;; SERVER: 216.99.193.2#53(216.99.193.2)
;; WHEN: Mon Nov 22 17:50:51 2004
;; MSG SIZE  rcvd: 98

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

; <<>> DiG 9.2.1 <<>> www.willcraft.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41126
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;www.willcraft.com.      IN   A

;; ANSWER SECTION:
www.willcraft.com.   10800   IN   A   142.179.200.56

;; AUTHORITY SECTION:
willcraft.com.      10800   IN   NS   ns1.easydns.com.
willcraft.com.      10800   IN   NS   ns2.easydns.com.
willcraft.com.      10800   IN   NS   remote1.easydns.com.
willcraft.com.      10800   IN   NS   remote2.easydns.com.

;; ADDITIONAL SECTION:
ns1.easydns.com.   65643   IN   A   216.220.40.243
ns2.easydns.com.   46919   IN   A   205.210.42.20
remote1.easydns.com.   53232   IN   A   64.39.29.212
remote2.easydns.com.   32321   IN   A   212.100.224.80

;; Query time: 268 msec
;; SERVER: 216.99.193.2#53(216.99.193.2)
;; WHEN: Mon Nov 22 17:49:13 2004
;; MSG SIZE  rcvd: 203

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
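An added example, not part of Ron's reply or the SME project: a small Python script that parses dig output in the format above and applies the same reasoning, treating an A record at your address whose AUTHORITY nameservers are not yours as someone else's name pointed at you rather than something your server publishes. The IP and the easydns nameserver list are taken from the dig output above and assumed to be what Dan controls; the embedded samples are abridged copies of those three outputs.

```python
"""Triage a dig result: does a name at my IP actually come from my nameservers?

Added example, not from the original thread. It parses dig's text output and
classifies the queried name the way the reply reasons: an A record at your
address whose AUTHORITY section names nameservers you do not control is
someone else's domain pointed at you, not something your server publishes.
"""
import re
import sys

RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+)$")
STATUS_RE = re.compile(r"^;; ->>HEADER<<-.*\bstatus: (?P<status>[A-Z]+)")

# Assumed for the thread's case (taken from the dig output in the reply, not verified here).
MY_IPS = {"142.179.200.56"}
MY_NAMESERVERS = {"ns1.easydns.com", "ns2.easydns.com", "remote1.easydns.com", "remote2.easydns.com"}

# Constructed, abridged copies of the three dig outputs in the reply
# (header and section lines only; timing and server trailers dropped).
DIG_HSBC_VALIDATION = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35453
;; QUESTION SECTION:
;hsbc-validation.info.      IN   A

;; ANSWER SECTION:
hsbc-validation.info.   3600   IN   A   142.179.200.56

;; AUTHORITY SECTION:
hsbc-validation.info.   3600   IN   NS   PARK17.SECURESERVER.NET.
hsbc-validation.info.   3600   IN   NS   PARK18.SECURESERVER.NET.
"""
DIG_HSBC_VERIFIER = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 65332
;; QUESTION SECTION:
;hsbc-verifier.info.      IN   A

;; AUTHORITY SECTION:
info.         7200   IN   SOA   tld1.ultradns.net. domadmin.ultradns.net. 2004225973 3600 1800 604800 3600
"""
DIG_WILLCRAFT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41126
;; QUESTION SECTION:
;www.willcraft.com.      IN   A

;; ANSWER SECTION:
www.willcraft.com.   10800   IN   A   142.179.200.56

;; AUTHORITY SECTION:
willcraft.com.      10800   IN   NS   ns1.easydns.com.
willcraft.com.      10800   IN   NS   ns2.easydns.com.
willcraft.com.      10800   IN   NS   remote1.easydns.com.
willcraft.com.      10800   IN   NS   remote2.easydns.com.
"""

def parse_dig(text):
    """Split dig output into status, queried name and per-section resource records.
    Each record is (owner, ttl, type, rdata); owner is lower-cased without the trailing dot."""
    out = {"status": None, "question": None, "answer": [], "authority": [], "additional": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STATUS_RE.match(line)
        if m:
            out["status"] = m["status"]
            continue
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:].replace(" SECTION:", "").lower()   # "question", "answer", ...
            continue
        if line.startswith(";"):
            if section == "question":                 # ";name.   IN   A"
                out["question"] = line[1:].split()[0].rstrip(".").lower()
            continue                                  # any other comment line
        m = RR_RE.match(line)
        if m and section in out:
            out[section].append((m["name"].rstrip(".").lower(), int(m["ttl"]), m["type"], m["rdata"].strip()))
    return out

def assess(dig_text, my_ips=MY_IPS, my_nameservers=MY_NAMESERVERS):
    """Classify a name relative to the addresses and nameservers you control:
    'nxdomain', 'not-mine', 'mine', or 'foreign-name-at-my-ip' (the thread's case)."""
    r = parse_dig(dig_text)
    if r["status"] == "NXDOMAIN":
        return "nxdomain"
    a_records = {rdata for _, _, rtype, rdata in r["answer"] if rtype == "A"}
    if not a_records & set(my_ips):
        return "not-mine"
    ns_records = {rdata.rstrip(".").lower() for _, _, rtype, rdata in r["authority"] if rtype == "NS"}
    if ns_records and ns_records <= {n.lower() for n in my_nameservers}:
        return "mine"
    return "foreign-name-at-my-ip"

if __name__ == "__main__":
    # Usage: dig some-name.example | python dig_triage.py   (no input: runs the embedded samples)
    if not sys.stdin.isatty():
        print(assess(sys.stdin.read()))
    else:
        for sample in (DIG_HSBC_VALIDATION, DIG_HSBC_VERIFIER, DIG_WILLCRAFT):
            print(parse_dig(sample)["question"], "->", assess(sample))
```

A "foreign-name-at-my-ip" result is what to hand the ISP: the name's authority lies with the nameservers in the AUTHORITY section, and the registrar behind them is the party that can take it down.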

dilligaf
« Reply #2 on: November 23, 2004, 03:12:10 AM »
Thank you Ron,
I really appreciate the help.
I talked to the ISP again.
This is what he said:
If you are so sure your server is not the problem power it off, and we will see if we can get to that page.
I said no I will just down eth1, which I did, and he could not get to that page, it timed out.
I upped eth1 and he could get to it right away.
He said over and over several times, these guys are good.
I guarantee I will be getting another phone call from the ISP again tomorrow with another complaint.
He did threaten that because I had been informed about it and am not fixing it, legal action could be taken. How in the heck do you fix what you can't find?
I know I will not be the first or the last to have this happen, but when I find the answer rest assured I will go out of my way to help the next guy.
Dan

RonM

« Reply #3 on: November 23, 2004, 05:47:43 AM »
Hi Dan - get to what page? Your site's home page? (nice clean design, BTW) How is any name that resolves to your IP going to work if the cable is unplugged?

I'm assuming that at some point the name hsbc-validation.info resolved to 142.179.200.56 and yet called up an apparently fake bank login page? This has never happened when I tried it. All three names call up your site's home page (traceroute gives me the third name - s142-179-200-56.ab.hsia.telus.net - likely the name your ISP gave your domain).

You can see what sites SME's Apache server thinks it's showing by looking at the contents of /etc/httpd/conf/httpd.conf and /etc/httpd/admin-conf/httpd.conf. Anything funny in there? It's possible someone put another web server on your box, but SME's Apache is already listening at port 80. (unless "these guys are [so] good" they're spoofing your web site as well as the bank's ;-) You can do a scan from the web to see what other ports are open on your machine at https://www.grc.com/x/ne.dll?bh0bkyd2. You can also do a search at the command line or in midnight commander for the strings "hsbc-validation.info" or ".info". Any hits?

None of this answers the question of why these names resolve to your IP. It's true, your server could be publishing it, but to whom? Your ISP? Have they received any new records to publish in the last few days? Would they make both SECURESERVER.NET and easydns.com authoritative for your domain? One for one name, one for the other? Seems unlikely.

Pls try the above and see if anything untoward comes back. One more thing:

WHOIS information for secureserver.net
IP Addresses:   63.241.136.41
IP Country:   UNITED STATES  UNITED STATES
Reverse IP Lookup:   IP hosts 1 domains

Hosting Company Name:   
ICANN Registrar:   WILD WEST DOMAINS, INC.
Creation Date:   Mar 30 1998
Expiry Date:   Mar 29 2012
 
Web Server:   N/A
Website Status:   N/A

Registrant:
   Special Domain Services, Inc.
   14455 N Hayden Rd
   Scottsdale, Arizona 85260
   United States

   Registered through: WWDomains.com
   Domain Name: SECURESERVER.NET
      Created on: 30-Mar-98
      Expires on: 29-Mar-12
      Last Updated on: 12-Oct-04

   Administrative Contact:
      Domain Services, Inc., Special  
      14455 N Hayden Rd
      Scottsdale, Arizona 85260
      United States
      480-624-2500      Fax --
   Technical Contact:
      Domain Services, Inc., Special  
      14455 N Hayden Rd
      Scottsdale, Arizona 85260
      United States
      480-624-2500      Fax --

   Domain servers in listed order:
      CNS1.SECURESERVER.NET
      CNS2.SECURESERVER.NET

(Note the DNS server names don't quite match.) If secureserver.net is not involved with this, they might be interested.

RonM

« Reply #4 on: November 23, 2004, 06:17:58 AM »
oops, another question: how about any machines behind your server? All clean? All off at some point when the bad page came up?

dilligaf
« Reply #5 on: November 23, 2004, 06:25:02 AM »
Hi Ron,
2 other machines, Windows XP Pro PCs.
Norton antivirus reports them as clean.
I believe they are clean (limited / managed use).
These two machines are on right now, and were at that time as well.
I did the scan at Gibson, 25, 80, 113, 443, 465, and 995.
Did the search for the files in mc (locate filename)
Nothing found.
Dan

RonM

« Reply #6 on: November 23, 2004, 07:23:27 AM »
All those domain names still resolve to your site. As far as I can tell, all we've got right now is an extra URL that points to your web server. Perhaps you might contact secureserver about that.

If, tomorrow, your ISP contacts you about another one, and someone outside can actually see another webpage at your site, maybe a search will work. You can try disconnecting your other machines, see if the site still resolves.

Pls let us know what happens next!

dilligaf
« Reply #7 on: November 24, 2004, 12:42:00 AM »
Just to let you know, I have still changed nothing on my end, and have not heard anything from the ISP yet.
Dan


dilligaf
« Reply #8 on: November 24, 2004, 12:54:44 AM »
Just noticed a quick change here: http://www.hsbc-validator.info/ was working in what looked to me to be normal today.
Just checked again, and it is suspended!
"Account for domain hsbc-validator.info has been suspended"
Dan

RonM

« Reply #9 on: November 27, 2004, 07:45:38 AM »
Hi Dan - how's it going? Has this thing disappeared back into the ether? If you ever hear an explanation of what happened, I'd be curious :-)

Ron

Caa

Phishing Compromised my Server
« Reply #10 on: January 06, 2005, 02:32:33 PM »
Dear Sirs:

My SME Server and gateway was compromised with a Washington Mutual phishing scam.
My ISP phoned indicating that if you put http://200.xxx.xxx.xxx/wamu.com in your browser you reached the FALSE web page that was indicated in the e-mail.

In /home/e-smith/files/primary/html we found a HIDDEN directory /wamu.com.
I say HIDDEN because it doesn't show with ls -l, nor ls -a, but we could see it with mc.

Furthermore, it cannot be modified or deleted:
  rm: cannot unlink: Permission denied

Now, as an URGENT solution, we have formatted and re-installed, but would like to know how our server could have been compromised and how this directory could have been deleted.

Awaiting your comments.
Best Regards,
Charlie

dhardy

« Reply #11 on: January 06, 2005, 05:50:50 PM »
Check your messages log - filter on password.

Here's an extract from mine for the past few days:

Jan  2 23:04:11 fleable sshd[5630]: Failed password for invalid user test from 202.30.44.14 port 51702 ssh2
Jan  2 23:04:14 fleable sshd[5632]: Failed password for invalid user guest from 202.30.44.14 port 51736 ssh2
Jan  2 23:04:18 fleable sshd[5634]: Failed password for admin from 202.30.44.14 port 51785 ssh2
Jan  2 23:04:21 fleable sshd[5640]: Failed password for admin from 202.30.44.14 port 51848 ssh2
Jan  2 23:04:23 fleable sshd[5642]: Failed password for invalid user user from 202.30.44.14 port 51952 ssh2
Jan  2 23:04:26 fleable sshd[5644]: Failed password for root from 202.30.44.14 port 52021 ssh2
Jan  2 23:04:33 fleable sshd[5650]: Failed password for root from 202.30.44.14 port 52096 ssh2
Jan  2 23:04:35 fleable sshd[5652]: Failed password for root from 202.30.44.14 port 52292 ssh2
Jan  2 23:04:39 fleable sshd[5658]: Failed password for invalid user test from 202.30.44.14 port 52383 ssh2
Jan  2 23:04:42 fleable sshd[5660]: Failed password for invalid user test from 202.30.44.14 port 52453 ssh2
Jan  2 23:04:44 fleable sshd[5662]: Failed password for invalid user test from 202.30.44.14 port 52531 ssh2
Jan  2 23:04:47 fleable sshd[5664]: Failed password for invalid user test from 202.30.44.14 port 52614 ssh2
Jan  2 23:04:50 fleable sshd[5670]: Failed password for root from 202.30.44.14 port 52700 ssh2
Jan  2 23:04:53 fleable sshd[5672]: Failed password for root from 202.30.44.14 port 52782 ssh2
Jan  2 23:04:55 fleable sshd[5674]: Failed password for root from 202.30.44.14 port 52858 ssh2
Jan  2 23:04:58 fleable sshd[5676]: Failed password for root from 202.30.44.14 port 52947 ssh2
Jan  2 23:05:01 fleable sshd[5682]: Failed password for root from 202.30.44.14 port 53033 ssh2
Jan  2 23:05:04 fleable sshd[5684]: Failed password for root from 202.30.44.14 port 53113 ssh2
Jan  2 23:05:07 fleable sshd[5686]: Failed password for root from 202.30.44.14 port 53212 ssh2
Jan  2 23:05:10 fleable sshd[5692]: Failed password for root from 202.30.44.14 port 53291 ssh2
Jan  2 23:05:12 fleable sshd[5694]: Failed password for root from 202.30.44.14 port 53361 ssh2
Jan  2 23:05:15 fleable sshd[5696]: Failed password for root from 202.30.44.14 port 53434 ssh2
Jan  2 23:05:19 fleable sshd[5698]: Failed password for root from 202.30.44.14 port 53513 ssh2
Jan  2 23:05:21 fleable sshd[5704]: Failed password for root from 202.30.44.14 port 53628 ssh2
Jan  3 09:27:44 fleable sshd[30478]: Failed password for nobody from 210.100.255.3 port 48196 ssh2
Jan  3 09:27:47 fleable sshd[30484]: Failed password for invalid user patrick from 210.100.255.3 port 49045 ssh2
Jan  3 09:27:49 fleable sshd[30486]: Failed password for invalid user patrick from 210.100.255.3 port 49087 ssh2
Jan  3 09:27:52 fleable sshd[30488]: Failed password for root from 210.100.255.3 port 49930 ssh2
Jan  3 09:27:56 fleable sshd[30490]: Failed password for root from 210.100.255.3 port 50381 ssh2
Jan  3 09:27:59 fleable sshd[30496]: Failed password for root from 210.100.255.3 port 50841 ssh2
Jan  3 09:28:01 fleable sshd[30498]: Failed password for root from 210.100.255.3 port 51287 ssh2
Jan  3 09:28:05 fleable sshd[30500]: Failed password for root from 210.100.255.3 port 51734 ssh2
Jan  3 09:28:08 fleable sshd[30506]: Failed password for invalid user rolo from 210.100.255.3 port 52594 ssh2
Jan  3 09:28:11 fleable sshd[30508]: Failed password for invalid user iceuser from 210.100.255.3 port 53043 ssh2
Jan  3 09:28:15 fleable sshd[30510]: Failed password for invalid user horde from 210.100.255.3 port 53503 ssh2
Jan  3 09:28:18 fleable sshd[30516]: Failed password for invalid user cyrus from 210.100.255.3 port 54362 ssh2
Jan  3 09:28:21 fleable sshd[30518]: Failed password for www from 210.100.255.3 port 54805 ssh2
Jan  3 09:28:23 fleable sshd[30520]: Failed password for invalid user wwwrun from 210.100.255.3 port 55246 ssh2
Jan  3 09:28:26 fleable sshd[30526]: Failed password for invalid user matt from 210.100.255.3 port 55690 ssh2
Jan  3 09:28:29 fleable sshd[30528]: Failed password for invalid user test from 210.100.255.3 port 56138 ssh2
Jan  3 09:28:32 fleable sshd[30530]: Failed password for invalid user test from 210.100.255.3 port 56984 ssh2
Jan  3 09:28:36 fleable sshd[30532]: Failed password for invalid user test from 210.100.255.3 port 57434 ssh2
Jan  3 09:28:38 fleable sshd[30538]: Failed password for invalid user test from 210.100.255.3 port 57900 ssh2
Jan  3 09:28:41 fleable sshd[30540]: Failed password for invalid user www-data from 210.100.255.3 port 58343 ssh2
Jan  3 09:28:44 fleable sshd[30542]: Failed password for mysql from 210.100.255.3 port 58795 ssh2
Jan  3 09:28:47 fleable sshd[30548]: Failed password for operator from 210.100.255.3 port 59638 ssh2
Jan  3 09:28:49 fleable sshd[30550]: Failed password for adm from 210.100.255.3 port 59972 ssh2
Jan  3 09:28:52 fleable sshd[30552]: Failed password for invalid user apache from 210.100.255.3 port 60533 ssh2
Jan  3 09:28:55 fleable sshd[30558]: Failed password for invalid user irc from 210.100.255.3 port 60980 ssh2
Jan  3 09:28:58 fleable sshd[30560]: Failed password for invalid user irc from 210.100.255.3 port 33196 ssh2
Jan  3 09:29:00 fleable sshd[30562]: Failed password for adm from 210.100.255.3 port 33648 ssh2
Jan  3 09:29:03 fleable sshd[30564]: Failed password for root from 210.100.255.3 port 34097 ssh2
Jan  3 09:29:06 fleable sshd[30570]: Failed password for root from 210.100.255.3 port 34547 ssh2
Jan  3 09:29:09 fleable sshd[30572]: Failed password for root from 210.100.255.3 port 34993 ssh2
Jan  3 09:29:11 fleable sshd[30574]: Failed password for jane from 210.100.255.3 port 35457 ssh2
Jan  3 09:29:15 fleable sshd[30576]: Failed password for invalid user pamela from 210.100.255.3 port 35890 ssh2
Jan  3 09:29:18 fleable sshd[30582]: Failed password for root from 210.100.255.3 port 36754 ssh2
Jan  3 09:29:20 fleable sshd[30584]: Failed password for root from 210.100.255.3 port 37208 ssh2
Jan  3 09:29:23 fleable sshd[30586]: Failed password for root from 210.100.255.3 port 37655 ssh2
Jan  3 09:29:26 fleable sshd[30592]: Failed password for root from 210.100.255.3 port 38104 ssh2
Jan  3 09:29:29 fleable sshd[30594]: Failed password for root from 210.100.255.3 port 38554 ssh2
Jan  3 09:29:31 fleable sshd[30596]: Failed password for invalid user cosmin from 210.100.255.3 port 39403 ssh2
Jan  3 09:29:35 fleable sshd[30598]: Failed password for root from 210.100.255.3 port 39454 ssh2
Jan  3 09:29:38 fleable sshd[30604]: Failed password for root from 210.100.255.3 port 40314 ssh2
Jan  3 09:29:41 fleable sshd[30606]: Failed password for root from 210.100.255.3 port 40761 ssh2
Jan  3 09:29:43 fleable sshd[30608]: Failed password for root from 210.100.255.3 port 41212 ssh2
Jan  3 09:29:46 fleable sshd[30614]: Failed password for root from 210.100.255.3 port 41661 ssh2
Jan  3 09:29:49 fleable sshd[30616]: Failed password for root from 210.100.255.3 port 42109 ssh2
Jan  3 09:29:52 fleable sshd[30618]: Failed password for root from 210.100.255.3 port 42958 ssh2
Jan  3 09:29:54 fleable sshd[30620]: Failed password for root from 210.100.255.3 port 43009 ssh2
Jan  3 09:29:57 fleable sshd[30626]: Failed password for root from 210.100.255.3 port 43847 ssh2
Jan  3 09:30:00 fleable sshd[30628]: Failed password for root from 210.100.255.3 port 44301 ssh2
Jan  3 09:30:02 fleable sshd[30630]: Failed password for root from 210.100.255.3 port 44737 ssh2
Jan  3 09:30:06 fleable sshd[30636]: Failed password for root from 210.100.255.3 port 45187 ssh2
Jan  3 09:30:08 fleable sshd[30638]: Failed password for root from 210.100.255.3 port 45634 ssh2
Jan  3 09:30:11 fleable sshd[30640]: Failed password for root from 210.100.255.3 port 46084 ssh2
Jan  3 09:30:14 fleable sshd[30642]: Failed password for root from 210.100.255.3 port 46526 ssh2
Jan  3 09:30:17 fleable sshd[30648]: Failed password for root from 210.100.255.3 port 47374 ssh2
Jan  3 09:30:19 fleable sshd[30650]: Failed password for root from 210.100.255.3 port 47416 ssh2
Jan  3 09:30:22 fleable sshd[30652]: Failed password for root from 210.100.255.3 port 48266 ssh2
Jan  3 09:30:26 fleable sshd[30654]: Failed password for root from 210.100.255.3 port 48707 ssh2
Jan  3 09:30:29 fleable sshd[30660]: Failed password for root from 210.100.255.3 port 49170 ssh2
Jan  3 09:30:31 fleable sshd[30662]: Failed password for root from 210.100.255.3 port 49617 ssh2
Jan  3 09:30:34 fleable sshd[30664]: Failed password for root from 210.100.255.3 port 50056 ssh2
Jan  3 09:30:37 fleable sshd[30670]: Failed password for root from 210.100.255.3 port 50903 ssh2
Jan  3 09:30:40 fleable sshd[30672]: Failed password for root from 210.100.255.3 port 51345 ssh2
Jan  3 09:30:42 fleable sshd[30674]: Failed password for root from 210.100.255.3 port 51795 ssh2
Jan  3 09:30:46 fleable sshd[30680]: Failed password for root from 210.100.255.3 port 52236 ssh2
Jan  3 09:30:49 fleable sshd[30682]: Failed password for root from 210.100.255.3 port 52697 ssh2
Jan  3 09:30:51 fleable sshd[30685]: Failed password for root from 210.100.255.3 port 53543 ssh2
Jan  3 09:30:54 fleable sshd[30687]: Failed password for root from 210.100.255.3 port 53587 ssh2
Jan  3 09:30:57 fleable sshd[30693]: Failed password for root from 210.100.255.3 port 54435 ssh2
Jan  3 09:31:00 fleable sshd[30695]: Failed password for root from 210.100.255.3 port 54875 ssh2
Jan  3 09:31:02 fleable sshd[30697]: Failed password for root from 210.100.255.3 port 55325 ssh2
Jan  3 09:31:06 fleable sshd[30703]: Failed password for root from 210.100.255.3 port 55764 ssh2
Jan  3 09:31:09 fleable sshd[30705]: Failed password for root from 210.100.255.3 port 56231 ssh2
Jan  3 09:31:12 fleable sshd[30707]: Failed password for root from 210.100.255.3 port 57077 ssh2
Jan  3 09:31:15 fleable sshd[30709]: Failed password for root from 210.100.255.3 port 57519 ssh2
Jan  3 09:31:18 fleable sshd[30715]: Failed password for invalid user cip52 from 210.100.255.3 port 57983 ssh2
Jan  3 09:31:21 fleable sshd[30717]: Failed password for invalid user cip51 from 210.100.255.3 port 58428 ssh2
Jan  3 09:31:24 fleable sshd[30719]: Failed password for root from 210.100.255.3 port 58876 ssh2
Jan  3 09:31:26 fleable sshd[30725]: Failed password for invalid user noc from 210.100.255.3 port 59716 ssh2
Jan  3 09:31:29 fleable sshd[30727]: Failed password for root from 210.100.255.3 port 59766 ssh2
Jan  3 09:31:32 fleable sshd[30729]: Failed password for root from 210.100.255.3 port 60609 ssh2
Jan  3 09:31:35 fleable sshd[30731]: Failed password for root from 210.100.255.3 port 32822 ssh2
Jan  3 09:31:38 fleable sshd[30737]: Failed password for root from 210.100.255.3 port 33270 ssh2
Jan  3 09:31:40 fleable sshd[30739]: Failed password for invalid user webmaster from 210.100.255.3 port 33713 ssh2
Jan  3 09:31:43 fleable sshd[30741]: Failed password for invalid user data from 210.100.255.3 port 34156 ssh2
Jan  3 09:31:47 fleable sshd[30747]: Failed password for invalid user user from 210.100.255.3 port 35008 ssh2
Jan  3 09:31:49 fleable sshd[30749]: Failed password for invalid user user from 210.100.255.3 port 35054 ssh2
Jan  3 09:31:52 fleable sshd[30751]: Failed password for invalid user user from 210.100.255.3 port 35897 ssh2
Jan  3 09:31:55 fleable sshd[30757]: Failed password for invalid user web from 210.100.255.3 port 36342 ssh2
Jan  3 09:31:58 fleable sshd[30762]: Failed password for invalid user web from 210.100.255.3 port 36785 ssh2
Jan  3 09:32:00 fleable sshd[30765]: Failed password for invalid user oracle from 210.100.255.3 port 37231 ssh2
Jan  3 09:32:03 fleable sshd[30767]: Failed password for invalid user sybase from 210.100.255.3 port 37677 ssh2
Jan  3 09:32:06 fleable sshd[30773]: Failed password for invalid user master from 210.100.255.3 port 38121 ssh2
Jan  3 09:32:09 fleable sshd[30775]: Failed password for invalid user account from 210.100.255.3 port 38567 ssh2
Jan  3 09:32:11 fleable sshd[30777]: Failed password for invalid user backup from 210.100.255.3 port 39012 ssh2
Jan  3 09:32:15 fleable sshd[30779]: Failed password for invalid user server from 210.100.255.3 port 39461 ssh2
Jan  3 09:32:18 fleable sshd[30785]: Failed password for invalid user adam from 210.100.255.3 port 40316 ssh2
Jan  3 09:32:20 fleable sshd[30787]: Failed password for invalid user alan from 210.100.255.3 port 40762 ssh2
Jan  3 09:32:23 fleable sshd[30789]: Failed password for invalid user frank from 210.100.255.3 port 41207 ssh2
Jan  3 09:32:26 fleable sshd[30795]: Failed password for invalid user george from 210.100.255.3 port 41649 ssh2
Jan  3 09:32:29 fleable sshd[30797]: Failed password for invalid user henry from 210.100.255.3 port 42093 ssh2
Jan  3 09:32:31 fleable sshd[30799]: Failed password for invalid user john from 210.100.255.3 port 42532 ssh2
Jan  3 09:32:35 fleable sshd[30801]: Failed password for root from 210.100.255.3 port 42979 ssh2
Jan  3 09:32:38 fleable sshd[30807]: Failed password for root from 210.100.255.3 port 43830 ssh2
Jan  3 09:32:41 fleable sshd[30809]: Failed password for root from 210.100.255.3 port 44274 ssh2
Jan  3 09:32:43 fleable sshd[30811]: Failed password for root from 210.100.255.3 port 44713 ssh2
Jan  3 09:32:46 fleable sshd[30817]: Failed password for root from 210.100.255.3 port 45159 ssh2
Jan  3 09:32:49 fleable sshd[30819]: Failed password for invalid user test from 210.100.255.3 port 45602 ssh2
Jan  3 20:54:21 fleable sshd[15795]: Failed password for nobody from 212.160.130.58 port 4805 ssh2
Jan  3 20:54:22 fleable sshd[15797]: Failed password for invalid user patrick from 212.160.130.58 port 4855 ssh2
Jan  3 20:54:26 fleable sshd[15799]: Failed password for invalid user patrick from 212.160.130.58 port 4868 ssh2
Jan  3 20:54:27 fleable sshd[15801]: Failed password for root from 212.160.130.58 port 4961 ssh2
Jan  3 20:54:28 fleable sshd[15803]: Failed password for root from 212.160.130.58 port 4982 ssh2
Jan  3 20:54:29 fleable sshd[15805]: Failed password for root from 212.160.130.58 port 1026 ssh2
Jan  3 20:54:35 fleable sshd[15812]: Failed password for root from 212.160.130.58 port 1056 ssh2
Jan  3 20:54:36 fleable sshd[15814]: Failed password for root from 212.160.130.58 port 1186 ssh2
Jan  3 20:54:37 fleable sshd[15816]: Failed password for invalid user rolo from 212.160.130.58 port 1211 ssh2
Jan  3 20:54:38 fleable sshd[15819]: Failed password for invalid user iceuser from 212.160.130.58 port 1236 ssh2
Jan  3 20:54:42 fleable sshd[15828]: Failed password for invalid user horde from 212.160.130.58 port 1257 ssh2
Jan  3 20:54:43 fleable sshd[15830]: Failed password for invalid user cyrus from 212.160.130.58 port 1342 ssh2
Jan  3 20:54:44 fleable sshd[15832]: Failed password for www from 212.160.130.58 port 1368 ssh2
Jan  3 20:54:45 fleable sshd[15834]: Failed password for invalid user wwwrun from 212.160.130.58 port 1398 ssh2
Jan  3 20:54:46 fleable sshd[15836]: Failed password for invalid user matt from 212.160.130.58 port 1430 ssh2
Jan  3 20:54:48 fleable sshd[15838]: Failed password for invalid user test from 212.160.130.58 port 1454 ssh2
Jan  3 20:54:50 fleable sshd[15840]: Failed password for invalid user test from 212.160.130.58 port 1496 ssh2
Jan  3 20:54:51 fleable sshd[15852]: Failed password for invalid user test from 212.160.130.58 port 1541 ssh2
Jan  3 20:54:53 fleable sshd[15854]: Failed password for invalid user test from 212.160.130.58 port 1575 ssh2
Jan  3 20:54:54 fleable sshd[15856]: Failed password for invalid user www-data from 212.160.130.58 port 1617 ssh2
Jan  3 20:54:56 fleable sshd[15858]: Failed password for mysql from 212.160.130.58 port 1647 ssh2
Jan  3 20:55:00 fleable sshd[15864]: Failed password for operator from 212.160.130.58 port 1683 ssh2
Jan  3 20:55:02 fleable sshd[15866]: Failed password for adm from 212.160.130.58 port 1794 ssh2
Jan  3 20:55:03 fleable sshd[15868]: Failed password for invalid user apache from 212.160.130.58 port 1830 ssh2
Jan  3 20:55:05 fleable sshd[15870]: Failed password for invalid user irc from 212.160.130.58 port 1855 ssh2
Jan  3 20:55:09 fleable sshd[15872]: Failed password for invalid user irc from 212.160.130.58 port 1901 ssh2
Jan  3 20:55:12 fleable sshd[15878]: Failed password for adm from 212.160.130.58 port 1996 ssh2
Jan  3 20:55:17 fleable sshd[15880]: Failed password for root from 212.160.130.58 port 2061 ssh2
Jan  3 20:55:21 fleable sshd[15882]: Failed password for root from 212.160.130.58 port 2190 ssh2
Jan  3 20:55:22 fleable sshd[15888]: Failed password for root from 212.160.130.58 port 2275 ssh2
Jan  3 20:55:23 fleable sshd[15890]: Failed password for jane from 212.160.130.58 port 2308 ssh2
Jan  3 20:55:24 fleable sshd[15892]: Failed password for invalid user pamela from 212.160.130.58 port 2330 ssh2
Jan  3 20:55:26 fleable sshd[15894]: Failed password for root from 212.160.130.58 port 2356 ssh2
Jan  3 20:55:27 fleable sshd[15896]: Failed password for root from 212.160.130.58 port 2391 ssh2
Jan  3 20:55:28 fleable sshd[15898]: Failed password for root from 212.160.130.58 port 2413 ssh2
Jan  3 20:55:32 fleable sshd[15905]: Failed password for root from 212.160.130.58 port 2435 ssh2
Jan  3 20:55:33 fleable sshd[15907]: Failed password for root from 212.160.130.58 port 2534 ssh2
Jan  3 20:55:35 fleable sshd[15909]: Failed password for invalid user cosmin from 212.160.130.58 port 2564 ssh2
Jan  3 20:55:36 fleable sshd[15911]: Failed password for root from 212.160.130.58 port 2604 ssh2
Jan  3 20:55:38 fleable sshd[15913]: Failed password for root from 212.160.130.58 port 2629 ssh2
Jan  3 20:55:39 fleable sshd[15915]: Failed password for root from 212.160.130.58 port 2673 ssh2
Jan  3 20:55:41 fleable sshd[15917]: Failed password for root from 212.160.130.58 port 2692 ssh2
Jan  3 20:55:42 fleable sshd[15923]: Failed password for root from 212.160.130.58 port 2741 ssh2
Jan  3 20:55:43 fleable sshd[15925]: Failed password for root from 212.160.130.58 port 2770 ssh2
Jan  3 20:55:46 fleable sshd[15927]: Failed password for root from 212.160.130.58 port 2801 ssh2
Jan  3 20:55:47 fleable sshd[15929]: Failed password for root from 212.160.130.58 port 2860 ssh2
Jan  3 20:55:48 fleable sshd[15931]: Failed password for root from 212.160.130.58 port 2888 ssh2
Jan  3 20:55:50 fleable sshd[15933]: Failed password for root from 212.160.130.58 port 2920 ssh2
Jan  3 20:55:52 fleable sshd[15939]: Failed password for root from 212.160.130.58 port 2968 ssh2
Jan  3 20:55:53 fleable sshd[15941]: Failed password for root from 212.160.130.58 port 2994 ssh2
Jan  3 20:55:53 fleable sshd[15943]: Failed password for root from 212.160.130.58 port 3014 ssh2
Jan  3 20:55:54 fleable sshd[15945]: Failed password for root from 212.160.130.58 port 3034 ssh2
Jan  3 20:55:56 fleable sshd[15947]: Failed password for root from 212.160.130.58 port 3060 ssh2
Jan  3 20:55:57 fleable sshd[15949]: Failed password for root from 212.160.130.58 port 3082 ssh2
Jan  3 20:55:58 fleable sshd[15951]: Failed password for root from 212.160.130.58 port 3116 ssh2
Jan  3 20:56:03 fleable sshd[15957]: Failed password for root from 212.160.130.58 port 3148 ssh2
Jan  3 20:56:05 fleable sshd[15959]: Failed password for root from 212.160.130.58 port 3266 ssh2
Jan  3 20:56:06 fleable sshd[15961]: Failed password for root from 212.160.130.58 port 3298 ssh2
Jan  3 20:56:07 fleable sshd[15963]: Failed password for root from 212.160.130.58 port 3332 ssh2
Jan  3 20:56:08 fleable sshd[15965]: Failed password for root from 212.160.130.58 port 3361 ssh2
Jan  3 20:56:10 fleable sshd[15967]: Failed password for root from 212.160.130.58 port 3386 ssh2
Jan  3 20:56:11 fleable sshd[15973]: Failed password for root from 212.160.130.58 port 3428 ssh2
Jan  3 20:56:13 fleable sshd[15975]: Failed password for root from 212.160.130.58 port 3461 ssh2
Jan  3 20:56:14 fleable sshd[15977]: Failed password for root from 212.160.130.58 port 3502 ssh2
Jan  3 20:56:18 fleable sshd[15979]: Failed password for root from 212.160.130.58 port 3528 ssh2
Jan  3 20:56:19 fleable sshd[15981]: Failed password for root from 212.160.130.58 port 3612 ssh2
Jan  3 20:56:20 fleable sshd[15983]: Failed password for root from 212.160.130.58 port 3634 ssh2
Jan  3 20:56:21 fleable sshd[15989]: Failed password for root from 212.160.130.58 port 3659 ssh2
Jan  3 20:56:22 fleable sshd[15991]: Failed password for root from 212.160.130.58 port 3693 ssh2
Jan  3 20:56:23 fleable sshd[15993]: Failed password for root from 212.160.130.58 port 3720 ssh2
Jan  3 20:56:24 fleable sshd[15995]: Failed password for root from 212.160.130.58 port 3736 ssh2
Jan  3 20:56:25 fleable sshd[15997]: Failed password for root from 212.160.130.58 port 3763 ssh2
Jan  3 20:56:27 fleable sshd[15999]: Failed password for root from 212.160.130.58 port 3786 ssh2
Jan  3 20:56:28 fleable sshd[16001]: Failed password for root from 212.160.130.58 port 3818 ssh2
Jan  3 20:56:29 fleable sshd[16003]: Failed password for invalid user cip52 from 212.160.130.58 port 3841 ssh2
Jan  3 20:56:30 fleable sshd[16005]: Failed password for invalid user cip51 from 212.160.130.58 port 3860 ssh2
Jan  3 20:56:32 fleable sshd[16011]: Failed password for root from 212.160.130.58 port 3901 ssh2
Jan  3 20:56:33 fleable sshd[16013]: Failed password for invalid user noc from 212.160.130.58 port 3937 ssh2
Jan  3 20:56:34 fleable sshd[16015]: Failed password for root from 212.160.130.58 port 3965 ssh2
Jan  3 20:56:35 fleable sshd[16017]: Failed password for root from 212.160.130.58 port 3993 ssh2
Jan  3 20:56:37 fleable sshd[16019]: Failed password for root from 212.160.130.58 port 4023 ssh2
Jan  3 20:56:41 fleable sshd[16025]: Failed password for root from 212.160.130.58 port 4052 ssh2
Jan  3 20:56:42 fleable sshd[16027]: Failed password for invalid user webmaster from 212.160.130.58 port 4151 ssh2
Jan  3 20:56:47 fleable sshd[16029]: Failed password for invalid user data from 212.160.130.58 port 4184 ssh2
Jan  3 20:56:48 fleable sshd[16031]: Failed password for invalid user user from 212.160.130.58 port 4293 ssh2
Jan  3 20:56:49 fleable sshd[16034]: Failed password for invalid user user from 212.160.130.58 port 4318 ssh2
Jan  3 20:56:51 fleable sshd[16040]: Failed password for invalid user user from 212.160.130.58 port 4352 ssh2
Jan  3 20:56:52 fleable sshd[16042]: Failed password for invalid user web from 212.160.130.58 port 4394 ssh2
Jan  3 20:56:53 fleable sshd[16044]: Failed password for invalid user web from 212.160.130.58 port 4417 ssh2
Jan  3 20:56:54 fleable sshd[16046]: Failed password for invalid user oracle from 212.160.130.58 port 4441 ssh2
Jan  3 20:56:55 fleable sshd[16048]: Failed password for invalid user sybase from 212.160.130.58 port 4467 ssh2
Jan  3 20:56:57 fleable sshd[16050]: Failed password for invalid user master from 212.160.130.58 port 4493 ssh2
Jan  3 20:56:58 fleable sshd[16052]: Failed password for invalid user account from 212.160.130.58 port 4524 ssh2
Jan  3 20:57:00 fleable sshd[16054]: Failed password for invalid user backup from 212.160.130.58 port 4554 ssh2
Jan  3 20:57:01 fleable sshd[16060]: Failed password for invalid user server from 212.160.130.58 port 4593 ssh2
Jan  3 20:57:01 fleable sshd[16062]: Failed password for invalid user adam from 212.160.130.58 port 4611 ssh2
Jan  3 20:57:02 fleable sshd[16064]: Failed password for invalid user alan from 212.160.130.58 port 4626 ssh2
Jan  3 20:57:03 fleable sshd[16066]: Failed password for invalid user frank from 212.160.130.58 port 4648 ssh2
Jan  3 20:57:08 fleable sshd[16068]: Failed password for invalid user george from 212.160.130.58 port 4677 ssh2
Jan  3 20:57:09 fleable sshd[16070]: Failed password for invalid user henry from 212.160.130.58 port 4785 ssh2
Jan  3 20:57:10 fleable sshd[16076]: Failed password for invalid user john from 212.160.130.58 port 4804 ssh2
Jan  3 20:57:11 fleable sshd[16078]: Failed password for root from 212.160.130.58 port 4826 ssh2
Jan  3 20:57:13 fleable sshd[16080]: Failed password for root from 212.160.130.58 port 4848 ssh2
Jan  3 20:57:14 fleable sshd[16082]: Failed password for root from 212.160.130.58 port 4880 ssh2
Jan  3 20:57:18 fleable sshd[16084]: Failed password for root from 212.160.130.58 port 4898 ssh2
Jan  3 20:57:19 fleable sshd[16086]: Failed password for root from 212.160.130.58 port 4996 ssh2
Jan  3 20:57:21 fleable sshd[16088]: Failed password for invalid user test from 212.160.130.58 port 1041 ssh2
Jan  6 16:44:16 fleable sshd[4193]: Failed password for invalid user test from 210.118.170.33 port 41942 ssh2
Jan  6 16:44:20 fleable sshd[4195]: Failed password for invalid user guest from 210.118.170.33 port 42055 ssh2
Jan  6 16:44:23 fleable sshd[4198]: Failed password for admin from 210.118.170.33 port 42160 ssh2
Jan  6 16:44:27 fleable sshd[4200]: Failed password for admin from 210.118.170.33 port 42221 ssh2
Jan  6 16:44:30 fleable sshd[4202]: Failed password for invalid user user from 210.118.170.33 port 42330 ssh2
All you can do is have long secure passwords and restrict what your idiot users can do. The non-idiot users need to understand why they should have good passwords and that good passwords are long and use letters and numbers and not usernames!

I regularly show users the logs and discuss with them the consequences of having a stupid password, and they fully expect to feel the heat of my wrath if it's their fault we get compromised - in the same way that they would if we got burgled via a window they left open.

At a minimum you should insist on 8-character passwords. sunnydee is not as good as 5unn1d33 or 5uNn1D33, although the alphanumeric versions are somewhat more secure!

Remember - your server is all that's between you and the scum of the earth. The key to your server is the username/password combo - make it as hard as possible for them to get in and you can sleep easily at night!

HTH

David.
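
As an added example (not code from the thread or from SME Server), here is a small Python script that does the thing David is doing by hand: it parses sshd "Failed password" lines like the ones posted above, groups them by source address and flags a source that looks like a password-guessing run (many attempts inside one time window, or many different usernames tried). The log text inside it is a constructed sample modelled on the lines quoted above; the year 2005 (syslog timestamps carry none), the "Accepted password" line, and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the sshd lines quoted in the thread.
# Syslog timestamps carry no year, as on the original server; the
# final "Accepted password" line is invented to show that it is ignored.
SAMPLE_LOG = """\
Jan  3 20:55:43 fleable sshd[15925]: Failed password for root from 212.160.130.58 port 2770 ssh2
Jan  3 20:55:46 fleable sshd[15927]: Failed password for root from 212.160.130.58 port 2801 ssh2
Jan  3 20:55:47 fleable sshd[15929]: Failed password for root from 212.160.130.58 port 2860 ssh2
Jan  3 20:55:48 fleable sshd[15931]: Failed password for root from 212.160.130.58 port 2888 ssh2
Jan  3 20:55:50 fleable sshd[15933]: Failed password for root from 212.160.130.58 port 2920 ssh2
Jan  3 20:55:52 fleable sshd[15939]: Failed password for root from 212.160.130.58 port 2968 ssh2
Jan  3 20:55:53 fleable sshd[15941]: Failed password for root from 212.160.130.58 port 2994 ssh2
Jan  3 20:55:54 fleable sshd[15945]: Failed password for root from 212.160.130.58 port 3034 ssh2
Jan  3 20:55:56 fleable sshd[15947]: Failed password for root from 212.160.130.58 port 3060 ssh2
Jan  3 20:55:57 fleable sshd[15949]: Failed password for root from 212.160.130.58 port 3082 ssh2
Jan  3 20:56:29 fleable sshd[16003]: Failed password for invalid user cip52 from 212.160.130.58 port 3841 ssh2
Jan  3 20:56:42 fleable sshd[16027]: Failed password for invalid user webmaster from 212.160.130.58 port 4151 ssh2
Jan  3 20:57:21 fleable sshd[16088]: Failed password for invalid user test from 212.160.130.58 port 1041 ssh2
Jan  6 16:44:16 fleable sshd[4193]: Failed password for invalid user test from 210.118.170.33 port 41942 ssh2
Jan  6 16:44:23 fleable sshd[4198]: Failed password for admin from 210.118.170.33 port 42160 ssh2
Jan  6 16:44:30 fleable sshd[4202]: Failed password for invalid user user from 210.118.170.33 port 42330 ssh2
Jan  6 18:01:02 fleable sshd[4310]: Accepted password for dan from 192.0.2.10 port 51000 ssh2
"""

# Matches only the "Failed password" form seen in the thread; the optional
# "invalid user" prefix tells us the account does not even exist locally.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?P<invalid>invalid user) )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_failed_logins(text, year=2005):
    """Return a list of (timestamp, ip, user, is_invalid_user) tuples.

    `year` is assumed (syslog omits it); 2005 matches the thread's dates.
    Lines that are not failed password attempts are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["invalid"] is not None))
    return events


def summarize(events, window_seconds=600, attempt_threshold=10, user_threshold=5):
    """Aggregate failed logins per source IP and flag guessing runs.

    A source is flagged when it makes `attempt_threshold` or more attempts
    inside any `window_seconds` span, or tries `user_threshold` or more
    distinct usernames. Thresholds are assumptions; tune them to your site.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, invalid in events:
        by_ip[ip].append((ts, user, invalid))

    report = {}
    for ip, rows in by_ip.items():
        rows.sort()
        times = [r[0] for r in rows]
        # Largest number of attempts inside any sliding window.
        peak, start = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        users = {r[1] for r in rows}
        report[ip] = {
            "attempts": len(rows),
            "peak_in_window": peak,
            "distinct_users": len(users),
            "root_attempts": sum(1 for r in rows if r[1] == "root"),
            "invalid_users": sum(1 for r in rows if r[2]),
            "flag": peak >= attempt_threshold or len(users) >= user_threshold,
        }
    return report


if __name__ == "__main__":
    for ip, stats in summarize(parse_failed_logins(SAMPLE_LOG)).items():
        mark = "GUESSING" if stats["flag"] else "ok"
        print(f"{ip:16} {mark:9} attempts={stats['attempts']} "
              f"peak/10min={stats['peak_in_window']} users={stats['distinct_users']} "
              f"root={stats['root_attempts']} nonexistent={stats['invalid_users']}")
```

Run against the real file (`/var/log/secure` on SME Server) it turns a wall of identical lines into one row per attacker. The two useful signals are the ones David points at: a flood of root attempts, which strong passwords defeat, and a long list of usernames that do not exist on the box, which tells you the attacker is working from a dictionary rather than knowing anything about your users. Flagged addresses are what you would feed to a firewall block list; the script only reports.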

Caa

phishing - and not even knowing where to look to help myself
« Reply #12 on: January 06, 2005, 06:33:18 PM »
Thank you very much for your advice.
Best Regards

Offline dilligaf

phishing - and not even knowing where to look to help myself
« Reply #13 on: January 07, 2005, 07:41:38 PM »
Quote from: "RonM"
Hi Dan - how's it going? Has this thing disappeared back into the ether? If you ever hear an explanation of what happened, I'd be curious :-)

Ron

Hello,
I have not reformatted my server.
My server had "virtual domains".
So what I did rather than reformat my server was this:
I kept pumping in the URL that was the scam that resolved back to my site.
When I moved this one particular virtual domain to a temp folder, the scam phishing site could not resolve.
I have not dug any further into this.
But it is a Bu$$er.
dan