GoFuckYourself.com - Adult Webmaster Forum

funkmaster 02-18-2004 04:47 AM

Brute Password Hack
 
... guess that's how it looks like?

213.67.45.221 - [18/Feb/2004:02:45:19 +0000] "GET XXX.XXX.XXX.XXX/nothing.txt" 200 200 http://XXX.XXX.XXX.XXX/cgi-bin/pennywize/pennyw.cgi [Mozilla/4.0%20(compatible;%20MSIE%206.0;%20Windows%20NT%20 5.1)]
213.67.45.221 - [18/Feb/2004:02:45:19 +0000] "GET XXX.XXX.XXX.XXX/nothing.txt" 200 200 http://XXX.XXX.XXX.XXX/cgi-bin/r_manage.cgi [Mozilla/4.0%20(compatible;%20MSIE%206.0;%20Windows%20NT%20 5.1)]
213.67.45.221 - [18/Feb/2004:02:45:19 +0000] "GET XXX.XXX.XXX.XXX/nothing.txt" 200 200 http://XXX.XXX.XXX.XXX/cgi/add-passwd.cgi [Mozilla/4.0%20(compatible;%20MSIE%206.0;%20Windows%20NT%20 5.1)]
213.67.45.221 - [18/Feb/2004:02:45:19 +0000] "GET XXX.XXX.XXX.XXX/nothing.txt" 200 200 http://XXX.XXX.XXX.XXX/cgibin//add-passwd.cgi [Mozilla/4.0%20(compatible;%20MSIE%206.0;%20Windows%20NT%20 5.1)]
213.67.45.221 - [18/Feb/2004:02:45:19 +0000] "GET XXX.XXX.XXX.XXX/nothing.txt" 200 200 http://XXX.XXX.XXX.XXX/cgibin/recon.cgi [Mozilla/4.0%20(compatible;%20MSIE%206.0;%20Windows%20NT%20 5.1)]
213.67.45.221 - [18/Feb/2004:02:45:19 +0000] "GET XXX.XXX.XXX.XXX/nothing.txt" 200 200 http://XXX.XXX.XXX.XXX/epoch/add-passwd.cgi [Mozilla/4.0%20(compatible;%20MSIE%206.0;%20Windows%20NT%20 5.1)]
213.67.45.221 - [18/Feb/2004:02:45:19 +0000] "GET XXX.XXX.XXX.XXX/template.html" 200 3986 http://XXX.XXX.XXX.XXX/data/verotellog.txt [Mozilla/4.0%20(compatible;%20MSIE%206.0;%20Windows%20NT%20 5.1)]
213.67.45.221 - [18/Feb/2004:02:45:19 +0000] "GET XXX.XXX.XXX.XXX/template.html" 200 3819 http://XXX.XXX.XXX.XXX/epwd/.passwd [Mozilla/4.0%20(compatible;%20MSIE%206.0;%20Windows%20NT%20 5.1)]
213.67.45.221 - [18/Feb/2004:02:45:19 +0000] "GET XXX.XXX.XXX.XXX/template.html" 200 3407 http://XXX.XXX.XXX.XXX/ibill/.passwd [Mozilla/4.0%20(compatible;%20MSIE%206.0;%20Windows%20NT%20 5.1)]
213.67.45.221 - [18/Feb/2004:02:45:19 +0000] "GET XXX.XXX.XXX.XXX/nothing.txt" 200 200 http://XXX.XXX.XXX.XXX/nbmember.cgi [Mozilla/4.0%20(compatible;%20MSIE%206.0;%20Windows%20NT%20 5.1)]
213.67.45.221 - [18/Feb/2004:02:45:20 +0000] "GET XXX.XXX.XXX.XXX/nothing.txt" 200 200 http://XXX.XXX.XXX.XXX/cgi-bin/glocation.cgi [Mozilla/4.0%20(compatible;%20MSIE%206.0;%20Windows%20NT%20 5.1)]
213.67.45.221 - [18/Feb/2004:02:45:20 +0000] "GET XXX.XXX.XXX.XXX/template.html" 200 3570 http://XXX.XXX.XXX.XXX//.passwd [Mozilla/4.0%20(compatible;%20MSIE%206.0;%20Windows%20NT%20 5.1)]
213.67.45.221 - [18/Feb/2004:02:45:20 +0000] "GET XXX.XXX.XXX.XXX/nothing.txt" 200 200 http://XXX.XXX.XXX.XXX/cgi-bin/pennywize/penny.pl.bak [Mozilla/4.0%20(compatible;%20MSIE%206.0;%20Windows%20NT%20 5.1)]
213.67.45.221 - [18/Feb/2004:02:45:20 +0000] "GET XXX.XXX.XXX.XXX/template.html" 200 3644 http://XXX.XXX.XXX.XXX/passwd/.htpasswd [Mozilla/4.0%20(compatible;%20MSIE%206.0;%20Windows%20NT%20 5.1)]


... and that's what stops it:

/sbin/route add -host 213.67.45.221 127.0.0.1


... and that's who it is:

TeliaSonera AB (TELIA2-DOM)
Marbackegatan 11
Farsta, - s-123 86
SE

Domain Name: TELIA.COM

Administrative Contact:
TeliaSonera AB (LOLVXQTUPO) [email protected]
Box 10066
Stockholm, - s-121 27
SE
+46 8 456 81 28 fax: +46 8 456 89 85

Technical Contact:
TeliaSonera AB (VOACPYJEEO) [email protected]
Box 10707
Stockholm, - s-121 29
SE
+46 8 456 89 30 fax: +46 8 456 89 35

Record expires on 18-Aug-2011.
Record created on 19-Aug-1995.
Database last updated on 18-Feb-2004 06:48:16 EST.

Domain servers in listed order:

DNS1.TELIA.COM 194.22.190.10
DNS2.TELIA.COM 194.22.194.14
NS.TELIA.SE 131.115.15.7
NS2.CW.NET 204.70.57.242

marttali 02-18-2004 06:05 AM

Anon proxy ?
I doubt anybody from such a corp hacks.

LasseKongos 02-18-2004 06:25 AM

Telia is the biggest phone company in Sweden and I don't think they hack your sites!

goBigtime 02-18-2004 06:25 AM

Take that ip and plug it into your browser under http proxy.... try using it as ports 80 8080 3128 65506 6588 28998 and hitting google or something...

There are more ports that people use.. but those are the common ones.

If google comes up, it's an open proxy.


Heh.. don't leave your box running like that though.. any site you hit the information you submit will now go through that proxy first.

funkmaster 02-18-2004 06:31 AM

Quote:

Originally posted by LasseKongos
Telia is the biggest phone company in Sweden and I don't think they hack your sites!

... man, TELIA is registered to that IP, I didn't mean they were trying to hack the site. my bad ...

... do yourself a favour and block it from accessing your sites, that's why I posted it here.

raymor 02-18-2004 09:03 AM

Telia provides dialup service, don't they?
So it could very well be a Telia customer attacking.
The attacker was trying to find your password add
script from your processor so they could add their
own usernames and passwords.
Had it been a brute force attack, Strongbox would have
emailed you and told you all about it.
What's that, you don't have Strongbox?
Well then I guess you wouldn't have known about it
unless you just happened to look at your logs :winkwink:

scooby doo as scooby does 02-18-2004 09:57 AM

That's not a brute force attack, that's just a hack attempt. Either to add username/passwords as the guy above said, or possibly to try and gain root access thru an exploit. Some of those older programs had gaping security holes.

I get scans like that about a hundred times a day, usually quite short as they swing round loadsa different servers. They are no big deal, just make sure you're running up-to-date software of everything and you're usually safe. They only become a danger if the guy really wants to spend time to break your box, in which case all the 'strongboxes' in the world won't help you. Only a security admin will, and even then there's a risk. Backup servers rule :)

Incidentally, I would report the attempt to whoever owns the IP. I did it once to someone attempting from a telewest router. Must have been an engineer I guess. Sent them the logs, times and that the guy was trying to hack an 'adult entertainment site'. They investigated and told me indirectly that the guy had been terminated. Well worth doing. It's one time when being an adult webmaster is a good thing, I'm sure it was just that he was trying to access porn on the job that got them going :)
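
Added example, not part of any post in this thread: a small log classifier that separates the kind of scan shown in the first post (one client requesting many different password-file and password-add-script paths within seconds) from an actual brute-force pattern (repeated 401 responses on one path). The sample lines are constructed, and treating the URL field after the byte count as the probed path, the 10-second window, and the threshold of 3 are all assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Layout assumed from the lines posted above:
#   ip - [time] "GET x" status bytes url [agent]
LINE = re.compile(r'^(\S+) - \[([^\]]+)\] "GET \S+" (\d{3}) \d+ (\S+) \[')
SENSITIVE = re.compile(r'(\.htpasswd|\.passwd|add-passwd\.cgi|\.bak)$')

# Constructed sample (documentation IPs and host), not taken from the thread.
SAMPLE = """\
203.0.113.7 - [18/Feb/2004:02:45:19 +0000] "GET www.example.test/nothing.txt" 200 200 http://www.example.test/cgi/add-passwd.cgi [UA]
203.0.113.7 - [18/Feb/2004:02:45:19 +0000] "GET www.example.test/nothing.txt" 200 200 http://www.example.test/epoch/add-passwd.cgi [UA]
203.0.113.7 - [18/Feb/2004:02:45:20 +0000] "GET www.example.test/template.html" 200 3644 http://www.example.test/passwd/.htpasswd [UA]
203.0.113.7 - [18/Feb/2004:02:45:20 +0000] "GET www.example.test/template.html" 200 3407 http://www.example.test/ibill/.passwd [UA]
203.0.113.20 - [18/Feb/2004:02:50:01 +0000] "GET www.example.test/members/" 401 0 http://www.example.test/members/ [UA]
203.0.113.20 - [18/Feb/2004:02:50:02 +0000] "GET www.example.test/members/" 401 0 http://www.example.test/members/ [UA]
203.0.113.20 - [18/Feb/2004:02:50:03 +0000] "GET www.example.test/members/" 401 0 http://www.example.test/members/ [UA]
203.0.113.99 - [18/Feb/2004:03:00:00 +0000] "GET www.example.test/index.html" 200 5120 http://www.example.test/index.html [UA]
"""

def parse(text):
    """Yield (ip, time, status, path) for every line that fits the layout."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ip, ts, status, url = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            yield ip, when, int(status), urlparse(url).path

def classify(text, window=timedelta(seconds=10), threshold=3):
    """Label each client by what it did in the window after its first hit."""
    by_ip = defaultdict(list)
    for ip, when, status, path in parse(text):
        by_ip[ip].append((when, status, path))
    verdicts = {}
    for ip, hits in by_ip.items():
        hits.sort()
        burst = [h for h in hits if h[0] - hits[0][0] <= window]
        probes = {p for _, _, p in burst if SENSITIVE.search(p)}   # distinct paths
        denied = Counter(p for _, s, p in burst if s == 401)       # repeats per path
        if len(probes) >= threshold:
            verdicts[ip] = "path-scan"
        elif max(denied.values(), default=0) >= threshold:
            verdicts[ip] = "brute-force"
        else:
            verdicts[ip] = "normal"
    return verdicts
```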
