From: <li...@la...> - 2016-07-22 06:32:29

I decided to dig into this block given the odd name of the domain. Now, if I am reading this correctly, the getaddrinfo is part of sshd, not sshguard. The IP 188.166.242.102 comes back to Digital Ocean, a VPS company. Where did poke.diarbag.us come from?

Jul 21 14:07:16 theranch sshd[73068]: Did not receive identification string from 188.166.242.102
Jul 21 14:13:07 theranch sshd[73095]: reverse mapping checking getaddrinfo for poke.diarbag.us [188.166.242.102] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 21 14:13:07 theranch sshd[73095]: Invalid user vagrant from 188.166.242.102
Jul 21 14:13:07 theranch sshd[73095]: input_userauth_request: invalid user vagrant [preauth]
Jul 21 14:13:08 theranch sshd[73095]: Received disconnect from 188.166.242.102: 11: Bye Bye [preauth]
Jul 21 14:13:08 theranch sshguard[809]: blacklist: added 188.166.242.102
From: <li...@la...> - 2016-07-22 07:07:34

On Fri, 22 Jul 2016 08:51:03 +0200 Willem Jan Withagen <wj...@di...> wrote:

> On 22-7-2016 08:32, li...@la... wrote:
> > I decided to dig into this block given the odd name of the domain.
> > Now if I am reading this correctly, the getaddrinfo is part of
> > sshd, not sshguard. The IP 188.166.242.102 comes back to Digital
> > Ocean, a VPS company. Where did poke.diarbag.us come from?
> >
> > Jul 21 14:07:16 theranch sshd[73068]: Did not receive identification string from 188.166.242.102
> > Jul 21 14:13:07 theranch sshd[73095]: reverse mapping checking getaddrinfo for poke.diarbag.us [188.166.242.102] failed - POSSIBLE BREAK-IN ATTEMPT!
> > Jul 21 14:13:07 theranch sshd[73095]: Invalid user vagrant from 188.166.242.102
> > Jul 21 14:13:07 theranch sshd[73095]: input_userauth_request: invalid user vagrant [preauth]
> > Jul 21 14:13:08 theranch sshd[73095]: Received disconnect from 188.166.242.102: 11: Bye Bye [preauth]
> > Jul 21 14:13:08 theranch sshguard[809]: blacklist: added 188.166.242.102
>
> How about:
> # host 188.166.242.102
> 102.242.166.188.in-addr.arpa domain name pointer poke.diarbag.us.
>
> --WjW

I see, but http://www.ip2location.com/188.166.242.102 leads to Digital Ocean.

So on Cloudflare, where diarbag.us has its DNS, they set up poke.diarbag.us to go to Digital Ocean? Does ip2location have some secret sauce? Does it pierce the reverse proxy of Cloudflare?

Doing a whois, the owner's name is Diar Bagus, so the domain name is, well, clever. I don't think anyone knocks on port 22 using their real name, so maybe the server is hacked.
From: Willem J. W. <wj...@di...> - 2016-07-22 07:39:19

On 22-7-2016 09:07, li...@la... wrote:
> On Fri, 22 Jul 2016 08:51:03 +0200
> Willem Jan Withagen <wj...@di...> wrote:
>
>> On 22-7-2016 08:32, li...@la... wrote:
>>> I decided to dig into this block given the odd name of the domain.
>>> Now if I am reading this correctly, the getaddrinfo is part of
>>> sshd, not sshguard. The IP 188.166.242.102 comes back to Digital
>>> Ocean, a VPS company. Where did poke.diarbag.us come from?
>>>
>>> Jul 21 14:07:16 theranch sshd[73068]: Did not receive identification string from 188.166.242.102
>>> Jul 21 14:13:07 theranch sshd[73095]: reverse mapping checking getaddrinfo for poke.diarbag.us [188.166.242.102] failed - POSSIBLE BREAK-IN ATTEMPT!
>>> Jul 21 14:13:07 theranch sshd[73095]: Invalid user vagrant from 188.166.242.102
>>> Jul 21 14:13:07 theranch sshd[73095]: input_userauth_request: invalid user vagrant [preauth]
>>> Jul 21 14:13:08 theranch sshd[73095]: Received disconnect from 188.166.242.102: 11: Bye Bye [preauth]
>>> Jul 21 14:13:08 theranch sshguard[809]: blacklist: added 188.166.242.102
>>
>> How about:
>> # host 188.166.242.102
>> 102.242.166.188.in-addr.arpa domain name pointer poke.diarbag.us.
>>
>> --WjW
>>
>
> I see, but
> http://www.ip2location.com/188.166.242.102
> leads to Digital Ocean.
>
> So on cloudflare, where diarbag.us has its DNS, they set up
> poke.diarbag.us to go to Digital Ocean? Does ip2location have some
> secret sauce? Does it pierce the reverse proxy of Cloudflare?
>
> Doing a whois, the owners name is Diar Bagus, so the domain name is,
> well, clever. I don't think anyone knocks on port 22 using their
> real name, so maybe the server is hacked.

Different questions, different tools, different answers :)

Host gives you DNS.
whois gives you the owner of the IP number.
Which can be different, as you found out.

--WjW

# whois 188.166.242.102
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

refer:        whois.ripe.net

inetnum:      188.0.0.0 - 188.255.255.255
organisation: Administered by RIPE NCC
status:       LEGACY

whois:        whois.ripe.net

changed:      1993-05
source:       IANA

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '188.166.0.0 - 188.166.255.255'

% Abuse contact for '188.166.0.0 - 188.166.255.255' is 'ab...@di...'

inetnum:        188.166.0.0 - 188.166.255.255
netname:        EU-DIGITALOCEAN-20090605
country:        NL
org:            ORG-DOI2-RIPE
admin-c:        PT7353-RIPE
tech-c:         PT7353-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      digitalocean
mnt-routes:     digitalocean
mnt-domains:    digitalocean
created:        2014-11-17T16:36:42Z
last-modified:  2016-04-14T09:45:15Z
source:         RIPE # Filtered

organisation:   ORG-DOI2-RIPE
org-name:       Digital Ocean, Inc.
org-type:       LIR
address:        101 Ave of the Americas 10th Floor
address:        New York
address:        10013
address:        UNITED STATES
phone:          +1 888 890 6714
mnt-ref:        digitalocean
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
abuse-mailbox:  ab...@di...
abuse-c:        AD10778-RIPE
created:        2012-11-29T14:59:01Z
last-modified:  2015-11-19T16:11:55Z
source:         RIPE # Filtered

person:         Network Operations
address:        101 Ave of the Americas, 10th Floor, New York, NY 10013
phone:          +13478756044
nic-hdl:        PT7353-RIPE
mnt-by:         digitalocean
created:        2015-03-11T16:37:07Z
last-modified:  2015-11-19T15:57:21Z
source:         RIPE # Filtered
org:            ORG-DOI2-RIPE

% This query was served by the RIPE Database Query Service version 1.87.4 (DB-1)
From: Georg L. <jor...@ma...> - 2016-07-22 14:22:21

On 22/07/16 00:32, li...@la... wrote:
> I decided to dig into this block given the odd name of the domain. Now
> if I am reading this correctly, the getaddrinfo is part of sshd, not
> sshguard. The IP 188.166.242.102 comes back to Digital Ocean, a VPS
> company. Where did poke.diarbag.us come from?
>
> Jul 21 14:07:16 theranch sshd[73068]: Did not receive identification string from 188.166.242.102
> Jul 21 14:13:07 theranch sshd[73095]: reverse mapping checking getaddrinfo for poke.diarbag.us [188.166.242.102] failed - POSSIBLE BREAK-IN ATTEMPT!
> Jul 21 14:13:07 theranch sshd[73095]: Invalid user vagrant from 188.166.242.102
> Jul 21 14:13:07 theranch sshd[73095]: input_userauth_request: invalid user vagrant [preauth]
> Jul 21 14:13:08 theranch sshd[73095]: Received disconnect from 188.166.242.102: 11: Bye Bye [preauth]
> Jul 21 14:13:08 theranch sshguard[809]: blacklist: added 188.166.242.102

Hi:

Reverse mapping does the following:

1. Get the DNS hostname of the IP address which is connecting to you.
2. From the DNS hostname get - via DNS again - the IP address.
3. Compare if it is the same; if not: POSSIBLE BREAK-IN ATTEMPT!

You can emulate this on the command line. I'll show it with nslookup, which is available on Linux (Unix) and Windows systems:

- - -
jorge@pwx:~$ nslookup
> 188.166.242.102
Server:         192.168.173.1
Address:        192.168.173.1#53

Non-authoritative answer:
102.242.166.188.in-addr.arpa    name = poke.diarbag.us.

Authoritative answers can be found from:
242.166.188.in-addr.arpa        nameserver = ns2.digitalocean.com.
242.166.188.in-addr.arpa        nameserver = ns3.digitalocean.com.
242.166.188.in-addr.arpa        nameserver = ns1.digitalocean.com.
ns2.digitalocean.com    internet address = 173.245.59.41
ns2.digitalocean.com    has AAAA address 2400:cb00:2049:1::adf5:3b29
ns3.digitalocean.com    internet address = 198.41.222.173
ns3.digitalocean.com    has AAAA address 2400:cb00:2049:1::c629:dead
ns1.digitalocean.com    internet address = 173.245.58.51
ns1.digitalocean.com    has AAAA address 2400:cb00:2049:1::adf5:3a33
> poke.diarbag.us
Server:         192.168.173.1
Address:        192.168.173.1#53

Non-authoritative answer:
*** Can't find poke.diarbag.us: No answer
>
- - -

The result is that there isn't even a DNS entry for poke.diarbag.us. The owner of the attacker's IP address has not set up his/her DNS records correctly.

The attack could still come from a different host on the Internet, spoofing to be 188.166.242.102.

Poor Diar Bagus most probably has nothing to do with the attack. Complaints should go to DigitalOcean; they should know to whom they lend the attacker's IP address.

Best Regards,

Georg Lehner
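The three-step check Georg describes, together with the sshd lines that produce it, as an added example in Python (not code from the thread, from sshd or from sshguard): it parses the quoted log lines to find which source IPs sshd flagged, then re-runs the PTR-then-forward comparison against a constructed DNS table so it works offline. `TableResolver`, `SystemResolver`, `triage` and the RFC 5737 documentation addresses are assumptions of this example; only the 188.166.242.102 / poke.diarbag.us pair reflects what the thread observed. Note the two halves of the check are answered by different parties: the PTR comes from the reverse zone of the IP's owner (the nslookup transcript shows DigitalOcean's nameservers for it), the forward record from whoever runs the domain, so a mismatch by itself says nothing about who is behind the connection.

```python
import re
import socket
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the sshd/sshguard lines quoted in the thread.
SAMPLE_LOG = """\
Jul 21 14:07:16 theranch sshd[73068]: Did not receive identification string from 188.166.242.102
Jul 21 14:13:07 theranch sshd[73095]: reverse mapping checking getaddrinfo for poke.diarbag.us [188.166.242.102] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 21 14:13:07 theranch sshd[73095]: Invalid user vagrant from 188.166.242.102
Jul 21 14:13:07 theranch sshd[73095]: input_userauth_request: invalid user vagrant [preauth]
Jul 21 14:13:08 theranch sshd[73095]: Received disconnect from 188.166.242.102: 11: Bye Bye [preauth]
Jul 21 14:13:08 theranch sshguard[809]: blacklist: added 188.166.242.102
"""

# Both messages are emitted by sshd; sshguard only consumes them.
REVMAP_RE = re.compile(r"reverse mapping checking getaddrinfo for (\S+) \[([0-9a-fA-F.:]+)\] failed")
INVALID_USER_RE = re.compile(r"Invalid user (\S+) from ([0-9a-fA-F.:]+)")


def parse_sshd_log(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Per source IP, collect the hostname sshd flagged in a reverse-mapping
    failure and the invalid usernames tried from that IP."""
    findings: Dict[str, Dict[str, List[str]]] = {}
    empty = lambda: {"revmap_hosts": [], "invalid_users": []}
    for line in text.splitlines():
        m = REVMAP_RE.search(line)
        if m:
            host, ip = m.groups()
            findings.setdefault(ip, empty())["revmap_hosts"].append(host)
        m = INVALID_USER_RE.search(line)
        if m:
            user, ip = m.groups()
            findings.setdefault(ip, empty())["invalid_users"].append(user)
    return findings


class TableResolver:
    """Offline stand-in for DNS, built from constructed PTR and A tables
    (hypothetical helper so the example runs without network access)."""

    def __init__(self, ptr: Dict[str, str], a: Dict[str, List[str]]):
        self.ptr_table = ptr
        self.a_table = a

    def ptr(self, ip: str) -> Optional[str]:
        return self.ptr_table.get(ip)

    def forward(self, host: str) -> List[str]:
        return self.a_table.get(host, [])


class SystemResolver:
    """Same interface backed by the system resolver; sshd itself goes through
    getaddrinfo for the forward half.  Not exercised offline."""

    def ptr(self, ip: str) -> Optional[str]:
        try:
            return socket.gethostbyaddr(ip)[0]
        except OSError:  # socket.herror / gaierror derive from OSError
            return None

    def forward(self, host: str) -> List[str]:
        try:
            return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
        except OSError:
            return []


def reverse_mapping_check(ip: str, resolver) -> Tuple[str, Optional[str]]:
    """Georg's three steps: PTR lookup, forward lookup of that name, compare.
    'mismatch' is the outcome sshd logs as POSSIBLE BREAK-IN ATTEMPT; a missing
    PTR is a different case and is reported separately."""
    host = resolver.ptr(ip)
    if host is None:
        return ("no-ptr", None)
    if ip in resolver.forward(host):
        return ("ok", host)
    return ("mismatch", host)


def triage(log_text: str, resolver) -> Dict[str, Tuple[str, Optional[str]]]:
    """Re-run the check for every IP that sshd complained about in the log."""
    return {ip: reverse_mapping_check(ip, resolver) for ip in parse_sshd_log(log_text)}


# Constructed DNS data.  The first PTR and the absent A record mirror what the
# nslookup transcript shows; the 192.0.2.x entries are invented for contrast.
CONSTRUCTED_RESOLVER = TableResolver(
    ptr={"188.166.242.102": "poke.diarbag.us", "192.0.2.10": "mail.example.net"},
    a={"mail.example.net": ["192.0.2.10"]},
)

if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_LOG, CONSTRUCTED_RESOLVER).items():
        print(ip, verdict)
    # Swap in SystemResolver() to run the same check against live DNS.
```

Running it against the constructed table reports 188.166.242.102 as a mismatch with PTR poke.diarbag.us, which is exactly the condition behind the logged warning; the verdict depends only on the two DNS answers, not on who operates the host or where the packets really originated.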