Saturday, September 20, 2008

Weird IP address on Bad-Guy probe into Foundations server

I noticed this morning that a customer's Foundations server is being probed by the bad guys and Foundations is duly reporting the event in the log.

02:01:33 PM Authentication Server Error Authentication failed for Administrator@210.154. 16.12 (ftp)
02:01:41 PM Authentication Connection Warning Command 'auth' failed (user='Administrator').
02:01:44 PM Authentication Server Error Authentication failed for Administrator@210.154. 16.12 (ftp)
02:01:52 PM Authentication Connection Warning Command 'auth' failed (user='Administrator').

DNSStuff.com told me the address was owned by TOCKA-COM, which is a Russian-language website with some (ahem) interesting pictures on its front page.

Nothing newsworthy in that. I'm sure that everyone's server gets pinged on a daily basis by Bad Guys looking for a place to load some naughty code. What I did find interesting was the formatting of the IP address. Note the space before the 16 in 210.154. 16.12.

I'm not into hacker stuff generally but I was intrigued by this one. Does anyone know how you get an IP address to include a space character?
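As an added example (not code from this post or from the Foundations/LFS product), here is a small Python triage script for log lines like the ones above: it strips the whitespace from the padded octet before validating the address, so that a formatting quirk in the log does not produce a bogus entry in a blocklist, and then counts repeated failures per user, source and service. It assumes the space is log formatting noise rather than part of the address; the sample lines are constructed.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample modelled on the Foundations/LFS log lines in the post
# (not real log data): note the space-padded octet in "210.154. 16.12".
SAMPLE_LOG = """\
02:01:33 PM Authentication Server Error Authentication failed for Administrator@210.154. 16.12 (ftp)
02:01:41 PM Authentication Connection Warning Command 'auth' failed (user='Administrator').
02:01:44 PM Authentication Server Error Authentication failed for Administrator@210.154. 16.12 (ftp)
02:01:52 PM Authentication Connection Warning Command 'auth' failed (user='Administrator').
02:02:10 PM Authentication Server Error Authentication failed for backup@192.0.2.44 (ssh)
"""

# Matches the "Authentication failed for USER@ADDR (SERVICE)" lines. The address
# group deliberately allows spaces so padded octets are captured, then cleaned.
FAILED_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2} [AP]M) .*Authentication failed for "
    r"(?P<user>[^@\s]+)@(?P<addr>[\d. ]+?) \((?P<service>\w+)\)$"
)

def normalize_ip(raw):
    """Strip whitespace from a padded address; return the canonical IPv4 string
    or None if what remains is still not a valid address."""
    cleaned = "".join(raw.split())
    try:
        return str(ipaddress.IPv4Address(cleaned))
    except ipaddress.AddressValueError:
        return None

def parse_failures(text):
    """Yield (time, user, ip, service) for each parsable failed-auth line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # the 'auth' Connection Warning lines carry no address
        ip = normalize_ip(m.group("addr"))
        if ip is None:
            continue  # never let unparsable text reach a blocklist
        yield m.group("time"), m.group("user"), ip, m.group("service")

def count_failures(text):
    """Count failed logins per (user, ip, service) so repeat sources stand out."""
    return Counter((u, ip, svc) for _, u, ip, svc in parse_failures(text))

def repeat_offenders(text, threshold=2):
    """Return the sources that reached the threshold, for alerting or blocking."""
    return {k: n for k, n in count_failures(text).items() if n >= threshold}
```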

3 comments:

Michael said...

Hmmm ... Funny you mention this because I started getting the same thing on my LFS starting yesterday. Looking up the IP, it's coming from China and they are trying to get in via ftp. Same thing with the space as well, but I think that is actually a LFS bug.

Joe Nitix said...

FTP tends to be the thing that gets brute forced the most. It's generally the easiest to attempt authentications against, as many servers have FTP enabled, and not all will have telnet, ssh, rsync, etc.

You should probably shut the external FTP off just as a general security practice, and turn it on when you need it. If you want to leave it on, just make sure everyone with FTP access has a strong password.

Michael said...

Joe - once I saw the continuing attempts I did shut it off as a precaution. One thing I find interesting is LFS turns on ssh by default. My guess is this should probably be shut off from the outside until needed as well.