83.222.190.50 from Sopot, Bulgaria using braindead hacking software
Randolf Richardson 張文道
2024-08-29 05:46:07 UTC
I'm seeing a lot of hacking attempts from 83.222.190.50 at
a rate of 30 to 200 per second, always using one password
repeatedly on multiple attempts of the same accounts, which
are almost always role accounts (e.g., support@ abuse@ @noc
daemon@ postmaster@ root@), with an occasional non-role
account being attempted (also with the same password).

The only password they're trying to use, and repeatedly
failing with, is: aq!@#

I'm including this above so that it can be included in any
lists of insecure passwords to prevent any accounts that
are permitted to use short passwords from getting abused
by whatever braindead hacking software is being used.

I recommend permanently blocking this IP address, which I
suspect may be running some braindead hacking software.

WHOIS output for 83.222.190.50...

--
Randolf Richardson 張文道, CNA - ***@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Beautiful British Columbia, Canada
https://www.inter-corporate.com/
Edward McGuire
2024-08-29 18:06:54 UTC
I'm seeing a lot of hacking attempts from 83.222.190.50 [...] I recommend
permanently blocking this IP address
My mail server autoblocked this address 45 days ago. The log has recycled since
then so I can't say exactly what rule snagged it. Generally it's something like
"SASL authentication failed".
Randolf Richardson 張文道
2024-08-30 03:47:27 UTC
On Thu, 29 Aug 2024 18:06:54 -0000 (UTC)
Post by Edward McGuire
I'm seeing a lot of hacking attempts from 83.222.190.50 [...] I recommend
permanently blocking this IP address
My mail server autoblocked this address 45 days ago. The log has recycled since
They're probably focusing on one or a small number of target
mail servers at a time. I wonder if they have concerns about
resource limits or if they're just paranoid about attracting
too much attention.
Post by Edward McGuire
then so I can't say exactly what rule snagged it. Generally it's something like
"SASL authentication failed".
I'd say it's very likely as you suspect. That's what we saw.
--
Randolf Richardson 張文道, CNA - ***@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Beautiful British Columbia, Canada
https://www.inter-corporate.com/
Post To Usenet
2024-08-29 18:16:31 UTC
I don't know what OS your mail server is but try something like
fail2ban if it is a Linux based OS to automatically ban these
credits.

https://github.com/fail2ban/fail2ban

https://gist.github.com/pida42/58c8254475757394a055c85c9ed0ce8a

https://en.wikipedia.org/wiki/Fail2ban


It does great at parsing logs and banning login attempts like that
and is a really good Intrusion Detection System ("IDS").

Hope this helps.
Post by Randolf Richardson 張文道
I'm seeing a lot of hacking attempts from 83.222.190.50 at
a rate of 30 to 200 per second, always using one password
repeatedly on multiple attempts of the same accounts, which
account being attempted (also with the same password).
The only password they're trying to use, and repeatedly
I'm including this above so that it can be included in any
lists of insecure passwords to prevent any accounts that
are permitted to use short passwords from getting abused
by whatever braindead hacking software is being used.
I recommend permanently blocking this IP address, which I
suspect may be running some braindead hacking software.
<SNIP>
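A fail2ban-style check of the kind recommended above, as an added illustration that is neither fail2ban's own code nor code from any poster in the thread. It assumes Dovecot-like "auth failed" log lines (the sample log is constructed; only the source IP and the role accounts are taken from the thread) and reproduces fail2ban's maxretry/findtime counting per source IP, also reporting which accounts were targeted and the peak per-second failure rate.

```python
# Added illustration: fail2ban-style counting of failed logins per source IP
# over constructed Dovecot-like "auth failed" log lines (format is assumed).
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log; the IP and the role accounts come from the thread.
SAMPLE_LOG = """\
Aug 29 05:46:01 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 0 secs): user=<support>, method=PLAIN, rip=83.222.190.50, lip=192.0.2.10
Aug 29 05:46:01 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 0 secs): user=<abuse>, method=PLAIN, rip=83.222.190.50, lip=192.0.2.10
Aug 29 05:46:01 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 0 secs): user=<noc>, method=PLAIN, rip=83.222.190.50, lip=192.0.2.10
Aug 29 05:46:02 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 0 secs): user=<postmaster>, method=PLAIN, rip=83.222.190.50, lip=192.0.2.10
Aug 29 05:46:02 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 0 secs): user=<root>, method=PLAIN, rip=83.222.190.50, lip=192.0.2.10
Aug 29 05:46:02 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10
Aug 29 05:47:30 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10
"""
# Matches only failed-auth lines; successful "Login:" lines are ignored.
FAIL_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*auth failed.*user=<(?P<user>[^>]*)>.*rip=(?P<ip>[\d.]+)")

def parse_failures(log_text, year=2024):
    """Yield (timestamp, source_ip, username) for each failed login line."""
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def find_bans(log_text, maxretry=5, findtime=600):
    """Ban an IP once it has maxretry failures in any findtime-second window."""
    recent = defaultdict(deque)   # per-IP failure timestamps inside the window
    users = defaultdict(set)      # accounts each IP has tried
    banned = {}                   # {ip: sorted list of targeted accounts}
    for ts, ip, user in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()           # drop failures older than findtime
        if len(q) >= maxretry:
            banned[ip] = sorted(users[ip])
    return banned

def peak_rate(log_text, ip):
    """Highest number of failures from ip logged within any single second."""
    per_second = defaultdict(int)
    for ts, src, _ in parse_failures(log_text):
        if src == ip:
            per_second[ts] += 1
    return max(per_second.values(), default=0)
```

With the defaults, the single legitimate user who mistyped once is never banned, while the source spraying role accounts is caught within its first two seconds.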
Randolf Richardson 張文道
2024-08-30 03:44:18 UTC
On Thu, 29 Aug 2024 12:16:31 -0600
Post by Post To Usenet
I don't know what OS your mail server is but try something like
fail2ban if it is a Linux based OS to automatically ban these
credits.
I'm running Debian Linux, and I also recommend fail2ban.
Post by Post To Usenet
https://github.com/fail2ban/fail2ban
https://gist.github.com/pida42/58c8254475757394a055c85c9ed0ce8a
https://en.wikipedia.org/wiki/Fail2ban
It does great at parsing logs and banning login attempts like that
and is a really good Intrusion Detection System ("IDS").
Hope this helps.
Thank you. Your recommendation is a good one, although I'm not
asking for advice -- I already have intrusion detection (and
other aspects of security) taken care of. My posting about
this is as was common over ~15 years ago here in NANAE, in the
hopes that this information may be helpful to others as part of
community participation (plus some other reasons that need not
be mentioned).
Post by Post To Usenet
Post by Randolf Richardson 張文道
I'm seeing a lot of hacking attempts from 83.222.190.50 at
a rate of 30 to 200 per second, always using one password
repeatedly on multiple attempts of the same accounts, which
account being attempted (also with the same password).
The only password they're trying to use, and repeatedly
I'm including this above so that it can be included in any
lists of insecure passwords to prevent any accounts that
are permitted to use short passwords from getting abused
by whatever braindead hacking software is being used.
I recommend permanently blocking this IP address, which I
suspect may be running some braindead hacking software.
<SNIP>
--
Randolf Richardson 張文道, CNA - ***@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Beautiful British Columbia, Canada
https://www.inter-corporate.com/