Guess Microsoft is desperate?

Tracy Perry

Well-known member
Got a kick out of this in my auth.log on one of my servers
Has anybody else noticed anything like this recently?

Code:
Jul 23 07:34:18 draco sshd[28030]: Did not receive identification string from 137.116.113.75
Jul 23 07:34:19 draco sshd[28031]: Invalid user admin from 137.116.113.75
Jul 23 07:34:19 draco sshd[28031]: input_userauth_request: invalid user admin [preauth]
Jul 23 07:34:19 draco sshd[28031]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
Jul 23 07:34:20 draco sshd[28033]: Invalid user admin from 137.116.113.75
Jul 23 07:34:20 draco sshd[28033]: input_userauth_request: invalid user admin [preauth]
Jul 23 07:34:20 draco sshd[28033]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
Jul 23 07:34:20 draco sshd[28035]: Invalid user admin from 137.116.113.75
Jul 23 07:34:20 draco sshd[28035]: input_userauth_request: invalid user admin [preauth]
Jul 23 07:34:20 draco sshd[28035]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
Jul 23 07:34:58 draco sshd[28037]: Invalid user admin from 137.116.113.75
Jul 23 07:34:58 draco sshd[28037]: input_userauth_request: invalid user admin [preauth]
Jul 23 07:34:58 draco sshd[28037]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
Jul 23 07:35:04 draco sshd[28348]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
Jul 23 07:35:31 draco sshd[28911]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
Jul 23 07:35:35 draco sshd[28913]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
Jul 23 07:35:48 draco sshd[28915]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
Jul 23 07:36:42 draco sshd[28917]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
Jul 23 07:36:45 draco sshd[28919]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
Jul 23 07:38:06 draco sshd[28921]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
Jul 23 07:39:02 draco sshd[28923]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
Jul 23 07:39:50 draco sshd[28941]: Invalid user guest from 137.116.113.75
Jul 23 07:39:50 draco sshd[28941]: input_userauth_request: invalid user guest [preauth]
Jul 23 07:39:50 draco sshd[28941]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
Jul 23 07:40:02 draco sshd[29120]: Invalid user guest from 137.116.113.75
Jul 23 07:40:02 draco sshd[29120]: input_userauth_request: invalid user guest [preauth]
Jul 23 07:40:02 draco sshd[29120]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
Funny thing... that IP is registered to
NetRange: 137.116.0.0 - 137.116.255.255
CIDR: 137.116.0.0/16
OriginAS:
NetName: NTINET-NASH
NetHandle: NET-137-116-0-0-1
Parent: NET-137-0-0-0-0
NetType: Direct Assignment
RegDate: 2011-08-02
Updated: 2012-10-16
Ref: http://whois.arin.net/rest/net/NET-137-116-0-0-1
OrgName: Microsoft Corp
OrgId: MSFT-Z
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US
RegDate: 2011-06-22
Updated: 2013-04-12
Ref: http://whois.arin.net/rest/org/MSFT-Z
 

Tracy Perry

Well-known member
It gets even weirder. Just checked all 3 auth.logs on my separate servers - and they all reflect similar traffic at approximately the same time. Have shot off an email to abuse@hotmail.com to see what they say.
 

Biker

Well-known member
Got a kick out of this in my auth.log on one of my servers
Has anybody else noticed anything like this recently?
Looks to me someone's been surfing to places they shouldn't be and got a workstation infected with something.
 

EQnoble

Well-known member
Not for nothing...maybe about a year back I was getting some crazy traffic from redmond myself, mostly trying to login as system, admin or root.

If I can figure out what I did with the logs I will post them up for comparisons sake, I didn't do anything before because of a separate issue I had with MS which in my opinion was handled horribly and I figured reporting that would do nothing either way if it went anything like my phone calls with corporate and legal did.
 

Tracy Perry

Well-known member
Looks to me someone's been surfing to places they shouldn't be and got a workstation infected with something.
That's pretty much what I was thinking. Like I said, it hit every domain on twowheeldemon.com that is in the DNS, but never touched the one on my VPS (which is a different domain totally - my 3 main servers are kept in one domain, even though they actually serve different forum domains out.
 

EQnoble

Well-known member
I"m still working on the Amazon stuff right now. :whistle:
All current amazon ranges
Code:
72.44.32.0/19 (72.44.32.0 - 72.44.63.255)
67.202.0.0/18 (67.202.0.0 - 67.202.63.255)
75.101.128.0/17 (75.101.128.0 - 75.101.255.255)
174.129.0.0/16 (174.129.0.0 - 174.129.255.255)
204.236.192.0/18 (204.236.192.0 - 204.236.255.255)
184.73.0.0/16 (184.73.0.0 – 184.73.255.255)
184.72.128.0/17 (184.72.128.0 - 184.72.255.255)
184.72.64.0/18 (184.72.64.0 - 184.72.127.255)
50.16.0.0/15 (50.16.0.0 - 50.17.255.255)
50.19.0.0/16 (50.19.0.0 - 50.19.255.255)
107.20.0.0/14 (107.20.0.0 - 107.23.255.255)
23.20.0.0/14 (23.20.0.0 – 23.23.255.255)
54.242.0.0/15 (54.242.0.0 – 54.243.255.255)
54.234.0.0/15 (54.234.0.0 – 54.235.255.255)
54.236.0.0/15 (54.236.0.0 – 54.237.255.255)
54.224.0.0/15 (54.224.0.0 - 54.225.255.255)
54.226.0.0/15 (54.226.0.0 - 54.227.255.255)
54.208.0.0/15 (54.208.0.0 - 54.209.255.255)
54.210.0.0/15 (54.210.0.0 - 54.211.255.255)
54.221.0.0/16 (54.221.0.0 - 54.221.255.255)
50.112.0.0/16 (50.112.0.0 - 50.112.255.255)
54.245.0.0/16 (54.245.0.0 – 54.245.255.255)
54.244.0.0/16 (54.244.0.0 - 54.244.255.255)
54.214.0.0/16 (54.214.0.0 - 54.214.255.255)
54.212.0.0/15 (54.212.0.0 - 54.213.255.255)
54.218.0.0/16 (54.218.0.0 - 54.218.255.255)
204.236.128.0/18 (204.236.128.0 - 204.236.191.255)
184.72.0.0/18 (184.72.0.0 – 184.72.63.255)
50.18.0.0/16 (50.18.0.0 - 50.18.255.255)
184.169.128.0/17 (184.169.128.0 - 184.169.255.255)
54.241.0.0/16 (54.241.0.0 – 54.241.255.255)
54.215.0.0/16 (54.215.0.0 – 54.215.255.255)
54.219.0.0/16 (54.219.0.0 - 54.219.255.255)
79.125.0.0/17 (79.125.0.0 - 79.125.127.255)
46.51.128.0/18 (46.51.128.0 - 46.51.191.255)
46.51.192.0/20 (46.51.192.0 - 46.51.207.255)
46.137.0.0/17 (46.137.0.0 - 46.137.127.255)
46.137.128.0/18 (46.137.128.0 - 46.137.191.255)
176.34.128.0/17 (176.34.128.0 - 176.34.255.255)
176.34.64.0/18 (176.34.64.0 – 176.34.127.255)
54.247.0.0/16 (54.247.0.0 – 54.247.255.255)
54.246.0.0/16 (54.246.0.0 – 54.246.255.255)
54.228.0.0/16 (54.228.0.0 - 54.228.255.255)
54.216.0.0/15 (54.216.0.0 - 54.217.255.255)
54.229.0.0/16 (54.229.0.0 - 54.229.255.255)
54.220.0.0/16 (54.220.0.0 - 54.220.255.255)
175.41.128.0/18 (175.41.128.0 - 175.41.191.255)
122.248.192.0/18 (122.248.192.0 - 122.248.255.255)
46.137.192.0/18 (46.137.192.0 - 46.137.255.255)
46.51.216.0/21 (46.51.216.0 - 46.51.223.255)
54.251.0.0/16 (54.251.0.0 – 54.251.255.255)
54.254.0.0/16 (54.254.0.0 – 54.254.255.255)
54.255.0.0/16 (54.255.0.0 – 54.255.255.255)
54.252.0.0/16 (54.252.0.0 – 54.252.255.255)
54.253.0.0/16 (54.253.0.0 – 54.253.255.255)
175.41.192.0/18 (175.41.192.0 - 175.41.255.255)
46.51.224.0/19 (46.51.224.0 - 46.51.255.255)
176.32.64.0/19 (176.32.64.0 - 176.32.95.255)
103.4.8.0/21 (103.4.8.0 - 103.4.15.255)
176.34.0.0/18 (176.34.0.0 - 176.34.63.255)
54.248.0.0/15 (54.248.0.0 - 54.249.255.255)
54.250.0.0/16 (54.250.0.0 - 54.250.255.255)
54.238.0.0/16 (54.238.0.0 - 54.238.255.255)
177.71.128.0/17 (177.71.128.0 - 177.71.255.255)
54.232.0.0/16 (54.232.0.0 – 54.232.255.255)
54.233.0.0/18 (54.233.0.0 – 54.233.63.255)
96.127.0.0/18 (96.127.0.0 - 96.127.63.255)
 

EQnoble

Well-known member
Could be... was not aware that MickeySoft had gotten into the cloud club... don't pay much attention to them. :p
In any case, there is a permanent DROP in iptables for that IP.
Yep. That, too.

Why stop at the IP. Start tossing CIDRs in there. :D
All current Windows Azure ranges
Code:
65.52.128.0/19
213.199.128.0/20
168.63.0.0/19
168.63.96.0/19
137.116.192.0/149
137.117.128.0/17
168.61.56.0/21
65.52.64.0/20
65.52.224.0/19
168.63.92.0/22
168.63.32.0/19
94.245.88.0/21
94.245.104.0/21
168.63.64.0/20
168.63.80.0/20
168.61.96.0/19
137.116.224.0/20
168.62.32.0/19
157.56.176.0/21
168.62.160.0/19
168.61.32.0/20
168.61.48.0/21
137.117.64.0/18
137.135.64.0/18
138.91.96.0/19
137.116.112.0/20
168.62.192.0/20
168.62.208.0/21
168.61.0.0/20
168.61.64.0/20
137.117.0.0/19
137.135.0.0/18
137.116.184.0/21
138.91.64.0/19
65.52.112.0/20
168.63.89.0/24
157.56.160.0/21
168.62.0.0/19
65.52.0.0/19
65.52.0.0/20
65.52.16.0/20
65.52.192.0/19
65.52.48.0/20
157.55.24.0/21
157.55.64.0/20
157.55.160.0/20
157.55.136.0/21
157.55.208.0/20
157.56.8.0/21
157.55.252.0/22
168.62.96.0/19
157.55.248.0/22
168.62.224.0/19
157.55.176.10/22
157.55.183.223/27
157.55.184.10/22
157.55.191.223/27
157.55.192.10/24
157.55.193.223/27
157.55.194.10/24
157.55.195.223/27
157.55.196.10/23
157.55.200.10/23
157.55.80.10/23
157.55.83.223/27
157.55.84.10/23
157.55.87.223/27
65.52.32.10/22
65.52.39.224/28
70.37.160.10/22
70.37.167.224/28
70.37.118.0/24
70.37.119.138/28
70.37.119.170/28
70.37.48.10/22
70.37.55.224/28
70.37.56.10/22
70.37.63.224/28
70.37.116.0/24
111.221.96.0/20
168.63.160.0/19
111.221.80.0/20
168.63.224.0/19
137.116.128.0/19
65.52.160.0/19
111.221.78.0/23
168.63.128.0/19
168.63.192.0/19
137.116.160.0/20
 
Top