Guess Microsoft is desperate?

Discussion in 'Off Topic' started by Tracy Perry, Jul 24, 2013.

  1. Tracy Perry

    Tracy Perry Well-Known Member

    Got a kick out of this in my auth.log on one of my servers
    Has anybody else noticed anything like this recently?

    Code:
    Jul 23 07:34:18 draco sshd[28030]: Did not receive identification string from 137.116.113.75
    Jul 23 07:34:19 draco sshd[28031]: Invalid user admin from 137.116.113.75
    Jul 23 07:34:19 draco sshd[28031]: input_userauth_request: invalid user admin [preauth]
    Jul 23 07:34:19 draco sshd[28031]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
    Jul 23 07:34:20 draco sshd[28033]: Invalid user admin from 137.116.113.75
    Jul 23 07:34:20 draco sshd[28033]: input_userauth_request: invalid user admin [preauth]
    Jul 23 07:34:20 draco sshd[28033]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
    Jul 23 07:34:20 draco sshd[28035]: Invalid user admin from 137.116.113.75
    Jul 23 07:34:20 draco sshd[28035]: input_userauth_request: invalid user admin [preauth]
    Jul 23 07:34:20 draco sshd[28035]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
    Jul 23 07:34:58 draco sshd[28037]: Invalid user admin from 137.116.113.75
    Jul 23 07:34:58 draco sshd[28037]: input_userauth_request: invalid user admin [preauth]
    Jul 23 07:34:58 draco sshd[28037]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
    Jul 23 07:35:04 draco sshd[28348]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
    Jul 23 07:35:31 draco sshd[28911]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
    Jul 23 07:35:35 draco sshd[28913]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
    Jul 23 07:35:48 draco sshd[28915]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
    Jul 23 07:36:42 draco sshd[28917]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
    Jul 23 07:36:45 draco sshd[28919]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
    Jul 23 07:38:06 draco sshd[28921]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
    Jul 23 07:39:02 draco sshd[28923]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
    Jul 23 07:39:50 draco sshd[28941]: Invalid user guest from 137.116.113.75
    Jul 23 07:39:50 draco sshd[28941]: input_userauth_request: invalid user guest [preauth]
    Jul 23 07:39:50 draco sshd[28941]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
    Jul 23 07:40:02 draco sshd[29120]: Invalid user guest from 137.116.113.75
    Jul 23 07:40:02 draco sshd[29120]: input_userauth_request: invalid user guest [preauth]
    Jul 23 07:40:02 draco sshd[29120]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
    Funny thing... that IP is registered to
    NetRange: 137.116.0.0 - 137.116.255.255
    CIDR: 137.116.0.0/16
    OriginAS:
    NetName: NTINET-NASH
    NetHandle: NET-137-116-0-0-1
    Parent: NET-137-0-0-0-0
    NetType: Direct Assignment
    RegDate: 2011-08-02
    Updated: 2012-10-16
    Ref: http://whois.arin.net/rest/net/NET-137-116-0-0-1
    OrgName: Microsoft Corp
    OrgId: MSFT-Z
    Address: One Microsoft Way
    City: Redmond
    StateProv: WA
    PostalCode: 98052
    Country: US
    RegDate: 2011-06-22
    Updated: 2013-04-12
    Ref: http://whois.arin.net/rest/org/MSFT-Z
     
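As an added example (not code from the thread or from fail2ban), a small Python detector that applies fail2ban-style thresholding to sshd auth.log lines like the ones above and then checks the offending source against known CIDRs. The sample lines are constructed from the excerpt; the maxretry/findtime defaults are assumed; the 137.116.0.0/16 range is the ARIN allocation quoted above, while the narrower 137.116.112.0/20 "Windows Azure" entry is an assumed example of a more specific block.

```python
import re
import ipaddress
from datetime import datetime
# Constructed sample modelled on the thread's auth.log excerpt (syslog format, no year).
SAMPLE_LOG = """\
Jul 23 07:34:19 draco sshd[28031]: Invalid user admin from 137.116.113.75
Jul 23 07:34:20 draco sshd[28033]: Invalid user admin from 137.116.113.75
Jul 23 07:34:20 draco sshd[28035]: Invalid user admin from 137.116.113.75
Jul 23 07:34:58 draco sshd[28037]: Invalid user admin from 137.116.113.75
Jul 23 07:39:50 draco sshd[28941]: Invalid user guest from 137.116.113.75
Jul 23 07:40:02 draco sshd[29120]: Invalid user guest from 137.116.113.75
Jul 23 07:41:00 draco sshd[29200]: Invalid user admin from 203.0.113.9
"""
# Only "Invalid user" lines count as a failed attempt; the disconnect lines are noise.
INVALID_USER = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)")

def parse_failures(log_text, year=2013):
    """Return (timestamp, ip, user) per 'Invalid user' line; syslog omits the year, so supply it."""
    out = []
    for line in log_text.splitlines():
        m = INVALID_USER.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["ip"], m["user"]))
    return out

def offenders(failures, maxretry=6, findtime_s=600):
    """{ip: time of the tripping hit} for IPs with maxretry failures inside findtime_s (assumed fail2ban defaults)."""
    by_ip = {}
    for ts, ip, _ in failures:
        by_ip.setdefault(ip, []).append(ts)
    banned = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):   # sliding window of maxretry hits
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime_s:
                banned[ip] = times[i + maxretry - 1]
                break
    return banned

# The /16 is the ARIN record quoted in the thread; the /20 is an assumed, more specific Azure block.
KNOWN_RANGES = {"137.116.0.0/16": "Microsoft Corp (ARIN)", "137.116.112.0/20": "Windows Azure"}

def attribute(ip):
    """Owner of the most specific known range containing ip, or None if it is not a known range."""
    addr = ipaddress.ip_address(ip)
    nets = [(ipaddress.ip_network(c), owner) for c, owner in KNOWN_RANGES.items()]
    hits = [(n.prefixlen, owner) for n, owner in nets if addr in n]
    return max(hits)[1] if hits else None
```

With the defaults, the sixth failure at 07:40:02 trips the threshold, which matches the ban fail2ban logged at 07:40:03 later in this thread.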
  2. nehir

    nehir Member

    Install CSF!
     
  3. Tracy Perry

    Tracy Perry Well-Known Member

    Got fail2ban installed, and it works fine.
    2013-07-23 07:40:03,933 fail2ban.actions: WARNING [ssh] Ban 137.116.113.75
    2013-07-23 08:10:04,086 fail2ban.actions: WARNING [ssh] Unban 137.116.113.75
     
  4. Tracy Perry

    Tracy Perry Well-Known Member

    It gets even weirder. Just checked all 3 auth.logs on my separate servers - and they all reflect similar traffic at approximately the same time. Have shot off an email to abuse@hotmail.com to see what they say.
     
  5. DRE

    DRE Well-Known Member

    In layman's terms please?
     
    0xym0r0n likes this.
  6. SneakyDave

    SneakyDave Well-Known Member

    Bill Gates or Steve Ballmer is trying to hack into Tracy's server!
     
  7. Biker

    Biker Well-Known Member

    Looks to me someone's been surfing to places they shouldn't be and got a workstation infected with something.
     
  8. EQnoble

    EQnoble Well-Known Member

    Not for nothing...maybe about a year back I was getting some crazy traffic from redmond myself, mostly trying to login as system, admin or root.

    If I can figure out what I did with the logs I will post them up for comparison's sake. I didn't do anything before because of a separate issue I had with MS which in my opinion was handled horribly, and I figured reporting that would do nothing either way if it went anything like my phone calls with corporate and legal did.
     
  9. Tracy Perry

    Tracy Perry Well-Known Member

    That's pretty much what I was thinking. Like I said, it hit every domain on twowheeldemon.com that is in the DNS, but never touched the one on my VPS (which is a different domain totally - my 3 main servers are kept in one domain, even though they actually serve different forum domains out).
     
  10. erich37

    erich37 Well-Known Member

    looks more like Keith Alexander is trying to hack into Tracy's server....

    :D
     
  11. digitalpoint

    digitalpoint Well-Known Member

  12. Tracy Perry

    Tracy Perry Well-Known Member

    Could be... was not aware that MickeySoft had gotten into the cloud club... don't pay much attention to them. :p
    In any case, there is a permanent DROP in iptables for that IP.
     
  13. Biker

    Biker Well-Known Member

    Yep. That, too.

    Why stop at the IP. Start tossing CIDRs in there. :D
     
  14. Tracy Perry

    Tracy Perry Well-Known Member

    I'm still working on the Amazon stuff right now. :whistle:
     
  15. EQnoble

    EQnoble Well-Known Member

    All current amazon ranges
     
    Tracy Perry likes this.
  16. EQnoble

    EQnoble Well-Known Member

    All current Windows Azure ranges
     
    Tracy Perry likes this.