
Guess Microsoft is desperate?

Tracy Perry

Well-known member
#1
Got a kick out of this in my auth.log on one of my servers
Has anybody else noticed anything like this recently?

Code:
Jul 23 07:34:18 draco sshd[28030]: Did not receive identification string from 137.116.113.75
Jul 23 07:34:19 draco sshd[28031]: Invalid user admin from 137.116.113.75
Jul 23 07:34:19 draco sshd[28031]: input_userauth_request: invalid user admin [preauth]
Jul 23 07:34:19 draco sshd[28031]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
Jul 23 07:34:20 draco sshd[28033]: Invalid user admin from 137.116.113.75
Jul 23 07:34:20 draco sshd[28033]: input_userauth_request: invalid user admin [preauth]
Jul 23 07:34:20 draco sshd[28033]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
Jul 23 07:34:20 draco sshd[28035]: Invalid user admin from 137.116.113.75
Jul 23 07:34:20 draco sshd[28035]: input_userauth_request: invalid user admin [preauth]
Jul 23 07:34:20 draco sshd[28035]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
Jul 23 07:34:58 draco sshd[28037]: Invalid user admin from 137.116.113.75
Jul 23 07:34:58 draco sshd[28037]: input_userauth_request: invalid user admin [preauth]
Jul 23 07:34:58 draco sshd[28037]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
Jul 23 07:35:04 draco sshd[28348]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
Jul 23 07:35:31 draco sshd[28911]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
Jul 23 07:35:35 draco sshd[28913]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
Jul 23 07:35:48 draco sshd[28915]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
Jul 23 07:36:42 draco sshd[28917]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
Jul 23 07:36:45 draco sshd[28919]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
Jul 23 07:38:06 draco sshd[28921]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
Jul 23 07:39:02 draco sshd[28923]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
Jul 23 07:39:50 draco sshd[28941]: Invalid user guest from 137.116.113.75
Jul 23 07:39:50 draco sshd[28941]: input_userauth_request: invalid user guest [preauth]
Jul 23 07:39:50 draco sshd[28941]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
Jul 23 07:40:02 draco sshd[29120]: Invalid user guest from 137.116.113.75
Jul 23 07:40:02 draco sshd[29120]: input_userauth_request: invalid user guest [preauth]
Jul 23 07:40:02 draco sshd[29120]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
Funny thing... that IP is registered to
NetRange: 137.116.0.0 - 137.116.255.255
CIDR: 137.116.0.0/16
OriginAS:
NetName: NTINET-NASH
NetHandle: NET-137-116-0-0-1
Parent: NET-137-0-0-0-0
NetType: Direct Assignment
RegDate: 2011-08-02
Updated: 2012-10-16
Ref: http://whois.arin.net/rest/net/NET-137-116-0-0-1
OrgName: Microsoft Corp
OrgId: MSFT-Z
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US
RegDate: 2011-06-22
Updated: 2013-04-12
Ref: http://whois.arin.net/rest/org/MSFT-Z
 

EQnoble

Well-known member
#8
Not for nothing... maybe about a year back I was getting some crazy traffic from Redmond myself, mostly trying to log in as system, admin or root.

If I can figure out what I did with the logs I will post them up for comparison's sake. I didn't do anything before because of a separate issue I had with MS which, in my opinion, was handled horribly, and I figured reporting that would do nothing either way if it went anything like my phone calls with corporate and legal did.
 

Tracy Perry

Well-known member
#9
Looks to me someone's been surfing to places they shouldn't be and got a workstation infected with something.
That's pretty much what I was thinking. Like I said, it hit every domain on twowheeldemon.com that is in the DNS, but never touched the one on my VPS (which is a different domain totally - my 3 main servers are kept in one domain, even though they actually serve different forum domains out).
 

EQnoble

Well-known member
#15
I'm still working on the Amazon stuff right now. :whistle:
All current Amazon ranges
 

EQnoble

Well-known member
#16
Could be... was not aware that MickeySoft had gotten into the cloud club... don't pay much attention to them. :p
In any case, there is a permanent DROP in iptables for that IP.
Yep. That, too.

Why stop at the IP? Start tossing CIDRs in there. :D
All current Windows Azure ranges
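As an added example (not code posted in this thread), a small Python triage script for the kind of auth.log noise shown in post #1: it parses the three sshd message types that appear there (Did not receive identification string, Invalid user, and the reason-code-11 disconnect), groups pre-auth failures by source address, and checks which allocations (here the ARIN 137.116.0.0/16 from the whois output) contain a flagged source, which is the input you need to choose between the single-IP DROP and the range DROP discussed in post #16. The regex patterns and the threshold are my assumptions; the embedded log is five lines copied from the thread plus one constructed successful login as a negative control.

```python
import ipaddress
import re
from collections import defaultdict

# The first five lines are copied from the thread's auth.log excerpt; the last is a
# constructed successful login (RFC 5737 test address) used as a negative control.
SAMPLE_LOG = """\
Jul 23 07:34:18 draco sshd[28030]: Did not receive identification string from 137.116.113.75
Jul 23 07:34:19 draco sshd[28031]: Invalid user admin from 137.116.113.75
Jul 23 07:34:19 draco sshd[28031]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
Jul 23 07:35:04 draco sshd[28348]: Received disconnect from 137.116.113.75: 11: No supported authentication methods available [preauth]
Jul 23 07:39:50 draco sshd[28941]: Invalid user guest from 137.116.113.75
Jul 23 07:41:10 draco sshd[29200]: Accepted publickey for tracy from 192.0.2.10 port 51022 ssh2
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
NO_IDENT = re.compile(r"Did not receive identification string from " + IPV4)
INVALID_USER = re.compile(r"Invalid user (\S+) from " + IPV4)
# Reason code 11 is SSH_DISCONNECT_BY_APPLICATION (RFC 4253): the client gave up
# because the server accepted none of the authentication methods it offered.
NO_METHOD = re.compile(r"Received disconnect from " + IPV4 + r": 11: No supported authentication methods")


def summarize(log_text):
    """Group pre-auth failures by source IP: usernames tried and per-type counts."""
    per_ip = defaultdict(lambda: {"users": set(), "invalid": 0, "no_method": 0, "no_ident": 0})
    for line in log_text.splitlines():
        if m := INVALID_USER.search(line):
            per_ip[m.group(2)]["users"].add(m.group(1))
            per_ip[m.group(2)]["invalid"] += 1
        elif m := NO_METHOD.search(line):
            per_ip[m.group(1)]["no_method"] += 1
        elif m := NO_IDENT.search(line):
            per_ip[m.group(1)]["no_ident"] += 1
    return dict(per_ip)


def flag_sources(summary, threshold=3):
    """Source IPs with at least `threshold` pre-auth failures, worst offender first."""
    score = {ip: s["invalid"] + s["no_method"] + s["no_ident"] for ip, s in summary.items()}
    return sorted((ip for ip, n in score.items() if n >= threshold), key=lambda ip: -score[ip])


def covering_ranges(ip, cidrs):
    """CIDRs in `cidrs` that contain `ip`: tells you whether a single-host DROP or a
    whole-range DROP is the appropriate firewall entry for this source."""
    addr = ipaddress.ip_address(ip)
    return [c for c in cidrs if addr in ipaddress.ip_network(c, strict=False)]
```

Run `flag_sources(summarize(open("/var/log/auth.log").read()))` against a real log and feed each result to `covering_ranges` with the allocations you are considering blocking; the successful-login line in the sample shows that normal traffic produces no entry at all.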