Today I got another brute-force attempt against my mail server's SMTP authentication, from an IP in China.
If you come to this blog from a search engine looking for this IP (113.240.67.223), add it to your block list.
Time: Wed Apr 13 18:52:10 2011 +0700
IP: 113.240.67.223 (CN/China/-)
Failures: 5 (smtpauth)
Interval: 300 seconds
Blocked: Permanent Block
Log entries:
2011-04-13 18:51:41 dovecot_login authenticator failed for (ylmf-pc) [113.240.67.223]: 535 Incorrect authentication data (set_id=info)
2011-04-13 18:51:45 dovecot_login authenticator failed for (ylmf-pc) [113.240.67.223]: 535 Incorrect authentication data (set_id=info)
2011-04-13 18:51:57 dovecot_login authenticator failed for (ylmf-pc) [113.240.67.223]: 535 Incorrect authentication data (set_id=info)
2011-04-13 18:52:01 dovecot_login authenticator failed for (ylmf-pc) [113.240.67.223]: 535 Incorrect authentication data (set_id=info)
2011-04-13 18:52:05 dovecot_login authenticator failed for (ylmf-pc) [113.240.67.223]: 535 Incorrect authentication data (set_id=info)
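The alert above is LFD's rule in action: five SMTP AUTH failures from one IP within 300 seconds, then a permanent block. As an added example (not code from the post or from CSF/LFD), here is that decision reconstructed as a sliding-window check over Exim's log lines. It assumes the Exim log format shown above (the parenthesised name is the client's HELO, set_id is the username tried); the first five lines in the sample are the post's own entries, the 198.51.100.7 "laptop" lines and the non-auth line are constructed to show the window expiring and unrelated lines being skipped, and the csf.deny-style output format is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Exim logs a failed SMTP AUTH attempt (here via its dovecot_login authenticator) as:
#   <date> <time> <auth> authenticator failed for (<HELO name>) [<ip>]: 535 Incorrect authentication data (set_id=<user>)
# The HELO name is client-supplied ("ylmf-pc" above); set_id is the username the client tried.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<auth>\S+) authenticator failed for \((?P<helo>[^)]*)\) "
    r"\[(?P<ip>[^\]]+)\]: 535 Incorrect authentication data"
    r"(?: \(set_id=(?P<user>[^)]*)\))?"
)

# First five lines: the entries from the post. The rest are constructed:
# 198.51.100.7 fails four times, then a fifth time well outside the 300 s window,
# and one unrelated (non-auth-failure) line is mixed in.
SAMPLE_LOG = """\
2011-04-13 18:51:41 dovecot_login authenticator failed for (ylmf-pc) [113.240.67.223]: 535 Incorrect authentication data (set_id=info)
2011-04-13 18:51:45 dovecot_login authenticator failed for (ylmf-pc) [113.240.67.223]: 535 Incorrect authentication data (set_id=info)
2011-04-13 18:51:57 dovecot_login authenticator failed for (ylmf-pc) [113.240.67.223]: 535 Incorrect authentication data (set_id=info)
2011-04-13 18:52:01 dovecot_login authenticator failed for (ylmf-pc) [113.240.67.223]: 535 Incorrect authentication data (set_id=info)
2011-04-13 18:52:05 dovecot_login authenticator failed for (ylmf-pc) [113.240.67.223]: 535 Incorrect authentication data (set_id=info)
2011-04-13 19:00:00 dovecot_login authenticator failed for (laptop) [198.51.100.7]: 535 Incorrect authentication data (set_id=alice)
2011-04-13 19:01:00 dovecot_login authenticator failed for (laptop) [198.51.100.7]: 535 Incorrect authentication data (set_id=alice)
2011-04-13 19:02:00 dovecot_login authenticator failed for (laptop) [198.51.100.7]: 535 Incorrect authentication data (set_id=alice)
2011-04-13 19:03:00 dovecot_login authenticator failed for (laptop) [198.51.100.7]: 535 Incorrect authentication data (set_id=alice)
2011-04-13 19:03:30 1Q9yZz-0004Gh-Qx <= alice@example.org H=laptop [198.51.100.7] P=esmtpsa A=dovecot_login:alice S=1234
2011-04-13 19:09:00 dovecot_login authenticator failed for (laptop) [198.51.100.7]: 535 Incorrect authentication data (set_id=alice)
"""


def parse_auth_failure(line):
    """Return a dict (ts, auth, helo, ip, user) for an auth-failure line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def find_blocks(log_text, threshold=5, interval=300):
    """Sliding-window check in the spirit of LFD's smtpauth trigger: an IP is
    blocked once it has `threshold` failures within any `interval` seconds.
    Returns {ip: {"at": datetime, "helo": str, "users": [usernames tried]}}."""
    recent = defaultdict(deque)  # ip -> failures still inside the window
    blocked = {}
    for line in log_text.splitlines():
        ev = parse_auth_failure(line)
        if ev is None or ev["ip"] in blocked:
            continue
        q = recent[ev["ip"]]
        q.append(ev)
        # Expire failures older than `interval` seconds relative to this one.
        while (ev["ts"] - q[0]["ts"]).total_seconds() > interval:
            q.popleft()
        if len(q) >= threshold:
            blocked[ev["ip"]] = {
                "at": ev["ts"],
                "helo": ev["helo"],
                "users": sorted({e["user"] for e in q if e["user"]}),
            }
    return blocked


def csf_deny_entries(blocked):
    """Render decisions as "ip # comment" lines (assumed csf.deny style)."""
    return [
        f"{ip} # lfd: smtpauth failures for {', '.join(info['users'])}, "
        f"helo={info['helo']}, at {info['at']:%Y-%m-%d %H:%M:%S}"
        for ip, info in sorted(blocked.items())
    ]


if __name__ == "__main__":
    for entry in csf_deny_entries(find_blocks(SAMPLE_LOG)):
        print(entry)
```

Only 113.240.67.223 trips the rule: its five failures span 24 seconds. The constructed 198.51.100.7 client also fails five times, but the fifth failure comes six minutes after the first four, so the window has emptied by then; widening `interval` to 600 seconds would block it too, which is the trade-off between catching slow scanners and locking out a user who mistyped a password a few times.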
I got the same ylmf-pc machine attack.
It keeps changing its IP every day, so your block makes no sense.
Good luck
Regards,
warper
The problem is a computer or person(s) trying to brute-force the password of one of my email addresses listed in the whois data.
It is automatically blocked by CSF / the firewall, and I just list it here; it's not listed by me manually. 🙂
So I just think it might be useful for other people to add it to their block lists to prevent another hacking attempt on their server.
No. Again, the IP address changes all the time. So this is useless; you'll only block legitimate visitors.
Hello,
Are you using a firewall?
If yes, then it will automatically block the hacker's IP.
If not, then you can add the IP ranges of the suspicious accesses.
Same here in April 2012 and July 2012, involving 2 mail addresses, every 4 seconds from a different port on [183.7.94.44]. I would have changed the name of the machine by now 🙂
For your information, YLMF is a Chinese OS which is literally LINUX + a Windows XP front-end (http://fr.wikipedia.org/wiki/Ylmf_OS).
So people using this OS probably install it with the defaults, so they all have "YLMF-PC" as the computer name. YLMF is probably a distribution which includes a bunch of stuff to launch massive group attacks.
Now the question is… Do you really care about Chinese visitors? Do you really think that you have customers in China? Yet I have not found any IP outside China with "ylmf-pc" as the PC name.
If you don't have customers from China, BAN CHINA! Your network will only get better and attacks will drop by 80%. 19% come from Russia and east European countries, and 1% from other places.
Look at these websites. They contain IP tables to block China, Russia, and some others (each table can be taken separately). These tables claim to be updated, but I'm not sure about this.
http://www.parkansky.com/china.htm (not complete for sure; I got an attack from 183.13.245.31 which is not covered by any IP subnet)
http://www.wizcrafts.net/chinese-iptables-blocklist.html
http://www.wizcrafts.net/russian-iptables-blocklist.html
http://www.okean.com/thegoods.html