Re(2): LOL Bruteforce von Microsoft Netz

MG — Sat, 14 Nov 2015 13:31:33 GMT

Eher ein Virus auf einem System in der Cloud.
Trotzdem cool. Ein Bruteforce Angrif von Microsoft.

Re: LOL Bruteforce von Microsoft Netz

Fly — Sat, 14 Nov 2015 13:07:43 GMT

Jo mei, wird sihc wer bei MS vertippt haben beim Anlegen eines Zugangs. Wenn's Dir wichtig ist, schick's halt dem MS-CERT, Adresse steht eh da.

LOL Bruteforce von Microsoft Netz

MG — Sat, 14 Nov 2015 13:05:26 GMT

Hi,

The IP 137.116.87.13 has just been banned by Fail2Ban after
6 attempts against ssh.

Here are more information about 137.116.87.13:

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# http://www.arin.net/public/whoisinaccuracy/index.xhtml
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=137.116.87.13?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#

NetRange:       137.116.0.0 - 137.116.255.255
CIDR:           137.116.0.0/16
NetName:        MICROSOFT
NetHandle:      NET-137-116-0-0-1
Parent:         NET137 (NET-137-0-0-0-0)
NetType:        Direct Assignment
OriginAS:
Organization:   Microsoft Corp (MSFT-Z)
RegDate:        2011-08-02
Updated:        2013-08-20
Ref:            http://whois.arin.net/rest/net/NET-137-116-0-0-1

OrgName:        Microsoft Corp
OrgId:          MSFT-Z
Address:        One Microsoft Way
City:           Redmond
StateProv:      WA
PostalCode:     98052
Country:        US
RegDate:        2011-06-22
Updated:        2015-10-28
Comment:        To report suspected security issues specific to
Comment:        traffic emanating from Microsoft online services,
Comment:        including the distribution of malicious content
Comment:        or other illicit or illegal material through a
Comment:        Microsoft online service, please submit reports
Comment:        to:
Comment:        * https://cert.microsoft.com .
Comment:
Comment:        For SPAM and other abuse issues, such as Microsoft
Comment:        Accounts, please contact:
Comment:        * abuse@microsoft.com.
Comment:
Comment:        To report security vulnerabilities in Microsoft
Comment:        products and services, please contact:
Comment:        * secure@microsoft.com.
Comment:
Comment:        For legal and law enforcement-related requests,
Comment:        please contact:
Comment:        * msndcc@microsoft.com
Comment:
Comment:        For routing, peering or DNS issues, please
Comment:        contact:
Comment:        * IOC@microsoft.com
Ref:            http://whois.arin.net/rest/org/MSFT-Z

OrgAbuseHandle: MAC74-ARIN
OrgAbuseName:   Microsoft Abuse Contact
OrgAbusePhone:  +1-425-882-8080
OrgAbuseEmail:  abuse@microsoft.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/MAC74-ARIN

OrgTechHandle: MRPD-ARIN
OrgTechName:   Microsoft Routing, Peering, and DNS
OrgTechPhone:  +1-425-882-8080
OrgTechEmail:  IOC@microsoft.com
OrgTechRef:    http://whois.arin.net/rest/poc/MRPD-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# http://www.arin.net/public/whoisinaccuracy/index.xhtml
#

Lines containing IP:137.116.87.13 in /var/log/auth.log

Nov 14 12:51:57 d018 sshd[47081]: Did not receive identification string from 137.116.87.13
Nov 14 12:52:03 d018 sshd[47082]: Invalid user buchhaltung from 137.116.87.13
Nov 14 12:52:03 d018 sshd[47082]: Connection closed by 137.116.87.13 [preauth]
Nov 14 12:52:09 d018 sshd[47084]: Invalid user empfang from 137.116.87.13
Nov 14 12:52:09 d018 sshd[47084]: Connection closed by 137.116.87.13 [preauth]
Nov 14 12:52:15 d018 sshd[47086]: Invalid user dr from 137.116.87.13
Nov 14 12:52:15 d018 sshd[47086]: Connection closed by 137.116.87.13 [preauth]
Nov 14 12:52:20 d018 sshd[47088]: Invalid user pascal from 137.116.87.13
Nov 14 12:52:20 d018 sshd[47088]: Connection closed by 137.116.87.13 [preauth]
Nov 14 12:52:26 d018 sshd[47090]: Invalid user pflege from 137.116.87.13
Nov 14 12:52:26 d018 sshd[47090]: Connection closed by 137.116.87.13 [preauth]
Nov 14 12:52:32 d018 sshd[47092]: Invalid user scan from 137.116.87.13
Nov 14 12:52:32 d018 sshd[47092]: Connection closed by 137.116.87.13 [preauth]

Regards,

Fail2Ban