Today’s hacking attempt from Japan

Today I got a notification email from my web server about a failed login attempt from Japan.

It's trying to brute-force my web server against dovecot/POP3 and the user root. Here are the IP and the attack list, so in case you come from Google searching for this IP and find this article, add this attacker's IP address to your block list.

Time:     Sun Jan 30 18:11:14 2011 +0700
IP:       210.162.116.68 (JP/Japan/-)
Failures: 10 (pop3d)
Interval: 300 seconds
Blocked:  Permanent Block

Log entries:

Jan 30 18:11:03 server dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=210.162.116.68, lip=174.138.xxx.xxx
Jan 30 18:11:05 server dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=210.162.116.68, lip=174.138.xxx.xxx
Jan 30 18:11:06 server dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=210.162.116.68, lip=174.138.xxx.xxx
Jan 30 18:11:07 server dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=210.162.116.68, lip=174.138.xxx.xxx
Jan 30 18:11:09 server dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=210.162.116.68, lip=174.138.xxx.xxx
Jan 30 18:11:11 server dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=210.162.116.68, lip=174.138.xxx.xxx
Jan 30 18:11:13 server dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=210.162.116.68, lip=174.138.xxx.xxx

2 failed login attempts to account root (system) — Large number of attempts from this IP: 210.162.116.68
Origin Country: Japan (JP)

You may add the following IP range to the CSF deny IP list:

210.162.0.0/16
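
The alert above reports 10 pop3d failures inside a 300-second interval. As an added example (not part of the original post and not CSF/lfd's own code), this sketch applies that kind of sliding-window threshold to dovecot lines in the format shown; the function names, the sample log and its documentation-range IPs are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches dovecot pop3-login failure lines of the form shown in the post.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: pop3-login: "
    r"Aborted login \(auth failed, (?P<n>\d+) attempts\): "
    r"user=<(?P<user>[^>]*)>, method=\S+, rip=(?P<rip>[0-9a-fA-F.:]+),"
)

def find_offenders(lines, year, threshold=10, interval=300):
    """Return {rip: time the threshold was first reached} using a sliding window."""
    window = defaultdict(deque)  # rip -> timestamps of failures still in the window
    offenders = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = window[m["rip"]]
        q.extend([ts] * int(m["n"]))  # one line may report several attempts
        while q and ts - q[0] > timedelta(seconds=interval):
            q.popleft()  # drop failures older than the interval
        if len(q) >= threshold and m["rip"] not in offenders:
            offenders[m["rip"]] = ts
    return offenders

def sample_log():
    """Constructed sample lines (documentation IPs, not real hosts)."""
    tmpl = ("Jan 30 18:{m:02d}:{s:02d} server dovecot: pop3-login: Aborted login "
            "(auth failed, 1 attempts): user=<root>, method=PLAIN, "
            "rip={rip}, lip=192.0.2.10")
    # Ten failures in 18 seconds: should trip the threshold.
    fast = [tmpl.format(m=11, s=2 * i, rip="203.0.113.7") for i in range(10)]
    # Ten failures spaced 5 minutes apart: never 10 inside one window.
    slow = [tmpl.format(m=5 * i, s=0, rip="198.51.100.20") for i in range(10)]
    return sorted(fast + slow)  # same date and hour, so string order is time order

if __name__ == "__main__":
    for ip, when in find_offenders(sample_log(), year=2011).items():
        print(f"{ip} reached the failure threshold at {when}")
```

The slow source makes the same number of attempts as the fast one but never trips the threshold, which is the gap a per-interval counter leaves for low-rate guessing.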
