brute force from private IP 192.168.2.33

JohnPal

Verified User
Joined
Jun 30, 2011
Messages
7
I'm getting a ton of brute force failed login attempts, but what's strange is that the reported IP is from a private 192.168.x.x IP address. What would that signify?

Here's one entry directly from the log:
192.168.2.33 data 1 exim1 2012-11-10 15:16:35 login authenticator failed for ([192.168.2.33]) [50.121.152.110]: 535 Incorrect authentication data (set_id=data)

Should I just add to the skip list?
Any guidance is appreciated.
 

RaZer0r

Verified User
Joined
Sep 14, 2007
Messages
62
50.121.152.110 is the external ip, it means that one of your users is using a bad password for his smtp login...

192.168.2.33 is the ip of his computer at home, so nothing fishy about this one...
(50.121.152.110 is somewhere in Rochester, NY)
 

JohnPal

Verified User
Joined
Jun 30, 2011
Messages
7
Thanks for the reply RaZer0r.

There were a few hundred log entries all using 192.168.2.33 with different external IPs, so my guess is the joker was spoofing the external IPs to prevent getting blocked by csf. I added that private IP to the skip list, and then I received a bunch of brute force monitor messages from all of the external IPs. Then I added those to the skip list, and the number of attempts has gone way down today...

Always an adventure having a server :)
 

toml

Verified User
Joined
Oct 3, 2003
Messages
1,238
Location
Scottsdale, AZ
It is some sort of bot, I have a server at work that is getting hammered by them too, all trying to log in as test@live.com and sending to therichsheickc@yahoo.com. Do a search and you will see a lot of people are constantly getting hit by them. I have blocked most of their IPs but they seem to get a few more added every day.
 

marvinh

New member
Joined
Aug 24, 2012
Messages
1
Experiencing the same issue since 11th of December... indeed some botnet that got active or so?

13552182610000 74.11.126.243 shirley 1 exim1 2012-12-11 04:30:15 login authenticator failed for ([192.168.2.33]) [74.11.126.243]: 535 Incorrect authentication data (set_id=shirley)
13552179610004 72.38.41.25 simmons 1 exim1 2012-12-11 04:25:30 login authenticator failed for d72-38-41-25.commercial1.cgocable.net ([192.168.2.33]) [72.38.41.25]: 535 Incorrect authentication data (set_id=simmons)
13552179610003 72.38.41.25 simmons 1 exim1 2012-12-11 04:25:30 login authenticator failed for d72-38-41-25.commercial1.cgocable.net ([192.168.2.33]) [72.38.41.25]: 535 Incorrect authentication data (set_id=simmons)
13552179610002 72.38.41.25 simmons 1 exim1 2012-12-11 04:25:30 login authenticator failed for d72-38-41-25.commercial1.cgocable.net ([192.168.2.33]) [72.38.41.25]: 535 Incorrect authentication data (set_id=simmons)
13552179610001 72.38.41.25 simmons 1 exim1 2012-12-11 04:25:29 login authenticator failed for d72-38-41-25.commercial1.cgocable.net ([192.168.2.33]) [72.38.41.25]: 535 Incorrect authentication data (set_id=simmons)
13552179610000 72.38.41.25 simmons 1 exim1 2012-12-11 04:25:29 login authenticator failed for d72-38-41-25.commercial1.cgocable.net ([192.168.2.33]) [72.38.41.25]: 535 Incorrect authentication data (set_id=simmons)
13552176610004 79.161.3.142 sims 1 exim1 2012-12-11 04:20:45 login authenticator failed for ([192.168.2.33]) [79.161.3.142]: 535 Incorrect authentication data (set_id=sims)
13552176610003 79.161.3.142 sims 1 exim1 2012-12-11 04:20:45 login authenticator failed for ([192.168.2.33]) [79.161.3.142]: 535 Incorrect authentication data (set_id=sims)
13552176610002 79.161.3.142 sims 1 exim1 2012-12-11 04:20:45 login authenticator failed for ([192.168.2.33]) [79.161.3.142]: 535 Incorrect authentication data (set_id=sims)
13552176610001 79.161.3.142 sims 1 exim1 2012-12-11 04:20:44 login authenticator failed for ([192.168.2.33]) [79.161.3.142]: 535 Incorrect authentication data (set_id=sims)
13552176610000 79.161.3.142 sims 1 exim1 2012-12-11 04:20:44 login authenticator failed for ([192.168.2.33]) [79.161.3.142]: 535 Incorrect authentication data (set_id=sims)
 

MaxPower

Verified User
Joined
Nov 10, 2006
Messages
72
Location
North America
:cool: Yeah same issue from the same loser.... too bad he can't get a real job..

14050722010000 82.221.102.185 postmaster 1 sshd4 Jul 11 02:49:16 ESS005337 sshd[10860]: Failed password for invalid user postmaster from 82.221.102.185 port 37508 ssh2
14053439410000 72.2.20.148 postmaster 1 exim1 2014-07-14 06:18:25 login authenticator failed for ([192.168.2.33]) [72.2.20.148]: 535 Incorrect authentication data (set_id=postmaster)
14053439410001 72.2.20.148 postmaster 1 exim1 2014-07-14 06:18:25 login authenticator failed for ([192.168.2.33]) [72.2.20.148]: 535 Incorrect authentication data (set_id=postmaster)
14053439410002 72.2.20.148 postmaster 1 exim1 2014-07-14 06:18:25 login authenticator failed for ([192.168.2.33]) [72.2.20.148]: 535 Incorrect authentication data (set_id=postmaster)
14053439410003 72.2.20.148 postmaster 1 exim1 2014-07-14 06:18:25 login authenticator failed for ([192.168.2.33]) [72.2.20.148]: 535 Incorrect authentication data (set_id=postmaster)
14053439410004 72.2.20.148 postmaster 1 exim1 2014-07-14 06:18:25 login authenticator failed for ([192.168.2.33]) [72.2.20.148]: 535 Incorrect authentication data (set_id=postmaster)
14053439410005 72.2.20.148 postmaster 1 exim1 2014-07-14 06:18:25 login authenticator failed for ([192.168.2.33]) [72.2.20.148]: 535 Incorrect authentication data (set_id=postmaster)
14053439410006 101.78.154.74 postmaster 1 exim1 2014-07-14 06:18:27 login authenticator failed for ([192.168.2.33]) [101.78.154.74]: 535 Incorrect authentication data (set_id=postmaster)
14053439410007 101.78.154.74 postmaster 1 exim1 2014-07-14 06:18:28 login authenticator failed for ([192.168.2.33]) [101.78.154.74]: 535 Incorrect authentication data (set_id=postmaster)
14053439410008 101.78.154.74 postmaster 1 exim1 2014-07-14 06:18:28 login authenticator failed for ([192.168.2.33]) [101.78.154.74]: 535 Incorrect authentication data (set_id=postmaster)
14053439410009 101.78.154.74 postmaster 1 exim1 2014-07-14 06:18:29 login authenticator failed for ([192.168.2.33]) [101.78.154.74]: 535 Incorrect authentication data (set_id=postmaster)
14053439410010 101.78.154.74 postmaster 1 exim1 2014-07-14 06:18:30 login authenticator failed for ([192.168.2.33]) [101.78.154.74]: 535 Incorrect authentication data (set_id=postmaster)
14053439410011 101.78.154.74 postmaster 1 exim1 2014-07-14 06:18:30 login authenticator failed for ([192.168.2.33]) [101.78.154.74]: 535 Incorrect authentication data (set_id=postmaster)
 

MaxPower

Verified User
Joined
Nov 10, 2006
Messages
72
Location
North America
..........................

test.maxlandit.com Mar 17, 2013 SMTP password hacking with HELO [192.168.2.33] Hacking
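
In the exim lines quoted in this thread, the value in parentheses is the HELO argument, which the client chooses, and the bracketed value before the colon is the address the connection actually came from. As an added example (not part of any post above), this Python script groups failed logins by HELO and reports a private-address HELO literal that shows up from several unrelated peers; the function names are hypothetical and the regex assumes the line layout seen in the posts.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the exim part of each line; any monitor prefix before it is ignored.
FAILED_AUTH = re.compile(
    r"authenticator failed for (?:(?P<rdns>\S+) )?"
    r"\((?P<helo>[^)]*)\) \[(?P<peer>[^\]]+)\]: 535 .*?\(set_id=(?P<user>[^)]*)\)"
)

def parse(line):
    """Return (helo, peer, user) for a failed-auth line, else None."""
    m = FAILED_AUTH.search(line)
    return (m["helo"], m["peer"], m["user"]) if m else None

def private_literal(helo):
    """True if the HELO argument is an address literal in private space."""
    try:
        return ipaddress.ip_address(helo.strip("[]")).is_private
    except ValueError:          # an ordinary hostname, not an address literal
        return False

def shared_helo_report(lines, min_peers=2):
    """Map each private-literal HELO to the distinct peers that sent it."""
    peers = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec and private_literal(rec[0]):
            peers[rec[0]].add(rec[1])
    return {h: sorted(p) for h, p in peers.items() if len(p) >= min_peers}

# The first three lines are copied from the posts above; the last is constructed.
SAMPLE = [
    "13552182610000 74.11.126.243 shirley 1 exim1 2012-12-11 04:30:15 login authenticator failed for ([192.168.2.33]) [74.11.126.243]: 535 Incorrect authentication data (set_id=shirley)",
    "13552179610004 72.38.41.25 simmons 1 exim1 2012-12-11 04:25:30 login authenticator failed for d72-38-41-25.commercial1.cgocable.net ([192.168.2.33]) [72.38.41.25]: 535 Incorrect authentication data (set_id=simmons)",
    "13552176610004 79.161.3.142 sims 1 exim1 2012-12-11 04:20:45 login authenticator failed for ([192.168.2.33]) [79.161.3.142]: 535 Incorrect authentication data (set_id=sims)",
    "2012-12-11 04:31:02 login authenticator failed for (client.example.net) [198.51.100.7]: 535 Incorrect authentication data (set_id=alice)",
]

if __name__ == "__main__":
    for helo, peer_list in shared_helo_report(SAMPLE).items():
        print(f"HELO {helo} announced by {len(peer_list)} peers: {peer_list}")
```

Because the HELO string is whatever the client sends, any block or skip decision should key on the bracketed peer address; the shared HELO is only useful as a fingerprint for grouping the attempts.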
 