brute force from private IP 192.168.2.33

JohnPal

Verified User
Joined
Jun 30, 2011
Messages
7
I'm getting a ton of brute force failed login attempts, but what's strange is that the reported IP is from a private 192.168.x.x IP address. What would that signify?

Here's one entry directly from the log:
192.168.2.33 data 1 exim1 2012-11-10 15:16:35 login authenticator failed for ([192.168.2.33]) [50.121.152.110]: 535 Incorrect authentication data (set_id=data)

Should I just add to the skip list?
Any guidance is appreciated.
 
50.121.152.110 is the external ip, it means that one of your users is using a bad password for his smtp login...

192.168.2.33 is the ip of his computer at home, so nothing fishy about this one...
(50.121.152.110 is somewhere in Rochester, NY)
 
Thanks for the reply RaZer0r.

There were a few hundred log entries all using 192.168.2.33 with different external IPs, so my guess is the joker was spoofing the external IPs to prevent getting blocked by csf. I added that private IP to the skip list, and then I received a bunch of brute force monitor messages from all of the external IPs. Then I added those to the skip list, and the number of attempts has gone way down today...

Always an adventure having a server :)
 
It is some sort of bot, I have a server at work that is getting hammered by them too, all trying to login as [email protected] and sending to [email protected]. Do a search and you will see a lot of people are constantly getting hit by them. I have blocked most of their IPs but they seem to get a few more added every day.
 
Experiencing the same issue since 11th of December... indeed some botnet that got active or so?

13552182610000 74.11.126.243 shirley 1 exim1 2012-12-11 04:30:15 login authenticator failed for ([192.168.2.33]) [74.11.126.243]: 535 Incorrect authentication data (set_id=shirley)
13552179610004 72.38.41.25 simmons 1 exim1 2012-12-11 04:25:30 login authenticator failed for d72-38-41-25.commercial1.cgocable.net ([192.168.2.33]) [72.38.41.25]: 535 Incorrect authentication data (set_id=simmons)
13552179610003 72.38.41.25 simmons 1 exim1 2012-12-11 04:25:30 login authenticator failed for d72-38-41-25.commercial1.cgocable.net ([192.168.2.33]) [72.38.41.25]: 535 Incorrect authentication data (set_id=simmons)
13552179610002 72.38.41.25 simmons 1 exim1 2012-12-11 04:25:30 login authenticator failed for d72-38-41-25.commercial1.cgocable.net ([192.168.2.33]) [72.38.41.25]: 535 Incorrect authentication data (set_id=simmons)
13552179610001 72.38.41.25 simmons 1 exim1 2012-12-11 04:25:29 login authenticator failed for d72-38-41-25.commercial1.cgocable.net ([192.168.2.33]) [72.38.41.25]: 535 Incorrect authentication data (set_id=simmons)
13552179610000 72.38.41.25 simmons 1 exim1 2012-12-11 04:25:29 login authenticator failed for d72-38-41-25.commercial1.cgocable.net ([192.168.2.33]) [72.38.41.25]: 535 Incorrect authentication data (set_id=simmons)
13552176610004 79.161.3.142 sims 1 exim1 2012-12-11 04:20:45 login authenticator failed for ([192.168.2.33]) [79.161.3.142]: 535 Incorrect authentication data (set_id=sims)
13552176610003 79.161.3.142 sims 1 exim1 2012-12-11 04:20:45 login authenticator failed for ([192.168.2.33]) [79.161.3.142]: 535 Incorrect authentication data (set_id=sims)
13552176610002 79.161.3.142 sims 1 exim1 2012-12-11 04:20:45 login authenticator failed for ([192.168.2.33]) [79.161.3.142]: 535 Incorrect authentication data (set_id=sims)
13552176610001 79.161.3.142 sims 1 exim1 2012-12-11 04:20:44 login authenticator failed for ([192.168.2.33]) [79.161.3.142]: 535 Incorrect authentication data (set_id=sims)
13552176610000 79.161.3.142 sims 1 exim1 2012-12-11 04:20:44 login authenticator failed for ([192.168.2.33]) [79.161.3.142]: 535 Incorrect authentication data (set_id=sims)
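
The log lines quoted in this thread carry two addresses: the HELO argument in parentheses, which the client chooses, and the connecting address in square brackets, which the server observes. The following Python script is an added example, not code from any poster: it parses lines in that format and reports private-address HELO literals announced from several distinct connecting IPs. The sample lines are constructed (documentation-range addresses), and the threshold of three sources is an assumption.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample lines in the format quoted in the thread.
SAMPLE = [
    "13552182610000 203.0.113.10 shirley 1 exim1 2012-12-11 04:30:15 login authenticator failed for ([192.168.2.33]) [203.0.113.10]: 535 Incorrect authentication data (set_id=shirley)",
    "13552179610000 198.51.100.7 simmons 1 exim1 2012-12-11 04:25:29 login authenticator failed for host.example.net ([192.168.2.33]) [198.51.100.7]: 535 Incorrect authentication data (set_id=simmons)",
    "13552176610000 203.0.113.77 sims 1 exim1 2012-12-11 04:20:44 login authenticator failed for ([192.168.2.33]) [203.0.113.77]: 535 Incorrect authentication data (set_id=sims)",
    # One real user behind NAT with a wrong password: private literal, single source.
    "13552176610001 198.51.100.99 alice 1 exim1 2012-12-11 04:21:02 login authenticator failed for ([192.168.1.50]) [198.51.100.99]: 535 Incorrect authentication data (set_id=alice)",
    "14050722010000 203.0.113.5 postmaster 1 sshd4 Jul 11 02:49:16 host sshd[10860]: Failed password for invalid user postmaster from 203.0.113.5 port 37508 ssh2",
]

LINE_RE = re.compile(
    r"login authenticator failed for (?:(?P<rdns>\S+) )?"   # optional reverse DNS name
    r"\((?P<helo>[^)]*)\) "                                   # HELO argument (client-supplied)
    r"\[(?P<remote>[^\]]+)\]: 535 .*?"                        # connecting IP (server-observed)
    r"\(set_id=(?P<user>[^)]*)\)"                             # account name that was tried
)

def parse(line):
    """Return (helo, remote_ip, set_id) for an exim auth failure line, else None."""
    m = LINE_RE.search(line)
    return (m.group("helo"), m.group("remote"), m.group("user")) if m else None

def shared_helo_literals(lines, min_sources=3):
    """Map each private HELO address literal to the connecting IPs that sent it,
    keeping only literals seen from at least min_sources distinct IPs."""
    sources = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                      # not an exim auth failure (e.g. sshd)
        helo, remote, _user = rec
        if not (helo.startswith("[") and helo.endswith("]")):
            continue                      # HELO is a hostname, not an address literal
        try:
            if ip_address(helo[1:-1]).is_private:
                sources[helo].add(remote)
        except ValueError:
            continue                      # malformed literal
    return {h: sorted(ips) for h, ips in sources.items() if len(ips) >= min_sources}

if __name__ == "__main__":
    for helo, ips in shared_helo_literals(SAMPLE).items():
        print(f"HELO {helo} announced by {len(ips)} connecting IPs: {', '.join(ips)}")
```

Any blocking or rate limiting still has to key on the bracketed connecting address; the HELO literal only serves to group failures that come from the same client software.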
 
:cool: Yeah same issue from the same loser.... too bad he can't get a real job..

14050722010000 82.221.102.185 postmaster 1 sshd4 Jul 11 02:49:16 ESS005337 sshd[10860]: Failed password for invalid user postmaster from 82.221.102.185 port 37508 ssh2
14053439410000 72.2.20.148 postmaster 1 exim1 2014-07-14 06:18:25 login authenticator failed for ([192.168.2.33]) [72.2.20.148]: 535 Incorrect authentication data (set_id=postmaster)
14053439410001 72.2.20.148 postmaster 1 exim1 2014-07-14 06:18:25 login authenticator failed for ([192.168.2.33]) [72.2.20.148]: 535 Incorrect authentication data (set_id=postmaster)
14053439410002 72.2.20.148 postmaster 1 exim1 2014-07-14 06:18:25 login authenticator failed for ([192.168.2.33]) [72.2.20.148]: 535 Incorrect authentication data (set_id=postmaster)
14053439410003 72.2.20.148 postmaster 1 exim1 2014-07-14 06:18:25 login authenticator failed for ([192.168.2.33]) [72.2.20.148]: 535 Incorrect authentication data (set_id=postmaster)
14053439410004 72.2.20.148 postmaster 1 exim1 2014-07-14 06:18:25 login authenticator failed for ([192.168.2.33]) [72.2.20.148]: 535 Incorrect authentication data (set_id=postmaster)
14053439410005 72.2.20.148 postmaster 1 exim1 2014-07-14 06:18:25 login authenticator failed for ([192.168.2.33]) [72.2.20.148]: 535 Incorrect authentication data (set_id=postmaster)
14053439410006 101.78.154.74 postmaster 1 exim1 2014-07-14 06:18:27 login authenticator failed for ([192.168.2.33]) [101.78.154.74]: 535 Incorrect authentication data (set_id=postmaster)
14053439410007 101.78.154.74 postmaster 1 exim1 2014-07-14 06:18:28 login authenticator failed for ([192.168.2.33]) [101.78.154.74]: 535 Incorrect authentication data (set_id=postmaster)
14053439410008 101.78.154.74 postmaster 1 exim1 2014-07-14 06:18:28 login authenticator failed for ([192.168.2.33]) [101.78.154.74]: 535 Incorrect authentication data (set_id=postmaster)
14053439410009 101.78.154.74 postmaster 1 exim1 2014-07-14 06:18:29 login authenticator failed for ([192.168.2.33]) [101.78.154.74]: 535 Incorrect authentication data (set_id=postmaster)
14053439410010 101.78.154.74 postmaster 1 exim1 2014-07-14 06:18:30 login authenticator failed for ([192.168.2.33]) [101.78.154.74]: 535 Incorrect authentication data (set_id=postmaster)
14053439410011 101.78.154.74 postmaster 1 exim1 2014-07-14 06:18:30 login authenticator failed for ([192.168.2.33]) [101.78.154.74]: 535 Incorrect authentication data (set_id=postmaster)
 
..........................

test.maxlandit.com Mar 17, 2013 SMTP password hacking with HELO [192.168.2.33] Hacking
 