Host 217.149.246.3 is compromised

Charlie Root root at distant-sun.narf.ssji.net
Tue Jan 11 07:35:05 CET 2011


Greetings,

[ This is an automated email, please report any problem to
<shtrom-admin at ssji.net> ]

Unauthorized login attempts have recently been observed from an IP address
in one of your administrative ranges (217.149.246.3), as identified by WHOIS
information.

Please find below reports from the blocking system, including logs of
connection attempts at the bottom.

Could you please take this machine down for cleanup, or forward this
message to its administrator in charge.

Offending IP: 217.149.246.3
Hostnames: akcyza.pld-linux.org.
Abuse addresses: abuse at atman.pl, feedback at pld-linux.org
Usernames tried: admin, oracle, sales, system, test
Host and WHOIS information:
3.246.149.217.in-addr.arpa domain name pointer akcyza.pld-linux.org.
#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 217.149.246.3"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=217.149.246.3?showDetails=true&showARIN=false
#

NetRange:       217.0.0.0 - 217.255.255.255
CIDR:           217.0.0.0/8
OriginAS:
NetName:        217-RIPE
NetHandle:      NET-217-0-0-0-1
Parent:
NetType:        Allocated to RIPE NCC
NameServer:     TINNIE.ARIN.NET
NameServer:     SUNIC.SUNET.SE
NameServer:     NS-PRI.RIPE.NET
NameServer:     SNS-PB.ISC.ORG
NameServer:     SEC3.APNIC.NET
NameServer:     NS3.NIC.FR
NameServer:     SEC1.APNIC.NET
Comment:        These addresses have been further assigned to users in
Comment:        the RIPE NCC region. Contact information can be found in
Comment:        the RIPE database at http://www.ripe.net/whois
RegDate:        2000-06-05
Updated:        2009-03-25
Ref:            http://whois.arin.net/rest/net/NET-217-0-0-0-1

OrgName:        RIPE Network Coordination Centre
OrgId:          RIPE
Address:        P.O. Box 10096
City:           Amsterdam
StateProv:
PostalCode:     1001EB
Country:        NL
RegDate:
Updated:        2004-12-13
Ref:            http://whois.arin.net/rest/org/RIPE

ReferralServer: whois://whois.ripe.net:43

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '217.149.246.0 - 217.149.246.15'

inetnum:      217.149.246.0 - 217.149.246.15
netname:      pld-linux
descr:        PLD Linux Distribution
descr:        http://www.pld-linux.org
country:      PL
admin-c:      MD5000-RIPE
tech-c:       ATMA1-RIPE
status:       ASSIGNED PA
remarks:      abuse: feedback at pld-linux.org
mnt-by:       ATMAN-MNT
mnt-lower:    ATMAN-MNT
source:       RIPE # Filtered

role:           ATMAN NOC
address:        ATM S.A.
address:        ul. Grochowska 21a
address:        04-186 Warsaw
address:        Poland
phone:          +48-22-5156900
fax-no:         +48-22-5156777
admin-c:        DZ124-RIPE
admin-c:        AK4926-RIPE
admin-c:        AW1695-RIPE
admin-c:        SSZ3-RIPE
admin-c:        SO1041-RIPE
admin-c:        MW2381-RIPE
tech-c:         SSZ3-RIPE
tech-c:         DZ124-RIPE
tech-c:         AW1695-RIPE
tech-c:         SO1041-RIPE
tech-c:         MW2381-RIPE
nic-hdl:        ATMA1-RIPE
mnt-by:         ATMAN-MNT
source:         RIPE # Filtered
abuse-mailbox:  abuse at atman.pl

person:         Marcin Dolinski
org:            ORG-SS73-RIPE
address:        Spray S.A.
address:        Al. Armii Ludowej 14
address:        Warsaw, Poland
mnt-by:         SPY-MNT
phone:          +48 22 303 03 31
nic-hdl:        MD5000-RIPE
source:         RIPE # Filtered

% Information related to '217.149.240.0/20AS15694'

route:        217.149.240.0/20
descr:        ATMAN (PL)
origin:       AS15694
mnt-by:       ATMAN-MNT
source:       RIPE # Filtered


Incriminating logs:
Jan 11 07:14:33 distant-sun sshd[6132]: Invalid user test from 217.149.246.3
Jan 11 07:14:33 distant-sun sshd[6132]: Failed password for invalid user test from 217.149.246.3 port 45580 ssh2
Jan 11 07:14:34 distant-sun sshd[32160]: Invalid user test from 217.149.246.3
Jan 11 07:14:34 distant-sun sshd[32160]: Failed password for invalid user test from 217.149.246.3 port 45594 ssh2
Jan 11 07:14:34 distant-sun sshd[14191]: Invalid user test from 217.149.246.3
Jan 11 07:14:34 distant-sun sshd[14191]: Failed password for invalid user test from 217.149.246.3 port 45606 ssh2
Jan 11 07:14:35 distant-sun sshd[10233]: Invalid user test from 217.149.246.3
Jan 11 07:14:35 distant-sun sshd[10233]: Failed password for invalid user test from 217.149.246.3 port 45619 ssh2
Jan 11 07:14:38 distant-sun sshd[13176]: Invalid user system from 217.149.246.3
Jan 11 07:14:38 distant-sun sshd[13176]: Failed password for invalid user system from 217.149.246.3 port 45635 ssh2
Jan 11 07:14:46 distant-sun sshd[5907]: Invalid user oracle from 217.149.246.3
Jan 11 07:14:48 distant-sun sshd[5907]: Failed password for invalid user oracle from 217.149.246.3 port 45810 ssh2
Jan 11 07:14:50 distant-sun sshd[13163]: Invalid user sales from 217.149.246.3
Jan 11 07:14:50 distant-sun sshd[13163]: Failed password for invalid user sales from 217.149.246.3 port 45845 ssh2
Jan 11 07:14:53 distant-sun sshd[30135]: Invalid user test from 217.149.246.3
Jan 11 07:14:53 distant-sun sshd[30135]: Failed password for invalid user test from 217.149.246.3 port 45891 ssh2
Jan 11 07:15:11 distant-sun sshd[11014]: Invalid user admin from 217.149.246.3
Jan 11 07:15:11 distant-sun sshd[11014]: Failed password for invalid user admin from 217.149.246.3 port 46143 ssh2

