Next wave is in progress

For a while I have had an auto block of IPs running on my server. Out of curiosity I had the script send me log mails containing the IPs, the number of login attempts and the username used.

Over the last 2 weeks I had over 600 attempts from these IPs – all using port scans and brute force. So if you don’t block IPs automatically, it might be a good idea to add these IPs to your firewall manually.

The most common user names were:

ABSADMIN, ACS, ADM, ADMBACKUP, ADMIN, ADMIN.LOCAL, ADMINCC, ADMINCENON, ADMINDEV, ADMINI, ADMINISTRACION, ADMINISTRADOR, ADMINISTRATEUR, ADMINISTRATOR, ADMINS, ADMINUSER, AEP_ADMIN, AJR, A-K, ALCADMINISTRATOR, ALEX.ADM, AMA_BU, APACHE, APC_ADMIN, AUBADMIN, BAKENADMIN, BBS, BCSADMIN, BESADMIN, BHATTAB, BIROU3, BOSSADMIN, BUSICOMP, BUUERJASMIN, CATHAY, CETADMIN, CHAN, CIRADMIN, CLVLLCRAMNP, COBIAN, COMELISSEN, COMMANDANT, COOPEMCROP, CSPADMIN, CUSIADMIN, DB2ADMIN, DLH-GROUP, DOMHLCTR, DTSADMIN, EKONOMI, ELITE, EPICORADMIN, EXADMIN, FARHAN, FBSADMIN, FORTINET, GESTIUNE03, HHDPC, HOPPESTATION, HOSP, IANUZGA, IMAJPAK, ITRO, JABEROLLSUSER, JEFF.HEATHER, JLAZARIDES, JSZADMIN, KASUTAJA, KODI, KPMP, KRASHR, KYM, LACH, LIGA, LOCOJOYADMINUSER, MARIE, MESSINA, NBUDZISZEWSKI, NICOLETA, NOEMLEYU, NTI, OC1, OXFORDMC, PAULALVARO, PETA, PIE, PLCADMINISTRATCR11, PMEBA, PPALMS, PPTP, PST, RAJEEB, RCCT, RDBRUCE, RDP, RECEPTION1, REMOTEUV, SALON, SCOTT, SOFTPRO, SOLWAYSCHILE, SSMZ, SUSANNE, SYM1, SYSR, TIMOLOGISI, TOE, TONY.BERTHUNEDJARDINEJOCAI, U100, VIKARINA, VINTEXDBUSER, WFDS, WINGSHOTEL, WINPIG, ZEESHAN, ZELJKO

So if you are using one of them, you might want to make sure that the password used is a secure one.

I’m using a PowerShell script running on the server to auto block the IPs, but if you do not wish to do this, then I would recommend that you install IPBan. It is also a good idea to activate 2-factor authentication.
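
The auto-block script itself is not shown in the post. The following added example, which is not the author's script, shows one way to do what the post describes: count failed logons (Security event 4625) per source IP, list the user names tried, and add repeat offenders to a Windows Firewall block rule. The threshold, look-back window, rule name and allowlist address are assumptions.

```powershell
# Added example, not the author's script. Run elevated on the server.
# Assumed (hypothetical) settings: threshold, look-back window, rule name, allowlist.
$Threshold = 5
$Since     = (Get-Date).AddHours(-24)
$RuleName  = 'AutoBlock-FailedLogons'
$AllowList = @('127.0.0.1', '::1', '192.0.2.10')   # constructed sample: your own admin addresses

# Event ID 4625 = "An account failed to log on" in the Security log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } `
    -ErrorAction SilentlyContinue

# Pull the source IP and the attempted user name out of each event's XML payload.
$attempts = foreach ($e in $events) {
    $data   = ([xml]$e.ToXml()).Event.EventData.Data
    $ip     = ($data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
    $user   = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
    $parsed = $null
    # Skip events without a usable source address ("-" or empty) and allowlisted hosts.
    if ($ip -and [System.Net.IPAddress]::TryParse($ip, [ref]$parsed) -and $ip -notin $AllowList) {
        [pscustomobject]@{ Ip = $ip; User = $user }
    }
}

# Count attempts per IP and keep the addresses at or above the threshold.
$offenders = $attempts | Group-Object Ip | Where-Object { $_.Count -ge $Threshold }

# Report: IP, number of attempts, user names tried (the data the log mails contain).
$offenders | Sort-Object Count -Descending | ForEach-Object {
    [pscustomobject]@{
        Ip       = $_.Name
        Attempts = $_.Count
        Users    = ($_.Group.User | Sort-Object -Unique) -join ', '
    }
} | Format-Table -AutoSize

if ($offenders) {
    $new  = @($offenders.Name)
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($rule) {
        # Merge with addresses already in the rule so earlier offenders stay blocked.
        $old = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress (($old + $new) | Sort-Object -Unique)
    } else {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
            -RemoteAddress $new | Out-Null
    }
}
```

Put the addresses you administer the server from in the allowlist before scheduling this, so a few mistyped passwords cannot lock you out.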
