{"id":48,"date":"2019-03-15T20:23:55","date_gmt":"2019-03-15T21:23:55","guid":{"rendered":"https:\/\/blog.wutao.de\/?p=48"},"modified":"2019-03-15T20:23:55","modified_gmt":"2019-03-15T21:23:55","slug":"the-first-attacked-case","status":"publish","type":"post","link":"https:\/\/blog.wutao.de\/?p=48","title":{"rendered":"The First attacked case"},"content":{"rendered":"\n

Before Several Hours I received a mail from the VPS provider. They told me, my server is under attack. Wow, as you seen, in this server, there is nothing worth. So I just checked some log (below) in the server. Interesting, this is a typical BrutoForce, someone is trying to use any user name to log the pop3 port of my server. Although, they cannot benifit from this, since I dont even have configurate any usernames, this kind of action made the provide unhappy, so they ve warned me and given me a deadline to repair the issue. Otherwise, they will lock my server and may reinstall it (delete all data). So I shall do something.<\/p>\n\n\n\n

First, according to the log I noticed, the pop3, namely the smtp protocol is supported in the server, but I nerver use it. It must be some test configurations of me and some forgotten usage. So, first of all, I just disable the Mail service.<\/p>\n\n\n\n

<\/p>\n\n\n\n

Mar 14 15:51:28 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 4 secs): user=<postmaster@zaunwerk.at><\/strong>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<tyhiDg+EGMpV1jSL> Mar 14 15:51:37 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 7 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<+8+\/Dg+EnstV1jSL> Mar 14 15:51:51 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 12 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<TyBJDw+Eis5V1jSL> Mar 14 15:52:12 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<3v4dEA+ECtNV1jSL> Mar 14 15:52:33 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<9uBcEQ+EBNpV1jSL> Mar 14 15:52:54 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<ER+eEg+EmuFV1jSL> Mar 14 15:53:14 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 18 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<PqjdEw+EyOdV1jSL> Mar 14 15:53:35 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<u6YOFQ+EPIBV1jSL> Mar 14 15:53:56 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<Y8FSFg+EioVV1jSL> Mar 14 15:54:17 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<7M+PFw+E7opV1jSL> Mar 14 15:54:38 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<fkDQGA+EQpFV1jSL> Mar 14 15:54:59 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<pZETGg+EhJdV1jSL> Mar 14 15:55:21 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 20 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<BMdVGw+E4JxV1jSL> Mar 14 15:55:42 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<1CSgHA+EnKVV1jSL> Mar 14 15:56:03 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<ZznjHQ+EfqxV1jSL> Mar 14 15:56:24 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<jlAkHw+E9rJV1jSL> Mar 14 15:56:45 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<D0RmIA+EMLlV1jSL> Mar 14 15:57:06 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<mFWmIQ+Epr5V1jSL> Mar 14 15:57:27 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<0SbiIg+EtMRV1jSL> Mar 14 15:57:48 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<xrslJA+EnMxV1jSL> Mar 14 15:57:49 www dovecot: pop3-login: access(tcpwrap): Client refused (rip=85.214.52.139) Mar 15 04:20:30 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 4 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<ZfgrhRmElpBV1jSL> Mar 15 04:20:40 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 8 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<8iqDhRmEApNV1jSL> Mar 15 04:20:54 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 12 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<pXUXhhmEZpVV1jSL> Mar 15 04:21:15 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<wp\/thhmEkJlV1jSL> Mar 15 04:21:36 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<YQEviBmEvJ9V1jSL> Mar 15 04:21:57 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<Lv9riRmELKVV1jSL> Mar 15 04:22:17 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 18 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<0WKsihmEeqtV1jSL> Mar 15 04:22:38 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<DtveixmE2LBV1jSL> Mar 15 04:22:59 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<spgejRmENrZV1jSL> Mar 15 04:23:20 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<Qy5fjhmE7rxV1jSL> Mar 15 04:23:40 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 18 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<bpKgjxmEdsRV1jSL> Mar 15 04:24:01 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<5\/HVkBmE7slV1jSL> Mar 15 04:24:22 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<tsURkhmEnNBV1jSL> Mar 15 04:24:43 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<3jRTkxmEbtZV1jSL> Mar 15 04:25:04 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<h\/CXlBmETtxV1jSL> Mar 15 04:25:25 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<MU\/YlRmENuNV1jSL> Mar 15 04:25:46 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<deoRlxmEmulV1jSL> Mar 15 04:26:07 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<7XZWmBmEJIJV1jSL> Mar 15 04:26:28 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<UMuXmRmEHIlV1jSL> Mar 15 04:26:49 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<2r3YmhmEdJFV1jSL> Mar 15 04:26:50 www dovecot: pop3-login: access(tcpwrap): Client refused (rip=85.214.52.139)<\/em><\/p><\/blockquote>\n\n\n\n

Then, the used domain names are @zaunwerk.at<\/strong><\/em> , @car-selection.at<\/strong><\/em> they all share one IP 217.74.13.226, which is organiazed by https:\/\/www.rundrweb.com\/. Maybe the attacker has got some infos from this provider, and try to gain more data. But it may be practical, just block the address <\/p>\n\n\n\n

sudo iptables -A INPUT -s 217.74.13.226 -j DROP<\/p><\/blockquote>\n\n\n\n

And done.<\/p>\n\n\n\n

One more thing. My server is actually alway under attack. The attackers are from different IP and ports, and trying to have root access. ….so…… I shall set my root as read only. But this is just a future work.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n","protected":false},"excerpt":{"rendered":"

Before Several Hours I received a mail from the VPS pro … <\/p>\n

\u7ee7\u7eed\u9605\u8bfb\u201cThe First attacked case\u201d<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/blog.wutao.de\/index.php?rest_route=\/wp\/v2\/posts\/48"}],"collection":[{"href":"https:\/\/blog.wutao.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.wutao.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.wutao.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.wutao.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=48"}],"version-history":[{"count":1,"href":"https:\/\/blog.wutao.de\/index.php?rest_route=\/wp\/v2\/posts\/48\/revisions"}],"predecessor-version":[{"id":50,"href":"https:\/\/blog.wutao.de\/index.php?rest_route=\/wp\/v2\/posts\/48\/revisions\/50"}],"wp:attachment":[{"href":"https:\/\/blog.wutao.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=48"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.wutao.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=48"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.wutao.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=48"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}