What is an active Blackhole collection group? My server logs are madness...

3    12 Jun 2018 18:10 by u/veriodd

This bozo today:


[Tue Jun 12 13:05:23.404628 2018] [proxy:warn] [pid 7382] [client 110.141.221.58:38766] AH01144: No protocol handler was valid for the URL http://66.135.33.212:80/phpmyadmin/. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.

I could spend the next 40 hours hardening and not get any fucking productive work done. Fuck these motherfuckers.


Jun 12 13:01:45 verioddd kernel: [86111.516490] [UFW BLOCK] IN=eth0 OUT= MAC=54:9f:35:05:fb:36:80:71:1f:8f:ff:f0:08:00 SRC=119.184.125.74 DST=66.135.33.212 LEN=40 TOS=0x00 PREC=0x00 TTL=109 ID=256 PROTO=TCP SPT=6000 DPT=3030 WINDOW=16384 RES=0x00 SYN URGP=0 
Jun 12 13:02:39 verioddd kernel: [86165.827734] [UFW BLOCK] IN=eth0 OUT= MAC=54:9f:35:05:fb:36:80:71:1f:8f:ff:f0:08:00 SRC=181.214.87.34 DST=66.135.33.212 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=60047 PROTO=TCP SPT=42164 DPT=3956 WINDOW=1024 RES=0x00 SYN URGP=0 
Jun 12 13:02:43 verioddd kernel: [86169.567902] [UFW BLOCK] IN=eth0 OUT= MAC=54:9f:35:05:fb:36:80:71:1f:84:0f:f0:08:00 SRC=196.52.43.84 DST=66.135.33.212 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=39162 PROTO=TCP SPT=6666 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0 
Jun 12 13:03:28 verioddd kernel: [86214.219077] [UFW BLOCK] IN=eth0 OUT= MAC=54:9f:35:05:fb:36:80:71:1f:84:0f:f0:08:00 SRC=45.55.2.34 DST=66.135.33.212 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=54321 PROTO=TCP SPT=43859 DPT=123 WINDOW=65535 RES=0x00 SYN URGP=0 
Jun 12 13:03:36 verioddd kernel: [86222.321004] [UFW BLOCK] IN=eth0 OUT= MAC=54:9f:35:05:fb:36:80:71:1f:8f:ff:f0:08:00 SRC=77.72.85.17 DST=66.135.33.212 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=62423 PROTO=TCP SPT=58696 DPT=2814 WINDOW=1024 RES=0x00 SYN URGP=0 
Jun 12 13:05:07 verioddd kernel: [86313.436985] [UFW BLOCK] IN=eth0 OUT= MAC=54:9f:35:05:fb:36:80:71:1f:8f:ff:f0:08:00 SRC=111.67.198.59 DST=66.135.33.212 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=45538 PROTO=TCP SPT=43287 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0 
Jun 12 13:05:35 verioddd kernel: [86341.748677] [UFW BLOCK] IN=eth0 OUT= MAC=54:9f:35:05:fb:36:80:71:1f:8f:ff:f0:08:00 SRC=46.161.27.254 DST=66.135.33.212 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=64891 PROTO=TCP SPT=56306 DPT=5800 WINDOW=1024 RES=0x00 SYN URGP=0 
Jun 12 13:06:28 verioddd kernel: [86394.608047] [UFW BLOCK] IN=eth0 OUT= MAC=54:9f:35:05:fb:36:80:71:1f:8f:ff:f0:08:00 SRC=181.214.87.75 DST=66.135.33.212 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=48746 PROTO=TCP SPT=45875 DPT=3390 WINDOW=1024 RES=0x00 SYN URGP=0 
Jun 12 13:08:04 verioddd kernel: [86490.452943] [UFW BLOCK] IN=eth0 OUT= MAC=54:9f:35:05:fb:36:80:71:1f:8f:ff:f0:08:00 SRC=185.222.211.102 DST=66.135.33.212 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=29508 PROTO=TCP SPT=51168 DPT=4142 WINDOW=1024 RES=0x00 SYN URGP=0 
Jun 12 13:08:36 verioddd kernel: [86522.514982] [UFW BLOCK] IN=eth0 OUT= MAC=54:9f:35:05:fb:36:80:71:1f:84:0f:f0:08:00 SRC=196.52.43.59 DST=66.135.33.212 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=54321 PROTO=TCP SPT=10397 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0 
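The [UFW BLOCK] lines above are regular enough to triage mechanically instead of reading them one by one. The following added example (not code from the original post, UFW or fail2ban) parses lines of that shape, counts blocked SYNs per source and per destination port, and flags sources that sweep several distinct ports within a few minutes, which is the pattern worth a firewall rule, while a one-off hit on a single port is background noise. The sample lines, host name, MAC, addresses and the assumed year are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log in the same shape as the UFW kernel lines in the post.
# Addresses are documentation ranges; the last line is a non-UFW line the parser must skip.
SAMPLE_LOG = """\
Jun 12 13:01:45 host kernel: [86111.516490] [UFW BLOCK] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=109 ID=256 PROTO=TCP SPT=6000 DPT=3030 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 12 13:02:39 host kernel: [86165.827734] [UFW BLOCK] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=60047 PROTO=TCP SPT=42164 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 12 13:02:43 host kernel: [86169.567902] [UFW BLOCK] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=198.51.100.7 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=54321 PROTO=TCP SPT=43859 DPT=123 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 12 13:03:28 host kernel: [86214.219077] [UFW BLOCK] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=45538 PROTO=TCP SPT=43287 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 12 13:04:10 host kernel: [86256.100000] [UFW BLOCK] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.45 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1001 PROTO=TCP SPT=51000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 12 13:05:07 host kernel: [86313.436985] [UFW BLOCK] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.45 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1002 PROTO=TCP SPT=51001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 12 13:05:35 host kernel: [86341.748677] [UFW BLOCK] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=39162 PROTO=TCP SPT=6666 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 12 13:06:00 host sshd[28744]: Failed password for invalid user temp from 203.0.113.45 port 58832 ssh2
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

# Syslog timestamps carry no year; this value is assumed for the example.
ASSUMED_YEAR = 2018

# Prefix of a UFW kernel log line; everything after "[UFW BLOCK] " is key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"\[[^\]]*\] \[UFW BLOCK\] (?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_ufw_line(line):
    """Return the key=value fields of one '[UFW BLOCK]' line as a dict, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))  # 'OUT=' yields an empty value, as intended
    fields["ts"] = datetime.strptime(f"{ASSUMED_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    # TCP flag words (SYN, ACK, ...) have no '=', so collect them separately.
    fields["flags"] = [tok for tok in m.group("fields").split() if "=" not in tok]
    return fields


def summarize(lines):
    """Count blocked packets per source address and per (protocol, destination port)."""
    by_src, by_dport = Counter(), Counter()
    for line in lines:
        ev = parse_ufw_line(line)
        if ev is None:
            continue
        by_src[ev["SRC"]] += 1
        by_dport[(ev.get("PROTO", "?"), ev.get("DPT", "?"))] += 1
    return by_src, by_dport


def find_port_scanners(lines, min_ports=3, window_seconds=600):
    """Sources that probed at least `min_ports` distinct destination ports within any
    `window_seconds` span. Repeated hits on one port do not count; a sweep across
    many ports in a few minutes is the behaviour worth a block rule."""
    hits = defaultdict(list)  # src -> [(timestamp, dport), ...]
    for line in lines:
        ev = parse_ufw_line(line)
        if ev and "DPT" in ev:
            hits[ev["SRC"]].append((ev["ts"], ev["DPT"]))
    scanners = {}
    for src, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(ports) >= min_ports:
                scanners[src] = sorted(ports, key=int)
                break
    return scanners


if __name__ == "__main__":
    by_src, by_dport = summarize(SAMPLE_LINES)
    print("blocked per source:", by_src.most_common())
    print("blocked per port:  ", by_dport.most_common())
    print("port sweepers:     ", find_port_scanners(SAMPLE_LINES))
```

On a real host the same functions can be fed `/var/log/kern.log` (or `journalctl -k`) line by line; the per-port counter shows which services the noise targets, and the sweeper list is the short set of sources actually worth acting on.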

5 comments

0

Why don't you use an open source HIDS like OSSEC, and modify the rules if need be? Worst comes to worst, just use fail2ban.

0

This looks very promising. It's running now; we'll see what it can do.

First "Strategic Partner" listed is Amazon Web Services. Can't escape the signal!

0

Sweet, good advice, it's working well. I assume I have to manually enable some actions, but it's much easier than watching logfiles!

This guy is hitting all angles:

[Tue Jun 12 16:35:24.396912 2018] [proxy:warn] [pid 26766] [client 51.15.56.143:58380] AH01144: No protocol handler was valid for the URL http://66.135.33.212:80/phpmyadmin/. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.

Damn. So now I can use this to automatically update blacklists and get more pre-emptive?


** Alert 1528839189.1451: - pam,syslog,authentication_failed,
2018 Jun 12 16:33:09 p4876504->/var/log/auth.log
Rule: 5503 (level 5) -> 'User login failed.'
Src IP: 59.10.239.26
Jun 12 16:33:09 p4876504 sshd[28744]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.10.239.26
** Alert 1528839191.1768: - syslog,sshd,invalid_login,authentication_failed,
2018 Jun 12 16:33:11 p4876504->/var/log/auth.log
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Src IP: 59.10.239.26
Jun 12 16:33:11 p4876504 sshd[28744]: Failed password for invalid user temp from 59.10.239.26 port 58832 ssh2
** Alert 1528839354.2095: - syslog,sshd,invalid_login,authentication_failed,

This is ridiculous.

0

Not sure which one you set up, but I would imagine fail2ban. At any rate, you can then run iptables -L, and that will show you exactly the rules that are being triggered. If you are not seeing anything, you may need to go through your config files in /etc/fail2ban; just make sure that if you are making changes you use the jail.local file, as the other will be overwritten upon system updates.

BTW, while OSSEC is a lot harder in the beginning, it is a lot more efficient once you figure out how to generate your own rules for when you get hit by something more than the usual script kiddies.

0

Thanks. I don't want to give away all the keys to my kingdom but it is playing nicely with fail2ban and others.

It's already quieted the logs down considerably on top of just fail2ban.