Hacking my server

So anyone who runs a server knows that there will be hacking attempts.

Most of the time I just ignore them as I have some defenses to stop primitive and bot hacks.

Just for fun though, I decided to do something about a hacking attempt.

Here is part of a log file:

199.15.233.142 - - [10/Apr/2017:06:24:09 -0500] "POST /wp-login.php HTTP/1.1" 200 3277 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
199.15.233.142 - - [10/Apr/2017:06:24:10 -0500] "POST /wp-login.php HTTP/1.1" 200 3277 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
199.15.233.142 - - [10/Apr/2017:06:24:10 -0500] "POST /wp-login.php HTTP/1.1" 200 3277 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
199.15.233.142 - - [10/Apr/2017:06:24:10 -0500] "POST /wp-login.php HTTP/1.1" 200 3277 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
199.15.233.142 - - [10/Apr/2017:06:24:11 -0500] "POST /wp-login.php HTTP/1.1" 200 3277 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
199.15.233.142 - - [10/Apr/2017:06:24:11 -0500] "POST /wp-login.php HTTP/1.1" 200 3277 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
199.15.233.142 - - [10/Apr/2017:06:24:11 -0500] "POST /wp-login.php HTTP/1.1" 200 3277 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
199.15.233.142 - - [10/Apr/2017:06:24:12 -0500] "POST /wp-login.php HTTP/1.1" 200 3277 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
199.15.233.142 - - [10/Apr/2017:06:24:12 -0500] "POST /wp-login.php HTTP/1.1" 200 3277 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
199.15.233.142 - - [10/Apr/2017:06:24:12 -0500] "POST /wp-login.php HTTP/1.1" 200 3277 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
199.15.233.142 - - [10/Apr/2017:06:24:13 -0500] "POST /wp-login.php HTTP/1.1" 200 3277 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
199.15.233.142 - - [10/Apr/2017:06:24:13 -0500] "POST /wp-login.php HTTP/1.1" 200 3277 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
199.15.233.142 - - [10/Apr/2017:06:24:13 -0500] "POST /wp-login.php HTTP/1.1" 200 3277 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
199.15.233.142 - - [10/Apr/2017:06:24:15 -0500] "POST /wp-login.php HTTP/1.1" 200 3277 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
199.15.233.142 - - [10/Apr/2017:06:24:15 -0500] "POST /wp-login.php HTTP/1.1" 200 3277 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
199.15.233.142 - - [10/Apr/2017:06:24:17 -0500] "POST /wp-login.php HTTP/1.1" 200 3277 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
199.15.233.142 - - [10/Apr/2017:06:24:17 -0500] "POST /wp-login.php HTTP/1.1" 200 3277 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
199.15.233.142 - - [10/Apr/2017:06:24:17 -0500] "POST /wp-login.php HTTP/1.1" 200 3277 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
199.15.233.142 - - [10/Apr/2017:06:24:17 -0500] "POST /wp-login.php HTTP/1.1" 200 3277 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
199.15.233.142 - - [10/Apr/2017:06:24:18 -0500] "POST /wp-login.php HTTP/1.1" 200 3277 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
199.15.233.142 - - [10/Apr/2017:06:24:18 -0500] "POST /wp-login.php HTTP/1.1" 200 3277 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
199.15.233.142 - - [10/Apr/2017:06:24:18 -0500] "POST /wp-login.php HTTP/1.1" 200 3277 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
199.15.233.142 - - [10/Apr/2017:06:24:19 -0500] "POST /wp-login.php HTTP/1.1" 200 3277 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
199.15.233.142 - - [10/Apr/2017:06:24:20 -0500] "POST /wp-login.php HTTP/1.1" 200 3277 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"

As you can see, 199.15.233.142 fired 24 POSTs at wp-login.php in eleven seconds, which is a script guessing usernames and passwords, not a person at a keyboard. The User-Agent string claims 64-bit Windows 7 running a 32-bit Firefox 18 (that is what "WOW64" means), but the header only tells us what the client chose to send: it is trivially forged, and a Firefox release from early 2013 turning up on a request in 2017 looks more like a string hard-coded into a bot than a real browser.
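Here is a script that pulls the same signal out of an access log automatically. It is an added example rather than code from the original post: it parses combined-format lines (the layout of the excerpt above), groups POSTs to wp-login.php per source address, flags any address with ten or more attempts inside a sixty-second window, and records whether any attempt was answered with a 302, the redirect WordPress sends after a successful login, rather than the 200 that re-renders the form after a failed one. The threshold and window are assumptions to tune for your own traffic, and the sample log lines are constructed for the example: they reuse the post's IP and User-Agent, plus a second address from the 203.0.113.0/24 documentation range.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format, the layout of the excerpt above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)

UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"


def _line(ip, second, status, minute=24):
    # Builds one constructed log line in the same layout as the post's excerpt.
    return (f'{ip} - - [10/Apr/2017:06:{minute:02d}:{second:02d} -0500] '
            f'"POST /wp-login.php HTTP/1.1" {status} 3277 "-" "{UA}"')


# Constructed sample: the post's IP failing ten times in a row (all 200, the
# login form re-rendered), and a second address from the 203.0.113.0/24
# documentation range whose tenth attempt got the 302 redirect WordPress
# sends after a successful login. The trailing GET is not a login attempt.
SAMPLE_LOG = [_line("199.15.233.142", 9 + i, 200) for i in range(10)]
SAMPLE_LOG += [_line("203.0.113.7", 30 + i, 200) for i in range(9)]
SAMPLE_LOG.append(_line("203.0.113.7", 39, 302))
SAMPLE_LOG.append('203.0.113.7 - - [10/Apr/2017:06:24:40 -0500] '
                  '"GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')


def parse_line(line):
    """Return a dict for one combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_login_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Map each source IP that POSTed to wp-login.php at least `threshold`
    times within any `window` to a summary of what it did. possible_success
    is True if any attempt was answered with a 302 instead of a 200."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == "/wp-login.php":
            attempts[rec["ip"]].append(rec)

    hits = {}
    for ip, recs in attempts.items():
        recs.sort(key=lambda r: r["ts"])
        # Sliding window over the sorted timestamps: largest burst within `window`.
        peak, j = 0, 0
        for i, rec in enumerate(recs):
            while rec["ts"] - recs[j]["ts"] > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            hits[ip] = {
                "attempts": len(recs),
                "peak_in_window": peak,
                "possible_success": any(r["status"] == 302 for r in recs),
                "user_agents": sorted({r["ua"] for r in recs}),
            }
    return hits


if __name__ == "__main__":
    for ip, summary in find_login_bruteforce(SAMPLE_LOG).items():
        print(ip, summary)
```

Run it against a real access_log by feeding the file's lines to find_login_bruteforce; a hit with possible_success set is the one to investigate first, since a 302 on wp-login.php means a credential worked.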

Luckily, it appears that they were unsuccessful! The log backs that up: every request was answered with a 200 and the same 3277-byte body, which is WordPress re-rendering the login form with an error message. A login that actually worked would show up as a 302 redirect to wp-admin, so a 302 on a POST to wp-login.php from an address like this is the line to grep for. Now to figure out who owns this IP. To do this, we can use whois. We'd run it with whois 199.15.233.142 and then look at the result as follows:

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#

#
# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=199.15.233.142?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#

# start

NetRange: 199.15.232.0 - 199.15.239.255
CIDR: 199.15.232.0/21
NetName: IPS
NetHandle: NET-199-15-232-0-1
Parent: NET199 (NET-199-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: IPStrada (IL-19)
RegDate: 2012-07-18
Updated: 2012-10-16
Ref: https://whois.arin.net/rest/net/NET-199-15-232-0-1

OrgName: IPStrada
OrgId: IL-19
Address: 515 Houston ST, STE 800
City: Fort Worth
StateProv: TX
PostalCode: 76102
Country: US
RegDate: 2011-07-06
Updated: 2012-09-20
Comment: http://www.ipstrada.net
Comment: Standard NOC hours are 9am to 9pm CST
Ref: https://whois.arin.net/rest/org/IL-19

OrgNOCHandle: NOC12088-ARIN
OrgNOCName: NOC
OrgNOCPhone: +1-352-537-8652
OrgNOCEmail: support@ipstrada.net
OrgNOCRef: https://whois.arin.net/rest/poc/NOC12088-ARIN

OrgTechHandle: TECHS117-ARIN
OrgTechName: Tech Support
OrgTechPhone: +1-817-255-4006
OrgTechEmail: info@ipstrada.net
OrgTechRef: https://whois.arin.net/rest/poc/TECHS117-ARIN

OrgAbuseHandle: ABUSE3088-ARIN
OrgAbuseName: Abuse Dept
OrgAbusePhone: +1-817-255-4050
OrgAbuseEmail: abuse1@ipstrada.net
OrgAbuseRef: https://whois.arin.net/rest/poc/ABUSE3088-ARIN

# end

# start

NetRange: 199.15.233.136 - 199.15.233.143
CIDR: 199.15.233.136/29
NetName: IPS
NetHandle: NET-199-15-233-136-1
Parent: IPS (NET-199-15-232-0-1)
NetType: Reassigned
OriginAS: AS18981
Customer: Justin Downing (C03368055)
RegDate: 2013-04-11
Updated: 2013-04-11
Comment: N/A
Ref: https://whois.arin.net/rest/net/NET-199-15-233-136-1

CustName: Justin Downing
Address: 515 Houston St,
Address: STE 300
City: Fort Worth
StateProv: TX
PostalCode: 76102
Country: US
RegDate: 2013-04-11
Updated: 2013-04-11
Ref: https://whois.arin.net/rest/customer/C03368055

OrgNOCHandle: NOC12088-ARIN
OrgNOCName: NOC
OrgNOCPhone: +1-352-537-8652
OrgNOCEmail: support@ipstrada.net
OrgNOCRef: https://whois.arin.net/rest/poc/NOC12088-ARIN

OrgTechHandle: TECHS117-ARIN
OrgTechName: Tech Support
OrgTechPhone: +1-817-255-4006
OrgTechEmail: info@ipstrada.net
OrgTechRef: https://whois.arin.net/rest/poc/TECHS117-ARIN

OrgAbuseHandle: ABUSE3088-ARIN
OrgAbuseName: Abuse Dept
OrgAbusePhone: +1-817-255-4050
OrgAbuseEmail: abuse1@ipstrada.net
OrgAbuseRef: https://whois.arin.net/rest/poc/ABUSE3088-ARIN

# end

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#

Aha! The /21 is allocated to IPStrada, and the /29 that contains our address has been reassigned to one of their customers (the second record, which is the more specific match). ARIN requires an abuse point of contact on the record, so either way the report goes to abuse1@ipstrada.net. One caveat before writing the e-mail: whois tells you who the provider has on file for the range, not who was at the keyboard, and a host doing this is just as likely a compromised or rented machine as the attacker's own.
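Picking the right contact out of that dump by hand is fine once, but worth automating if you report more than one. The parser below is an added example, not code from the post: it splits ARIN output into its "# start" / "# end" records, picks the record whose prefix is the longest match for the address (the reassigned /29 rather than the provider's /21), and returns the holder and abuse contact from it. WHOIS_TEXT is a trimmed copy of the output above with some lines dropped; the function names are assumptions of the example. It only understands ARIN's key: value layout; RIPE, APNIC and the other registries format their records differently.

```python
import ipaddress
import re
from collections import defaultdict

# Trimmed copy of the ARIN records above: the /21 direct allocation and the
# /29 reassigned out of it. Lines are dropped for brevity; the layout
# ("# start" / "# end" records of "Key: value" lines) is what matters.
WHOIS_TEXT = """\
# ARIN WHOIS data and services are subject to the Terms of Use

# start

NetRange: 199.15.232.0 - 199.15.239.255
CIDR: 199.15.232.0/21
NetName: IPS
NetType: Direct Allocation
OriginAS:
Organization: IPStrada (IL-19)

OrgAbuseHandle: ABUSE3088-ARIN
OrgAbusePhone: +1-817-255-4050
OrgAbuseEmail: abuse1@ipstrada.net

# end

# start

NetRange: 199.15.233.136 - 199.15.233.143
CIDR: 199.15.233.136/29
NetName: IPS
NetType: Reassigned
OriginAS: AS18981
Customer: Justin Downing (C03368055)

CustName: Justin Downing
Address: 515 Houston St,
Address: STE 300

OrgAbuseHandle: ABUSE3088-ARIN
OrgAbuseEmail: abuse1@ipstrada.net

# end
"""


def parse_arin_records(text):
    """Split ARIN whois output into its '# start' ... '# end' records.
    Keys map to lists because ARIN repeats some (Address: above); a plain
    dict would silently keep only the last line."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "# start":
            current = defaultdict(list)
        elif line == "# end":
            if current is not None:
                records.append(dict(current))
            current = None
        elif current is not None and line and not line.startswith("#"):
            key, sep, value = line.partition(":")
            if sep:
                current[key.strip()].append(value.strip())
    return records


def prefixes_of(record):
    # One CIDR: line can list several comma-separated prefixes.
    return [ipaddress.ip_network(p.strip())
            for line in record.get("CIDR", [])
            for p in line.split(",") if p.strip()]


def most_specific_record(records, ip):
    """Longest-prefix match: for a reassigned range this is the customer
    record, not the provider allocation that contains it."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for record in records:
        for net in prefixes_of(record):
            if addr in net and net.prefixlen > best_len:
                best, best_len = record, net.prefixlen
    return best


def abuse_contact(text, ip):
    """Who holds the most specific range containing `ip`, and where to send
    the abuse report. Returns None if no record covers the address."""
    rec = most_specific_record(parse_arin_records(text), ip)
    if rec is None:
        return None
    holder = (rec.get("Customer") or rec.get("Organization") or ["unknown"])[0]
    return {
        "cidr": rec["CIDR"][0],
        "net_type": rec.get("NetType", [""])[0],
        "holder": re.sub(r"\s*\([^)]*\)$", "", holder),   # strip "(handle)"
        "abuse_email": rec.get("OrgAbuseEmail", [None])[0],
        "abuse_phone": rec.get("OrgAbusePhone", [None])[0],
    }


if __name__ == "__main__":
    print(abuse_contact(WHOIS_TEXT, "199.15.233.142"))
```

Feed it the raw output of whois for a real lookup; if the most specific record carries no OrgAbuseEmail, fall back to the parent allocation's record, which is why the code reports the missing field as None instead of guessing.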

So I just fired off a quick one and we'll see what happens. (hint: nothing)

This entry was posted in Computer Science.