[kwlug-disc] Identify this exploit?

Mikalai Birukou mb at 3nsoft.com
Sun Dec 29 13:19:20 EST 2019


Was it a ... "horribly configured" PHP application :) ?

On 2019-12-29 12:34 p.m., Ron Singh wrote:
> From a non-techy/new-ish to Linux guy's perspective, what do I take 
> away from this bit of "follow the bouncing ball"?
>
>   153.126.166.203 (ik1-319-19699.vs.sakura.ne.jp)
>
> gives me this:
> ________________________________________________________________
>
>
>   Welcome to nmp3000's site
>
> yukkuri goran kudasai
>
> ________________________________________________________________
>
> and googling nmp3000, I get this twitter user as a top hit and he 
> seems to be a Linux-y kind of guy in Japan:
>
> https://twitter.com/nmp3000
>
> No idea if there is any meaning to be gleaned from this, but I thought 
> it might be mildly interesting. I do wonder if that fella's site is 
> hacked and someone is using his url for dastardly deeds. I am not at 
> all savvy about how these things work, but I thought it curious.
>
> Thanks,
>
> Ron Singh
>
>
>
> On Sun, Dec 29, 2019 at 12:06 PM Khalid Baheyeldin <kb at 2bits.com> wrote:
>
>     Here is an example from the scary internet ...
>
>     From today's logs of a server I manage (via logwatch):
>
>      Failed logins from:
>         92.246.17.5: 1 time
>         95.88.219.197 (ip5f58dbc5.dynamic.kabel-deutschland.de): 1 time
>         153.126.166.203 (ik1-319-19699.vs.sakura.ne.jp): 1 time
>
>      Illegal users from:
>         undef: 3 times
>         12.22.203.226: 1 time
>         63.142.97.181 (63-142-97-63-142-97-181.cpe.sparklight.net): 1 time
>         92.246.17.5: 2 times
>         97.84.76.88 (97-84-76-88.dhcp.snlo.ca.charter.com): 1 time
>         115.160.163.195: 2 times
>         142.4.208.131 (ns502558.ip-142-4-208.net): 1 time
>         153.126.141.19 (ik1-306-13265.vs.sakura.ne.jp): 1 time
>
>     These are all ssh login attempts from various IP addresses.
>
>     _______________________________________________
>     kwlug-disc mailing list
>     kwlug-disc at kwlug.org <mailto:kwlug-disc at kwlug.org>
>     http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
-- 
Mikalai Birukou
CEO | 3NSoft Inc.