Good catch, seems to have been going on for a few days.

Obvious and bad break-in attempt.
Apr 21  linode01  Invalid user backup001 from 69.162.121.226
Apr 21  linode01  Invalid user backup01 from 69.162.121.226
Apr 21  linode01  Invalid user backup02 from 69.162.121.226
Apr 21  linode01  Invalid user backup1 from 69.162.121.226
Apr 21  linode01  Invalid user backup2 from 69.162.121.226
Apr 21  linode01  Invalid user backup from 69.162.121.226
Apr 21  linode01  Invalid user ftpuser001 from 69.162.121.226
Apr 21  linode01  Invalid user ftpuser01 from 69.162.121.226
Apr 21  linode01  Invalid user ftpuser02 from 69.162.121.226
Apr 21  linode01  Invalid user ftpuser1 from 69.162.121.226
Apr 21  linode01  Invalid user ftpuser2 from 69.162.121.226
Apr 21  linode01  Invalid user ftpuser from 69.162.121.226
Apr 21  linode01  Invalid user oracle001 from 69.162.121.226
Apr 21  linode01  Invalid user oracle01 from 69.162.121.226
Apr 21  linode01  Invalid user oracle02 from 69.162.121.226
Apr 21  linode01  Invalid user oracle1 from 69.162.121.226
Apr 21  linode01  Invalid user oracle2 from 69.162.121.226
Apr 21  linode01  Invalid user oracle from 69.162.121.226
Apr 21  linode01  Invalid user testftp001 from 69.162.121.226
Apr 21  linode01  Invalid user testftp01 from 69.162.121.226
Apr 21  linode01  Invalid user testftp02 from 69.162.121.226
Apr 21  linode01  Invalid user testftp1 from 69.162.121.226
Apr 21  linode01  Invalid user testftp2 from 69.162.121.226
Apr 21  linode01  Invalid user testftp from 69.162.121.226
Apr 21  linode01  Invalid user userftp001 from 69.162.121.226
Apr 21  linode01  Invalid user userftp01 from 69.162.121.226
Apr 21  linode01  Invalid user userftp02 from 69.162.121.226
Apr 21  linode01  Invalid user userftp1 from 69.162.121.226
Apr 21  linode01  Invalid user userftp2 from 69.162.121.226
Apr 21  linode01  Invalid user userftp from 69.162.121.226
Apr 22  linode01  Invalid user support001 from 69.162.121.226
Apr 22  linode01  Invalid user support01 from 69.162.121.226
Apr 22  linode01  Invalid user support02 from 69.162.121.226
Apr 22  linode01  Invalid user support1 from 69.162.121.226
Apr 22  linode01  Invalid user support2 from 69.162.121.226
Apr 22  linode01  Invalid user support from 69.162.121.226
Apr 22  linode01  Invalid user testuser001 from 69.162.121.226
Apr 22  linode01  Invalid user testuser01 from 69.162.121.226
Apr 22  linode01  Invalid user testuser02 from 69.162.121.226
Apr 22  linode01  Invalid user testuser1 from 69.162.121.226
Apr 22  linode01  Invalid user testuser2 from 69.162.121.226
Apr 22  linode01  Invalid user testuser from 69.162.121.226
Apr 22  linode01  Invalid user user001 from 69.162.121.226
Apr 22  linode01  Invalid user user01 from 69.162.121.226
Apr 22  linode01  Invalid user user02 from 69.162.121.226
Apr 22  linode01  Invalid user user1 from 69.162.121.226
Apr 22  linode01  Invalid user user2 from 69.162.121.226
Apr 22  linode01  Invalid user user from 69.162.121.226
Apr 22  linode01  Invalid user web001 from 69.162.121.226
Apr 22  linode01  Invalid user web01 from 69.162.121.226
Apr 22  linode01  Invalid user web02 from 69.162.121.226
Apr 22  linode01  Invalid user web1 from 69.162.121.226
Apr 22  linode01  Invalid user web2 from 69.162.121.226
Apr 22  linode01  Invalid user webadmin001 from 69.162.121.226
Apr 22  linode01  Invalid user webadmin01 from 69.162.121.226
Apr 22  linode01  Invalid user webadmin02 from 69.162.121.226
Apr 22  linode01  Invalid user webadmin1 from 69.162.121.226
Apr 22  linode01  Invalid user webadmin2 from 69.162.121.226
Apr 22  linode01  Invalid user webadmin from 69.162.121.226
Apr 22  linode01  Invalid user web from 69.162.121.226
Apr 22  linode01  Invalid user www-data001 from 69.162.121.226
Apr 22  linode01  Invalid user www-data01 from 69.162.121.226
Apr 22  linode01  Invalid user www-data02 from 69.162.121.226
Apr 22  linode01  Invalid user www-data1 from 69.162.121.226
Apr 22  linode01  Invalid user www-data2 from 69.162.121.226
Apr 22  linode01  Invalid user www-data from 69.162.121.226
Apr 23  linode01  Invalid user info001 from 69.162.121.226
Apr 23  linode01  Invalid user info01 from 69.162.121.226
Apr 23  linode01  Invalid user info02 from 69.162.121.226
Apr 23  linode01  Invalid user info1 from 69.162.121.226
Apr 23  linode01  Invalid user info2 from 69.162.121.226
Apr 23  linode01  Invalid user info from 69.162.121.226
Apr 23  linode01  Invalid user mysql001 from 69.162.121.226
Apr 23  linode01  Invalid user mysql01 from 69.162.121.226
Apr 23  linode01  Invalid user mysql02 from 69.162.121.226
Apr 23  linode01  Invalid user mysql1 from 69.162.121.226
Apr 23  linode01  Invalid user mysql2 from 69.162.121.226
Apr 23  linode01  Invalid user nagios001 from 69.162.121.226
Apr 23  linode01  Invalid user nagios01 from 69.162.121.226
Apr 23  linode01  Invalid user nagios from 69.162.121.226
Apr 23  linode01  Invalid user svn001 from 69.162.121.226
Apr 23  linode01  Invalid user svn01 from 69.162.121.226
Apr 23  linode01  Invalid user svn02 from 69.162.121.226
Apr 23  linode01  Invalid user svn1 from 69.162.121.226
Apr 23  linode01  Invalid user svn2 from 69.162.121.226
Apr 23  linode01  Invalid user svn from 69.162.121.226
Apr 23  linode01  Invalid user ts001 from 69.162.121.226
Apr 23  linode01  Invalid user ts01 from 69.162.121.226
Apr 23  linode01  Invalid user ts02 from 69.162.121.226
Apr 23  linode01  Invalid user ts1 from 69.162.121.226
Apr 23  linode01  Invalid user ts2 from 69.162.121.226
Apr 23  linode01  Invalid user ts from 69.162.121.226
Apr 23  linode01  Invalid user www001 from 69.162.121.226
Apr 23  linode01  Invalid user www01 from 69.162.121.226
Apr 23  linode01  Invalid user www02 from 69.162.121.226
Apr 23  linode01  Invalid user www from 69.162.121.226
Apr 24  linode01  Invalid user teamspeak3001 from 69.162.121.226
Apr 24  linode01  Invalid user teamspeak301 from 69.162.121.226
Apr 24  linode01  Invalid user teamspeak302 from 69.162.121.226
Apr 24  linode01  Invalid user teamspeak31 from 69.162.121.226
Apr 24  linode01  Invalid user teamspeak32 from 69.162.121.226
Apr 24  linode01  Invalid user teamspeak3 from 69.162.121.226
Apr 24  linode01  Invalid user webuser001 from 69.162.121.226
Apr 24  linode01  Invalid user webuser01 from 69.162.121.226
Apr 24  linode01  Invalid user webuser02 from 69.162.121.226
Apr 24  linode01  Invalid user webuser1 from 69.162.121.226
Apr 24  linode01  Invalid user webuser2 from 69.162.121.226
Apr 24  linode01  Invalid user webuser from 69.162.121.226


Result of action:
# /sbin/iptables -I INPUT -s 69.162.121.226 -j DROP



On Wed, Apr 24, 2013 at 4:36 PM, Vinzenz Feenstra <vfeenstr@redhat.com> wrote:
On 04/24/2013 10:20 AM, logwatch@linode01.ovirt.org wrote:
  reverse mapping checking getaddrinfo for 226-121-162-69.reverse.lstn.net [69.162.121.226] failed - POSSIBLE BREAK-IN ATTEMPT! : 604 time(s)
I see this in the logs for the past few days, always from the same IP; I think this is a bit odd.
Especially that there are a few hundred of them every day. In the previous 2 days it was above 800 times.

It'd be good to check what's going on there.

--
Regards,

Vinzenz Feenstra | Senior Software Engineer
RedHat Engineering Virtualization R & D
Phone: +420 532 294 625
IRC: vfeenstr or evilissimo



_______________________________________________
Infra mailing list
Infra@ovirt.org
http://lists.ovirt.org/mailman/listinfo/infra



--
/Alexander Rydekull
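
Added example (not part of the original thread or of the oVirt infra tooling): a small detector for the pattern in the log above, where one source walks a username dictionary (stem plus 001/01/02/1/2 suffixes) over several days. The sample lines are constructed in the quoted log format; the thresholds, the IPv4-only pattern and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the log format quoted in the thread.
SAMPLE = """\
Apr 21  linode01  Invalid user backup001 from 69.162.121.226
Apr 21  linode01  Invalid user backup01 from 69.162.121.226
Apr 21  linode01  Invalid user backup from 69.162.121.226
Apr 22  linode01  Invalid user oracle1 from 69.162.121.226
Apr 22  linode01  Invalid user oracle from 69.162.121.226
Apr 23  linode01  Invalid user www-data02 from 69.162.121.226
Apr 23  linode01  Invalid user deploy from 192.0.2.10
"""

LINE = re.compile(
    r"^(\w{3}\s+\d+)\s+\S+\s+Invalid user (\S+) from (\d+\.\d+\.\d+\.\d+)$")
SUFFIX = re.compile(r"(?:001|01|02|1|2)$")  # suffixes seen in the thread's log

def summarize(text):
    """Group invalid-user attempts by source IP."""
    stats = defaultdict(lambda: {"days": set(), "users": set(), "stems": set()})
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore lines in any other format
        day, user, ip = m.groups()
        entry = stats[ip]
        entry["days"].add(" ".join(day.split()))
        entry["users"].add(user)
        # Strip the numeric suffix to recover the dictionary word being tried.
        entry["stems"].add(SUFFIX.sub("", user) or user)
    return stats

def flag_sources(text, min_users=5, min_days=2):
    """Return sources guessing many distinct account names on several days."""
    flagged = {}
    for ip, s in summarize(text).items():
        if len(s["users"]) >= min_users and len(s["days"]) >= min_days:
            flagged[ip] = {"users": len(s["users"]), "days": len(s["days"]),
                           "stems": sorted(s["stems"])}
    return flagged

def drop_rule(ip):
    """Render the kind of rule applied in the thread (printed, not executed)."""
    return f"/sbin/iptables -I INPUT -s {ip} -j DROP"

if __name__ == "__main__":
    for ip, info in flag_sources(SAMPLE).items():
        print(ip, info, "->", drop_rule(ip))
```
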