Saturday, June 18, 2005

Who's That Knocking on My Firewall?

A recent report from my firewall:
Jun 17 16:36:28 fw1 sshd[13399]: Received disconnect from 80.222.63.70: 11: Bye Bye
Jun 17 16:36:38 fw1 sshd[6987]: Connection closed by 80.222.63.70
Jun 17 22:25:32 fw1 sshd[27466]: Illegal user test from 221.122.53.70
Jun 17 22:25:32 fw1 sshd[16945]: input_userauth_request: illegal user test
Jun 17 22:25:32 fw1 sshd[16945]: Failed password for illegal user test from 221.122.53.70 port 57141 ssh2
Jun 17 22:25:32 fw1 sshd[27466]: Failed password for illegal user test from 221.122.53.70 port 57141 ssh2
Jun 17 22:25:33 fw1 sshd[16945]: Received disconnect from 221.122.53.70: 11: Bye Bye
Jun 17 22:25:35 fw1 sshd[17583]: Illegal user guest from 221.122.53.70
Jun 17 22:25:35 fw1 sshd[21084]: input_userauth_request: illegal user guest
Jun 17 22:25:35 fw1 sshd[21084]: Failed password for illegal user guest from 221.122.53.70 port 57218 ssh2
Jun 17 22:25:35 fw1 sshd[17583]: Failed password for illegal user guest from 221.122.53.70 port 57218 ssh2
Jun 17 22:25:35 fw1 sshd[21084]: Received disconnect from 221.122.53.70: 11: Bye Bye
Jun 17 22:25:39 fw1 sshd[5466]: Illegal user admin from 221.122.53.70
Jun 17 22:25:39 fw1 sshd[7456]: input_userauth_request: illegal user admin
Jun 17 22:25:39 fw1 sshd[7456]: Failed password for illegal user admin from 221.122.53.70 port 57286 ssh2
Jun 17 22:25:39 fw1 sshd[5466]: Failed password for illegal user admin from 221.122.53.70 port 57286 ssh2
Jun 17 22:25:40 fw1 sshd[7456]: Received disconnect from 221.122.53.70: 11: Bye Bye
Jun 17 22:25:42 fw1 sshd[27831]: Illegal user admin from 221.122.53.70
Jun 17 22:25:42 fw1 sshd[18897]: input_userauth_request: illegal user admin
Jun 17 22:25:42 fw1 sshd[18897]: Failed password for illegal user admin from 221.122.53.70 port 57405 ssh2
Jun 17 22:25:42 fw1 sshd[27831]: Failed password for illegal user admin from 221.122.53.70 port 57405 ssh2
Jun 17 22:25:43 fw1 sshd[18897]: Received disconnect from 221.122.53.70: 11: Bye Bye
Jun 17 22:25:45 fw1 sshd[28108]: Illegal user user from 221.122.53.70
Jun 17 22:25:45 fw1 sshd[24567]: input_userauth_request: illegal user user
Jun 17 22:25:45 fw1 sshd[28108]: Failed password for illegal user user from 221.122.53.70 port 57472 ssh2
Jun 17 22:25:45 fw1 sshd[24567]: Failed password for illegal user user from 221.122.53.70 port 57472 ssh2
Jun 17 22:25:45 fw1 sshd[24567]: Received disconnect from 221.122.53.70: 11: Bye Bye
Jun 17 22:25:49 fw1 sshd[19282]: Failed password for root from 221.122.53.70 port 57548 ssh2
Jun 17 22:25:49 fw1 sshd[1007]: Failed password for root from 221.122.53.70 port 57548 ssh2
Jun 17 22:25:49 fw1 sshd[19282]: Received disconnect from 221.122.53.70: 11: Bye Bye
Jun 17 22:25:52 fw1 sshd[12117]: Failed password for root from 221.122.53.70 port 57648 ssh2
Jun 17 22:25:52 fw1 sshd[15743]: Failed password for root from 221.122.53.70 port 57648 ssh2
Jun 17 22:25:52 fw1 sshd[12117]: Received disconnect from 221.122.53.70: 11: Bye Bye
Jun 17 22:25:56 fw1 sshd[27688]: Failed password for root from 221.122.53.70 port 57742 ssh2
Jun 17 22:25:56 fw1 sshd[3944]: Failed password for root from 221.122.53.70 port 57742 ssh2
Jun 17 22:25:56 fw1 sshd[27688]: Received disconnect from 221.122.53.70: 11: Bye Bye
Jun 17 22:25:58 fw1 sshd[10387]: Illegal user test from 221.122.53.70
Jun 17 22:25:58 fw1 sshd[21661]: input_userauth_request: illegal user test
Jun 17 22:25:58 fw1 sshd[21661]: Failed password for illegal user test from 221.122.53.70 port 57829 ssh2
Jun 17 22:25:58 fw1 sshd[10387]: Failed password for illegal user test from 221.122.53.70 port 57829 ssh2
Jun 17 22:25:59 fw1 sshd[21661]: Received disconnect from 221.122.53.70: 11: Bye Bye
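
As an added example, not code from the original post: a small Python parser for sshd lines in exactly the format above. It collapses the paired entries (two PIDs log each attempt, as happens with privilege-separated sshd), groups failures by source address and flags the burst of usernames from 221.122.53.70 as a dictionary attack. The threshold and window are assumed values, not anything the post states.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: sshd lines taken from the post's log. The repeated "Failed
# password" pairs are real: two sshd processes (parent and child) log each attempt.
SAMPLE_LOG = """\
Jun 17 16:36:28 fw1 sshd[13399]: Received disconnect from 80.222.63.70: 11: Bye Bye
Jun 17 22:25:32 fw1 sshd[16945]: Failed password for illegal user test from 221.122.53.70 port 57141 ssh2
Jun 17 22:25:32 fw1 sshd[27466]: Failed password for illegal user test from 221.122.53.70 port 57141 ssh2
Jun 17 22:25:35 fw1 sshd[21084]: Failed password for illegal user guest from 221.122.53.70 port 57218 ssh2
Jun 17 22:25:39 fw1 sshd[7456]: Failed password for illegal user admin from 221.122.53.70 port 57286 ssh2
Jun 17 22:25:49 fw1 sshd[19282]: Failed password for root from 221.122.53.70 port 57548 ssh2
Jun 17 22:25:49 fw1 sshd[1007]: Failed password for root from 221.122.53.70 port 57548 ssh2
Jun 17 22:25:52 fw1 sshd[12117]: Failed password for root from 221.122.53.70 port 57648 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:illegal user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)

def parse_attempts(log_text):
    """Unique (timestamp, ip, port, user) failures. Keying on the client port
    collapses the duplicate line pairs instead of double-counting them."""
    attempts = set()
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            attempts.add((ts, m.group("ip"), m.group("port"), m.group("user")))
    return attempts

def summarize(attempts, threshold=5, window_seconds=300):
    """Per source IP: attempt count, usernames tried, time span, and a verdict
    that flags `threshold` or more failures inside `window_seconds` (assumed values)."""
    by_ip = defaultdict(list)
    for ts, ip, _port, user in attempts:
        by_ip[ip].append((ts, user))
    report = {}
    for ip, events in by_ip.items():
        times = sorted(t for t, _ in events)
        span = (times[-1] - times[0]).total_seconds()
        report[ip] = {
            "attempts": len(events),
            "users": sorted({u for _, u in events}),
            "span_seconds": span,
            "dictionary_attack": len(events) >= threshold and span <= window_seconds,
        }
    return report
```

The address that only sent a disconnect (80.222.63.70) never appears in the report, since no failed authentication was logged for it.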


Looks like 221.122.53.70 is trying a dictionary attack to get into my network... I wonder where 221.122.53.70 is located on the net?
# traceroute 221.122.153.70
traceroute to 221.122.153.70 (221.122.153.70), 64 hops max, 40 byte packets
[...] removed for my own security
5 h66-59-168-61.gtconnect.net (66.59.168.61) 6.875 ms 21.712 ms 8.768 ms
6 GE5-1.WANA-TOROON.IP.GROUPTELECOM.NET (66.59.191.97) 7.310 ms 8.783 ms 19.846 ms
7 POS6-0.WANA-VANCBC.IP.GROUPTELECOM.NET (66.59.190.57) 68.950 ms 70.30 ms 70.23 ms
8 POS8-0.PEERA-STTLWA.IP.GROUPTELECOM.NET (66.59.190.46) 69.254 ms 78.836 ms 72.841 ms
9 GT-CHINATELECOM.PEERA-STTLWA.IP.GROUPTELECOM.NET (66.59.190.54) 89.790 ms 87.936 ms 87.756 ms
10 202.97.51.205 (202.97.51.205) 243.824 ms 228.701 ms 228.430 ms
11 202.97.33.37 (202.97.33.37) 226.865 ms 227.952 ms 228.472 ms
12 202.97.37.50 (202.97.37.50) 229.166 ms 233.903 ms 228.360 ms
13 202.97.39.26 (202.97.39.26) 249.466 ms 250.843 ms 255.74 ms
14 219.150.32.118 (219.150.32.118) 261.970 ms 253.639 ms 263.263 ms
15 219.150.32.102 (219.150.32.102) 251.733 ms 254.979 ms 251.826 ms
16 * * *
17 * 221.239.0.38 (221.239.0.38) 376.792 ms !H *


Surprise!

Folks, I receive thousands of hits like this from China every day, as do most of you if you are on broadband. There are hundreds of systems in China that bang away on your firewalls all day and all night, trying to find a way in.

What do you suppose they want?