Full Version: illegal login attempts from a planet i.p. 70.84.233.98
neonix
My logwatch report shows illegal login attempts from a planet i.p. address -

Has anybody else received "SPECIAL ATTENTION" from this i.p 70.84.233.98 -

I normally get such attacks from Korea. I wonder if the Korean has compromised a server at the planet or has he spoofed the I.P. address -



Failed logins from these:
account/password from 70.84.233.98: 4 Time(s)
adam/password from 70.84.233.98: 4 Time(s)
adm/password from 70.84.233.98: 8 Time(s)
alan/password from 70.84.233.98: 4 Time(s)
apache/password from 70.84.233.98: 4 Time(s)
backup/password from 70.84.233.98: 4 Time(s)
cip51/password from 70.84.233.98: 4 Time(s)
cip52/password from 70.84.233.98: 4 Time(s)
cosmin/password from 70.84.233.98: 4 Time(s)
cyrus/password from 70.84.233.98: 4 Time(s)
data/password from 70.84.233.98: 4 Time(s)
frank/password from 70.84.233.98: 4 Time(s)
george/password from 70.84.233.98: 4 Time(s)
henry/password from 70.84.233.98: 4 Time(s)
horde/password from 70.84.233.98: 4 Time(s)
iceuser/password from 70.84.233.98: 4 Time(s)
irc/password from 70.84.233.98: 8 Time(s)
jane/password from 70.84.233.98: 4 Time(s)
john/password from 70.84.233.98: 4 Time(s)
master/password from 70.84.233.98: 4 Time(s)
matt/password from 70.84.233.98: 4 Time(s)
mysql/password from 70.84.233.98: 4 Time(s)
nobody/password from 70.84.233.98: 4 Time(s)
noc/password from 70.84.233.98: 4 Time(s)
operator/password from 70.84.233.98: 4 Time(s)
oracle/password from 70.84.233.98: 4 Time(s)
pamela/password from 70.84.233.98: 4 Time(s)
patrick/password from 70.84.233.98: 8 Time(s)
rolo/password from 70.84.233.98: 4 Time(s)
root/password from 70.84.233.98: 236 Time(s)
server/password from 70.84.233.98: 4 Time(s)
sybase/password from 70.84.233.98: 4 Time(s)
test/password from 70.84.233.98: 20 Time(s)
user/password from 70.84.233.98: 12 Time(s)
web/password from 70.84.233.98: 8 Time(s)
webmaster/password from 70.84.233.98: 4 Time(s)
www-data/password from 70.84.233.98: 4 Time(s)
www/password from 70.84.233.98: 4 Time(s)
wwwrun/password from 70.84.233.98: 4 Time(s)

**Unmatched Entries**
Paul
Send your logs to abuse@theplanet.com
neonix
I had opened a ticket and got this reply,

(akitchens-11/23/04-06:07):
Due to the nature of this issue I'm sending this ticket to our abuse department for further review.
Resolution:

Please do not reply to this email. If you have additional information, please update the ticket using the link to the support system provided. If the support ticket was closed, and the issue was not resolved to your satisfaction, please feel free to open another ticket and reference this ticket number.

Thank you,
The Planet


P.S. Paul, thanks for your reply, your helpful posts were one of the reasons I selected The Planet :-) Thanks for being out there...
Ronny AcuNett
I'd suggest using an SU user for root.
Paul
Do you have APF and BFD installed? Those should have kicked in and blocked the IP before you got that many failed attempts...
neonix
I have APF installed but have not yet installed BFD. My ISP has changed my static IPs in the past without warning and if this happens in the future, BFD would lock me out of the server...

...while using SU user for root...the hacker has to guess two passwords when he hacks via SSH but does he have to guess two passwords if he uses port 2087 via browser... or does cPanel still allow a single password access?

Meanwhile, I have recd. a reply from support confirming that a server might have been compromised and they are investigating...
Paul
QUOTE (neonix)
My ISP has changed my static IPs in the past without warning and if this happens in the future, BFD would lock me out of the server...
Only if you tried to login with the wrong password several times within a set time-frame.
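
Added example (not part of the original thread and not BFD's own code): the behaviour described in the reply above, where a source is blocked only after several failed logins inside a set time-frame, applied to sshd log lines. The threshold, window, the stand-in admin address 203.0.113.7 and the log lines themselves are constructed assumptions; lines are assumed to be in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd syslog lines (illustrative, not taken from the poster's server).
# 70.84.233.98 is the address reported in the thread; 203.0.113.7 stands in for
# an admin who mistypes a password a few times, hours apart.
SAMPLE_LOG = """\
Nov 23 05:00:10 host sshd[2001]: Failed password for admin from 203.0.113.7 port 50100 ssh2
Nov 23 05:00:25 host sshd[2001]: Failed password for admin from 203.0.113.7 port 50100 ssh2
Nov 23 05:00:41 host sshd[2001]: Failed password for admin from 203.0.113.7 port 50100 ssh2
Nov 23 05:10:01 host sshd[2101]: Failed password for root from 70.84.233.98 port 40112 ssh2
Nov 23 05:10:03 host sshd[2102]: Illegal user test from 70.84.233.98
Nov 23 05:10:03 host sshd[2102]: Failed password for illegal user test from 70.84.233.98 port 40113 ssh2
Nov 23 05:10:05 host sshd[2103]: Failed password for root from 70.84.233.98 port 40114 ssh2
Nov 23 05:10:07 host sshd[2104]: Failed password for illegal user irc from 70.84.233.98 port 40115 ssh2
Nov 23 05:10:09 host sshd[2105]: Failed password for root from 70.84.233.98 port 40116 ssh2
Nov 23 05:10:11 host sshd[2106]: Failed password for root from 70.84.233.98 port 40117 ssh2
Nov 23 07:30:02 host sshd[2301]: Failed password for admin from 203.0.113.7 port 50230 ssh2
Nov 23 07:30:15 host sshd[2301]: Failed password for admin from 203.0.113.7 port 50230 ssh2
Nov 23 07:30:30 host sshd[2301]: Failed password for admin from 203.0.113.7 port 50230 ssh2
Nov 23 07:30:44 host sshd[2301]: Accepted password for admin from 203.0.113.7 port 50230 ssh2
"""

# Matches failed password attempts for both existing and non-existent accounts.
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:(?:illegal|invalid) user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def offenders(lines, threshold=5, window=timedelta(minutes=10), year=2004):
    """Return {ip: time of the failure that reached `threshold` inside `window`}."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    flagged = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # "Illegal user ..." and "Accepted ..." lines are ignored
        # Syslog timestamps carry no year, so one is supplied (assumed here).
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(when)
        while when - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and m["ip"] not in flagged:
            flagged[m["ip"]] = when
    return flagged

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} reached the threshold at {when}")
```

With the default ten-minute window only the scanning source is flagged; the admin's six failures are never more than three inside any one window.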
Blue|Fusion
QUOTE (neonix)
P.S. Paul, thanks for your reply, your helpful posts were one of the reasons I selected The Planet :-) Thanks for being out there...


Paul's posts helpful? What have you been smoking? ;)