For a while I have had an auto block of IPs running on my Server. Out of curiosity I had the script sent me log mails containing IPs, no. of attempts to login and the username used.
Over the last 2 weeks I had over 600 attempts from these IPs – all using port scan and brute-force. So if you don’t block IPs automatically, then it might be a good idea to add these IPs to your firewall manually.
18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52
The most common user names was:
ABSADMIN, ACS, ADM, ADMBACKUP, ADMIN, ADMIN.LOCAL, ADMINCC, ADMINCENON, ADMINDEV, ADMINI, ADMINISTRACION, ADMINISTRADOR, ADMINISTRATEUR, ADMINISTRATOR, ADMINS, ADMINUSER, AEP_ADMIN, AJR, A-K, ALCADMINISTRATOR, ALEX.ADM, AMA_BU, APACHE, APC_ADMIN, AUBADMIN, BAKENADMIN, BBS, BCSADMIN, BESADMIN, BHATTAB, BIROU3, BOSSADMIN, BUSICOMP, BUUERJASMIN, CATHAY, CETADMIN, CHAN, CIRADMIN, CLVLLCRAMNP, COBIAN, COMELISSEN, COMMANDANT, COOPEMCROP, CSPADMIN, CUSIADMIN, DB2ADMIN, DLH-GROUP, DOMHLCTR, DTSADMIN, EKONOMI, ELITE, EPICORADMIN, EXADMIN, FARHAN, FBSADMIN, FORTINET, GESTIUNE03, HHDPC, HOPPESTATION, HOSP, IANUZGA, IMAJPAK, ITRO, JABEROLLSUSER, JEFF.HEATHER, JLAZARIDES, JSZADMIN, KASUTAJA, KODI, KPMP, KRASHR, KYM, LACH, LIGA, LOCOJOYADMINUSER, MARIE, MESSINA, NBUDZISZEWSKI, NICOLETA, NOEMLEYU, NTI, OC1, OXFORDMC, PAULALVARO, PETA, PIE, PLCADMINISTRATCR11, PMEBA, PPALMS, PPTP, PST, RAJEEB, RCCT, RDBRUCE, RDP, RECEPTION1, REMOTEUV, SALON, SCOTT, SOFTPRO, SOLWAYSCHILE, SSMZ, SUSANNE, SYM1, SYSR, TIMOLOGISI, TOE, TONY.BERTHUNEDJARDINEJOCAI, U100, VIKARINA, VINTEXDBUSER, WFDS, WINGSHOTEL, WINPIG, ZEESHAN, ZELJKO
So if you are using one of them, then you might want to make sure that the used Password is a secure one.
I’m using a PowerShell script running on the Server to auto block the IPs, but if you do not wish to do this, then I would recommend you to install IPBan. Also it is a good Idea to activate 2 factor authentication.
Leave a Reply