Track a hack: Find out who's hitting your servers

Do you know who's been sniffing around your servers when you're not looking? Tools like denyhosts can show you

Page 2 of 2

But perhaps not. The boxes at hosting providers registered the most attempts of all, with each system showing an oddly similar number (between 115 and 121) of unique attempts. These were all servers running in colocation facilities around the world, with different hosting providers, on completely different subnets, with no relation to each other whatsoever. Those netblocks are widely known to be assigned to hosting providers, so these attempts were clearly aimed at servers, not gateways.

As you might imagine, these requests came from all over the world, from Ankara to Melbourne, from the Ukraine to Sarasota and back again. The attempts to access these systems involved a vast range of usernames, from your usual "root," "apache," and "bin" to "virus," "mom," and "herschel." (My favorite might be "giblets." What are the odds of hitting a bull's-eye with that username?) Most boxes showed upward of 600 unique attempted usernames. Some of the denied callers would go for seemingly random usernames, or even strings of characters, while others were clearly walking a dictionary, starting with "a" and getting only as far as "aaad" or the like before they were blocked.

The nature of this laissez-faire experiment was such that I was using production servers that were being protected from these types of attacks. If I had the time and inclination, firing up a few dozen VPSes around the world and letting them run for a while would bring in better and more complete data.

The fact of the matter is that there is a constant stream of scripts knocking on the door of SSH ports all over the globe, trying to overcome impossible odds and guess the login to a server. Many of these scripts are geared toward exploiting known holes in Linux-based appliances that are set to their defaults and thus are using known logins. Others are looking for security holes caused by software installations that create users with valid shells and default passwords.

But that's certainly not all they're looking for. The panoply of attempts I've perused over the past week show a wildly schizophrenic threat, the computing equivalent of trying to unlock a door by throwing a box full of keys at it. But once in a while, one of those scripts will work, and suddenly that threat is very real indeed.

Oh, one last thing: Across two continents, three countries, and six network providers, there was one IP address in common to them all. As far flung physically and logically as these systems were, one single, solitary IP address tried to access every single one. That IP address is located in Ningbo, China.
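The cross-host correlation described above, as an added example that is not part of the original article: it parses constructed sshd auth.log excerpts from two hosts (hostnames and addresses are made up), counts unique source addresses and usernames per host, and reports the addresses that tried every host.

```python
import re
from collections import defaultdict

# Added example, not the article's own code. Matches the two common sshd
# failure messages; "invalid user " is optional because known accounts
# such as root are logged without it.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

SAMPLE_LOGS = {  # host -> constructed auth.log excerpt (sample data only)
    "colo-a": """\
Mar  3 04:11:02 colo-a sshd[2211]: Failed password for root from 203.0.113.9 port 41022 ssh2
Mar  3 04:11:05 colo-a sshd[2213]: Failed password for invalid user giblets from 198.51.100.7 port 50110 ssh2
Mar  3 04:11:09 colo-a sshd[2215]: Failed password for invalid user a from 198.51.100.7 port 50112 ssh2
Mar  3 04:11:11 colo-a sshd[2217]: Failed password for invalid user aa from 198.51.100.7 port 50114 ssh2
""",
    "colo-b": """\
Mar  3 05:20:44 colo-b sshd[901]: Failed password for root from 203.0.113.9 port 33001 ssh2
Mar  3 05:21:01 colo-b sshd[903]: Failed password for invalid user apache from 192.0.2.55 port 60200 ssh2
Mar  3 05:21:03 colo-b sshd[905]: Accepted publickey for deploy from 192.0.2.10 port 52000 ssh2
""",
}

def parse_failures(text):
    """Yield (user, ip) for every failed-password line in one host's log."""
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")

def summarize(logs):
    """Per-host unique attacker IPs and usernames, plus IPs seen on every host."""
    ips_by_host, users_by_host = defaultdict(set), defaultdict(set)
    for host, text in logs.items():
        for user, ip in parse_failures(text):
            ips_by_host[host].add(ip)
            users_by_host[host].add(user)
    # The intersection is the "one address in common" check from the article.
    common = set.intersection(*ips_by_host.values()) if ips_by_host else set()
    return {
        "unique_ips": {h: len(s) for h, s in ips_by_host.items()},
        "unique_users": {h: len(s) for h, s in users_by_host.items()},
        "ips_on_every_host": sorted(common),
    }
```

On real hosts, feed it the denyhosts data or `/var/log/auth.log` from each box; an address that appears in every host's set is worth a closer look in your firewall and blocklist policy.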

Who's knocking on your door? There's your answer.

This story, "Track a hack: Find out who's hitting your servers," was originally published at Read more of Paul Venezia's The Deep End blog at For the latest business technology news, follow on Twitter.

Copyright © 2013 IDG Communications, Inc.
