I just checked my email, and see this:
    Return-Path: < …>
    X-Original-To: …
    Delivered-To: …
    Received: by atomos.longlandclan.yi.org (Postfix, from userid 0) id 67204200E27C; Sun, 13 Apr 2014 23:05:55 +1000 (EST)
    Subject: [Fail2Ban] SSH: banned 138.91.144.167 from atomos
    Date: Sun, 13 Apr 2014 13:05:55 +0000
    From: Fail2Ban < …>
    To: …
    Message-Id: <20140413130556.67204200E27C@atomos.longlandclan.yi.org>

    Hi,

    The IP 138.91.144.167 has just been banned by Fail2Ban after
    5 attempts against SSH.

    Here is more information about 138.91.144.167:

    #
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at: https://www.arin.net/whois_tou.html
    #

    #
    # The following results may also be obtained via:
    # http://whois.arin.net/rest/nets;q=138.91.144.167?showDetails=true&showARIN=false&ext=netref2
    #

    NetRange: 138.91.0.0 - 138.91.255.255
    CIDR: 138.91.0.0/16
    OriginAS:
    NetName: MICROSOFT
    NetHandle: NET-138-91-0-0-1
    Parent: NET-138-0-0-0-0
    NetType: Direct Assignment
    RegDate: 2011-06-22
    Updated: 2013-08-20
    Ref: http://whois.arin.net/rest/net/NET-138-91-0-0-1

    OrgName: Microsoft Corp
    OrgId: MSFT-Z
    Address: One Microsoft Way
    City: Redmond
    StateProv: WA
    PostalCode: 98052
    Country: US
    RegDate: 2011-06-22
    Updated: 2013-10-03
    Comment: To report suspected security issues specific to
    Comment: traffic emanating from Microsoft online services,
    Comment: including the distribution of malicious content
    Comment: or other illicit or illegal material through a
    Comment: Microsoft online service, please submit reports
    Comment: to:
    Comment: * https://cert.microsoft.com.
    Comment:
    Comment: For SPAM and other abuse issues, such as Microsoft
    Comment: Accounts, please contact:
    Comment: * abuse@microsoft.com.
    Comment:
    Comment: To report security vulnerabilities in Microsoft
    Comment: products and services, please contact:
    Comment: * secure@microsoft.com.
    Comment:
    Comment: For legal and law enforcement-related requests,
    Comment: please contact:
    Comment: * msndcc@microsoft.com
    Comment:
    Comment: For routing, peering or DNS issues, please
    Comment: contact:
    Comment: * IOC@microsoft.com
    Ref: http://whois.arin.net/rest/org/MSFT-Z

    OrgTechHandle: MRPD-ARIN
    OrgTechName: Microsoft Routing, Peering, and DNS
    OrgTechPhone: +1-425-882-8080
    OrgTechEmail: IOC@microsoft.com
    OrgTechRef: http://whois.arin.net/rest/poc/MRPD-ARIN

    OrgAbuseHandle: MAC74-ARIN
    OrgAbuseName: Microsoft Abuse Contact
    OrgAbusePhone: +1-425-882-8080
    OrgAbuseEmail: abuse@microsoft.com
    OrgAbuseRef: http://whois.arin.net/rest/poc/MAC74-ARIN

    #
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at: https://www.arin.net/whois_tou.html
    #

    Regards,

    Fail2Ban

    atomos ~ # grep 138.91.144.167 /var/log/auth.log ; zgrep 138.91.144.167 /var/log/auth.log-20140*.gz
    Apr 13 23:05:40 atomos sshd[3143]: Did not receive identification string from 138.91.144.167
    Apr 13 23:05:40 atomos sshd[3144]: SSH: Server;Ltype: Version;Remote: 138.91.144.167-1025;Protocol: 2.0;Client: JSCH-0.1.51
    Apr 13 23:05:41 atomos sshd[3144]: SSH: Server;Ltype: Kex;Remote: 138.91.144.167-1025;Enc: aes128-ctr;MAC: hmac-md5;Comp: none [preauth]
    Apr 13 23:05:41 atomos sshd[3144]: SSH: Server;Ltype: Authname;Remote: 138.91.144.167-1025;Name: support [preauth]
    Apr 13 23:05:48 atomos sshd[3144]: Invalid user support from 138.91.144.167
    Apr 13 23:05:48 atomos sshd[3144]: Postponed keyboard-interactive for invalid user support from 138.91.144.167 port 1025 ssh2 [preauth]
    Apr 13 23:05:49 atomos sshd[3203]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=138.91.144.167
    Apr 13 23:05:51 atomos sshd[3144]: error: PAM: Authentication failure for illegal user support from 138.91.144.167
    Apr 13 23:05:51 atomos sshd[3144]: Failed keyboard-interactive/pam for invalid user support from 138.91.144.16 port 1025 ssh2
    Apr 13 23:05:51 atomos sshd[3144]: Postponed keyboard-interactive for invalid user support from 138.91.144.167 port 1025 ssh2 [preauth]
    Apr 13 23:05:51 atomos sshd[3236]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=138.91.144.167
    Apr 13 23:05:54 atomos sshd[3144]: error: PAM: Authentication failure for illegal user support from 138.91.144.167
    Apr 13 23:05:54 atomos sshd[3144]: Failed keyboard-interactive/pam for invalid user support from 138.91.144.16 port 1025 ssh2
    Apr 13 23:05:54 atomos sshd[3144]: Received disconnect from 138.91.144.167: 3: com.jcraft.jsch.JSchException: Auth cancel [preauth]

Seriously, some dodgy ISP in Russia or Asia having a crack, I’ll ignore it. But a big company like you? I expect better behaviour.



