Being hammered by an IP belonging to Vrtservers.net
Is anyone else here being bombarded by IP 64.56.65.150?
The reason I ask is that if you put that IP into a web browser, it points to a very suspicious page that appears to be logging questionable activity. In fact, last month, I reported the IP to ISC.sans.org and they stated that they'd help to get the server taken down, as it was positively hammering my public server and hammering my home network. Using links, I perused the logs listed there and there was a TON of IPs listed. It took about 3 weeks for the site to stop pounding my firewalls, but apparently whoever owns that webserver just restored the latest backup because almost immediately, the machine was popped and began scanning again.
Here is a very small snippet of my logs:
May 27 04:52:45 starchild kernel: Blocked hosts violation: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=64.56.65.150 DST=xxx.xxx.xxx.xxx LEN=64 TOS=0x08 PREC=0x00 TTL=54 ID=47538 DF PROTO=TCP SPT=60112 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
May 27 05:07:46 starchild kernel: Blocked hosts violation: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=64.56.65.150 DST=xxx.xxx.xxx.xxx LEN=64 TOS=0x08 PREC=0x00 TTL=54 ID=41147 DF PROTO=TCP SPT=50682 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
May 27 05:22:46 starchild kernel: Blocked hosts violation: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=64.56.65.150 DST=xxx.xxx.xxx.xxx LEN=64 TOS=0x08 PREC=0x00 TTL=54 ID=35161 DF PROTO=TCP SPT=58373 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
May 27 05:37:48 starchild kernel: Blocked hosts violation: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=64.56.65.150 DST=xxx.xxx.xxx.xxx LEN=64 TOS=0x08 PREC=0x00 TTL=54 ID=32708 DF PROTO=TCP SPT=55703 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
May 27 05:52:48 starchild kernel: Blocked hosts violation: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=64.56.65.150 DST=xxx.xxx.xxx.xxx LEN=64 TOS=0x08 PREC=0x00 TTL=54 ID=28312 DF PROTO=TCP SPT=62717 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
.
.
.
Jun 3 01:33:25 starchild kernel: Blocked hosts violation: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=64.56.65.150 DST=xxx.xxx.xxx.xxx LEN=64 TOS=0x10 PREC=0x00 TTL=54 ID=13852 DF PROTO=TCP SPT=57961 DPT=113 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 3 01:34:30 starchild kernel: Blocked hosts violation: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=64.56.65.150 DST=xxx.xxx.xxx.xxx LEN=64 TOS=0x10 PREC=0x00 TTL=54 ID=20748 DF PROTO=TCP SPT=56074 DPT=113 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 3 01:35:31 starchild kernel: Blocked hosts violation: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=64.56.65.150 DST=xxx.xxx.xxx.xxx LEN=64 TOS=0x10 PREC=0x00 TTL=54 ID=23696 DF PROTO=TCP SPT=51647 DPT=113 WINDOW=65535 RES=0x00 SYN URGP=0
I've got like 5000 entries in my logs, going back a month. Luckily, the IP isn't hammering my home account this time...yet. Previously, the IP was attempting mysql connections. It is now trying port 80 and 113.
I haven't been able to find much, other than ISC.sans.org's history of abuse reported by a few others.
Reading up on Vrtservers.net, it does appear that many people have complained about the owner of the business. Is there a way to get this IP added to a blacklist? whois.sc currently shows that the IP isn't listed at spamhaus.
I'm not so worried, as traffic is being blocked totally. Seeing this in the logs is highly annoying, though, and my worry is that at some point, if this person is persistent, he/she may eventually get in.
Anyone ever dealt with something like this before?
TIA
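The log lines above are standard netfilter/iptables LOG output (syslog header, the rule's log prefix, then key=value fields with bare tokens for flags such as DF and SYN). The snippet below is an added example, not code from the original post: it parses that format and summarises hits per source address and destination port (count, first/last seen, median seconds between probes, and whether every packet was a bare SYN, i.e. a probe rather than an established connection), which is the view you want before filing an abuse report. The sample input is the eight lines quoted in the post (DST already masked there) plus one constructed non-firewall line to show that unrelated syslog traffic is ignored; the year is an assumption, since syslog timestamps carry none.

```python
"""Summarise netfilter/iptables LOG lines per source IP and destination port.

Added example; not code from the original post. SAMPLE_LINES are the lines
quoted in the post plus one constructed sshd line as noise. Syslog timestamps
have no year, so one is assumed (default 2000, a leap year, so Feb 29 parses).
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Syslog header, the rule's log prefix, then the netfilter key=value fields.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+kernel:\s+(?P<prefix>.*?):\s+(?P<fields>IN=.*)$"
)
# Bare tokens in the field list that carry no value: IP and TCP flag bits.
FLAGS = {"DF", "MF", "SYN", "ACK", "RST", "FIN", "PSH", "URG"}

SAMPLE_LINES = [
    "May 27 04:52:45 starchild kernel: Blocked hosts violation: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=64.56.65.150 DST=xxx.xxx.xxx.xxx LEN=64 TOS=0x08 PREC=0x00 TTL=54 ID=47538 DF PROTO=TCP SPT=60112 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0",
    "May 27 04:53:01 starchild sshd[4242]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2",  # constructed noise
    "May 27 05:07:46 starchild kernel: Blocked hosts violation: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=64.56.65.150 DST=xxx.xxx.xxx.xxx LEN=64 TOS=0x08 PREC=0x00 TTL=54 ID=41147 DF PROTO=TCP SPT=50682 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0",
    "May 27 05:22:46 starchild kernel: Blocked hosts violation: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=64.56.65.150 DST=xxx.xxx.xxx.xxx LEN=64 TOS=0x08 PREC=0x00 TTL=54 ID=35161 DF PROTO=TCP SPT=58373 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0",
    "May 27 05:37:48 starchild kernel: Blocked hosts violation: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=64.56.65.150 DST=xxx.xxx.xxx.xxx LEN=64 TOS=0x08 PREC=0x00 TTL=54 ID=32708 DF PROTO=TCP SPT=55703 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0",
    "May 27 05:52:48 starchild kernel: Blocked hosts violation: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=64.56.65.150 DST=xxx.xxx.xxx.xxx LEN=64 TOS=0x08 PREC=0x00 TTL=54 ID=28312 DF PROTO=TCP SPT=62717 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jun 3 01:33:25 starchild kernel: Blocked hosts violation: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=64.56.65.150 DST=xxx.xxx.xxx.xxx LEN=64 TOS=0x10 PREC=0x00 TTL=54 ID=13852 DF PROTO=TCP SPT=57961 DPT=113 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jun 3 01:34:30 starchild kernel: Blocked hosts violation: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=64.56.65.150 DST=xxx.xxx.xxx.xxx LEN=64 TOS=0x10 PREC=0x00 TTL=54 ID=20748 DF PROTO=TCP SPT=56074 DPT=113 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jun 3 01:35:31 starchild kernel: Blocked hosts violation: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=64.56.65.150 DST=xxx.xxx.xxx.xxx LEN=64 TOS=0x10 PREC=0x00 TTL=54 ID=23696 DF PROTO=TCP SPT=51647 DPT=113 WINDOW=65535 RES=0x00 SYN URGP=0",
]


def parse_line(line, year=2000):
    """Parse one netfilter LOG line into a dict; return None for any other syslog line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"host": m.group("host"), "prefix": m.group("prefix"), "flags": set()}
    # Assumed year: syslog omits it, and datetime needs one to compute deltas.
    rec["ts"] = datetime.strptime(
        f"{year} {m.group('mon')} {m.group('day')} {m.group('time')}",
        "%Y %b %d %H:%M:%S",
    )
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val
        elif tok in FLAGS:
            rec["flags"].add(tok)
    return rec


def summarize(lines, year=2000):
    """Group TCP hits by SRC then DPT with count, first/last seen, median gap
    between probes in seconds, and whether every packet was a bare SYN."""
    by_src = defaultdict(lambda: defaultdict(list))
    for line in lines:
        rec = parse_line(line, year)
        if rec is None or rec.get("PROTO") != "TCP":
            continue
        by_src[rec["SRC"]][int(rec["DPT"])].append(rec)

    report = {}
    for src, ports in by_src.items():
        entry = {"total": 0, "ports": {}}
        for dpt, recs in ports.items():
            recs.sort(key=lambda r: r["ts"])
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
            entry["ports"][dpt] = {
                "hits": len(recs),
                "first": recs[0]["ts"],
                "last": recs[-1]["ts"],
                "median_gap_s": statistics.median(gaps) if gaps else None,
                # SYN without ACK on every packet: connection attempts, not replies.
                "syn_only": all("SYN" in r["flags"] and "ACK" not in r["flags"] for r in recs),
            }
            entry["total"] += len(recs)
        report[src] = entry
    return report


if __name__ == "__main__":
    for src, entry in summarize(SAMPLE_LINES).items():
        print(f"{src}: {entry['total']} blocked TCP packets")
        for dpt, info in sorted(entry["ports"].items()):
            print(f"  dpt {dpt}: {info['hits']} hits, {info['first']:%b %d %H:%M:%S} .. "
                  f"{info['last']:%b %d %H:%M:%S}, median gap {info['median_gap_s']}s, "
                  f"syn_only={info['syn_only']}")
```

Run it against your real log (`grep 'Blocked hosts violation' /var/log/messages`) instead of SAMPLE_LINES; the per-port median gap is what distinguishes a slow periodic probe (the roughly 15-minute spacing on port 80 above) from a burst (about one a minute on 113), and the first/last timestamps plus hit count are exactly what an abuse desk asks for.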