Microsoft IP trying to break in to my ssh server

posted on Jun, 17 2013 @ 03:14 PM
I run a private server that I use for all sorts of tasks (webserver, sftp, ssh, vpn, personal cloud etc.), on which I keep a close eye when it comes to traffic. Normally that is a couple of Chinese and/or someone from Malaysia. However, recently there has been a shift towards U.S.-based IPs. Most of them are from random places and networks, but today I came across one that tickled my radar.

This one came straight from Microsoft, trying to gain access to the ssh server. It could mean that some non-MS person gained access to a terminal, but why my little old ssh server? And if it is a person working for MS, it's even more suspicious. I didn't think that breaking into personal computers and servers was brought to me by Microsoft. Anyway, here is the full trace:

The IP 137.135.12.202 has just been banned by Fail2Ban after
3 attempts against ssh.


Here are more information about 137.135.12.202:


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: www.arin.net...
#


#
# The following results may also be obtained via:
# whois.arin.net...;q=137.135.12.202?showDetails=true&showARIN=false&ext=netref2
#

NetRange: 137.135.0.0 - 137.135.255.255
CIDR: 137.135.0.0/16
OriginAS:
NetName: NTMTV
NetHandle: NET-137-135-0-0-1
Parent: NET-137-0-0-0-0
NetType: Direct Assignment
RegDate: 2011-06-22
Updated: 2012-10-16
Ref: whois.arin.net...


OrgName: Microsoft Corp
OrgId: MSFT-Z
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US
RegDate: 2011-06-22
Updated: 2013-04-12
Ref: whois.arin.net...

OrgNOCHandle: ZM23-ARIN
OrgNOCName: Microsoft Corporation
OrgNOCPhone: +1-425-882-8080
OrgNOCEmail: [email protected]
OrgNOCRef: whois.arin.net...

OrgAbuseHandle: MSNAB-ARIN
OrgAbuseName: MSN ABUSE
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: [email protected]
OrgAbuseRef: whois.arin.net...

OrgAbuseHandle: ABUSE231-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: [email protected]
OrgAbuseRef: whois.arin.net...

OrgTechHandle: MSFTP-ARIN
OrgTechName: MSFT-POC
OrgTechPhone: +1-425-882-8080
OrgTechEmail: [email protected]
OrgTechRef: whois.arin.net...

OrgAbuseHandle: HOTMA-ARIN
OrgAbuseName: Hotmail Abuse
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: [email protected]
OrgAbuseRef: whois.arin.net...


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: www.arin.net...
#

Regards,

Fail2Ban

Is there anyone here that runs a server, aside from the obvious, like ATS? And if so, do you check your logs frequently? What are your findings?

Also, I would encourage anyone who's running a server to check their logs or have them checked by something like fail2ban.
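As an added illustration of what the Fail2Ban notice above is doing (this is example code, not part of the original post or of fail2ban itself): a minimal detector that counts failed sshd password logins per source IP over constructed sample log lines, applies the same "3 attempts" threshold, and checks the flagged IP against the WHOIS NetRange quoted in the notice. The log lines, hostnames and the 192.0.2.x / 198.51.100.x addresses are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample sshd auth-log lines (not taken from the original post).
SAMPLE_LOG = """\
Jun 17 15:12:01 srv sshd[2101]: Failed password for invalid user admin from 137.135.12.202 port 51422 ssh2
Jun 17 15:12:04 srv sshd[2103]: Failed password for root from 137.135.12.202 port 51430 ssh2
Jun 17 15:12:07 srv sshd[2105]: Failed password for invalid user oracle from 137.135.12.202 port 51437 ssh2
Jun 17 15:13:00 srv sshd[2110]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
Jun 17 15:14:30 srv sshd[2115]: Failed password for root from 198.51.100.7 port 33011 ssh2
Jun 17 15:15:02 srv sshd[2118]: Failed password for root from 198.51.100.7 port 33015 ssh2
"""

# Matches the standard OpenSSH "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)


def count_failures(log_text):
    """Return {source_ip: number of failed password attempts}."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return dict(counts)


def banned_ips(log_text, maxretry=3):
    """IPs that reached the threshold, like fail2ban's maxretry for the ssh jail."""
    return sorted(ip for ip, n in count_failures(log_text).items() if n >= maxretry)


def in_netrange(ip, cidr):
    """True if ip lies inside the CIDR block reported by WHOIS (e.g. 137.135.0.0/16)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


if __name__ == "__main__":
    for ip in banned_ips(SAMPLE_LOG):
        print(ip, "banned; inside Microsoft NetRange:", in_netrange(ip, "137.135.0.0/16"))
```

Only the first address reaches three failures, so only it is "banned"; the second source stays at two attempts and would need another failure to trip the same threshold.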



posted on Jun, 17 2013 @ 03:25 PM
Just a thought, could it be one of their licensing verification engines?
Do you have clients running windows or is there a group licensing contract running on your network?



posted on Jun, 17 2013 @ 03:27 PM
The alphabets have a back door into any pc anyway. Just read that the other day on blacklistednews, I think it was on there. But I hope ya get everything worked out.

good luck.



posted on Jun, 17 2013 @ 03:29 PM
reply to post by InverseLookingGlass
 


None whatsoever!
The server is a Linux-based system, by the way. And makes a great second line!



posted on Jun, 17 2013 @ 03:30 PM
reply to post by 2Faced
 


Probably automated from a compromised machine.

Change from default port. I bet your log size will decrease.



posted on Jun, 17 2013 @ 03:38 PM
Could be someone sniffing for open proxies to use. I wonder how many people freak out when I need to refresh my proxy list and their computers keep getting hit while my bot looks for usable IPs.



posted on Jun, 17 2013 @ 03:39 PM
reply to post by sixswornsermon
 


That was my first thought too. I'll be eyeballin' it for the coming days to see if there are similar actions. I'm not that worried about them gaining access; the ssh/sftp server is only accessible by RSA key. Changing ports was on my mind too, but that would mean I have to change client settings etc. I'm too lazy for that.



posted on Jun, 17 2013 @ 03:42 PM
reply to post by 2Faced
 


Sounds like you are good to go then.



posted on Jun, 17 2013 @ 04:01 PM
Wrong Thread
edit on 17-6-2013 by shaneslaughta because: (no reason given)



posted on Jun, 17 2013 @ 04:06 PM
How do you know it's not a bot from Microsoft randomly scanning/indexing for search engines?

I've seen Google trawl my sites before; it usually comes from about 7-10 servers all at once.



posted on Jun, 17 2013 @ 04:10 PM
That looks like a Microsoft Azure IP address for North America-West. May not be Microsoft trying to gain entry but a Virtual Machine running in the cloud. Could be anyone's even if it is on their pipe.

Just not sure MS is at fault here.



posted on Jun, 17 2013 @ 04:20 PM
Sounds like IP spoofing.

Hacking by spoofing a "trusted" ip address.

searchsecurity.techtarget.com...

I had a few hours where my computer was sending from an IP address in China.

Since one of the sites I was on had a block on traffic from China, I was banned from the site.
I got an email from one of the mods that knew me to check my computer for malware. (I found nothing on my computer.)

It ended up to be a hack on my internet provider by China on the main IP in town. (Mediacom claims it never happened.)
The town is right outside a major navy research base and a lot of the workers and contractors use this IP provider.

They spoof the IP and bounce a copy of everything through their servers, then back to the spoofed IP address.

They can then read everything at their own pace and harvest what they want: credit card numbers, secret data, etc. etc.

The way to spot these sometimes is to do a PathPing and look for IPs that should not be there, like China or NSA.



posted on Jun, 17 2013 @ 04:24 PM

Originally posted by roughycannon
How do you know it's not a bot from Microsoft randomly scanning/indexing for search engines?

I've seen Google trawl my sites before; it usually comes from about 7-10 servers all at once.


Because scanning does not mean trying to break into an ssh server by attempting to log in.
edit on 17-6-2013 by 2Faced because: double-type



posted on Jun, 17 2013 @ 05:02 PM

Originally posted by thishereguy
The alphabets have a back door into any pc anyway. Just read that the other day on blacklistednews, I think it was on there. But I hope ya get everything worked out.

good luck.


Not if you have a firewall that is administered by yourself. Cisco tried to make users use "The Cloud" in order to control the settings of their combo wi-fi router firewalls. Hmmmm, I wonder why...

If you have a USB connector to your cable modem, you can monitor all USB traffic using various development tools. Same for TCP/IP: things like "tcpdump", "wireshark" for Linux, "lsof", "netstat -a" let you see all the internet traffic.


