Usually I get about 2-4 abuse complaints each month; having over 700 sites on both servers, it's bound to happen. I guess that is just a part of doing hosting. Doesn't mean I have that many clients, most are my reseller customers' clients. Most of the time the complaints are about content or, in the case of Jamie the Spamtard Ballie, he was just on a crusade against that particular site, where he went to the point of harassing my datacenter and making fake usenet posts with their link and claiming they were spamvertising. My datacenter caved to that issue but overall they are good to work with.
So today I got an abuse complaint on a site I host. This was obviously fake and even sent from a free email address; you can even see where the guy was inserting the IPs in the logs and messed up. Still I was forwarded this crap, which kinda pissed me off. So take a look at this:
> It appears this box is being used to try and hack into other servers using
> the typical SSH brute force dictionary attack. I have since blocked this
> IP address from my servers as a result.
>
> The following are event logs from 72.20.26.18 on service sshd (all time
> stamps are GMT -0400):
>
> Jun 12 21:21:43 main sshd[32466]: Did not receive identification string from 72.20.26.18
> Jun 12 21:33:24 main sshd[922]: Failed password for root from 72.20.26.18port 20167 ssh2
> Jun 12 21:33:24 main sshd[923]: Received disconnect from 72.20.26.18: 11: Bye Bye
> Jun 12 21:33:27 main sshd[924]: Invalid user admin from 72.20.26.18
> Jun 12 21:33:29 main sshd[924]: Failed password for invalid user admin from 72.20.26.18 port 20375 ssh2
> Jun 12 21:33:30 main sshd[925]: Received disconnect from 72.20.26.18: 11: Bye Bye
> Jun 12 21:33:33 main sshd[926]: Invalid user test from 72.20.26.18
> Jun 12 21:33:35 main sshd[926]: Failed password for invalid user test from 72.20.26.18 port 20524 ssh2
> Jun 12 21:33:35 main sshd[927]: Received disconnect from 72.20.26.18: 11: Bye Bye
The rest is just more attempts. If you look at the top lines you can see this:
> Jun 12 21:33:24 main sshd[922]: Failed password for root from 72.20.26.18port 20167 ssh2
The guy forgot to put a space between 72.20.26.18 and port, and the system doesn't make typos like this or in this syntax, so it's obviously a doctored log. Not to mention the log was just sent today and the date on the logs is June 12. Why someone would do this I don't know, maybe he doesn't like the site on the IP or whatever. Also the primary IP for that server is 72.20.4.242; any program you run such as a brute forcer or port scanner will bind to the primary IP unless you explicitly tell the script to use a different source IP. And if you are running such a program you wouldn't care what IP you have bound to and most likely wouldn't go through the trouble of getting all the other IPs and binding to that one.
One look at this abuse email I could tell it was obviously a fake, but I still investigated on my side and could not find anything. The sad thing is some datacenters would actually suspend you for stupid crap like this, so I guess I'm glad to be on a datacenter with some sense.
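The "missing space" check above can be mechanised: hold every line of a complaint's log excerpt against the exact message templates sshd writes, and flag anything that does not fit or that names a different address than the one accused. This is an added example, not code from the post; the templates assume the older OpenSSH message formats the excerpt uses, and the sample lines are the complaint's excerpt re-joined onto single lines.

```python
import ipaddress
import re

# Syslog prefix every sshd line carries: "Mon DD HH:MM:SS host sshd[pid]: <message>".
SYSLOG_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Message templates sshd emits for the events quoted in the complaint (older OpenSSH;
# assumption). A real "Failed password" line always has a literal " port " before the port.
MESSAGE_TEMPLATES = [
    re.compile(r"^Did not receive identification string from (?P<ip>\S+)$"),
    re.compile(r"^Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d{1,5} ssh2$"),
    re.compile(r"^Invalid user \S+ from (?P<ip>\S+)$"),
    re.compile(r"^Received disconnect from (?P<ip>\S+): \d+: .*$"),
]


def audit_sshd_excerpt(lines, claimed_ip):
    """Return (line_number, reason) for lines sshd could not have written as given."""
    findings = []
    for n, line in enumerate(lines, 1):
        prefix = SYSLOG_PREFIX.match(line.strip())
        if prefix is None:
            findings.append((n, "not a syslog/sshd line"))
            continue
        match = next((t.match(prefix["msg"]) for t in MESSAGE_TEMPLATES if t.match(prefix["msg"])), None)
        if match is None:
            findings.append((n, "message does not match any sshd template"))
            continue
        try:
            ip = ipaddress.ip_address(match["ip"])
        except ValueError:
            findings.append((n, f"malformed address {match['ip']!r}"))
            continue
        if str(ip) != claimed_ip:
            findings.append((n, f"address {ip} is not the accused {claimed_ip}"))
    return findings


# Constructed sample: the complaint's excerpt re-joined, including the "72.20.26.18port" line.
SAMPLE_EXCERPT = [
    "Jun 12 21:21:43 main sshd[32466]: Did not receive identification string from 72.20.26.18",
    "Jun 12 21:33:24 main sshd[922]: Failed password for root from 72.20.26.18port 20167 ssh2",
    "Jun 12 21:33:24 main sshd[923]: Received disconnect from 72.20.26.18: 11: Bye Bye",
    "Jun 12 21:33:27 main sshd[924]: Invalid user admin from 72.20.26.18",
    "Jun 12 21:33:29 main sshd[924]: Failed password for invalid user admin from 72.20.26.18 port 20375 ssh2",
]

if __name__ == "__main__":
    for n, reason in audit_sshd_excerpt(SAMPLE_EXCERPT, "72.20.26.18"):
        print(f"line {n}: {reason}")  # line 2: message does not match any sshd template
```

Only the doctored line is flagged; the genuine lines pass both the format check and the address check.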
Anyway just an interesting happening I thought I would share today.