Does this apache status message mean someone is trying to hack us?

Does this message after `systemctl status apache2` mean someone is trying to hack us? It is not my IP.

```
Jan 28 11:26:28 zorin162-VirtualBox phpMyAdmin[32005]: user denied: root (mysql-denied) from 149.102.155.120
Jan 28 11:26:29 zorin162-VirtualBox phpMyAdmin[32005]: user denied: admin (mysql-denied) from 149.102.155.120
Jan 28 11:26:29 zorin162-VirtualBox phpMyAdmin[32005]: user denied: root (mysql-denied) from 149.102.155.120
Jan 28 11:26:30 zorin162-VirtualBox phpMyAdmin[32005]: user denied: qnap (mysql-denied) from 149.102.155.120
Jan 28 11:26:30 zorin162-VirtualBox phpMyAdmin[32005]: user denied: root (mysql-denied) from 149.102.155.120
Jan 28 11:26:31 zorin162-VirtualBox phpMyAdmin[32005]: user denied: root (mysql-denied) from 149.102.155.120
Jan 28 11:26:32 zorin162-VirtualBox phpMyAdmin[32005]: user denied: wordspress (mysql-denied) from 149.102.155.120
Jan 28 11:26:32 zorin162-VirtualBox phpMyAdmin[32005]: user denied: root (mysql-denied) from 149.102.155.120
Jan 28 11:26:33 zorin162-VirtualBox phpMyAdmin[32005]: user denied: root (mysql-denied) from 149.102.155.120
Jan 28 11:26:33 zorin162-VirtualBox phpMyAdmin[32005]: user denied: root (mysql-denied) from 149.102.155.120
```

From the outside, there's no way to be sure... Do you have any dealings with the following company?

|ASN|AS51167 - Contabo GmbH|
|---|---|
|Hostname|vmi1033318.contaboserver.net|
|Range|149.102.152.0/21|
|Company|Cogent Communications|
# Whois IP 149.102.155.120

```
NetRange:       149.102.0.0 - 149.102.255.255
CIDR:           149.102.0.0/16
NetName:        COGENT-149-102-16
NetHandle:      NET-149-102-0-0-1
Parent:         NET149 (NET-149-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS174
Organization:   PSINet, Inc. (PSI-1)
RegDate:        1992-01-28
Updated:        2016-02-04
Ref:            https://rdap.arin.net/registry/ip/149.102.0.0

OrgName:        PSINet, Inc.
OrgId:          PSI-1
Address:        2450 N Street NW
City:           Washington
StateProv:      DC
PostalCode:     20037
Country:        US
RegDate:        1992-01-28
Updated:        2015-06-04
Ref:            https://rdap.arin.net/registry/entity/PSI-1
ReferralServer: rwhois://rwhois.cogentco.com:4321

OrgAbuseHandle: COGEN-ARIN
OrgAbuseName:   Cogent Abuse
OrgAbusePhone:  +1-877-875-4311
OrgAbuseEmail:  [obscured]@cogentco.com
OrgAbuseRef:    https://rdap.arin.net/registry/entity/COGEN-ARIN

OrgNOCHandle:   ZC108-ARIN
OrgNOCName:     Cogent Communications
OrgNOCPhone:    +1-877-875-4311
OrgNOCEmail:    [obscured]@cogentco.com
OrgNOCRef:      https://rdap.arin.net/registry/entity/ZC108-ARIN

OrgTechHandle:  IPALL-ARIN
OrgTechName:    IP Allocation
OrgTechPhone:   +1-877-875-4311
OrgTechEmail:   [obscured]@cogentco.com
OrgTechRef:     https://rdap.arin.net/registry/entity/IPALL-ARIN
```

Thank you for the reply and help.
No, I don't know who they are.

Best double-check my security settings.

Given their headquarters in DC, it's likely your own personal FBI agent. :rofl:

Nah, JK. Here's where they are:

```
City:        Portsmouth
Region:      Portsmouth (POR)
Postal code: PO5
Country:     United Kingdom (GB)
Continent:   Europe (EU)
Coordinates: 50.7988 (lat) / -1.0944 (long)
Time:        2023-01-28 07:42:23 (Europe/London)

NETWORK

IP address:  149.102.155.120
Hostname:    vmi1033318.contaboserver.net
Provider:    Contabo GmbH
ASN:         51167
```

If you want to launch a complaint with their upstream provider (and that upstream provider's upstream provider, and that upstream provider's upstream provider) let me know... I used to track down spammers and use that technique to get them booted from networks, it's highly effective.

I was the guy who tracked down The Russian Spam Gang... no one knew who they were, nor where they were... come to find out, they were operating out of Brighton, MA. I hacked their servers, outed all of their employees across 3 countries, ran the head guy out of 3 countries (taunting him the whole while via Usenet), hacked his personal server and uncovered a bunch of embarrassing photos (before that, no one had seen his face, no one knew who he was), personally shut down thousands of his spam-servers due to overusage of bandwidth, polluted his leads database so badly with a program I created that he lost nearly $1 million the first month I released it to the public (his credit card provider charged him a fee for each bad card... my fake persona creator had a card number generator which passed LUHN checksum tests, so he could only determine that the card numbers were fake by trying to charge them... it hurt him so badly he called me and begged me to stop... I recorded it and released it to the internet, he chimped out and spammed so hard for 3 weeks that he was shutting down parts of the internet), got a $37.5 million court judgement started against him by providing all my information on them to the FBI (then a lot of manufacturers piled on to sue him because he was selling counterfeits of their goods); and provided the Russian police with the information to get him arrested for more than 60 counts of CP (he was renting little girls from orphanages and starring in films with them).

And all because when I told him to stop spamming me, he laughed at me and dared me to stop him.

Now, when I tell a spammer to stop spamming an email address, they darned well stop.


Nice to meet ya. Sounds like you got a little edu. behind you. Rookie here but like Snoop said "G recognizes G". Is the spam thing a hobby?

Edit: Sorry, OP, for the derail. Ya better secure your systems and data b/c you have an Active Threat. Somebody is behind the keyboard trying to get you or your data.

Wow! It's guys like you we need. Good on you, and thanks.

Looks like every day I'm getting looked at from a different IP, although it could be the same person.

```
149.102.155.120
27.125.128.164
66.175.232.136
```

I have written to all registries for the IP numbers.

Not sure what I can do to stop it.

Block the IP range at your router, for one.

I used to redirect hacking attempts to hit FBI or CIA IP addresses... that tends to speed problem resolution up tremendously.

Another thing I did, although it's highly frowned upon nowadays, is to hit the offending IP address range with a half-open connection attempt DDoS... I once took an entire country offline doing that. Not recommended if you fear going to jail, but I was fighting the largest organized criminal organization in the world at the time while feeding the data to the FBI, so the FBI turned a blind eye.

Used to be... I used to be an anti-spammer and scam-baiter. We once turned a would-be Nigerian scammer into a wannabe entrepreneur by making him think he was buying laptops for a tremendously good price (we named the fake company A N U S, with the catchphrase of "Get your hands on our A N U S")... we actually shipped him a crushed car (he paid for the shipping)... via DHL. Put the whole thing online, it might still be there. LOL

But once you've done a few big ones like that, word gets around, and the spammers and scammers get to know who you are, so you become less effective, and it's no longer fun.

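For anyone reading the thread later and wanting to do the triage the OP did by hand, here is an added example (not code from the original thread or from phpMyAdmin) that parses the `user denied` journal lines quoted in the question, counts denials per source IP, flags a source as a brute-force burst when it produces five or more denials inside a minute, and checks each source against the `149.102.152.0/21` range from the lookup above, as the "block the IP range at your router" advice suggests. The threshold, the window, and the extra `203.0.113.7` line (a single, unrelated denial) are assumptions made for the example; the block list holds only the range the thread itself reports.

```python
"""Triage of phpMyAdmin 'user denied' journal lines (added example).

Counts denials per source IP, flags brute-force bursts, and checks sources
against a CIDR block list so the result can drive a router/firewall rule.
"""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample: the ten lines quoted in the question, plus one unrelated
# single denial from a documentation address (assumed) to show it is NOT flagged.
SAMPLE_LOG = """\
Jan 28 11:26:28 zorin162-VirtualBox phpMyAdmin[32005]: user denied: root (mysql-denied) from 149.102.155.120
Jan 28 11:26:29 zorin162-VirtualBox phpMyAdmin[32005]: user denied: admin (mysql-denied) from 149.102.155.120
Jan 28 11:26:29 zorin162-VirtualBox phpMyAdmin[32005]: user denied: root (mysql-denied) from 149.102.155.120
Jan 28 11:26:30 zorin162-VirtualBox phpMyAdmin[32005]: user denied: qnap (mysql-denied) from 149.102.155.120
Jan 28 11:26:30 zorin162-VirtualBox phpMyAdmin[32005]: user denied: root (mysql-denied) from 149.102.155.120
Jan 28 11:26:31 zorin162-VirtualBox phpMyAdmin[32005]: user denied: root (mysql-denied) from 149.102.155.120
Jan 28 11:26:32 zorin162-VirtualBox phpMyAdmin[32005]: user denied: wordspress (mysql-denied) from 149.102.155.120
Jan 28 11:26:32 zorin162-VirtualBox phpMyAdmin[32005]: user denied: root (mysql-denied) from 149.102.155.120
Jan 28 11:26:33 zorin162-VirtualBox phpMyAdmin[32005]: user denied: root (mysql-denied) from 149.102.155.120
Jan 28 11:26:33 zorin162-VirtualBox phpMyAdmin[32005]: user denied: root (mysql-denied) from 149.102.155.120
Jan 28 11:40:02 zorin162-VirtualBox phpMyAdmin[32005]: user denied: alice (mysql-denied) from 203.0.113.7
"""

# The /21 comes from the whois/geolocation lookup in the thread.
BLOCK_CIDRS = ["149.102.152.0/21"]

# Syslog-style prefix, then phpMyAdmin's "user denied: <user> (<reason>) from <ip>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ phpMyAdmin\[\d+\]: "
    r"user denied: (?P<user>\S+) \((?P<reason>[^)]+)\) from (?P<ip>\S+)$"
)


def parse(lines, year=2023):
    """Return (timestamp, user, ip) tuples; journal lines carry no year, so one is supplied."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not phpMyAdmin denials
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def bruteforce_sources(events, threshold=5, window_seconds=60):
    """IPs with at least `threshold` denials inside any `window_seconds` window."""
    per_ip = defaultdict(list)
    for ts, _, ip in events:
        per_ip[ip].append(ts)
    flagged = set()
    for ip, times in per_ip.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                flagged.add(ip)
                break
    return flagged


def in_block_list(ip, cidrs):
    """True if `ip` falls inside any of the CIDR ranges."""
    addr = ip_address(ip)
    return any(addr in ip_network(c) for c in cidrs)


def triage(log_text, block_cidrs, threshold=5, window_seconds=60):
    """Per-source report: denial count, usernames tried, burst flag, block-list hit."""
    events = parse(log_text.splitlines())
    flagged = bruteforce_sources(events, threshold, window_seconds)
    users = defaultdict(set)
    counts = defaultdict(int)
    for _, user, ip in events:
        users[ip].add(user)
        counts[ip] += 1
    return {
        ip: {
            "denials": counts[ip],
            "distinct_users": sorted(users[ip]),
            "brute_force": ip in flagged,
            "in_block_list": in_block_list(ip, block_cidrs),
        }
        for ip in counts
    }


if __name__ == "__main__":
    for ip, report in triage(SAMPLE_LOG, BLOCK_CIDRS).items():
        print(ip, report)
```

Run against the thread's own lines, the report shows ten denials in six seconds from 149.102.155.120 cycling through four usernames (root, admin, qnap, wordspress), which is the signature of a credential-guessing bot rather than a mistyped login, and confirms that this source sits inside the /21 that the lookup attributed to Contabo. The other two addresses the OP later listed (27.125.128.164 and 66.175.232.136) are outside that range, so a block on the one /21 would not have covered them; each needs its own lookup.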

Wow! What a story! I reported them to their domain registries and they stopped so maybe it did work. Thanks... :100:
