[CRTech] Christian Radio Tech [MSG 79169]
Re: hacking continued
To: CRTech <crtech@crtech.org>
Subject: Re: hacking continued
From: Shane Toven <shanetoven@gmail.com>
Date: Tue, 14 Mar 2017 09:46:58 -0600
Once an interesting "target" is found on the public internet, the scanner(s) tend to keep hitting it until they either get in or the IP they are targeting is no longer responsive. I get all sorts of hits to my VPS on the SSH port and attempts on my test Asterisk environment (which is why I generally shut that down when not using it).

On Tue, Mar 14, 2017 at 9:45 AM, Matthew Chambers <mchambers@showmeham.info> wrote:
I'd be wondering if there is any pattern to where those IP addresses belong to?

Matthew A. Chambers, NR0Q



On Tue, Mar 14, 2017 at 10:43 AM, Terry Cowan <tcowan@knlr.com> wrote:

Several weeks ago we found "tone" on some of our programs. Apparently our AMBOS receiver was hacked and the tone generator turned on. True, the receiver was port forwarded without protection. So I created a program and redirected that port to it to see if we were being hacked. Here is the log of the "hacking".

Terry Cowan

KNLR/KNLX

03/04/17 22:27:14 89.248.167.131
03/05/17 14:40:31 177.140.27.47
03/05/17 14:40:31 177.140.27.47
03/10/17 08:52:24 94.102.49.190
03/13/17 08:11:57 189.34.242.231
03/13/17 08:11:58 189.34.242.231
03/14/17 04:07:58 86.110.119.19
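
Added illustration, not part of the original thread: a short Python script that parses a connection log in the format posted above and groups the hits by source address, a first step toward the question about patterns. The function names, the 2-second repeat window and the /16 grouping are assumptions chosen for this example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Log lines copied from the message above: MM/DD/YY HH:MM:SS source-IP
LOG = """\
03/04/17 22:27:14 89.248.167.131
03/05/17 14:40:31 177.140.27.47
03/05/17 14:40:31 177.140.27.47
03/10/17 08:52:24 94.102.49.190
03/13/17 08:11:57 189.34.242.231
03/13/17 08:11:58 189.34.242.231
03/14/17 04:07:58 86.110.119.19
"""

def parse_log(text):
    """Return (entries, rejected); entries are (datetime, ip) sorted by time."""
    entries, rejected = [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        try:
            stamp = datetime.strptime(" ".join(parts[:2]), "%m/%d/%y %H:%M:%S")
            entries.append((stamp, ipaddress.ip_address(parts[2])))
        except (ValueError, IndexError):
            rejected.append(line)  # malformed line: keep for manual review
    return sorted(entries, key=lambda e: e[0]), rejected

def summarize(entries, burst=timedelta(seconds=2)):
    """Per source: hit count, first/last seen, repeats inside the burst window."""
    by_src = defaultdict(list)
    for stamp, ip in entries:
        by_src[str(ip)].append(stamp)
    return {
        ip: {"hits": len(s), "first": s[0], "last": s[-1],
             "rapid_repeats": sum(b - a <= burst for a, b in zip(s, s[1:]))}
        for ip, s in by_src.items()
    }

def by_prefix(entries, prefixlen=16):
    """Distinct sources per covering network, to spot shared address blocks."""
    nets = defaultdict(set)
    for _, ip in entries:
        nets[str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))].add(ip)
    return {net: len(ips) for net, ips in nets.items()}
if __name__ == "__main__":
    for ip, info in summarize(parse_log(LOG)[0]).items():
        print(ip, info["hits"], info["rapid_repeats"])
```

Run against the seven lines above, it reports five distinct sources, two of which connected twice within the repeat window, and no two sources sharing a /16.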





References: hacking continued
(Terry Cowan <tcowan@knlr.com>, 14 Mar 2017 15:43:11 -0000)
Re: hacking continued
(Matthew Chambers <mchambers@showmeham.info>, 14 Mar 2017 15:45:06 -0000)