Compromised computer with Microsoft IP address 138.91.146.9

  • Question

  • SSH attacks are incredibly common, and usually originate from foreign countries and random compromised systems on the Internet, and I don't pay much attention to them. This attack, however, originated from a Microsoft IP address. That means it's a server or employee machine at Microsoft that is infected/compromised. I thought it was worth spending a minute to report it so that the machine in question can be located and cleaned up before any harm is done.

    Here are the relevant SSH logs:

    Jan 01 03:24:01 [sshd] Did not receive identification string from 138.91.146.9
    Jan 01 03:24:01 [sshd] SSH: Server;Ltype: Version;Remote: 138.91.146.9-1024;Protocol: 2.0;Client: Granados-1.0
    Jan 01 03:24:01 [sshd] SSH: Server;Ltype: Kex;Remote: 138.91.146.9-1024;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
    Jan 01 03:24:03 [sshd] SSH: Server;Ltype: Authname;Remote: 138.91.146.9-1024;Name: admin [preauth]
    Jan 01 03:24:09 [sshd] Invalid user admin from 138.91.146.9
    Jan 01 03:24:09 [sshd] input_userauth_request: invalid user admin [preauth]
    Jan 01 03:24:11 [sshd] Connection closed by 138.91.146.9 [preauth]
    Jan 01 03:24:12 [sshd] SSH: Server;Ltype: Version;Remote: 138.91.146.9-1025;Protocol: 2.0;Client: Granados-1.0
    Jan 01 03:24:12 [sshd] SSH: Server;Ltype: Kex;Remote: 138.91.146.9-1025;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
    Jan 01 03:24:14 [sshd] SSH: Server;Ltype: Authname;Remote: 138.91.146.9-1025;Name: root [preauth]
    Jan 01 03:24:19 [sshd] Connection closed by 138.91.146.9 [preauth]
    Jan 01 03:24:20 [sshd] SSH: Server;Ltype: Version;Remote: 138.91.146.9-1026;Protocol: 2.0;Client: Granados-1.0
    Jan 01 03:24:20 [sshd] SSH: Server;Ltype: Kex;Remote: 138.91.146.9-1026;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
    Jan 01 03:24:23 [sshd] SSH: Server;Ltype: Authname;Remote: 138.91.146.9-1026;Name: guest [preauth]
    Jan 01 03:24:28 [sshd] Invalid user guest from 138.91.146.9
    Jan 01 03:24:28 [sshd] input_userauth_request: invalid user guest [preauth]
    Jan 01 03:24:29 [sshd] fatal: Read from socket failed: Connection reset by peer [preauth]
    Jan 01 03:24:31 [sshd] SSH: Server;Ltype: Version;Remote: 138.91.146.9-1026;Protocol: 2.0;Client: Granados-1.0
    Jan 01 03:24:31 [sshd] SSH: Server;Ltype: Kex;Remote: 138.91.146.9-1026;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
    Jan 01 03:24:34 [sshd] SSH: Server;Ltype: Authname;Remote: 138.91.146.9-1026;Name: uucp [preauth]
    Jan 01 03:24:40 [sshd] fatal: Read from socket failed: Connection reset by peer [preauth]
    Jan 01 03:24:41 [sshd] SSH: Server;Ltype: Version;Remote: 138.91.146.9-1026;Protocol: 2.0;Client: Granados-1.0
    Jan 01 03:24:41 [sshd] SSH: Server;Ltype: Kex;Remote: 138.91.146.9-1026;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
    Jan 01 03:24:43 [sshd] SSH: Server;Ltype: Authname;Remote: 138.91.146.9-1026;Name: support [preauth]
    Jan 01 03:24:48 [sshd] Invalid user support from 138.91.146.9
    Jan 01 03:24:48 [sshd] input_userauth_request: invalid user support [preauth]
    Jan 01 03:24:49 [sshd] fatal: Read from socket failed: Connection reset by peer [preauth]
    Jan 01 03:24:51 [sshd] SSH: Server;Ltype: Version;Remote: 138.91.146.9-1026;Protocol: 2.0;Client: Granados-1.0
    Jan 01 03:24:51 [sshd] SSH: Server;Ltype: Kex;Remote: 138.91.146.9-1026;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
    Jan 01 03:24:53 [sshd] SSH: Server;Ltype: Authname;Remote: 138.91.146.9-1026;Name: upnt [preauth]
    Jan 01 03:24:58 [sshd] Invalid user upnt from 138.91.146.9
    Jan 01 03:24:58 [sshd] input_userauth_request: invalid user upnt [preauth]

    • Moved by Mike Kinsman Wednesday, January 8, 2014 7:04 PM off topic
    Wednesday, January 1, 2014 9:37 AM
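The log excerpt above is a username spray: one source tries admin, root, guest, uucp, support and upnt over a few seconds, every connection ends at [preauth], and the same client banner (Granados-1.0) appears on each. Two details matter when turning that into a detection: existing accounts (root, uucp in the post's log) draw no "Invalid user" line, so counting only those lines undercounts the attempts, and the source prefix is what decides who gets the abuse report. The script below is an added example, not code from the original post or from Microsoft: it parses lines in the stripped format shown above (real syslog output also carries a hostname and sshd[pid], so the `_LINE` regex would need adjusting), counts distinct usernames per source IP inside a sliding window, notes the client banner and any accepted login, and tags the source against a prefix table. The sample log lines use documentation IP ranges and the `ASSUMED_OWNERS` table is a placeholder; both are constructed for the example.

```python
"""Added example: flag SSH username spraying in sshd logs and tag the source.
Not from the original post; regexes mirror the stripped format shown there."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample in the post's format, using documentation IPs. "root" and
# "uucp" draw no "Invalid user" line (existing accounts), so the Authname
# lines are what carry those attempts.
SAMPLE_LOG = """\
Jan 01 03:24:01 [sshd] SSH: Server;Ltype: Version;Remote: 198.51.100.7-1024;Protocol: 2.0;Client: Granados-1.0
Jan 01 03:24:03 [sshd] SSH: Server;Ltype: Authname;Remote: 198.51.100.7-1024;Name: admin [preauth]
Jan 01 03:24:09 [sshd] Invalid user admin from 198.51.100.7
Jan 01 03:24:11 [sshd] Connection closed by 198.51.100.7 [preauth]
Jan 01 03:24:14 [sshd] SSH: Server;Ltype: Authname;Remote: 198.51.100.7-1025;Name: root [preauth]
Jan 01 03:24:23 [sshd] SSH: Server;Ltype: Authname;Remote: 198.51.100.7-1026;Name: guest [preauth]
Jan 01 03:24:28 [sshd] Invalid user guest from 198.51.100.7
Jan 01 03:24:34 [sshd] SSH: Server;Ltype: Authname;Remote: 198.51.100.7-1026;Name: uucp [preauth]
Jan 01 03:24:43 [sshd] SSH: Server;Ltype: Authname;Remote: 198.51.100.7-1026;Name: support [preauth]
Jan 01 03:24:48 [sshd] Invalid user support from 198.51.100.7
Jan 01 03:25:10 [sshd] SSH: Server;Ltype: Version;Remote: 203.0.113.5-50022;Protocol: 2.0;Client: OpenSSH_6.2
Jan 01 03:25:11 [sshd] SSH: Server;Ltype: Authname;Remote: 203.0.113.5-50022;Name: alice [preauth]
Jan 01 03:25:12 [sshd] Accepted publickey for alice from 203.0.113.5 port 50022 ssh2
"""

# Hypothetical prefix-to-owner table (an assumption for the example). In
# practice fill it from whois/RDAP or a provider's published address ranges.
ASSUMED_OWNERS = {"198.51.100.0/24": "example-cloud-provider (abuse@example.net)"}

_LINE = re.compile(r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \[sshd\] (?P<msg>.*)$")
_EVENT_PATTERNS = (
    ("client", re.compile(r"Ltype: Version;Remote: (?P<ip>[\d.]+)-\d+;.*;Client: (?P<val>\S+)")),
    ("attempt", re.compile(r"Ltype: Authname;Remote: (?P<ip>[\d.]+)-\d+;Name: (?P<val>\S+)")),
    ("attempt", re.compile(r"^Invalid user (?P<val>\S+) from (?P<ip>[\d.]+)")),
    ("attempt", re.compile(r"^Failed \S+ for (?:invalid user )?(?P<val>\S+) from (?P<ip>[\d.]+)")),
    ("accepted", re.compile(r"^Accepted \S+ for (?P<val>\S+) from (?P<ip>[\d.]+)")),
)


def parse_sshd(text):
    """Return (timestamp, ip, kind, value) events; lines with no auth signal are skipped."""
    events = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; strptime fills in 1900, which is
        # fine for relative windowing inside one log.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        for kind, rx in _EVENT_PATTERNS:
            hit = rx.search(m["msg"])
            if hit:
                events.append((ts, hit["ip"], kind, hit["val"]))
                break
    return events


def owner_of(ip, table=ASSUMED_OWNERS):
    """Label of the first prefix in `table` containing `ip`, or None."""
    addr = ip_address(ip)
    for prefix, owner in table.items():
        if addr in ip_network(prefix):
            return owner
    return None


def find_spraying(events, window_seconds=300, min_users=3):
    """Per source IP, count distinct usernames tried within any window of
    `window_seconds` and flag IPs reaching `min_users`. Also report the client
    banner(s) and any accepted logins: a success after a spray is an incident,
    not just an abuse report."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(lambda: {"attempts": [], "clients": set(), "accepted": set()})
    for ts, ip, kind, value in events:
        rec = by_ip[ip]
        if kind == "attempt":
            rec["attempts"].append((ts, value))
        elif kind == "client":
            rec["clients"].add(value)
        else:
            rec["accepted"].add(value)

    reports = {}
    for ip, rec in by_ip.items():
        attempts = sorted(rec["attempts"])
        peak = 0
        for i, (start, _) in enumerate(attempts):
            in_window = {user for ts, user in attempts[i:] if ts - start <= window}
            peak = max(peak, len(in_window))
        reports[ip] = {
            "distinct_users": sorted({user for _, user in attempts}),
            "peak_users_in_window": peak,
            "clients": sorted(rec["clients"]),
            "accepted": sorted(rec["accepted"]),
            "flagged": peak >= min_users,
            "owner": owner_of(ip),
        }
    return reports


def summarize(text, **kwargs):
    return find_spraying(parse_sshd(text), **kwargs)


if __name__ == "__main__":
    for ip, r in summarize(SAMPLE_LOG).items():
        tag = "SPRAY" if r["flagged"] else "ok"
        print(f"{tag:5} {ip:15} peak={r['peak_users_in_window']} users={r['distinct_users']} "
              f"clients={r['clients']} accepted={r['accepted']} owner={r['owner']}")
```

Run against the sample, the spraying source is flagged with five distinct usernames in one window, a single Granados-1.0 banner and no accepted login, while the OpenSSH client that authenticates once is not. The window and threshold are tunable; shrinking the window to a few seconds shows how a slow spray that spaces attempts out would fall under the radar, which is why the distinct-user count over a longer window is the more useful signal than per-minute failure rates.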

All replies

  • Hi,

    It's unlikely that anyone will actually see this here, this forum is meant for feedback on the TechNet website/subscriptions and isn't really active any longer.

    This might be your best avenue for reporting:

    http://technet.microsoft.com/en-US/security/ff852094.aspx


    Don't retire TechNet! - (Don't give up yet - 12,420+ strong and growing)

    • Proposed as answer by Just Karl Friday, January 10, 2014 4:48 PM
    • Marked as answer by Just Karl Monday, January 27, 2014 4:42 PM
    Tuesday, January 7, 2014 2:38 PM
  • Unfortunately your post is off topic here, in the TechNet Site Feedback forum, because it is not feedback about the TechNet website or subscription. This is a standard response I’ve written up in advance to help many people (thousands, really) who post their question in this forum in error, but please don’t ignore it. The links I share below I’ve collected to help you get right where you need to go with your issue.

    For technical issues with Microsoft products that you would run into as an end user of those products, one great source of info and help is http://answers.microsoft.com, which has sections for Windows, Hotmail, Office, IE, and other products. Office related forums are also here: http://office.microsoft.com/en-us/support/contact-us-FX103894077.aspx

    For Technical issues with Microsoft products that you might have as an IT professional (like technical installation issues, or other IT issues), you should head to the TechNet Discussion forums at http://social.technet.microsoft.com/forums/en-us, and search for your product name.

    For issues with products you might have as a Developer (like how to talk to APIs, what version of software do what, or other developer issues), you should head to the MSDN discussion forums at http://social.msdn.microsoft.com/forums/en-us, and search for your product or issue.

    If you’re asking a question particularly about one of the Microsoft Dynamics products, a great place to start is here: http://community.dynamics.com/

    If you really think your issue is related to the subscription or the TechNet Website, and I screwed up, I apologize!  Please repost your question to the discussion forum and include much more detail about your problem, that could include screenshots of the issue (do not include subscription information or product keys in your screenshots!), and/or links to the problem you’re seeing. 

    If you really had no idea where to post this question but you still posted it here, you still shouldn’t have because we have a forum just for you!  It’s called the Where is the forum for…? forum and it’s here: http://social.msdn.microsoft.com/forums/en-us/whatforum/

    Moving to off topic. 

    Thanks, Mike

    MSDN and TechNet Subscriptions Support. Read the Subscriptions Blog: http://blogs.msdn.com/msdnsubscriptions

    Wednesday, January 8, 2014 7:04 PM
  • Hello,

    Either post in the forum Mike Laughlin suggested, or in the Virus and Malware forum on Microsoft Community.

    Karl


    When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer.
    My Blog: Unlock PowerShell
    My Book: Windows PowerShell 2.0 Bible
    My E-mail: -join ('6F6C646B61726C40686F746D61696C2E636F6D'-split'(?<=\G.{2})'|%{if($_){[char][int]"0x$_"}})

    Friday, January 10, 2014 4:49 PM