Weird Query Login Attempts

Alligatoras

Administrator
Today I updated both of my servers and after that I get failed query login attempts from the same IP.
PS: the servers are on two different machines with different IPs and didn't have this issue before.

Anyone else experiencing this?



Update:
So someone is trying to gain access with weird / random accounts, or trying to flood, or what?
Same stuff on the other server, no point in sending the same log again. Just other random login names.

Everything looks like it started yesterday morning. Looks like some bot or something.

 

Bluscream

Retired Staff
Contributor
Maybe it's related to the "exploit" they fixed in the new version:
Fixed: Server crash when a client sent a malformed login.
Maybe he was trying that?
 

Alligatoras

Administrator
Maybe it's related to the "exploit" they fixed in the new version

Maybe he was trying that?
Really don't know. It started yesterday morning at 10:00am and kept going until I added the IP to the blacklist.
 

Bluscream

Retired Staff
Contributor
It would be helpful if that instance were a TeaSpeak instance, because then you can see the passwords he tried.
 

Asphyxia

Server Monkey
Administrator
because then you can see the passwords he tried
Not sure why you are becoming a TeaSpeak puppet lol, lately all you ever post about is that. They found debug info left in a compiled release and spent months reverse engineering the TeamSpeak protocol and replicating it, and now add a few features that are minuscule, as in not really helpful at all, plus:

  1. The codebase is buggy as hell which results in plenty of crashing.
  2. It is not an official client and never will be, so say goodbye to any business use.
  3. The legality is questionable which is why your server can end up on a blacklist anyway.
The idea of TeaSpeak does nothing except hurt the TeamSpeak community; literally every part of TeaSpeak is copied/stolen, and even worse, done so under proprietary compiles and then placed behind a paywall. The idea of the project is literally autistic and useless. It's like "a private World of Warcraft server", but for TeamSpeak, which makes no sense because TeamSpeak already allows you to run your own free 32-slot servers.

---

Back on topic...

It's an automated bot system that is automating login attempts with common passwords. The passwords do not matter because they're mostly root::1234, root::root, admin::admin, etc.

Info on the abusive IP here: https://www.abuseipdb.com/check/118.151.209.119

You used to offer helpful/insightful content and now are only advertising TeaSpeak. If you are going to only ever post about them, why post? It's empty content; you're basically spamming.

To more fully answer your question: the attacker is a known abusive IP and is probably just spraying all Telnet protocols in the wild and trying default login credentials, hence the "root" username.
 

Alligatoras

Administrator
It's an automated bot system that is automating login attempts with common passwords. The passwords do not matter because they're mostly root::1234, root::root, admin::admin, etc.
Huh, thank god then that I use hard passwords. ;)
Good luck to them finding my password with 32 letters (capital or not)/numbers/symbols :p

But still, I blocked that IP from my server, so I guess I am fine until another IP shows up...
 

Asphyxia

Server Monkey
Administrator
But still, I blocked that IP from my server, so I guess I am fine until another IP shows up...
You can automate this type of banning, for example if 3 logins are tried and fail within an hour or two. You may adjust this accordingly!

A while ago @Bluscream posted something somewhat helpful: he mentioned Fail2ban, which is appropriate here.

https://forum.teamspeak.com/threads/123543-Fail2Ban-Filter-for-Teamspeak?p=427311#post427311 is a post showcasing how one would go about configuring Fail2ban to scan the ts3server log file and auto-ban (blacklist the IP). I could make a video on this if help is needed.
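Added example, not from the thread, the linked forum post or the TeamSpeak project: a Python replay of the counting rule Asphyxia describes (3 failed query logins inside an hour, then ban) over constructed ts3server-style log lines. The log line layout and the "invalid login attempt from" wording are assumptions, since the thread's attached log is not on the page; the sample log, the timestamps and the 203.0.113.5 admin address are constructed for the example. The replay also shows why the 10-minute default ban period Alligatoras mentions lets the same IP straight back in.

```python
"""Fail2ban-style counting of failed TeamSpeak query logins (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed ts3server log layout: "<timestamp>|<level> |<channel> |<sid>|<message>".
# The message text for a failed query login is a guess; check a real
# logs/ts3server_*.log and adjust before reusing this as a fail2ban failregex.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)"
    r"\|WARNING\s*\|Query\s*\|[^|]*\|"
    r"invalid login attempt from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample log: the abusive IP named in the thread hammers the query
# port every few seconds, an admin at 203.0.113.5 mistypes a password once, and
# the attacker returns after ten minutes and again hours later.
SAMPLE_LOG = """\
2018-03-01 10:00:00.100000|INFO    |Query         |   |listening on 0.0.0.0:10011, [::]:10011
2018-03-01 10:00:01.200000|WARNING |Query         |   |invalid login attempt from 118.151.209.119:53112
2018-03-01 10:00:04.300000|WARNING |Query         |   |invalid login attempt from 118.151.209.119:53118
2018-03-01 10:00:07.400000|WARNING |Query         |   |invalid login attempt from 203.0.113.5:40001
2018-03-01 10:00:09.500000|WARNING |Query         |   |invalid login attempt from 118.151.209.119:53125
2018-03-01 10:10:30.600000|WARNING |Query         |   |invalid login attempt from 118.151.209.119:53207
2018-03-01 13:00:00.000000|WARNING |Query         |   |invalid login attempt from 118.151.209.119:53900
"""


def parse_failures(log_text):
    """Return [(datetime, ip)] for every failed query login line in log_text."""
    out = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            out.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["ip"]))
    return out


def simulate_bans(failures, maxretry=3, findtime=3600, bantime=7200):
    """Replay failures through fail2ban's rule: an IP is banned for `bantime`
    seconds once it reaches `maxretry` failures inside a `findtime`-second
    window.  Returns (bans, blocked): bans maps ip -> ban start times, blocked
    lists attempts that arrived while the IP was banned, i.e. packets the
    firewall rule would have dropped before they reached the query port.
    """
    recent = defaultdict(deque)  # ip -> failure timestamps still inside findtime
    banned_until = {}            # ip -> datetime when the ban lifts
    bans = defaultdict(list)
    blocked = []
    for ts, ip in sorted(failures):
        if ip in banned_until and ts < banned_until[ip]:
            blocked.append((ts.isoformat(sep=" "), ip))
            continue
        window = recent[ip]
        window.append(ts)
        # Drop failures older than findtime; the newest entry always stays.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[ip].append(ts.isoformat(sep=" "))
            banned_until[ip] = ts + timedelta(seconds=bantime)
            window.clear()
    return dict(bans), blocked


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    for label, bantime in (("fail2ban, 2h ban", 7200), ("server default, 10 min ban", 600)):
        bans, blocked = simulate_bans(failures, bantime=bantime)
        print(label, "-> bans:", bans, "blocked while banned:", blocked)
```

With the two-hour ban the 10:10 retry never reaches the server; with the ten-minute default the same IP is let back in and simply starts a fresh window. The matching fail2ban settings would be `maxretry = 3`, `findtime = 3600`, `bantime = 7200` in the jail, with a filter whose failregex is the pattern above and `<HOST>` in place of the ip group, once the message wording has been checked against a real log.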
 

Alligatoras

Administrator
You can automate this type of banning, for example if 3 logins are tried and fail within an hour or two. You may adjust this accordingly!

A while ago @Bluscream posted something somewhat helpful: he mentioned Fail2ban, which is appropriate here.

https://forum.teamspeak.com/threads/123543-Fail2Ban-Filter-for-Teamspeak?p=427311#post427311 is a post showcasing how one would go about configuring Fail2ban to scan the ts3server log file and auto-ban (blacklist the IP). I could make a video on this if help is needed.
The default automatic IP ban works fine. I just haven't changed the default ban period, which is 10 minutes; as you can see, that's the interval between the login attempts. I will maybe make it 2-3 hours.
 

lukasjanra

Active Member
I had these logins too, the same random names, yesterday. I was on an older version; today I updated to the newest. Will see what's going on.
 

Asphyxia

Server Monkey
Administrator
I had these logins too, the same random names, yesterday. I was on an older version; today I updated to the newest. Will see what's going on.
Nothing to worry too much over.

This is just a dictionary attack; they are common and mostly harmless unless you have weak default credentials like admin for the username and admin for the password.

It's similar to a project like this: https://github.com/forScie/SSHAttacker

Basically, a malicious attacker scans every IPv4 address for port 1234 and detects if port 1234 is listening for a telnet connection. If so, does the connection prompt "Enter username"? If yes, then we try "root"; if a password is asked for, we try "root"; if "success", then the attacker stores this credential.

In most cases you are safe from these types of attacks. They are basic and annoying; you probably have more SSH login attempts. On your Linux-based server, for example, type the "lastb" command. You will probably see many invalid login attempts trying to break into your server itself.
 

lukasjanra

Active Member
I always try to change default ports. The only one I hadn't changed was the SSH query port, which is now changed too. So yeah, before I changed from the default SSH port 22 I had many weird login tries.
 
You can just allow only your IP to access the query port, and then neither the attack nor the exploit will work against the query port.
 
