#infosec Troubleshooting #Syspeace and why source IP addresses aren’t always resolved by #Windowsserver in eventid 4625

Syspeace is a HIPS (Host Intrusion Prevention System) that monitors failed logins attempts on for instance Remote Desktop Servers, Exchange Server, SQL Servers, Winlogon events on Windows Servers from Windows Server 2003 and more and blocks, tracks and reports the attacker based on customazible rules

Sometimes though, the event (Eventid 4625 or eventid 529 and a few other security events we monitor) doesn’t actually contain the source IP address thus leaving Syspeace with nothing to block.
If there’s no IP address to block, it can’t be put into to the Windows Frewall Syspeace rules and the bruteforce attack can continue.

This essentially happens when you switch from RDP layer security to using a certificate.

An article on Stackoverflow might be pointing to a solution though

http://stackoverflow.com/questions/1734635/event-logging-ipaddress-does-not-always-resolve

Essentially, the suggestion is to change this setting in the Local Security Policy of the server running Syspeace.

Computer ConfigurationWindows SettingsSecurity SettingsSecurity Options

– Network security: LAN Manager authentication level — Send NTLMv2 response only. Refuse LM & NTLM
– Network security: Restrict NTLM: Audit Incoming NTLM Traffic — Enable auditing for all accounts
– Network security: Restrict NTLM: Incoming NTLM traffic — Deny all accounts

Here’s a warning though!
If you’re using the RD WEB also to publish Remote Resources.
For some reason , your MAC OS clients will stop recieving Remote Resources since it seems to run on NTLM version 1 (and I would guess Android and XP too )
Also scanners may stop working locally if they need to write files to a newtorks share
I tried a lab with this and when seting the – Network security: Restrict NTLM: Incoming NTLM traffic — Deny all accounts , the remote resources can’t be refreshed.

There are a few warnings when changing this setting and you should investigate if there are applications or services in your server environment that are dependent on LM or NTLM (v1).

I’ve changed the setting on a number of servers and haven’t seen anything stop working but still you should investigate before changing.

Syspeace - intrusion prevention for Windows servers
Syspeace website

Troubleshooting Syspeace

An interesting support case came to our attention recently.

A customer claimed that Syspeace wouldn’t block according to the rules.

The bruteforce attacks would continue , even after they should have been blocked.

We checked the ususal culprits (verify that the .Net is fully patched, that the customer is running the latest Syspeace version, verify that logging is enabled and that the firewall is turned on )

The rules were added as expected in the firewall but they didn’t have any effect.

After a lot of troubleshooting the root-cause was found.

The customers server did indeed have the firewall enabled but only in one of the firewall profiles (public, private, domain) and unfortuantely, the network used was not the one the firewall was enabled for, hence, nothing was blocked as expected. The rules were added but did not take effect in the expected amount of time

So, as a general troubleshooting tip , check how your firewall is enabled and verify that it indeed is the correct network profile in there, or, enable the firewall for all three profiles.

The usual troubleshooting tips we give are described in the manual in the troubleshooting section

1. Make sure you’ve enabled the firewall (as described in Firewall), firewall enabled, prefferably on all profiles.

2. Make sure you’ve enabled the auditing (as described in Windows login detection prerequisites).

3. Verify that the server can reach https://s.syspeace.com/ping . (You should see a message saying Hello from Stockholm. and the local time of the server and recommended Syspeace version)

4. In some instances, when running Terminal Server or Remote Desktop Services there’s actually the scenario where the Windows server itself fails to obtain the source IP address of the login attempt (you can verify this by checking the Windows event log and look for Source Network Address: ) Sometimes, that entry is empty, thus disabling Syspeace from actually having anything to block. Syspeace will attempt to corroborate the IP address from some other logs. If it doesn’t find any, there is not much that Syspeace can do.

5. In any applicable firewall or antivirus software, allow Syspeace access to https://s.syspeace.com/ (port 443).

6. Verify any proxy settings, if applicable.

7. Some methods of Windows authentication actually attempts to log in several times. Two failures may be part of one log in attempt. Syspeace has no way of knowing how many attempts were intended and has to work with the actual failures. Due to counting failures instead of attempts, rules may be triggered seemingly ahead of time.

8. One way of quickly verifying functionality is to use a workstation (not whitelisted) and attack your server with the net use command from the command prompt. After the number of tries defined in the current rules, the workstation should be blocked from communicating with the server. Example of the command: net use * \server name or server IP addressanyshare /user:syspeacetester ”anypassword”

9. If you want to submit logs to us, start Syspeace, go to Management → System settings, enable logging and start the service. The log file is created in a subfolder of the Syspeace installation folder.

10. When submitting logs,
Please create a .zip file of the logfiles, include any relevant information from Windows Eventlogs (application, system and security and when applicapble, the Syspeace eventlog ) and also create a .Zip-file of the database and email them directly to the devteam . The email address can be found in the manual

11. If your server doesn’t pick up the source IP address in your eventlog , please have a look a this blog article

12. If your database has grown above the size limit of 4 GB, in the current version ( 2.5.2) you will have to manually delete the database and set up your Syspeace again. in the upcoming version this has been fixed.

by Juha Jurvanen

#Syspeace stops due to license server inaccessable on #Windows Server 2003 #infosec

Syspeace service stops due to license server not reachable / inaccessibility on Windows Server 2003

We’ll actually update the troubleshooting section with info for Windows 2003 Servers but here’s why this can occur.

Apparently root certificates are not automatically updated on Windows Server 2003:

http://support.microsoft.com/kb/931125

> The automatic root update mechanism is enabled on Windows Server 2008 and later versions, but not on Windows Server 2003. Windows Server 2003 supports the automatic root update mechanism only partly. (This is the same as the support on Windows XP.) And because the root update package is intended for Windows XP client SKUs only, it is not intended for Windows Server SKUs. However, the root update package may be downloaded and installed on Windows Server SKUs, subject to the following restrictions.

> If you install the root update package on Windows Server SKUs, you may exceed the limit for how many root certificates that Schannel can handle when reporting the list of roots to clients in a TLS or SSL handshake, as the number of root certificates distributed in the root update package exceeds that limit. When you update root certificates, the list of trusted CAs grows significantly and may become too long. The list is then truncated and may cause problems with authorization. This behavior may also cause Schannel event ID 36885. In Windows Server 2003, the issuer list cannot be greater than 0x3000.

This can be resolved for Syspeace by manually installing the gd-class2-root.crt certificate from this page: https://certs.godaddy.com/anonymous/repository.pki

#infosec Is there a need for intrusion prevention for Windows Servers like #Syspeace?

Syspeace icon
Syspeace icon

What is a brute force attack or dictionary attack really and how would Syspeace help?

Essentially it is someone who is trying to guess the right combination of username and password to gain access into your serveers for example a Microsoft Exchange Serve and the OWA (Outlook Web Access), Terminal Server/RDS (Remote Desktop Server), Sharepoint, SQL Server, Citrix and so on.

The attacker uses automated software to try to guess the right combination to be able to login and steal data or to elevate their rights. One attack can render in thousands of login attempts, it can go on for hours or days and it is a heavy load for the server to handle that in regards of CPU, RAM, network traffic and so on.
Each login request has to validated and checked if it is legitimate or not.

A comparison of a brute force attack and the real world be be this (this is an excerpt from the Syspeace website)

Imagine that your company has a physical facility. If someone repeatedly tries to gain access with a fake key or invalid key card, you would expect that your security guards would notice and not let the intruder through

Aren’t there builtin protection into Windows Server against these attacks ?

In short. No.
The only built in mechanisms in Windows Servers are basically the ability to enforce strong passwords and to enable account lockout.

To enable strong passwords is a good thing, even if you’re running an intrusion prevention software for Windows like Syspeace.
If you have easy-to-guess passwords, it won’t really matter what protection you’re sunning since if a login is valid, no software would block it anyway. A valid username and password is always a valid login. So, please ensure you require users to use strong and complex passwords and allow for Syspeace to capture the attack.

The second method , ie. account lockout, might actaully do you more harm than good and here’s why.
If the system you’re protecting is for instance an Exchange Server or an RDS Server and it is probably facing he Intenet to provide service for your users or customers. To figure out a username doesn’t have to be that complicated fo an attacker. They’ll first try to understand the email policy naming convention, scavenge the Internet for metadata and the simply start trying to login using the email address as the username (since this is quite often a valid login name) and try guess to guess the password.

If you’ve enabled the Account Lockout Policy the affected users accounts will be constantly locked since the attacker will automate the attack and try thousands of time for each user they know are in the system.

If you’ve been hit with an attack and it is just from a single IP address, you’d probably just block it in the Windows Firewall (or the external firewall) and unlock the affected users accounts and that’s it. Hopefully you’d also report it.

Now, what if the attack is actually done from hundreds or thousands of computers at the same time ? Blocking them manually isn’t really an option is it ?
One simple and quick solution is to download the fully functional trial of Syspeace , install it and have Syspeace block, track and report the attack.

How can Syspeace help as an Intrusion Prevention for Windows Servers and do I set it up?

The idea behind Syspeace is the ease of use and independence from other software and appliances and also not to enforce a change in your network or infrastructure.

Some systems require you to change your entire infrastructure and put for instance a high performing proxy appliance or server in front of the network. Other systems are bundled with antivruses and other systems, requiring you use consultants and experts to get the systems running.

Syspeace is simply installed on the servers you want to protect. The installation process takes about 4-5 minutes maximum and that’s it. You’re done. The server is protected against brute force attacks. Out of the box.
Th Syspeace GUI is easy to understand and easy to manage. You don’t have to be a security expert to manage Syspeace.

If you want to move a Syspeace license from one server to antoher , that’s also easily done thanks to the floating licensing model within Syspeace. The length of the license can also vary so you’re not forced into buying a 1 year license if you don’t want to . You can a license fo 1 month. or 3 months, Whatever suits your needs.

The pricing of Syspeace is more or less equivavlent to an antivirus and it is a per-server based licensing so it’s not based up on the number of users you’re servicing. 1 license, 1 server. That’s it.

These are some of the features included in Syspeace

.

Secure login attempts on Windows server
The Windows server is secured by watching the result of the Logon process. If multiple logon attempts fails, actions can be taken. This works on Windows Server 2003 and on and is also automatically protection for Remote Desktop Services, Sharepoint, Exchange OWA, Citrix and basically anthing that renders an eventid of 4635 or eventid 529 (we do monitor more events also)

Secure login to Exchange Serevr SMTP connectors
The Exchange server is usually exposed by the OWA web site that is a part of Exchange. Syspeace not only protects the OWA but also logon attempts made by connectors.

Secure login to SQL Server
Many SQL-server installations expose a logon-possibility either by AD-integration or by logon by using SQL Authentication. Syspeace protects both methods

Multiple customizable rules
Syspeace can be tailored to fit your specific needs by customizing the rule-base. The rules are executed in real-time on all successful and unsuccessful logon attempts and appropriate measures are taken.

Send mail when a block is done
Whenever a block (rule) is entered in the firewall, you have the option to be notified by mail.

Send daily mail with aggregated intrusion information both as plain text and attached CSV file
Each day, there is a summary created that you can have mailed to you or the people that you see will benefit from it.

Send weekly mail with aggregated intrusion information both as plain text and attached CSV file
If the daily summary is too granular, a weekly summary is also available in the same way.

Uses local whitelist
Some computers should never be blocked in your environment. These computers can be listed in a local Whitelist so that Syspeace will never block these IP addresses.

Uses local blacklist

The local blacklist is a opportunity to force a block to a specific set of computers that you never want to connect to your server.

Uses global blacklist
Syspeace comes with a Global Blacklist. This list is maintained by Syspeace central servers and distributed once a day to your Syspeace installation. The Global Blacklist contains computers that have tried to break the security on many other sites that run Syspeace.

Searchable log of login/intrusion attempts
Syspeace have the ability to in a very easy way present information about who is attacking you and when it happened. The data is searchable, aggregated and presented in a matter of a few simple clicks.

View information on why a block was made
A block may be initiated from many different sources. Together with the block is also information stored about the origin. It is always possible to back track a block.

Access report to quickly find related information in the attempt log
The Access report takes the reporting to a new level. Here, it is possible to further aggregate and investigate what happens to your server.

Updates are free and new features are included. We’ve also released the ability write your own Syspeace Detectors thurough the Syspeace API to protect for instance a webapplication or write a special detector for your Windows applications.

Who should use Syspeace then ?

Syspeace isn’t targeted at any special types of environments or companies, we believe that Syspeace is a natural part to use for any server administrator, regardless of if you’re a Cloud Service provider or managing you own servers or if you’re an outsourcing company, hosting company or even if the servers are physical or virtual.
Syspeace can help in any scenario so the short answer is, any system admininstrator managing a Windows Server from Windows Server 2003 and on really.

It is not a ”silver bullet” for security but a piece of the security puzzle we believ you’ll need to ensure the protection of your users or customers and it solves a problem easily that no one hasn’t really been able to handle earlier.

If yuu’re up for reading more about intrusion prevention for Windows Servers, please have a look at the earlier articles written here on this blog or have simply go to the Syspeace website for more information and download a trial.

Syspeace - intrusion prevention for Windows servers
Syspeace website

#infosec VPS and #Cloud servers used for brute force attacks and #botnets against #WinServ and #MSExchange

Syspeace - intrusion prevention for Windows servers
Syspeace website

Is your VPS used for brute force attacks?

or I could also have called this post ”Do you know whom your VPS is hacking today?”

A trend that has surfaced over the years is to simply hire computer power inte the Cloud in various forms and shapes. The basic idea is to get rid of the hardware and maintenance för servers and have someone else take care of it. Also known as Infrastructure aa a Service or IaaS

The problem is often though that even if you use a hosted VPS you still have to manage it. This is something that a lot of users and companies tend to forget or neglect.

What you’ve basically done is simply get rid of the hardware hassle but you still have to take care of the Windows patching and manage security issues as with any Windows serevr (or Linux för that matter) .

There aren’t that many Cloyd services out there that actually will also manage the security and management aspects of your VPS and you really need to think these things through.

The resaon for this post is that for some time now, a VPS located at a Swedish Cloud Service provider has been trying to brute force its way into quite a few different servers with #Syspeace installed on them.
The attacks, targeted aginst RDP / Terminal Servers servers, Exchange Server and Sharepoint Servers in this case, have been blocked, traced and reported automatically but the big question is whether whoever owns/hires this VPS is actually even aware of what is going on ? Or if it’s hired especially for this purpose? This is actuallt impossible to know.

In this specific case this VPS has been going on and on for a while and it has targeted at least 5 different customers of mine with Syspeace installed and about 12 servers at least.
All attacks have been succesfully blocked, tracked and reported and eventually this VPS will end up in the Syspeace Global Blacklist (GBL) and propagated to all other Syspeace installations around the world and it will be blacklisted for all of them, thus securing them preemptively from any brute force / dictionary attacks from this VPS.

Most likely the Cloud Service Provider doesn’t know what’s going on since it’s not their responsibility really. Maybe the user / customer hirong the VPS does this on pyrpose or they have no idea that the VPS has been compromised and is used for this hacking activity. I juyt donät knoew. All I know is that it has been cinducting a lot of dicitionary attacks lately.

What I’m driving at is that if you decide to start using a hosted VPS, you still have the responsibility to manage it as any other server really.
You need to have it correctly patched, have an antivirus on it, make sure all security settings are correct and you need to monitor activity on it.

You should also ask your Cloud Service provider for intrusion prevention from Syspeace since you basically have no idea what all of the other customers VPS are really doing in your shared network since you hae no control over them.

Most Cloud Service Provers could inplement Syspeace in their various Applications portals or have a Syspeace installed in their prepared images for customers. If your providers hasn’t implemented Syspeace yet, you can simply download it yourself from http://www.syspeace.com/free-download/download-plus-getting-started-with-syspeace/

Your ”neighbors” at the Cloud Service could be trying to brute force they way into your VPS and you’d probably wouldn’t have a clue if you haven’t turned on logging and installed a brute foce prevention software for Windows servers.

By Juha Jurvanen @ JufCorp

#infosec Securing your #WinServ and #MSExchange with an acceptable baseline security

Securing your Windows Server with a baseline security

In short, to have an acceptable baseline security for any Windows server you need to think all of the things below in this list.
Sadly enough, even if you follow all of these steps, you’re still not secured forever and ever. There’s no such thing as absolute security. That’s just the way it is but you might use this as some kind of checklist and also the links provided in this post.

Syspeace logo
Syspeace logo

Securing Windows Serves with an acceptable baseline security

1. Make sure all of your software is updated with all security patches. This includes the Windows operating system but also Adobe, Java,Office and any software really. This reduces the risk for so called 0day attacks or your server being compromised by software bugs.

2. Make sure you have a good and not too resource intensive antivirus running on everything. Personally I’m a fan of F Secure PSB for servers and workstations for lots of reasons. It’s not just a pretty logo.

3. Verify you have thought your file and directory access structure and that users and groups are only allowed to use and see what they’re supposed to. Setting file permissions is a very powerful tool to secure your server and crucial.

4. Always make sure to read best practices for securing applications and servers and Google for other ideas also. No manual is the entire gospel.

5. Enable logging. If you don’t know what’s happeing, you can’t really react to it can you ? It also makes any troubleshooting hopeless in restrospect.

7. Have a good monitoring and inventory system in place such as the free SpiceWorks at http://www.spiceworks.com

8. If your server has any monitoring agents from the manufacturer such as HP Server Agents, then install them and set them up with notifications for any hardware events to be prepared.

9. User Group Policies. It’s an extermely powerful tool once you start using it and it will make you day to day operations much easier.

10. If your server is reachable from the Internet, use valifd SSL certificates. They’re not that expensive and any communications should be encrypted and secured as fa as we’re able. Yes, think Mr. Snowden.Think NSA.

11. Disable any unused services and network protocols. They can be a point of entry and for the unused network protocols, you bascially fill your local network with useless chatter that comsume bandwidth. This also goes for workstations and printers and so on.

12. Enforce complex password policies! You won’t be well-liked but that’s not what you get paid for.
If people are having trouble remembering passwords the have all over the world, maybe you could have thme read this
http://jufflan.wordpress.com/2012/11/03/remembering-complex-online-passwords/ and on the topic of online passwords and identities also, http://jufflan.wordpress.com/2012/11/03/reflections-on-theft-and-protection-of-online-identity-on-the-internet-who-are-you/

13. Use a good naming standard for user logins. Not just their first name as login or something too obvious. Here’s an old blog post on why http://syspeace.wordpress.com/2012/10/21/securing-your-webmailowa-on-microsoft-exchange-and-a-few-other-tips/

14. Backups! Backups! and again. BACKUPS!!
Make sure you have good backups (and test them at least once a year for a complete disaster revovery scenario) and make sure you have multiple generations of them in case any of them is corrupted, preferrably stored offsite in some manner in case of a fire, theft or anything really.
For day to day operations and generation management I highly recommend using the builtin VSS snapshot method but never ever have it instead of backups.
You can also use the built in Windows Server backup for DR as described here http://jufflan.wordpress.com/2013/07/15/using-windows-server-backup-20082008-r2-for-a-disaster-recovery-from-a-network-share/

15. You need to have an automatic intrusion protection against brute force and dictionary attacks with Syspeace since the ”classic” methods do not get the job done. Here’s an older blog post on why http://syspeace.wordpress.com/2013/07/11/using-various-brute-force-and-dictionary-attack-prevention-methods-to-prevent-hackers-and-why-they-dont-work-repost/ . I you don’t have the time to read the article then simply download the free Syspeace trial, install it and you’ve set up a pwerful and easy to use bruteforce prtection for your server in minutes.

If you’re up for it, I’ve written a few other related posts here:

http://jufflan.wordpress.com/2012/10/22/securing-your-server-environment-part-1-physical-environment/
and
http://jufflan.wordpress.com/2012/10/22/securing-server-environments-part-ii-networking/

By Juha Jurvanen @ JufCorp

Another weekly report of prevented intrusions against #Windowsservers by #Syspeace

Reported and blocked intrusion attempts against Windows Server

This is another report generated at a single server for one week. THis isn’t actually a highly targeted server compared to a lot of the servers running Syspeace out there but it does you you an idea of how common it is with dictionary attacks and brute force attacks.
All of these attacks were succesfully blocked, tracked and reported by Syspeace.

If you want to see if your Windows servers, Terminal Servers, Exchange and OWA, Citrix, Sharepoint, SQL server are targeted,  simply download a fully functional 30 day trial of Syspeace and see for yourself.
You might be surprised.

Report for week 2014-02-03 – 2014-02-09

— All Week ——

IP address Times Host name and country
——————– —– ——————————-
5.141.82.190 5 ; Russian Federation (RU)
31.168.75.16 11 bzq-75-168-31-16.red.bezeqint.net; Israel (IL)
37.28.157.63 1 d157063.artnet.pl; Poland (PL)
37.49.224.172 3 static-37-49-224-172-vstarvps.estroweb.in; Netherlands (NL)
46.105.59.195 2 ; France (FR)
50.52.142.2 1 static-50-52-142-2.drhm.nc.frontiernet.net; United States (US)
54.251.246.9 2 ec2-54-251-246-9.ap-southeast-1.compute.amazonaws.com; Singapore (SG)
62.20.107.114 1 ns.sdata.se; Sweden (SE)
74.95.168.97 1 74-95-168-97-Philadelphia.hfc.comcastbusiness.net; United States (US)
77.31.241.106 1 ; Saudi Arabia (SA)
77.72.55.67 1 ; Denmark (DK)
78.40.146.2 7 spider.man.kcahost.co.uk; United Kingdom (GB)
80.25.156.62 1 62.Red-80-25-156.staticIP.rima-tde.net; Spain (ES)
80.250.173.121 1 ; Russian Federation (RU)
81.204.76.158 1 ip51cc4c9e.speed.planet.nl; Netherlands (NL)
82.166.16.190 3 82-166-16-190.barak-online.net; Israel (IL)
82.199.95.156 2 STU-09-PC; Netherlands (NL)
83.218.73.146 1 ; Sweden (SE)
85.17.24.130 3 hosted-by.leaseweb.com; Netherlands (NL)
85.30.164.153 1 host-85-30-164-153.sydskane.nu; Sweden (SE)
85.225.211.107 1 c-6bd3e155.222-6-64736c12.cust.bredbandsbolaget.se; Sweden (SE)
85.234.222.197 1 85.234.222.197.wls.11-bba11has1.adsl.dyn.edpnet.net; Belgium (BE)
90.230.83.147 1 90-230-83-147-no110.tbcn.telia.com; Sweden (SE)
109.247.81.115 1 ; Norway (NO)
117.121.25.16 1 ; China (CN)
119.146.85.18 6 ; China (CN)
132.199.96.83 1 pc1011103133.uni-regensburg.de; Germany (DE)
148.160.16.132 1 host16-132.bornet.net; Sweden (SE)
165.228.5.204 1 tayper1.lnk.telstra.net; Australia (AU)
180.96.11.24 1 ; China (CN)
185.2.155.18 10 WIN-LMHRI4L8OR1; Sweden (SE)
188.20.178.75 2 ; Austria (AT)
188.75.83.216 1 ; Iran, Islamic Republic of (IR)
194.243.151.67 2 rub067.te00.c2.interbusiness.it; Italy (IT)
195.22.37.8 1 pedro.adsllink.cz; Czech Republic (CZ)
195.47.35.37 1 195.47.35.37.adsl.nextra.cz; Czech Republic (CZ)
198.200.30.110 1 198-200-30-110.dia.static.wsisd.net; United States (US)
202.105.224.22 1 ; China (CN)
203.146.30.32 5 ; Thailand (TH)
213.96.201.224 1 224.Red-213-96-201.staticIP.rima-tde.net; Spain (ES)
213.243.63.116 1 VCENTERB; Turkey (TR)
217.15.198.140 1 ; Russian Federation (RU)
222.186.32.224 1 mail.mxhichina.com; China (CN)

Hourly breakdown (blocks per hour)
00 x5
01
02 x1
03 x4
04 x4
05 x1
06 x3
07 x3
08
09 x6
10 x2
11 x6
12 x6
13 x5
14 x4
15 x7
16 x6
17 x3
18 x5
19 x4
20 x4
21 x4
22 x3
23 x6

– 2014-02-03 —

IP address Times Host name and country
——————– —– ——————————-
5.141.82.190 1 ; Russian Federation (RU)
46.105.59.195 2 ; France (FR)
50.52.142.2 1 static-50-52-142-2.drhm.nc.frontiernet.net; United States (US)
78.40.146.2 6 spider.man.kcahost.co.uk; United Kingdom (GB)
80.250.173.121 1 ; Russian Federation (RU)
85.234.222.197 1 85.234.222.197.wls.11-bba11has1.adsl.dyn.edpnet.net; Belgium (BE)
109.247.81.115 1 ; Norway (NO)
180.96.11.24 1 ; China (CN)
194.243.151.67 2 rub067.te00.c2.interbusiness.it; Italy (IT)
213.243.63.116 1 VCENTERB; Turkey (TR)

Hourly breakdown (blocks per hour)
00 x2
01
02
03 x2
04
05 x1
06
07 x1
08
09 x1
10 x1
11 x1
12
13 x3
14
15 x1
16 x1
17
18
19
20 x1
21
22
23 x2

– 2014-02-04 —

IP address Times Host name and country
——————– —– ——————————-
37.49.224.172 1 static-37-49-224-172-vstarvps.estroweb.in; Netherlands (NL)
82.199.95.156 2 STU-09-PC; Netherlands (NL)
117.121.25.16 1 ; China (CN)
119.146.85.18 1 ; China (CN)
185.2.155.18 5 WIN-LMHRI4L8OR1; Sweden (SE)
188.75.83.216 1 ; Iran, Islamic Republic of (IR)

Hourly breakdown (blocks per hour)
00
01
02
03
04 x1
05
06
07
08
09 x1
10
11 x1
12
13 x1
14 x2
15 x1
16 x1
17
18 x1
19
20
21 x1
22
23 x1

– 2014-02-05 —

IP address Times Host name and country
——————– —– ——————————-
5.141.82.190 4 ; Russian Federation (RU)
37.49.224.172 2 static-37-49-224-172-vstarvps.estroweb.in; Netherlands (NL)
62.20.107.114 1 ns.sdata.se; Sweden (SE)
74.95.168.97 1 74-95-168-97-Philadelphia.hfc.comcastbusiness.net; United States (US)
80.25.156.62 1 62.Red-80-25-156.staticIP.rima-tde.net; Spain (ES)
81.204.76.158 1 ip51cc4c9e.speed.planet.nl; Netherlands (NL)
82.166.16.190 1 82-166-16-190.barak-online.net; Israel (IL)
83.218.73.146 1 ; Sweden (SE)
90.230.83.147 1 90-230-83-147-no110.tbcn.telia.com; Sweden (SE)
119.146.85.18 2 ; China (CN)
148.160.16.132 1 host16-132.bornet.net; Sweden (SE)
185.2.155.18 5 WIN-LMHRI4L8OR1; Sweden (SE)
188.20.178.75 1 ; Austria (AT)
195.22.37.8 1 pedro.adsllink.cz; Czech Republic (CZ)
195.47.35.37 1 195.47.35.37.adsl.nextra.cz; Czech Republic (CZ)
213.96.201.224 1 224.Red-213-96-201.staticIP.rima-tde.net; Spain (ES)

Hourly breakdown (blocks per hour)
00
01
02 x1
03 x1
04 x2
05
06 x2
07
08
09 x2
10
11 x1
12 x3
13
14
15 x3
16
17 x2
18 x3
19 x1
20 x1
21 x2
22 x1
23

– 2014-02-06 —

IP address Times Host name and country
——————– —– ——————————-
77.72.55.67 1 ; Denmark (DK)
85.225.211.107 1 c-6bd3e155.222-6-64736c12.cust.bredbandsbolaget.se; Sweden (SE)
119.146.85.18 2 ; China (CN)
165.228.5.204 1 tayper1.lnk.telstra.net; Australia (AU)
198.200.30.110 1 198-200-30-110.dia.static.wsisd.net; United States (US)
203.146.30.32 1 ; Thailand (TH)

Hourly breakdown (blocks per hour)
00
01
02
03
04
05
06
07
08
09 x1
10
11 x2
12 x1
13
14
15
16
17
18 x1
19 x1
20
21 x1
22
23

– 2014-02-07 —

IP address Times Host name and country
——————– —– ——————————-
31.168.75.16 5 bzq-75-168-31-16.red.bezeqint.net; Israel (IL)
85.30.164.153 1 host-85-30-164-153.sydskane.nu; Sweden (SE)
119.146.85.18 1 ; China (CN)
202.105.224.22 1 ; China (CN)
217.15.198.140 1 ; Russian Federation (RU)

Hourly breakdown (blocks per hour)
00 x2
01
02
03 x1
04
05
06
07 x1
08
09
10
11
12
13
14 x1
15 x1
16 x2
17
18
19
20
21
22
23 x1

– 2014-02-08 —

IP address Times Host name and country
——————– —– ——————————-
31.168.75.16 6 bzq-75-168-31-16.red.bezeqint.net; Israel (IL)
77.31.241.106 1 ; Saudi Arabia (SA)
82.166.16.190 1 82-166-16-190.barak-online.net; Israel (IL)
85.17.24.130 1 hosted-by.leaseweb.com; Netherlands (NL)
132.199.96.83 1 pc1011103133.uni-regensburg.de; Germany (DE)
188.20.178.75 1 ; Austria (AT)
203.146.30.32 1 ; Thailand (TH)

Hourly breakdown (blocks per hour)
00
01
02
03
04 x1
05
06 x1
07 x1
08
09
10
11
12 x2
13
14
15 x1
16 x2
17
18
19 x1
20 x1
21
22 x1
23 x1

– 2014-02-09 —

IP address Times Host name and country
——————– —– ——————————-
37.28.157.63 1 d157063.artnet.pl; Poland (PL)
54.251.246.9 2 ec2-54-251-246-9.ap-southeast-1.compute.amazonaws.com; Singapore (SG)
78.40.146.2 1 spider.man.kcahost.co.uk; United Kingdom (GB)
82.166.16.190 1 82-166-16-190.barak-online.net; Israel (IL)
85.17.24.130 2 hosted-by.leaseweb.com; Netherlands (NL)
203.146.30.32 3 ; Thailand (TH)
222.186.32.224 1 mail.mxhichina.com; China (CN)

Hourly breakdown (blocks per hour)
00 x1
01
02
03
04
05
06
07
08
09 x1
10 x1
11 x1
12
13 x1
14 x1
15
16
17 x1
18
19 x1
20 x1
21
22 x1
23 x1

Generated 2014-02-10 00:03:15 for machine ****.****.**** by Syspeace v2.3.1.0

 

By Juha Jurvanen

Syspeace - intrusion prevention for Windows servers

Syspeace website