Is this a hack attempt?

    Just saw this in the logs, happening now. I have shut down "enable server for remote access" in tools/setup/network.

    A brute force attack? What should I do to cut the crap?
    Oct-03 1:34:12 PM Web Server Web Server login failed from: 35.237.235.210 User:
    Oct-03 1:34:12 PM Web Server Web Server login failed from: 35.237.235.210 User:
    Oct-03 1:34:11 PM Web Server Web Server login failed from: 35.237.235.210 User: user
    Oct-03 1:34:11 PM Web Server Web Server login failed from: 35.237.235.210 User: user
    Oct-03 1:34:10 PM Web Server Web Server login failed from: 35.237.235.210 User: user
    Oct-03 1:34:10 PM Web Server Web Server login failed from: 35.237.235.210 User: user
    Oct-03 1:34:10 PM Web Server Web Server login failed from: 35.237.235.210 User: root
    Oct-03 1:34:09 PM Web Server Web Server login failed from: 35.237.235.210 User: root
    Oct-03 1:34:09 PM Web Server Web Server login failed from: 35.237.235.210 User: root
    Oct-03 1:34:08 PM Web Server Web Server login failed from: 35.237.235.210 User: root
    Oct-03 1:34:08 PM Web Server Web Server login failed from: 35.237.235.210 User: pnadmin
    Oct-03 1:34:08 PM Web Server Web Server login failed from: 35.237.235.210 User: pnadmin
    Oct-03 1:34:07 PM Web Server Web Server login failed from: 35.237.235.210 User: enable
    Oct-03 1:34:07 PM Web Server Web Server login failed from: 35.237.235.210 User: enable


    It went on for about a half hour before I shut it down. This is about 10% of what was in the log.
    Last edited by lakemirror; October 3, 2018, 01:05 PM. Reason: brevity

    #2
    Yes, that's a remote attack, probably automated by the looks of it, trying common passwords. You probably shouldn't have port 80 exposed to the internet; that's better left local only.


      #3
      It is a bot "fishing" for vulnerable systems. Re-configure HS to use a web port other than port 80. Pick a number between 1024 and 65535, then restart HS.

      Remember that from now on you will need to specify the port http://ipaddressortaddress to get to HS.

      HomeSeer 2, HomeSeer 3, Allonis myServer, Amazon Alexa Dots, ELK M1G, ISY 994i, HomeKit, BlueIris, and 6 "4k" Cameras using NVR, and integration between all of these systems. Home Automation since 1980.


        #4
        That's a colon between the ipaddress and the port:

        Code:
        http://ipaddress:port


          #5
          Thanks, folks. The port number has not been 80 for a couple of years now.


            #6
            Originally posted by lakemirror
            Thanks, folks. The port number has not been 80 for a couple of years now.
            Check your setup in HS and make sure you have these kinds of attacks blocked.
            [Attached image: Untitled.png]
            HS4 4.2.6.0 & HSTouch Designer 3.0.80
            Plugins:
            BLBackup, BLOccupied, BLShutdown, EasyTrigger, Ecobee, Nest, AK Bond
            EnvisaLink DSC, PHLocation, Pushover, SONOS, Blue Iris, UltraRachio3,
            weatherXML, Jon00 Alexa Helper, Network Monitor, MyQ, Z-Wave


              #7
              It has been reported here: https://www.abuseipdb.com/check/35.237.235.210


                #8
                Originally posted by The Profit

                Check your setup in HS and make sure you have these kinds of attacks blocked.
                Thanks, just set that up this afternoon.
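
As an added example (not code from the thread or from HomeSeer), this Python script parses failed-login lines in the format shown in the first post and flags any source address with many failures inside a short window, listing the usernames it tried. The default year, the threshold and window values, and the 192.0.2.10 sample line are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line format as seen in the log excerpt in the first post.
LINE_RE = re.compile(
    r"^\s*(?P<ts>[A-Z][a-z]{2}-\d{2} \d{1,2}:\d{2}:\d{2} [AP]M) .*?"
    r"login failed from: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) User: ?(?P<user>.*)$")

def parse_failures(lines, year):
    """Yield (timestamp, ip, username); the log has no year, so pass one in."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b-%d %I:%M:%S %p")
            yield ts, m["ip"], m["user"].strip()

def find_bruteforce(lines, year=2018, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold failures inside any sliding window."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(lines, year):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])  # the log lists newest entries first
        start = peak = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = {"peak": peak,
                           "users": sorted({u or "<blank>" for _, u in events})}
    return flagged

# First six lines are taken from the posted log; the last line is constructed
# (documentation address, made-up user) to show a source that is not flagged.
SAMPLE = """\
Oct-03 1:34:12 PM Web Server Web Server login failed from: 35.237.235.210 User:
Oct-03 1:34:11 PM Web Server Web Server login failed from: 35.237.235.210 User: user
Oct-03 1:34:10 PM Web Server Web Server login failed from: 35.237.235.210 User: root
Oct-03 1:34:09 PM Web Server Web Server login failed from: 35.237.235.210 User: root
Oct-03 1:34:08 PM Web Server Web Server login failed from: 35.237.235.210 User: pnadmin
Oct-03 1:34:07 PM Web Server Web Server login failed from: 35.237.235.210 User: enable
Oct-03 1:20:00 PM Web Server Web Server login failed from: 192.0.2.10 User: alice
""".splitlines()

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE).items():
        print(ip, info["peak"], "failures in window; names tried:", info["users"])
```

A single mistyped password from a legitimate user stays below the threshold, while a run of generic account names from one address in a few seconds does not.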
