Query from xxx YYY.YYY.YYY.YYY:ZZZZZ attempted to login with account "123.456.789.101" and failed!

Hello,

Following an inspection of the logs of a TeamSpeak 3 server, which I do from time to time at random, I discovered strange things in the “_0.log” logs. Here is what some of the logs contain:
I would like to understand what these failed query errors correspond to and why they are found in the log file “_0.log” and NOT in “_1.log”.

2021-11-07 03:01:27.679933|INFO    |ServerLibPriv |   |TeamSpeak 3 Server 3.13.6 (2021-06-09 10:22:37)
2021-11-07 03:01:27.709101|INFO    |ServerLibPriv |   |SystemInformation: Linux 4.15.0-117-generic #118-Ubuntu SMP Fri Sep 4 20:02:41 UTC 2020 x86_64 Binary: 64bit
2021-11-07 03:01:27.709184|INFO    |ServerLibPriv |   |Using hardware aes
2021-11-07 03:01:27.731682|INFO    |DatabaseQuery |   |dbPlugin name:    SQLite3 plugin, Version 3, (c)TeamSpeak Systems GmbH
2021-11-07 03:01:27.731795|INFO    |DatabaseQuery |   |dbPlugin version: 3.11.1
2021-11-07 03:01:27.732272|INFO    |DatabaseQuery |   |checking database integrity (may take a while)
2021-11-07 03:01:27.962646|WARNING |Accounting    |   |Unable to open licensekey.dat, falling back to limited functionality
2021-11-07 03:01:27.997614|INFO    |Accounting    |   |Licensing Information
2021-11-07 03:01:27.997703|INFO    |Accounting    |   |licensed to       : Anonymous
2021-11-07 03:01:27.997757|INFO    |Accounting    |   |type              : No License
2021-11-07 03:01:27.997820|INFO    |Accounting    |   |starting date     : Thu Oct  1 00:00:00 2020
2021-11-07 03:01:27.997876|INFO    |Accounting    |   |ending date       : Tue Nov  1 00:00:00 2022
2021-11-07 03:01:27.997927|INFO    |Accounting    |   |max virtualservers: 1
2021-11-07 03:01:27.997976|INFO    |Accounting    |   |max slots         : 32
2021-11-07 03:01:31.673215|INFO    |              |   |Puzzle precompute time: 3569
2021-11-07 03:01:31.702340|INFO    |FileManager   |   |listening on 0.0.0.0:30033, [::]:30033
2021-11-07 03:01:31.768063|INFO    |Query         |   |Using a query thread pool size of 2
2021-11-07 03:01:32.030665|INFO    |Query         |   |listening for query on 0.0.0.0:10011, [::]:10011
2021-11-07 03:01:32.031094|INFO    |Query         |   |listening for ssh query on 0.0.0.0:10022, [::]:10022
2021-11-07 03:01:32.031256|INFO    |Query         |   |listening for http query on 0.0.0.0:10080, [::]:10080
2021-11-07 03:01:32.054121|INFO    |CIDRManager   |   |updated query_ip_allowlist ips: 192.122.42.111/32, 127.0.0.1/32, ::1/128, 
2021-11-07 03:01:32.054204|WARNING |ServerMain    |   |Warning - name 'query_ip_whitelist' from file /opt/teamspeak3-server_linux_amd64/ts3server.ini is deprecated (but understood), please use the new name 'query_ip_allowlist' instead.
2021-11-07 03:01:32.054262|WARNING |ServerMain    |   |Warning - name 'query_ip_blacklist' from file /opt/teamspeak3-server_linux_amd64/ts3server.ini is deprecated (but understood), please use the new name 'query_ip_denylist' instead.
2021-11-07 03:06:07.273931|INFO    |Query         |   |query from 11 45.177.139.66:45884 attempted to login with account "27.133.135.229" and failed!
2021-11-07 03:18:01.107629|INFO    |Query         |   |query from 34 45.177.139.66:9963 attempted to login with account "27.133.135.245" and failed!
2021-11-07 03:22:40.604058|INFO    |Query         |   |query from 45 45.177.139.66:40128 attempted to login with account "27.133.135.245" and failed!
2021-11-07 03:34:25.868951|INFO    |Query         |   |query from 70 45.177.139.66:15080 attempted to login with account "27.133.135.253" and failed!
2021-11-07 03:39:06.030931|INFO    |Query         |   |query from 81 45.177.139.66:31614 attempted to login with account "27.133.135.253" and failed!
2021-11-07 03:50:54.016078|INFO    |Query         |   |query from 104 45.177.139.66:64254 attempted to login with account "27.133.135.38" and failed!
2021-11-07 03:55:36.048511|INFO    |Query         |   |query from 115 45.177.139.66:55042 attempted to login with account "27.133.135.38" and failed!
2021-11-07 04:07:31.114937|INFO    |Query         |   |query from 140 45.177.139.66:39681 attempted to login with account "27.133.135.46" and failed!
2021-11-07 04:12:17.826097|INFO    |Query         |   |query from 151 45.177.139.66:58658 attempted to login with account "27.133.135.46" and failed!
2021-11-07 04:24:12.843846|INFO    |Query         |   |query from 176 45.177.139.66:1149 attempted to login with account "27.133.136.149" and failed!
2021-11-07 04:28:57.496791|INFO    |Query         |   |query from 185 45.177.139.66:50817 attempted to login with account "27.133.136.149" and failed!
2021-11-07 04:40:46.886262|INFO    |Query         |   |query from 210 45.177.139.66:36846 attempted to login with account "27.133.139.100" and failed!
2021-11-07 04:45:29.903010|INFO    |Query         |   |query from 221 45.177.139.66:14416 attempted to login with account "27.133.139.100" and failed!
2021-11-07 04:57:41.193416|INFO    |Query         |   |query from 246 45.177.139.66:64527 attempted to login with account "27.133.139.102" and failed!
2021-11-07 05:02:26.718010|INFO    |Query         |   |query from 257 45.177.139.66:41683 attempted to login with account "27.133.139.102" and failed!
2021-11-07 05:14:24.711742|INFO    |Query         |   |query from 282 45.177.139.66:36486 attempted to login with account "27.133.139.104" and failed!
2021-11-07 05:19:13.802166|INFO    |Query         |   |query from 293 45.177.139.66:35826 attempted to login with account "27.133.139.104" and failed!
2021-11-07 05:31:07.611010|INFO    |Query         |   |query from 318 45.177.139.66:1056 attempted to login with account "27.133.146.245" and failed!
2021-11-07 05:35:52.766579|INFO    |Query         |   |query from 327 45.177.139.66:18494 attempted to login with account "27.133.146.245" and failed!
2021-11-07 05:47:52.495889|INFO    |Query         |   |query from 352 45.177.139.66:57419 attempted to login with account "27.133.147.197" and failed!
2021-11-07 05:52:31.265439|INFO    |Query         |   |query from 363 45.177.139.66:3344 attempted to login with account "27.133.147.197" and failed!
2021-11-07 06:04:12.953763|INFO    |Query         |   |query from 388 45.177.139.66:54916 attempted to login with account "27.133.149.228" and failed!
2021-11-07 06:08:55.068846|INFO    |Query         |   |query from 397 45.177.139.66:19794 attempted to login with account "27.133.149.228" and failed!
2021-11-07 06:20:39.916166|INFO    |Query         |   |query from 422 45.177.139.66:36973 attempted to login with account "27.133.149.231" and failed!
2021-11-07 06:25:19.806829|INFO    |Query         |   |query from 433 45.177.139.66:19126 attempted to login with account "27.133.149.231" and failed!
2021-11-07 06:37:12.977286|INFO    |Query         |   |query from 458 45.177.139.66:21638 attempted to login with account "27.133.149.68" and failed!
2021-11-07 06:41:58.732261|INFO    |Query         |   |query from 467 45.177.139.66:16184 attempted to login with account "27.133.149.68" and failed!
2021-11-07 06:54:02.876441|INFO    |Query         |   |query from 493 45.177.139.66:45740 attempted to login with account "27.133.152.224" and failed!
2021-11-07 06:58:49.234629|INFO    |Query         |   |query from 503 45.177.139.66:27638 attempted to login with account "27.133.152.224" and failed!
2021-11-07 07:10:42.694055|INFO    |Query         |   |query from 528 45.177.139.66:60079 attempted to login with account "27.133.155.66" and failed!
2021-11-07 07:15:21.408517|INFO    |Query         |   |query from 539 45.177.139.66:52571 attempted to login with account "27.133.155.66" and failed!
2021-11-07 07:27:21.655233|INFO    |Query         |   |query from 564 45.177.139.66:35256 attempted to login with account "27.133.236.97" and failed!
2021-11-07 07:32:07.879293|INFO    |Query         |   |query from 575 45.177.139.66:12433 attempted to login with account "27.133.236.97" and failed!
2021-11-07 07:44:12.241725|INFO    |Query         |   |query from 600 45.177.139.66:65168 attempted to login with account "27.134.252.125" and failed!
2021-11-07 07:49:00.039777|INFO    |Query         |   |query from 609 45.177.139.66:30745 attempted to login with account "27.134.252.125" and failed!
2021-11-07 08:00:55.438677|INFO    |Query         |   |query from 637 45.177.139.66:13811 attempted to login with account "27.135.201.140" and failed!
2021-11-07 08:05:39.221321|INFO    |Query         |   |query from 648 45.177.139.66:41232 attempted to login with account "27.135.201.140" and failed!
2021-11-07 08:17:39.229686|INFO    |Query         |   |query from 673 45.177.139.66:51189 attempted to login with account "27.147.48.56" and failed!
2021-11-07 08:22:21.535535|INFO    |Query         |   |query from 684 45.177.139.66:9331 attempted to login with account "27.147.48.56" and failed!
2021-11-07 08:34:18.349744|INFO    |Query         |   |query from 709 45.177.139.66:27203 attempted to login with account "27.148.147.3" and failed!
2021-11-07 08:39:03.248660|INFO    |Query         |   |query from 720 45.177.139.66:28156 attempted to login with account "27.148.147.3" and failed!
2021-11-07 08:51:06.397120|INFO    |Query         |   |query from 745 45.177.139.66:54684 attempted to login with account "27.148.147.49" and failed!
2021-11-07 08:55:50.978107|INFO    |Query         |   |query from 754 45.177.139.66:61600 attempted to login with account "27.148.147.49" and failed!
2021-11-07 09:07:44.491331|INFO    |Query         |   |query from 779 45.177.139.66:23979 attempted to login with account "27.148.148.1" and failed!
2021-11-07 09:12:24.370942|INFO    |Query         |   |query from 790 45.177.139.66:49342 attempted to login with account "27.148.148.1" and failed!
2021-11-07 09:24:18.506580|INFO    |Query         |   |query from 815 45.177.139.66:4039 attempted to login with account "27.148.148.6" and failed!
2021-11-07 09:29:04.000908|INFO    |Query         |   |query from 826 45.177.139.66:21327 attempted to login with account "27.148.148.6" and failed!
2021-11-07 09:40:51.102338|INFO    |Query         |   |query from 849 45.177.139.66:10266 attempted to login with account "27.151.28.1" and failed!
2021-11-07 09:45:28.388081|INFO    |Query         |   |query from 860 45.177.139.66:5429 attempted to login with account "27.151.28.1" and failed!
2021-11-07 09:57:20.539174|INFO    |Query         |   |query from 885 45.177.139.66:18311 attempted to login with account "27.151.29.1" and failed!
2021-11-07 10:02:05.095781|INFO    |Query         |   |query from 896 45.177.139.66:35026 attempted to login with account "27.151.29.1" and failed!
2021-11-07 10:13:52.472767|INFO    |Query         |   |query from 919 45.177.139.66:44497 attempted to login with account "27.151.29.254" and failed!
2021-11-07 10:18:41.306048|INFO    |Query         |   |query from 930 45.177.139.66:19421 attempted to login with account "27.151.29.254" and failed!
2021-11-07 10:30:13.714533|INFO    |Query         |   |query from 955 45.177.139.66:49214 attempted to login with account "27.154.236.246" and failed!
2021-11-07 10:34:53.359179|INFO    |Query         |   |query from 964 45.177.139.66:55020 attempted to login with account "27.154.236.246" and failed!
2021-11-07 10:46:57.306163|INFO    |Query         |   |query from 989 45.177.139.66:42797 attempted to login with account "27.155.78.124" and failed!
2021-11-07 10:51:39.849611|INFO    |Query         |   |query from 1000 45.177.139.66:1962 attempted to login with account "27.155.78.124" and failed!
2021-11-07 11:03:33.059746|INFO    |Query         |   |query from 1025 45.177.139.66:21184 attempted to login with account "27.155.81.121" and failed!
2021-11-07 11:08:13.293416|INFO    |Query         |   |query from 1036 45.177.139.66:29908 attempted to login with account "27.155.81.121" and failed!
2021-11-07 11:20:36.257662|INFO    |Query         |   |query from 1061 45.177.139.66:39955 attempted to login with account "27.155.82.1" and failed!
2021-11-07 11:25:12.759570|INFO    |Query         |   |query from 1072 45.177.139.66:26753 attempted to login with account "27.155.82.1" and failed!
2021-11-07 11:36:57.420202|INFO    |Query         |   |query from 1096 45.177.139.66:8279 attempted to login with account "27.17.13.46" and failed!
2021-11-07 11:41:34.782653|INFO    |Query         |   |query from 1107 45.177.139.66:39260 attempted to login with account "27.17.13.46" and failed!
2021-11-07 11:53:26.959206|INFO    |Query         |   |query from 1132 45.177.139.66:56184 attempted to login with account "27.17.27.74" and failed!
2021-11-07 11:58:42.919287|INFO    |Query         |   |query from 1143 45.177.139.66:5317 attempted to login with account "27.17.27.74" and failed!
2021-11-07 12:11:38.411750|INFO    |Query         |   |query from 1170 45.177.139.66:8269 attempted to login with account "27.17.31.86" and failed!
2021-11-07 12:16:44.770602|INFO    |Query         |   |query from 1181 45.177.139.66:53854 attempted to login with account "27.17.31.86" and failed!
2021-11-07 12:29:55.816280|INFO    |Query         |   |query from 1208 45.177.139.66:41552 attempted to login with account "27.17.3.6" and failed!
2021-11-07 12:34:39.893719|INFO    |Query         |   |query from 1219 45.177.139.66:8905 attempted to login with account "27.17.3.6" and failed!
2021-11-07 12:47:07.544053|INFO    |Query         |   |query from 1247 45.177.139.66:28344 attempted to login with account "27.17.40.250" and failed!
2021-11-07 12:51:50.068478|INFO    |Query         |   |query from 1256 45.177.139.66:36103 attempted to login with account "27.17.40.250" and failed!
2021-11-07 13:04:21.106400|INFO    |Query         |   |query from 1283 45.177.139.66:35048 attempted to login with account "27.1.76.9" and failed!
2021-11-07 13:50:08.467092|INFO    |              |   |myTeamSpeak identifier revocation list was downloaded successfully - all related features are activated
2021-11-08 01:43:26.841755|INFO    |VirtualSvrMgr |   |startServer() VirtualServer(1) started

Hello,

Following behavioral tests, I have come to the conclusion that only “query connection failed!” entries are displayed in the log file “_0.log” and any other successful connections are displayed in the log file “_1.log”. Can you confirm this behavior to me? I would like to install a remediation system in case of attack or abusive testing, based on the TeamSpeak logs.

Have a good day

If that’s a known IP for you then it means you have specified the IP address as user while trying to connect.

I’m not sure if the exact error would be logged if you don’t specify a user but it might be the case.

If you connect to an endpoint you usually specify the user, IP address and port.
For example:

ssh [email protected] -p 11001

Unsuccessful login tries will always be logged in the instance log (log0 file).

Successful logins and query actions will be logged for the associated virtual server (if enabled).

If that IP address isn’t known you should consider changing the query port to a non-default value.

If that’s not possible for any reason you can drop/block inbound connections for the IP address to get rid of the login tries.

Another useful option for external query access can be to allow inbound connections from selected source IPs only.
For example for services like TSViewer etc.
(they specify that requests always come from the same source IP)
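A sketch of the log-based detection discussed in this thread, added here as an example (it is not code from any participant or from TeamSpeak): it parses the failed query login lines of the instance log, skips sources on the `query_ip_allowlist`, and reports each source IP that reaches a failure threshold within a time window. The function names, the threshold of 3, the one-hour window and the handling of bracketed IPv6 sources are assumptions; in the posted log the attempts arrive several minutes apart, so a window of only a few minutes would never trigger.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Matches the failed-query-login lines of the instance log ("_0.log") shown above.
FAILED = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\|[^|]*\|Query\s*\|[^|]*\|'
    r'query from \d+ (?P<host>.+):\d+ attempted to login '
    r'with account "(?P<account>.*)" and failed!\s*$')

ALLOW = ["192.122.42.111/32", "127.0.0.1/32", "::1/128"]  # query_ip_allowlist from the log
# First five lines are copied from the posted log; the last three are constructed.
SAMPLE = """\
2021-11-07 03:01:32.030665|INFO    |Query         |   |listening for query on 0.0.0.0:10011, [::]:10011
2021-11-07 03:06:07.273931|INFO    |Query         |   |query from 11 45.177.139.66:45884 attempted to login with account "27.133.135.229" and failed!
2021-11-07 03:18:01.107629|INFO    |Query         |   |query from 34 45.177.139.66:9963 attempted to login with account "27.133.135.245" and failed!
2021-11-07 03:22:40.604058|INFO    |Query         |   |query from 45 45.177.139.66:40128 attempted to login with account "27.133.135.245" and failed!
2021-11-07 03:34:25.868951|INFO    |Query         |   |query from 70 45.177.139.66:15080 attempted to login with account "27.133.135.253" and failed!
2021-11-07 03:40:00.000000|INFO    |Query         |   |query from 90 192.122.42.111:40000 attempted to login with account "serveradmin" and failed!
2021-11-07 03:40:05.000000|INFO    |Query         |   |query from 91 192.122.42.111:40001 attempted to login with account "serveradmin" and failed!
2021-11-07 03:40:10.000000|INFO    |Query         |   |query from 92 192.122.42.111:40002 attempted to login with account "serveradmin" and failed!
""".splitlines()

def parse_failed(line):
    """Return (timestamp, source_ip, account) for a failed login line, else None."""
    m = FAILED.match(line)
    if not m:
        return None
    try:
        src = ip_address(m["host"].strip("[]"))  # assumption: IPv6 may be bracketed
    except ValueError:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), src, m["account"]

def offenders(lines, allow=ALLOW, threshold=3, window=timedelta(hours=1)):
    """Map source IP -> time it first reached `threshold` failures within `window`."""
    nets = [ip_network(a) for a in allow]
    recent, hits = defaultdict(deque), {}
    for ts, src, _account in filter(None, map(parse_failed, lines)):
        if any(src in n for n in nets):
            continue  # never act on allowlisted sources
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold:
            hits.setdefault(str(src), ts)
    return hits
```

The addresses returned by `offenders()` are the candidates for a firewall drop rule or the `query_ip_denylist`.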

Hello @FakE

Thank you for your answer, so this confirms what it seemed to me I had observed after testing.

Unfortunately, most IPs are dynamic for the people who need to have access to the Query; only two servers, TSDNS and Monitoring, have fixed IPs. On the other hand, the port change might actually be a good first solution.
I will also think about how to set up a remediation system in case of attack or abusive testing, based on the TeamSpeak instance logs “_0.log”.

Another question: for example, I currently have the three query interfaces open:
listening for query (telnet)
listening for ssh query
listening for http query

Is there a way to know from the logs which interface is being attacked?

Thanks to you

In the server log you won’t find that information.

That is something you may find in firewall logs or other tools that listen to ports.


Hello,

Okay, thanks to both of you for the information.
This subject can therefore be closed now.

Have a good day
