[nsp-sec] coordinated telnet scan of 149.163.0.0

Smith, Donald Donald.Smith at qwest.com
Mon Feb 11 13:18:29 EST 2008


David, by coordinated do you mean they shared a common dictionary but
used separate portions of that dictionary?

We had reports of that type of coordination for ssh attacks last year.
http://isc2.sans.org/diary.html?storyid=3529


RM=for(1)
{manage_risk(identify_risk(product[i++]))}
Donald.Smith at qwest.com giac 

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> Greenberg, David A
> Sent: Monday, February 11, 2008 10:56 AM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] coordinated telnet scan of 149.163.0.0
> 
> ----------- nsp-security Confidential --------
> 
> Over the past day, we noticed a coordinated telnet sweep of part of
> our address space (149.163.0.0).  It seems like each source IP would
> scan a section, then an hour or so later, a different IP would pick up
> where the last left off.  Below is the list of sources with a UTC
> timestamp.

Thanks,
David Greenberg - AS87

AS      | IP               | Info                    | AS Name
71      | 15.235.211.254   | 2008-02-11 09:32:26 UTC | HP-INTERNET-AS Hewlett-Packard Company
109     | 64.102.253.107   | 2008-02-11 06:54:50 UTC | CISCO-EU-109 Cisco Systems Global ASN - ARIN Assigned
4538    | 222.17.127.252   | 2008-02-10 21:06:48 UTC | ERX-CERNET-BKB China Education and Research Network Center
4766    | 121.147.172.11   | 2008-02-10 17:41:57 UTC | KIXS-AS-KR Korea Telecom
4766    | 220.123.31.12    | 2008-02-11 04:27:12 UTC | KIXS-AS-KR Korea Telecom
7132    | 69.215.194.211   | 2008-02-11 06:21:00 UTC | SBIS-AS - AT&T Internet Services
8077    | 66.251.130.91    | 2008-02-11 10:16:10 UTC | OHIOONLINE - OhioOnline, Inc.
9498    | 203.101.103.194  | 2008-02-10 22:08:23 UTC | BBIL-AP BHARTI BT INTERNET LTD.
12969   | 193.4.194.2      | 2008-02-11 05:13:57 UTC | VODAFONE_ICELAND Backbone Autonomous System
18530   | 206.124.145.215  | 2008-02-11 12:28:43 UTC | ISOMEDIA-1 - Isomedia Inc.
38094   | 58.76.216.15     | 2008-02-10 16:17:06 UTC | TCBNET-AS-KR TCBNET


-- 
David Greenberg, GSEC, GCWN, GCFA
University Information Security Office
Information and Infrastructure Assurance
Office of the Vice President for Information Technology and CIO
Indiana University 
dgreenbe at iu.edu
(317) 274-0745
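
The hand-off pattern described in the report (one source sweeps a section, a different source later resumes where it stopped) can be checked for in flow records; the following is an added example, not code from either poster. The flow tuple layout, the thresholds, the 10.20.0.0 target range and the documentation-range source addresses are all assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

def find_handoff_chains(flows, port=23, min_hosts=20, max_gap=8,
                        max_delay=timedelta(hours=3), min_sources=3):
    """Return lists of sources whose sweeps of `port` continue one another."""
    seen = defaultdict(lambda: {"dsts": set(), "first": None, "last": None})
    for ts, src, dst, dport in flows:
        if dport != port:
            continue
        s = seen[src]
        s["dsts"].add(int(ip_address(dst)))
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    # Only sources that touched many distinct hosts count as sweepers.
    sweeps = sorted((s["first"], s["last"], min(s["dsts"]), max(s["dsts"]), src)
                    for src, s in seen.items() if len(s["dsts"]) >= min_hosts)
    chains, chain = [], []
    for sweep in sweeps:
        if chain:
            _, prev_last, _, prev_hi, _ = chain[-1]
            first, _, lo, _, _ = sweep
            # Continuation: starts just above the previous range, soon afterwards.
            continues = (0 < lo - prev_hi <= max_gap
                         and timedelta(0) <= first - prev_last <= max_delay)
            if not continues:
                if len(chain) >= min_sources:
                    chains.append([c[4] for c in chain])
                chain = []
        chain.append(sweep)
    if len(chain) >= min_sources:
        chains.append([c[4] for c in chain])
    return chains

def constructed_flows():
    """Constructed sample: three sources sweep 10.20.0.0 in turn, plus noise."""
    base, t0 = int(ip_address("10.20.0.0")), datetime(2008, 2, 10, 16, 0)
    flows = []
    for i, src in enumerate(["192.0.2.10", "198.51.100.20", "203.0.113.30"]):
        start = t0 + timedelta(minutes=90 * i)
        for n in range(64):  # each source covers the next 64 addresses
            dst = str(ip_address(base + 64 * i + n))
            flows.append((start + timedelta(seconds=20 * n), src, dst, 23))
    flows.append((t0, "192.0.2.99", "10.20.9.9", 23))  # single telnet session
    flows += [(t0, "198.51.100.77", str(ip_address(base + n)), 22) for n in range(64)]
    return flows

if __name__ == "__main__":
    print(find_handoff_chains(constructed_flows()))
```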

