[nsp-sec] as 6453 38550 ssh bruteforce from a /24 block?
Rob Thomas
robt at cymru.com
Fri Feb 29 10:58:32 EST 2008
Hi, Don.
> 58.147.10.0/24.
How does this netblock love thee? I can not count all the ways.
This is a /24 full of fun!
There are a couple of botnets that have quite a few bots in that /24.
Some examples include:
bloodz.bloodzx.com
zeroh4xbj.no-ip.biz
Those bots are often used as IRC bounces, so I suspect that /24
receives as much DDoS and scans as it generates.
The /24 is mostly Windows machines with a smattering of Linux boxes.
We see lots of TCP 22 scanning from that netblock starting at least
as early as 2008-01-02 11:04:20 UTC. The scanners appear to be
attached to a botnet on:
209.61.182.250 TCP 9173
That seems defunct presently.
There's also a fair bit of TCP 135 scanning coming from that /24,
going back at least to 2008-01-09 07:56:25 UTC.
I'd wager this is a largely compromised netblock chock-full of bots.
Anyone have a contact at Maxnet AS24326? Barry?
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);