[nsp-sec] as 6453 38550 ssh bruteforce from a /24 block?

Smith, Donald Donald.Smith at qwest.com
Fri Feb 29 11:15:59 EST 2008


I was theorizing that one or a few systems were compromised within that block and doing some type of man-in-the-middle ARP hijack to spoof the full connection within a "LAN".
 
donald.smith at qwest.com giac

________________________________

From: Rob Thomas [mailto:robt at cymru.com]
Sent: Fri 2/29/2008 8:58 AM
To: Smith, Donald
Cc: nsp-security at puck.nether.net
Subject: Re: [nsp-sec] as 6453 38550 ssh bruteforce from a /24 block?

Hi, Don.

> 58.147.10.0/24.

How does this netblock love thee?  I can not count all the ways.  
This is a /24 full of fun!

There are a couple of botnets that have quite a few bots in that /24.  Some examples include:

    bloodz.bloodzx.com
    zeroh4xbj.no-ip.biz

Those bots are often used as IRC bounces, so I suspect that /24 
receives as much DDoS and scans as it generates.

The /24 is mostly Windows machines with a smattering of Linux boxes.

We see lots of TCP 22 scanning from that netblock starting at least 
as early as 2008-01-02 11:04:20 UTC.  The scanners appear to be 
attached to a botnet on:

    209.61.182.250 TCP 9173

That seems defunct presently.

There's also a fair bit of TCP 135 scanning coming from that /24, 
going back at least to 2008-01-09 07:56:25 UTC.

I'd wager this is a largely compromised netblock chock-full of bots.  
Anyone have a contact at Maxnet AS24326?  Barry?

Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
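Added example (not code from this thread or from either poster): a short Python script that does what the subject line asks about, grouping sshd failed-password lines by source /24 and counting how many distinct hosts in each block are attempting logins. Many distinct hosts in one /24 is the "netblock full of bots" pattern Rob describes, as opposed to one noisy host, and is the case for treating the block rather than a single address. The log lines are constructed and use RFC 5737 documentation addresses rather than the netblock under discussion; the thresholds in suspicious_blocks are assumptions.

```python
"""Aggregate sshd brute-force attempts by source /24.

Added example for this thread, not code from the list or its posters.
The log lines below are constructed; the addresses are RFC 5737
documentation ranges, not the /24 discussed in the thread.
"""
import ipaddress
import re
from collections import defaultdict

# Standard OpenSSH auth.log failure line; "Accepted ..." lines are ignored.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)

# Constructed sample log: one /24 with several attacking hosts, one /24
# with a single attacking host, and one successful key login as noise.
SAMPLE_LOG = """\
Feb 29 10:01:02 host sshd[1001]: Failed password for root from 203.0.113.5 port 50123 ssh2
Feb 29 10:01:03 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 50124 ssh2
Feb 29 10:01:09 host sshd[1003]: Failed password for root from 203.0.113.77 port 41000 ssh2
Feb 29 10:01:11 host sshd[1004]: Failed password for invalid user test from 203.0.113.130 port 41001 ssh2
Feb 29 10:01:15 host sshd[1005]: Failed password for root from 203.0.113.201 port 41002 ssh2
Feb 29 10:01:20 host sshd[1006]: Accepted publickey for deploy from 198.51.100.9 port 22000 ssh2
Feb 29 10:02:00 host sshd[1007]: Failed password for root from 198.51.100.9 port 22001 ssh2
Feb 29 10:02:01 host sshd[1008]: Failed password for root from 198.51.100.9 port 22002 ssh2
Feb 29 10:02:02 host sshd[1009]: Failed password for root from 198.51.100.9 port 22003 ssh2
"""


def parse_failures(log_text):
    """Yield (user, source_ip) for every failed-password line in the log."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def summarize_by_block(log_text, prefixlen=24):
    """Group failures by source /prefixlen.

    Returns {block: (failed_attempts, distinct_source_hosts)}.
    """
    attempts = defaultdict(int)
    hosts = defaultdict(set)
    for _user, ip in parse_failures(log_text):
        # strict=False masks the host bits so we get the containing network.
        block = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        attempts[block] += 1
        hosts[block].add(ip)
    return {str(b): (attempts[b], len(hosts[b])) for b in attempts}


def suspicious_blocks(summary, min_attempts=3, min_hosts=2):
    """Return blocks where several distinct hosts are brute-forcing.

    Thresholds are assumptions for the example. A single host with many
    failures is ordinary brute force; several hosts in one /24 is the
    many-bots pattern discussed in the thread.
    """
    return sorted(
        block for block, (n, h) in summary.items()
        if n >= min_attempts and h >= min_hosts
    )


if __name__ == "__main__":
    summary = summarize_by_block(SAMPLE_LOG)
    for block, (n, h) in sorted(summary.items()):
        print(f"{block}: {n} failed logins from {h} distinct hosts")
    print("multi-host blocks:", suspicious_blocks(summary))
```

On the sample log this reports 203.0.113.0/24 with five failures from four hosts and 198.51.100.0/24 with three failures from one host, and flags only the first. Feeding it a real auth.log and raising prefixlen to 16 or 22 gives the same view per larger allocation, which is what you want before deciding whether to contact the block's owner (as Rob does above) rather than just dropping one address.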
