[nsp-sec] 598 Compromised hosts

Smith, Donald Donald.Smith at qwest.com
Tue Jul 1 17:31:17 EDT 2008



Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com giac 

> -----Original Message-----
> From: Nicholas Ianelli [mailto:ni at cert.org] 
> Sent: Tuesday, July 01, 2008 3:06 PM
> To: Smith, Donald
> Cc: nsp-security NSP
> Subject: Re: [nsp-sec] 598 Compromised hosts
> 
> | :i use stacheldraht.
> | :mostly out of Solaris boxes
> | :shcrew kit and t0rnkit coded by me.
> |
> 
> |> shv5 and others in the family included synscan.
> |> Tornkit2 shared elements from ramen which used synscan.
> |> I was told that some versions of torn used synscan but I never saw one:(
> |
> |> Does he use psych0id, mixer, or pint as an aliases?
> 
> I've only seen the following:
> 
> KH4ALED
> Danny-Boy
> brzi
> SDK
> 
> I highly doubt he's the author of any of those. I'd chalk it up to
> talking trash. Though he may have made "custom" mods (take that for
> whatever it's worth).
> 
> What I'd like to know is the OS' of the compromised hosts, if they are
> Solaris boxes, he may have some power. I've sent emails to a few South
> American contacts (thanks Guilherme), I'm hoping for some data points.
> 
> Any ideas on the three below?

Three dynamic DSL IP addresses in Phoenix, KC and Portland.
Our DSL dynamic IP address space is not a good place to run services.
The IPs change too frequently.

None of them appear to be running well-known services (SSH, Telnet or
HTTP) on standard ports.
I will go look at netflow, but I would bet nearly anything these are not
Solaris systems.
I am running a report now to see what is in netflow for those systems,
but this is beginning to look like a false positive.


> 
> | |
> | | The ASN - IP mapping can be found here:
> | |
> | | https://asn.cymru.com/nsp-sec/upload/1214882891.whois.txt
> 
> | |
> | | 209     | 63.229.83.8      | ASN-QWEST - Qwest
> | | 209     | 70.56.99.180     | ASN-QWEST - Qwest
> | | 209     | 71.34.70.112     | ASN-QWEST - Qwest
> 
> Nick

