[nsp-sec] 598 Compromised hosts
Smith, Donald
Donald.Smith at qwest.com
Tue Jul 1 18:35:03 EDT 2008
Netflow report complete. I stand corrected in that I now believe those
ips are botted.
They are talking to 69.64.76.38 on tcp port 2008.
That ip is listed here:
http://www.emergingthreats.net/rules/emerging-botcc-BLOCK.rules
alert ip $HOME_NET any -> [<SNIP long list of ips] any (msg:"ET DROP
Known Bot C&C Traffic (group 15) - BLOCKING SOURCE";
reference:url,www.shadowserver.org; threshold: type limit, track by_src,
seconds 3600, count 1; classtype:trojan-activity; sid:2405014; rev:1211;
fwsam: dst, 30 days;)
They are also talking to 189.17.122.195 on tcp 5555.
That ip also shows up in the emergingthreats rules with a pointer to
shadowserver.org.
I searched shadowserver.org for the ips and didn't get a match.
We will get our customers notified.
Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com giac
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Smith, Donald
> Sent: Tuesday, July 01, 2008 3:31 PM
> To: Nicholas Ianelli
> Cc: nsp-security NSP
> Subject: Re: [nsp-sec] 598 Compromised hosts
>
> ----------- nsp-security Confidential --------
>
>
>
> Security through obscurity WORKS against some worms and ssh attacks:)
> Donald.Smith at qwest.com giac
>
> > -----Original Message-----
> > From: Nicholas Ianelli [mailto:ni at cert.org]
> > Sent: Tuesday, July 01, 2008 3:06 PM
> > To: Smith, Donald
> > Cc: nsp-security NSP
> > Subject: Re: [nsp-sec] 598 Compromised hosts
> >
> > | :i use stacheldraht.
> > | :mostly out of Solaris boxes
> > | :shcrew kit and t0rnkit coded by me.
> > |
> >
> > |> shv5 and others in the family included synscan.
> > |> Tornkit2 shared elements from ramen which used synscan.
> > |> I was told that some versions of torn used synscan but I never saw one:(
> > |
> > |> Does he use psych0id, mixer, or pint as an aliases?
> >
> > I've only seen the following:
> >
> > KH4ALED
> > Danny-Boy
> > brzi
> > SDK
> >
> > I highly doubt he's the author of any of those. I'd chalk it up to
> > talking trash. Though he may have made "custom" mods (take that for
> > whatever it's worth).
> >
> > What I'd like to know is the OSes of the compromised hosts; if they are
> > Solaris boxes, he may have some power. I've sent emails to a few South
> > American contacts (thanks Guilherme), I'm hoping for some data points.
> >
> > Any ideas on the three below?
>
> Three dynamic DSL IP addresses in Phoenix, KC and Portland.
> Our DSL dynamic IP address space is not a good place to run services.
> The IPs change too frequently.
>
> None of them appear to be running well-known services (ssh, telnet or
> http) on standard ports.
> I will go look at netflow, but I would bet nearly anything these are not
> Solaris systems.
> I am running a report now to see what is in netflow for those systems,
> but this is beginning to look like a false positive.
>
>
> >
> > | |
> > | | The ASN - IP mapping can be found here:
> > | |
> > | | https://asn.cymru.com/nsp-sec/upload/1214882891.whois.txt
> >
> > | |
> > | | 209 | 63.229.83.8 | ASN-QWEST - Qwest
> > | | 209 | 70.56.99.180 | ASN-QWEST - Qwest
> > | | 209 | 71.34.70.112 | ASN-QWEST - Qwest
> >
> > Nick
> >
>
>
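As an added example (not code from the thread, from Qwest or from Emerging Threats), here is the netflow correlation Donald describes at the top of the thread, with the `threshold: type limit, track by_src, seconds 3600, count 1` clause of the quoted ET botcc rule reproduced so each infected source alerts once per hour. The two C&C endpoints are the ones named in the thread; the flow records and source addresses are constructed.

```python
"""Match flow records against known C&C endpoints and apply Snort-style
'threshold: type limit, track by_src, seconds 3600, count 1' semantics.
Added example; SAMPLE_FLOWS is constructed, not real netflow."""
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst proto dport")   # ts = epoch seconds

# C&C endpoints named in the thread (destination IP, protocol, dest port).
CNC_ENDPOINTS = {
    ("69.64.76.38", "tcp", 2008),
    ("189.17.122.195", "tcp", 5555),
}
THRESHOLD_SECONDS = 3600   # seconds 3600
THRESHOLD_COUNT = 1        # count 1


def correlate(flows, endpoints=CNC_ENDPOINTS, window=THRESHOLD_SECONDS,
              count=THRESHOLD_COUNT):
    """Return (alerts, suppressed): alerts are (ts, src, dst, dport) tuples,
    at most `count` per source per `window` (Snort 'type limit, track
    by_src'); `suppressed` counts matching flows swallowed by the limit."""
    window_start = {}   # src -> first-event time of its current window
    emitted = {}        # src -> alerts already emitted in that window
    alerts, suppressed = [], 0
    for f in sorted(flows, key=lambda f: f.ts):
        if (f.dst, f.proto, f.dport) not in endpoints:
            continue                     # not C&C traffic, ignore
        start = window_start.get(f.src)
        if start is None or f.ts - start >= window:
            window_start[f.src], emitted[f.src] = f.ts, 0   # open new window
        if emitted[f.src] < count:
            emitted[f.src] += 1
            alerts.append((f.ts, f.src, f.dst, f.dport))
        else:
            suppressed += 1
    return alerts, suppressed


def hosts_to_notify(alerts):
    """Distinct infected sources: the list handed to customer notification."""
    return sorted({src for _, src, _, _ in alerts})


# Constructed sample: two beaconing hosts (RFC 5737 addresses), one clean host.
SAMPLE_FLOWS = [
    Flow(0,    "192.0.2.10", "69.64.76.38",    "tcp", 2008),
    Flow(600,  "192.0.2.10", "69.64.76.38",    "tcp", 2008),   # same window
    Flow(4000, "192.0.2.10", "69.64.76.38",    "tcp", 2008),   # window expired
    Flow(30,   "192.0.2.20", "189.17.122.195", "tcp", 5555),
    Flow(45,   "192.0.2.30", "198.51.100.5",   "tcp", 443),    # benign
]
```

Running `correlate(SAMPLE_FLOWS)` yields three alerts (the 600 s repeat from 192.0.2.10 is suppressed) and `hosts_to_notify` returns the two beaconing sources.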