[nsp-sec] 598 Compromised hosts

Nicholas Ianelli ni at cert.org
Tue Jul 1 18:37:29 EDT 2008


I didn't mean to imply that the boxes were all compromised *nix boxes or solaris. The attacker was just referring to having a botnet of that caliber.

Nick


--------------------------
Not PGP signed, sent from my BlackBerry


-----Original Message-----
From: Smith, Donald
To: Nicholas Ianelli
CC: nsp-security NSP
Sent: Tue Jul 01 17:31:17 2008
Subject: RE: [nsp-sec] 598 Compromised hosts



Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com giac 

> -----Original Message-----
> From: Nicholas Ianelli [mailto:ni at cert.org] 
> Sent: Tuesday, July 01, 2008 3:06 PM
> To: Smith, Donald
> Cc: nsp-security NSP
> Subject: Re: [nsp-sec] 598 Compromised hosts
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> 
> 
> | :i use stacheldraht.
> | :mostly out of Solaris boxes
> | :shcrew kit and t0rnkit coded by me.
> |
> 
> |> shv5 and others in the family included synscan.
> |> Tornkit2 shared elements from ramen which used synscan.
> |> I was told that some versions of torn used synscan but I never saw one:(
> |
> |> Does he use psych0id, mixer, or pint as an aliases?
> 
> I've only seen the following:
> 
> KH4ALED
> Danny-Boy
> brzi
> SDK
> 
> I highly doubt he's the author of any of those. I'd chalk it up to
> talking trash. Though he may have made "custom" mods (take that for
> whatever it's worth).
> 
> What I'd like to know is the OS' of the compromised hosts, if they are
> Solaris boxes, he may have some power. I've sent emails to a few South
> American contacts (thanks Guilherme), I'm hoping for some data points.
> 
> Any ideas on the three below?

Three dynamic DSL IP addresses in Phoenix, KC and Portland.
Our DSL dynamic IP address space is not a good place to run services.
The IPs change too frequently.

None of them appear to be running well-known services (ssh, telnet or
http) on standard ports.
I will go look at netflow, but I would bet nearly anything these are not
Solaris systems.
I am running a report now to see what is in netflow for those systems,
but this is beginning to look like a false positive.


> 
> | |
> | | The ASN - IP mapping can be found here:
> | |
> | | https://asn.cymru.com/nsp-sec/upload/1214882891.whois.txt
> 
> | |
> | | 209     | 63.229.83.8      | ASN-QWEST - Qwest
> | | 209     | 70.56.99.180     | ASN-QWEST - Qwest
> | | 209     | 71.34.70.112     | ASN-QWEST - Qwest
> 
> Nick
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (MingW32)
> 
> iD8DBQFIapw4i10dJIBjZIARCNGeAKCCRUd4Sj20oxAIdHyKT/9J68fdvACgn8An
> jV0xXH1Fey5LM/uUb2QZaeI=
> =y0nG
> -----END PGP SIGNATURE-----
> 

