[nsp-sec] finding the controllers/stepping stones.

Smith, Donald Donald.Smith at qwest.com
Thu Sep 11 14:17:19 EDT 2008



Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com giac 

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> sthaug at nethelp.no
> Sent: Thursday, September 11, 2008 11:24 AM
> To: nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] coordinated slow ssh crack attempts
> 
> ----------- nsp-security Confidential --------
> 
> > Daniel Gerzo who has been fairly active in ssh bruteforce
> > blocking has a list of ssh bruteforce attackers here:
> > http://danger.rulez.sk/projects/bruteforceblocker/blist.php
> >
> > Whois info here:
> > https://asn.cymru.com/nsp-sec/upload/1221065932.whois.txt
> >
> > I checked several of the IP addresses that Mike submitted.
> > The ones I checked were in this list too.
> > Those were also checked at
> > http://isc.sans.org/ipdetails.html?ip=xxx.xxx.xxx.xxx and the
> > ones I checked showed up there as being reported for ssh attacks.
> >
> > So I didn't validate the ENTIRE list but did spot check
> > against several sources with zero false positives so far.
> 
> AS 2116 hosts validated against netflow data, handed to abuse team.
Thanks Steinar! It helps when others validate these types of lists.

Did you see any remote control traffic or unusual traffic?
I assume the bot control is on port 22 but that is just an assumption.
Here is a list of systems coming towards some of the bruteforcers on
port 22.
Now these could just be other systems trying to ssh bruteforce.


39906   | 77.104.220.225   | COPROSYS CoProSys a.s.
20959   | 80.207.171.46    | TELECOM-ITALIA-DATA-COM This AS Number will be used by the Datacom Network.
7738    | 200.141.223.99   | Telecomunicacoes da Bahia S.A.
7256    | 166.77.191.141   | VIACOM-AS - Viacom Inc.
4847    | 219.142.3.250    | CNIX-AP China Networks Inter-Exchange
4808    | 61.135.173.69    | CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
3304    | 193.34.91.174    | SCARLET Scarlet Belgium
Bulk mode; whois.cymru.com [2008-09-11 18:07:41 +0000]


  20 61.135.173.69
   5 166.77.191.141
   1 80.207.171.46
   1 77.104.220.225
   1 219.142.3.250
   1 200.141.223.99
   1 193.34.91.174
All but 166.77.191.141 are in the list I provided yesterday as ssh
bruteforcers.
This could mean more than one set of ssh bruteforcers and they are
attempting to break into each others' systems. Or these could be the
control systems (stepping stones).

> 
> Steinar Haug, AS 2116
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the 
> nsp-security
> community. Confidentiality is essential for effective 
> Internet security counter-measures.
> _______________________________________________
> 
> 


This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly 
prohibited and may be unlawful.  If you have received this communication 
in error, please immediately notify the sender by reply e-mail and destroy 
all copies of the communication and any attachments.
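Editor's added example (not part of the original e-mail, and not Donald's or Steinar's code): the triage described in the message above, written out as a script. It takes a set of known ssh bruteforcer addresses and some flow records, counts every source that connects to port 22 on a known bruteforcer (the "uniq -c" style list in the mail), and then splits those sources into ones already on the bruteforcer list (possibly rival crews attacking each other, as the mail suggests) and ones that are not (candidates for controllers or stepping stones). The fan-out count at the end is the editor's own heuristic, not something the thread states: a controller tends to reach many bots, a rival bruteforcer tends to hit one or two. All addresses below are documentation-range addresses constructed for the example; they are not the ones in the thread.

```python
"""Stepping-stone triage over flow records (constructed sample data).

Flow record shape assumed here: (src_ip, dst_ip, dst_port). Real input
would come from a netflow export; nothing here reads a live collector.
"""
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

FlowRecord = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port)

# Constructed stand-in for a bruteforcer blocklist (not the real list).
KNOWN_BRUTEFORCERS: Set[str] = {
    "192.0.2.10",
    "192.0.2.11",
    "198.51.100.5",
    "203.0.113.7",
}

# Constructed flow records, a mix of relevant and irrelevant traffic.
SAMPLE_FLOWS: List[FlowRecord] = [
    ("198.51.100.5", "192.0.2.10", 22),   # bruteforcer -> bruteforcer
    ("198.51.100.5", "192.0.2.11", 22),
    ("198.51.100.5", "192.0.2.10", 22),
    ("203.0.113.7",  "192.0.2.10", 22),   # bruteforcer -> bruteforcer
    ("203.0.113.99", "192.0.2.10", 22),   # NOT on the list: candidate controller
    ("203.0.113.99", "192.0.2.11", 22),
    ("203.0.113.99", "198.51.100.5", 22),
    ("192.0.2.200",  "192.0.2.10", 80),   # wrong port, ignored
    ("192.0.2.201",  "192.0.2.50", 22),   # destination not a bruteforcer, ignored
]


def inbound_sources(flows: Iterable[FlowRecord], bruteforcers: Set[str],
                    port: int = 22) -> Counter:
    """Count flows per source that reach `port` on a known bruteforcer.

    This is the same list the mail shows as 'systems coming towards some
    of the bruteforcers on port 22', with a count per source.
    """
    counts: Counter = Counter()
    for src, dst, dport in flows:
        if dport == port and dst in bruteforcers:
            counts[src] += 1
    return counts


def triage(flows: Iterable[FlowRecord], bruteforcers: Set[str],
           port: int = 22) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Split inbound sources into (already_on_list, not_on_list).

    Sources already on the bruteforcer list are the 'rival crews' case;
    sources not on it are the ones worth checking as possible control
    systems / stepping stones.
    """
    counts = inbound_sources(flows, bruteforcers, port)
    on_list = {ip: n for ip, n in counts.items() if ip in bruteforcers}
    candidates = {ip: n for ip, n in counts.items() if ip not in bruteforcers}
    return on_list, candidates


def fanout(flows: Iterable[FlowRecord], bruteforcers: Set[str],
           port: int = 22) -> Dict[str, int]:
    """Distinct bruteforcer hosts each source touched on `port`.

    Editor's heuristic (assumption, not from the thread): a controller
    usually talks to many bots, so a high fan-out from an address that is
    not itself on the list is a stronger stepping-stone signal than a
    single connection.
    """
    seen: Dict[str, Set[str]] = {}
    for src, dst, dport in flows:
        if dport == port and dst in bruteforcers:
            seen.setdefault(src, set()).add(dst)
    return {src: len(dsts) for src, dsts in seen.items()}


def report(flows: Iterable[FlowRecord] = SAMPLE_FLOWS,
           bruteforcers: Set[str] = KNOWN_BRUTEFORCERS) -> List[str]:
    """Render the triage as 'count src [on list|CANDIDATE fanout=N]' lines."""
    flows = list(flows)
    counts = inbound_sources(flows, bruteforcers)
    fo = fanout(flows, bruteforcers)
    lines = []
    for src, n in counts.most_common():
        tag = "on list" if src in bruteforcers else f"CANDIDATE fanout={fo[src]}"
        lines.append(f"{n:4d} {src:<16} {tag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run it as-is to see the constructed sample; to use it on real data, replace SAMPLE_FLOWS with tuples parsed from your flow export and KNOWN_BRUTEFORCERS with the addresses from the blocklist you trust. The candidate set is only a lead: the mail's own caveat stands, and an address in it may just be another bruteforcer that has not made any list yet, so validate against netflow and whois before handing anything to an abuse team.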


