[nsp-sec] SSH brute-force from ccert.edu.cn, AS4538?
Rob Thomas
robt at cymru.com
Wed Aug 26 15:43:14 EDT 2009
Hi, Borja!
> Aug 24 10:58:53 earendil2 sshd[40909]: Invalid user red from 202.112.50.28
Yeah that one has been pretty active. It first entered our incident
tracking on 2009-08-25 08:32:23 UTC. Other pods see it scanning for TCP
22 as early as 2009-08-22 07:41:14 UTC.
> the surprising thing is,
>
> arendil2# host 202.112.50.28
> 28.50.112.202.in-addr.arpa domain name pointer mala.ccert.edu.cn.
> ;; ANSWER SECTION:
> mala.ccert.edu.cn. 6965 IN A 202.112.50.28
Ouch!
Thanks,
Rob.
--
Rob Thomas
Team Cymru
https://www.team-cymru.org/
ASSERT(coffee != empty);