[nsp-sec] IP addresses used to access compromised server
SURFcert - Peter
p.g.m.peters at utwente.nl
Thu Jan 8 10:30:21 EST 2009
Hi,
Yesterday we noticed an IPv6 DoS emitting from a Linux server at our
network (more especially University of Twente). After examination we
noticed one compromised account running a script named "pwned".
The system is cleaned and we managed to get the list of IP addresses who
logged into the compromised accounts during the last couple of months.
Please take care of these because they might be compromised. A number of
these IP addresses are TOR exit nodes, so they might not be of any help.
Timezone is CET (GMT+1) after October 26 2:00:00. Before that date the
timezone is CETDST (GMT+2).
January is 2009. The other months are 2008.
If needed I can provide the period they were logged in (sometimes over
one week at a time).
--
Peter Peters
SURFcert Officer off Duty
cert at surfnet.nl http://cert.surfnet.nl/
office-hours: +31 302 305 305 emergency (24/7): +31 622 923 564
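The timestamp rule stated in the message (GMT+2 before October 26 2:00:00, GMT+1 after it, January is 2009 and the other months 2008) can be applied mechanically to pipe-separated `ASN | IP | timestamp | AS name` rows to get UTC times for correlating against local logs. This is an added example, not part of the original message; the function names and the sample rows (documentation addresses, private-use ASN) are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Rule from the message: local time is GMT+2 before 2008-10-26 02:00:00 and
# GMT+1 after it; January is 2009, all other months are 2008.
SWITCH = datetime(2008, 10, 26, 2, 0, 0)
CEST = timezone(timedelta(hours=2))
CET = timezone(timedelta(hours=1))


def to_utc(stamp):
    """Convert 'Mon D HH:MM:SS' to (UTC datetime, ambiguous flag)."""
    month = stamp.split()[0]
    year = 2009 if month == "Jan" else 2008
    local = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    # 02:00:00-02:59:59 on the switch day occurs twice on the wall clock;
    # the message's rule reads it as GMT+1, so flag it for manual review.
    ambiguous = SWITCH <= local < SWITCH + timedelta(hours=1)
    tz = CEST if local < SWITCH else CET
    return local.replace(tzinfo=tz).astimezone(timezone.utc), ambiguous


def parse_row(row):
    """Parse 'ASN | IP | timestamp | AS name' into a dict with a UTC time."""
    asn, ip, stamp, name = [f.strip() for f in row.split("|", 3)]
    when, ambiguous = to_utc(stamp)
    return {"asn": int(asn), "ip": ip, "utc": when, "ambiguous": ambiguous,
            "as_name": name}


# Constructed sample rows (documentation addresses, private-use ASN).
SAMPLE = [
    "64512 | 192.0.2.10 | Oct 21 18:34:08 | EXAMPLE-AS Example Net",
    "64512 | 192.0.2.10 | Oct 26 02:30:00 | EXAMPLE-AS Example Net",
    "64512 | 198.51.100.7 | Dec 5 09:36:28 | EXAMPLE-AS Example Net",
    "64512 | 198.51.100.7 | Jan 1 00:41:12 | EXAMPLE-AS Example Net",
]

if __name__ == "__main__":
    for r in sorted(map(parse_row, SAMPLE), key=lambda r: r["utc"]):
        flag = " (ambiguous hour)" if r["ambiguous"] else ""
        print(r["utc"].strftime("%Y-%m-%d %H:%M:%SZ"), r["ip"], f"AS{r['asn']}{flag}")
```

The January row shows why the year rule matters: a login shortly after midnight local time on Jan 1 falls on Dec 31 2008 in UTC.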