[nsp-sec] coordinated ssh brute force scanning
Tim Wilde
twilde at cymru.com
Fri Nov 6 17:27:05 EST 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 11/6/2009 3:34 PM, Mike Tancsa wrote:
> ----------- nsp-security Confidential --------
>
>
> IP addresses below are part of a seemingly coordinated net doing a
> bruteforce scan targeting 64.7.128.98. (Sample of the username pattern
> below). Each IP is well spaced apart so as not to trigger any rate
> limiters.
>
> Should this just go to bruteforce at cymru.com in the future ?
Mike,
You're welcome to send any bruteforce scanning data you have to
bruteforce at cymru.com for inclusion in the bruteforce Daily Reports
category, absolutely. You (and anyone else) can find details of the
format requested here:
https://www.cymru.com/nsp-sec/dailyreports/bruteforce.html
Timestamps need to be in UTC, please. Any type of confirmed scanning
activity is welcome, not just that detected by the more traditional
tools mentioned on the page - as long as you're sure it's brute force
scanning, it's fair game for this category. If you let us know when
you're starting to send the data, that would be appreciated so that we
can confirm it's coming in okay.
Thanks,
Tim
- --
Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkr0orkACgkQluRbRini9thZGgCcCxJwb3h8ijIgJJsaHBG/AlkU
mmoAmwXLRlr1y0DXQjotR5lX7a7Kzwb5
=Mc/s
-----END PGP SIGNATURE-----
More information about the nsp-security
mailing list