[nsp-sec] Question about potentially compromised email credentials

Buchanan, Mark Mark.Buchanan at savvis.net
Fri Sep 18 12:51:01 EDT 2009


Gabe/NSP-sec folks,

Here's a shell script I wrote (sorry, perl would have taken me much
longer) to convert multiple email domains to ASN.

I'll allow Stephen Gill or another Cymru member to chide me for not
using a bulk transfer method against the IP->ASN database :). I
thought it better to use one method than to worry about whether nc, whois or
wget/links/elinks were on the machine. As long as dig and a few other
typical UNIX commands (echo, tr, sort, grep, awk, sort, tail) are present, it should
function.

Here's an example of the run:

<mbuchana at sl1xs350830:~>$ ./mx-as.sh mckendree.edu savvis.net mit.edu | sort -n
3 | 18.0.0.0/8 | US | arin | 1994-01-01 | 18.7.21.220 mit.edu W92-130-BARRACUDA-1.mit.edu. 100
3 | 18.0.0.0/8 | US | arin | 1994-01-01 | 18.7.21.223 mit.edu W92-130-BARRACUDA-2.mit.edu. 100
3 | 18.0.0.0/8 | US | arin | 1994-01-01 | 18.7.21.224 mit.edu W92-130-BARRACUDA-3.mit.edu. 100
3 | 18.0.0.0/8 | US | arin | 1994-01-01 | 18.7.7.111 mit.edu M24-004-BARRACUDA-1.mit.edu. 100
3 | 18.0.0.0/8 | US | arin | 1994-01-01 | 18.7.7.112 mit.edu M24-004-BARRACUDA-2.mit.edu. 100
3 | 18.0.0.0/8 | US | arin | 1994-01-01 | 18.7.7.114 mit.edu M24-004-BARRACUDA-3.mit.edu. 100
6325 | 66.99.128.0/17 | US | arin | 2001-04-09 | 66.99.172.41 mckendree.edu mx01.mckendree.edu. 1
26282 | 216.82.240.0/22 | US | arin | 2003-09-17 | 216.82.242.19 savvis.net cluster9.us.messagelabs.com. 10
26282 | 216.82.248.0/22 | US | arin | 2003-09-17 | 216.82.248.44 savvis.net cluster9a.us.messagelabs.com. 20
26282 | 216.82.248.0/22 | US | arin | 2003-09-17 | 216.82.248.45 savvis.net cluster9a.us.messagelabs.com. 20
26282 | 216.82.248.0/22 | US | arin | 2003-09-17 | 216.82.249.19 savvis.net cluster9a.us.messagelabs.com. 20
26282 | 216.82.248.0/22 | US | arin | 2003-09-17 | 216.82.249.19 savvis.net cluster9.us.messagelabs.com. 10
26282 | 216.82.248.0/22 | US | arin | 2003-09-17 | 216.82.249.35 savvis.net cluster9a.us.messagelabs.com. 20
26282 | 216.82.248.0/22 | US | arin | 2003-09-17 | 216.82.249.35 savvis.net cluster9.us.messagelabs.com. 10
26282 | 216.82.248.0/22 | US | arin | 2003-09-17 | 216.82.249.51 savvis.net cluster9a.us.messagelabs.com. 20
26282 | 216.82.248.0/22 | US | arin | 2003-09-17 | 216.82.249.51 savvis.net cluster9.us.messagelabs.com. 10
26282 | 216.82.252.0/22 | US | arin | 2003-09-17 | 216.82.254.227 savvis.net cluster9a.us.messagelabs.com. 20
26282 | 216.82.252.0/22 | US | arin | 2003-09-17 | 216.82.254.227 savvis.net cluster9.us.messagelabs.com. 10
26282 | 216.82.252.0/22 | US | arin | 2003-09-17 | 216.82.254.243 savvis.net cluster9a.us.messagelabs.com. 20
26282 | 216.82.252.0/22 | US | arin | 2003-09-17 | 216.82.254.243 savvis.net cluster9.us.messagelabs.com. 10
26282 | 216.82.252.0/22 | US | arin | 2003-09-17 | 216.82.254.35 savvis.net cluster9a.us.messagelabs.com. 20
26282 | 216.82.252.0/22 | US | arin | 2003-09-17 | 216.82.254.35 savvis.net cluster9.us.messagelabs.com. 10
26282 | 216.82.252.0/22 | US | arin | 2003-09-17 | 216.82.254.3 savvis.net cluster9a.us.messagelabs.com. 20
26282 | 216.82.252.0/22 | US | arin | 2003-09-17 | 216.82.254.3 savvis.net cluster9.us.messagelabs.com. 10
26282 | 216.82.252.0/22 | US | arin | 2003-09-17 | 216.82.254.51 savvis.net cluster9a.us.messagelabs.com. 20
26282 | 216.82.252.0/22 | US | arin | 2003-09-17 | 216.82.254.51 savvis.net cluster9.us.messagelabs.com. 10

Script attached...

Enjoy! (as someone's always told me)

Mark
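Mark's script is only attached to the mail, not reproduced in it. As an added example (not Mark's code and not the attachment), here is a POSIX shell reconstruction of the MX record > hostname > IP > ASN chain Gabe asks about, using only dig against Team Cymru's DNS interface and printing the same record layout as the run above. It assumes the Cymru origin.asn.cymru.com TXT zone with reversed IPv4 octets and a pipe-separated answer, and handles IPv4 MX hosts only.

```shell
#!/bin/sh
# mx-as.sh (reconstructed example): domain -> MX host -> A record -> ASN via
# Team Cymru's DNS interface. Constructed here; not the script attached to the mail.
# Output: ASN | prefix | CC | registry | allocated | IP domain mxhost preference

# The Cymru origin zone is keyed by reversed IPv4 octets: 18.7.21.220 -> 220.21.7.18
reverse_ip() {
    printf '%s\n' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }'
}

# Keep only dotted-quad lines; 'dig +short A' on a CNAME also prints the target name.
only_ipv4() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Build one output record from the raw TXT answer, e.g.
# "3 | 18.0.0.0/8 | US | arin | 1994-01-01" (quotes stripped), plus lookup context.
format_record() {
    txt=$(printf '%s' "$1" | tr -d '"')
    printf '%s | %s %s %s %s\n' "$txt" "$2" "$3" "$4" "$5"
}

# One TXT query per IP against <reversed-ip>.origin.asn.cymru.com (first answer only).
asn_txt_for_ip() {
    dig +short TXT "$(reverse_ip "$1").origin.asn.cymru.com" | head -n 1
}

# Walk a domain's MX records (lowest preference first) and print one record
# per (MX host, A record) pair, which is why multi-homed hosts appear more than once.
mx_to_asn() {
    domain=$1
    dig +short MX "$domain" | sort -n | while read -r pref host; do
        for ip in $(dig +short A "$host" | only_ipv4); do
            format_record "$(asn_txt_for_ip "$ip")" "$ip" "$domain" "$host" "$pref"
        done
    done
}

for d in "$@"; do
    mx_to_asn "$d"
done
```

For more than a handful of domains the per-IP DNS queries add up; Cymru's bulk whois/netcat interface is the intended path for large lists, as Mark's own remark acknowledges.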

-----Original Message-----
From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Christoph Sprongl
Sent: Friday, September 18, 2009 10:13 AM
To: Gabriel Iovino
Cc: NSP nsp-security
Subject: Re: [nsp-sec] Question about potentially compromised email credentials

----------- nsp-security Confidential --------

Gabe, in my opinion a strong YES.

Even without AS but with email address data, it is possible to combine the
information and see which company could be impacted by this and take
steps in mitigation.

Thx in advance!
christoph


> ----------- nsp-security Confidential --------
>
> A list of *potentially* compromised email credentials was harvested from
> the following server/(HTML Phishing form) over the last few days.
>
>> [URL] hxxp://www.losnaranjos23.com/phpformgenerator/use/oncedial/form1.html
>> [Status] Offline
>
> I have already reached out to eight .edu's and am trying to decide what
> to do with the remaining 55.
>
> It would be trivial for me to post a file with the following:
>
>> Email Address | Username | Password | Confirm Password
>
> but this community usually does not exchange datasets without AS
> numbers. It would probably take me an hour or so to hack together a perl
> script to resolve the MX record > hostname > IP > ASN which would allow
> me to put it in a format that is typical for this community.
>
> My question is, are *potentially* compromised email accounts as a result
> of credential dropboxes something this community is interested in?
>
> Thanks
>
> Gabe
>
> - --
> Gabriel Iovino
> Principal Security Engineer, REN-ISAC
> http://www.ren-isac.net
> 24x7 Watch Desk +1(317)278-6630
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________