[nsp-sec] SSH scanning - we are now up over 1000
Michael Sinatra
michael at rancid.berkeley.edu
Tue Aug 10 14:10:13 EDT 2010
On 08/10/10 11:05, Joel Rosenblatt wrote:
> ----------- nsp-security Confidential --------
>
> I've been feeding all of our attackers to Cymru for years .. I just send
> these lists as a public service for those who don't get the daily
> reports :-)
>
> We also send out a message to each of the abuse contacts for the ASN, so
> we catch a lot of people not on the NSP list ... I get lots of thank you
> notes :-)
I also feed to the Cymru notification service, and I am seeing the same
uptick as others.
One thing I have noticed is that a compromised system that is doing
brute-force ssh tends to generate a lot of notifications from the people
being attacked--more so than some other types of compromises.
michael
> Joel
>
> --On Tuesday, August 10, 2010 10:56 AM -0700 Kevin Oberman
> <oberman at es.net> wrote:
>
>>> Date: Tue, 10 Aug 2010 10:02:15 -0400
>>> From: Joel Rosenblatt <joel at columbia.edu>
>>> Sender: nsp-security-bounces at puck.nether.net
>>>
>>> ----------- nsp-security Confidential --------
>>>
>>>
>>> Hi,
>>>
>>> Looks like this is going to get worse before it gets worse ... list
>>> attached.
>>>
>>> Thanks,
>>> Joel
>>>
>>> Joel Rosenblatt, Manager Network & Computer Security
>>> Columbia Information Security Office (CISO)
>>> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
>>> http://www.columbia.edu/~joel
>>
>> This is the worst of these I've seen and it just keeps getting heavier.
>>
>> I have been seeing over 500 new unique source addresses daily from the
>> start of this and the number is growing daily. I only had 960 unique
>> new addresses this morning, but I have rather careful vetting to avoid
>> false positives as we feed this data into our RTBH and I don't want to
>> block any legitimate access. I'm sure that if I looked at the data
>> manually, that I would have a number of added hits.
>>
>> BTW, all of the attempts logged are reported to the Cymru brute-force list
>> for inclusion in the daily reports.
>> --
>> R. Kevin Oberman, Network Engineer
>> Energy Sciences Network (ESnet)
>> Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
>> E-mail: oberman at es.net Phone: +1 510 486-8634
>> Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
>>
>
>
>
> Joel Rosenblatt, Manager Network & Computer Security
> Columbia Information Security Office (CISO)
> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> http://www.columbia.edu/~joel
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
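Two operational points run through the thread: sources are only fed into the RTBH after "rather careful vetting to avoid false positives", and a brute-forcing host iterates many usernames, which is what makes it stand out in the logs. The following is an added example, not code from anyone on the list, showing one way to do that vetting over sshd auth-log lines: failures are aggregated per source address, and a source becomes a blocklist candidate only if it crosses a failure threshold, tried several distinct usernames, never succeeded in logging in, and is not inside a never-block range. The log lines, the thresholds, and the allowlist are all constructed for the example; tune them to your own environment.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample of sshd syslog lines (not taken from the thread).
# 203.0.113.5   : scanner iterating usernames            -> candidate
# 203.0.113.77  : hammering one account only             -> excluded (distinct-user rule)
# 198.51.100.7  : real user who mistyped, then logged in -> excluded (Accepted seen)
# 198.51.100.200: a few failures, under the threshold    -> excluded (too few)
# 10.0.0.9      : internal address, in the allowlist     -> excluded (never block)
SAMPLE_LOG = """\
Aug 10 10:02:15 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40100 ssh2
Aug 10 10:02:16 host sshd[1202]: Failed password for invalid user oracle from 203.0.113.5 port 40101 ssh2
Aug 10 10:02:17 host sshd[1203]: Failed password for root from 203.0.113.5 port 40102 ssh2
Aug 10 10:02:18 host sshd[1204]: Failed password for invalid user test from 203.0.113.5 port 40103 ssh2
Aug 10 10:02:19 host sshd[1205]: Failed password for invalid user guest from 203.0.113.5 port 40104 ssh2
Aug 10 10:02:20 host sshd[1206]: Failed password for invalid user user from 203.0.113.5 port 40105 ssh2
Aug 10 10:03:01 host sshd[1207]: Failed password for root from 203.0.113.77 port 42000 ssh2
Aug 10 10:03:02 host sshd[1208]: Failed password for root from 203.0.113.77 port 42001 ssh2
Aug 10 10:03:03 host sshd[1209]: Failed password for root from 203.0.113.77 port 42002 ssh2
Aug 10 10:03:04 host sshd[1210]: Failed password for root from 203.0.113.77 port 42003 ssh2
Aug 10 10:03:05 host sshd[1211]: Failed password for root from 203.0.113.77 port 42004 ssh2
Aug 10 10:03:06 host sshd[1212]: Failed password for root from 203.0.113.77 port 42005 ssh2
Aug 10 10:05:01 host sshd[1220]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Aug 10 10:05:09 host sshd[1221]: Failed password for alice from 198.51.100.7 port 51001 ssh2
Aug 10 10:05:20 host sshd[1222]: Accepted password for alice from 198.51.100.7 port 51002 ssh2
Aug 10 10:06:00 host sshd[1230]: Failed password for invalid user admin from 198.51.100.200 port 33000 ssh2
Aug 10 10:06:01 host sshd[1231]: Failed password for invalid user pi from 198.51.100.200 port 33001 ssh2
Aug 10 10:06:02 host sshd[1232]: Failed password for root from 198.51.100.200 port 33002 ssh2
Aug 10 10:07:00 host sshd[1240]: Failed password for invalid user admin from 10.0.0.9 port 35000 ssh2
Aug 10 10:07:01 host sshd[1241]: Failed password for invalid user test from 10.0.0.9 port 35001 ssh2
Aug 10 10:07:02 host sshd[1242]: Failed password for root from 10.0.0.9 port 35002 ssh2
Aug 10 10:07:03 host sshd[1243]: Failed password for invalid user guest from 10.0.0.9 port 35003 ssh2
Aug 10 10:07:04 host sshd[1244]: Failed password for invalid user oracle from 10.0.0.9 port 35004 ssh2
"""

# Matches both "Failed/Accepted password for <user>" and "... for invalid user <user>".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Assumed vetting thresholds and allowlist (hypothetical values, not from the thread).
MIN_FAILURES = 5        # below this a source is noise, not a scan
MIN_DISTINCT_USERS = 3  # scanners iterate usernames; a real user mistypes one
NEVER_BLOCK = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]


@dataclass
class SourceStats:
    failures: int = 0
    accepted: int = 0
    users: set = field(default_factory=set)


def parse_auth_log(text):
    """Aggregate sshd auth results per source address."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated sshd/syslog line
        s = stats[m["src"]]
        if m["result"] == "Failed":
            s.failures += 1
            s.users.add(m["user"])
        else:
            s.accepted += 1
    return stats


def vet_candidates(stats, min_failures=MIN_FAILURES,
                   min_users=MIN_DISTINCT_USERS, never_block=NEVER_BLOCK):
    """Apply the false-positive vetting rules and return sorted blocklist candidates."""
    blocklist = []
    for src, s in stats.items():
        try:
            addr = ip_address(src)
        except ValueError:
            continue  # malformed source field: skip, never block on bad data
        if any(addr in net for net in never_block):
            continue  # internal or otherwise protected range
        if s.accepted:
            continue  # a successful login came from here; not a blind scanner
        if s.failures < min_failures or len(s.users) < min_users:
            continue  # too few failures, or one account only (lockout, typo)
        blocklist.append(src)
    return sorted(blocklist)


def brute_force_sources(text):
    """Convenience wrapper: log text in, vetted candidate addresses out."""
    return vet_candidates(parse_auth_log(text))


if __name__ == "__main__":
    for src in brute_force_sources(SAMPLE_LOG):
        print(src)
```

The distinct-username rule is the one that does most of the work against false positives: a legitimate user locked out of one account and a misconfigured cron job retrying one account both fail repeatedly, but neither walks through a wordlist of usernames. Whatever comes out of `brute_force_sources` is still a candidate list, not a block decision; the thread's practice of manual review before the RTBH feed still applies.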