[nsp-sec] safe browsing alerts for ASNs

Hank Nussbacher hank at efes.iucc.ac.il
Tue Aug 17 13:38:12 EDT 2010


At 09:34 22/07/2010 -0700, Niels Provos wrote:

Much thanks for this excellent service.  On Aug 14 we got an alert about
 > http://math.huji .ac.il/~perin/
 > http://www.math.huji .ac.il/~perin/
 > http://www.math.huji .ac.il/~perin/indexfr.html

It looks like the FTP password was compromised by some malware on the client
computer. The user changed her password and FTP on the server was shut down.
The malicious logins came from these addresses:
ftp    Thu Aug 12 14:11 - 14:11  (00:00)   ev1s-216-40-222-82.theplanet.com
ftp    Thu Aug 12 14:11 - 14:11  (00:00)   64-191-11-79.hostnoc.net
ftp    Thu Aug 12 14:10 - 14:10  (00:00)   www.betchannel.gr
ftp    Thu Aug 12 14:10 - 14:10  (00:00)   69.90.18.37
ftp    Wed Aug  4 17:46 - 17:46  (00:00)   asksunday.com
ftp    Wed Aug  4 17:46 - 17:46  (00:00)   69.90.18.37
ftp    Wed Aug  4 17:46 - 17:46  (00:00)   212-174-14-82.ip.ciklet.net
ftp    Wed Aug  4 17:46 - 17:46  (00:00)   h568301.serverkompetenz.net
ftp    Wed Aug  4 17:43 - 17:43  (00:00)   174-143-243-118.static.cloud-ips.com
ftp    Wed Aug  4 16:41 - 16:41  (00:00)   ix-theteam-02.fs-server.com

Someone might want to inform betchannel.gr and asksunday.com.

Regards,
Hank

>----------- nsp-security Confidential --------
>
>Hi everyone,
>
>we are testing a new service called Safe Browsing Alerts for Network
>Administrators.  This service allows AS owners to sign up for daily
>emails of compromised web sites that Google is finding on their
>address space. Although we have not announced the tool yet, we
>would appreciate it if folks here could try it and provide us with
>feedback:
>
>  http://safebrowsingalerts.googlelabs.com/
>
>To verify the ownership of an AS, we use contact information from
>whois data.   In some countries, the organizations that maintain the
>whois data are not providing contact email addresses and the safe
>browsing alerts will not work for those AS numbers.
>
>We appreciate your feedback.
>
>Thank you,
>  Niels.
>
>PS: Please keep this confidential for the time being, e.g. don't blog
>about it, etc.
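The login list in the reply above shows a recognisable pattern: several zero-length FTP sessions from unrelated hosts within a minute or two. The following is an added example, not part of the original messages, that parses `last`-style lines, rejoins host names wrapped onto the next line, and reports such bursts. The sample data, the `year` default, the five-minute window and the three-host threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the same `last`-style layout as the lines quoted in the
# message; hosts are documentation addresses and reserved names, not real ones.
SAMPLE = """\
ftp    Thu Aug 12 14:11 - 14:11  (00:00)   host-a.example.net
ftp    Thu Aug 12 14:11 - 14:11  (00:00)   198.51.100.7
ftp    Thu Aug 12 14:10 - 14:10  (00:00)   www.example.org
ftp    Thu Aug 12 14:10 - 14:10  (00:00)   203.0.113.37
ftp    Wed Aug 11 09:02 - 09:40  (00:38)   192.0.2.10
ftp    Tue Aug 10 09:05 - 09:31  (00:26)   192.0.2.10
ftp    Wed Aug  4 17:43 - 17:43  (00:00)
long-wrapped-name.static.example.com
"""

LINE = re.compile(r"^\S+\s+\w{3}\s+(\w{3})\s+(\d{1,2})\s+(\d{2}:\d{2})\s+-\s+"
                  r"\d{2}:\d{2}\s+\((\d{2}):(\d{2})\)\s*(\S*)$")

def parse(text, year=2010):
    """Yield (start, minutes, host). `last` prints no year, so it is assumed."""
    pending = None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            mon, day, hhmm, dh, dm, host = m.groups()
            start = datetime.strptime(f"{year} {mon} {day} {hhmm}", "%Y %b %d %H:%M")
            rec = [start, int(dh) * 60 + int(dm), host]
            if host:
                yield tuple(rec)
            else:
                pending = rec              # host name wrapped onto the next line
        elif pending and raw.strip():
            pending[2] = raw.strip()
            yield tuple(pending)
            pending = None

def bursts(records, window=timedelta(minutes=5), min_hosts=3):
    """Return (first_seen, hosts) for zero-length sessions from many hosts at once."""
    short = sorted((s, h) for s, d, h in records if d == 0)
    out, i = [], 0
    while i < len(short):
        j = i
        while j < len(short) and short[j][0] - short[i][0] <= window:
            j += 1
        hosts = sorted({h for _, h in short[i:j]})
        if len(hosts) >= min_hosts:
            out.append((short[i][0], hosts))
        i = j if len(hosts) >= min_hosts else i + 1
    return out
```

On the constructed sample, the two longer sessions from a single address are ignored and only the four-host cluster on Aug 12 is reported.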