[nsp-sec] SSH scanners are back
CERT-UT - Peter
p.g.m.peters at utwente.nl
Fri Jan 29 03:39:39 EST 2010
Mike Tancsa wrote on 22-Jan-10 16:48:
> Interesting, mine are cranked up as well. But seems to be a different
> program in that it's back to trying 3 or 4 per bot at much longer
> intervals than the blast from last week. Complete list (853) sent off to
> bruteforce at cymru.com
I have seen another kind of brute-force scanning. Not directed at SSH
but at the mail ports (POP3(S) and IMAP(S)). There is one major problem
with scanners aiming at these ports. While SSH is hardly used outside
one's own organization, IMAPS is mainly used outside the organization.
Inside our network most users just use Outlook, but outside users have
all kinds of IMAP clients. And being a university they are all over the
world, even in China, Turkey, Brazil and other countries where we see
scanning coming from.
So it is very hard to compile a list of the scanners, because the times
we have seen this they overflowed the system and even normal users
started trying to access the server more often.
And it didn't help that Microsoft Exchange in a standard setup doesn't log
all the relevant information. We have cranked up the logging and hope to
be able to catch the bad guys next time.
--
Peter Peters
CERT-UT Officer off Duty
cert at utwente.nl http://www.utwente.nl/itsecurity
office-hours: +31 53 489 2301