[nsp-sec] IP Addresses with SIP credentials likely compromised

Greenberg, David A dgreenbe at iu.edu
Fri Jun 11 09:23:11 EDT 2010


A REN-ISAC colleague gave me permission to forward his e-mail to this list.  I pulled out the text file and uploaded it to https://asn.cymru.com/nsp-sec/upload/1276261900.whois.txt  and only attached a list of ASNs affected.  He would like to keep his organization private, but indicated that he is willing to work with anybody that needs more information.

Thanks,
David Greenberg


---

We've had a persistent presence of a compromise in one department on campus where the intended pay-off seems to have been fairly random SIP credentials.  
We're still looking further, but the time frame appears to have been May 31st until June 9th.  We are doing our best to contain and remedy, but cannot be sure that new compromised machines will not come forward.

With what we know to date, compromised machines that may have scanned and attacked machines at other sites are the following:

I have attached a text file with about 2000 IP addresses (sorted alpha) with time stamps we think may have compromised SIP credentials based on the subject line of outgoing mail logs. Duplicate IP addresses indicate multiple messages at different times. Recipients' email addresses of both SIP and rootkit information in this incident are (without spaces around @):

dezde @ mymail.ro 
xqw019 @ gmail.com 
binesaurau @ gmail.com  
albert.mill3r @ gmail.com 

Gerrit Bos,
IT Security Officer, PMO/CIO
University of Guelph, ON, Canada
Email: gbos at uoguelph.ca
Ph: (519) 824-4120 Ext. 53489
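As an added illustration (not part of either e-mail above), the script below reproduces the identification step the report describes: it scans outgoing mail log lines for messages sent to the listed drop addresses within the May 31 to June 9 window and keeps duplicate IPs, as the report's attachment does, so repeated entries show multiple messages at different times. The log line format, the sample lines and the 192.0.2.x addresses are constructed assumptions; the report's actual subject-line pattern is not given, so matching here is on recipient address.

```python
import re
from datetime import datetime
from typing import List, Tuple

# Drop addresses listed in the incident report (spaces around @ removed).
EXFIL_RECIPIENTS = {
    "dezde@mymail.ro",
    "xqw019@gmail.com",
    "binesaurau@gmail.com",
    "albert.mill3r@gmail.com",
}

# Incident window from the report: May 31 through June 9, 2010, inclusive.
WINDOW_START = datetime(2010, 5, 31)
WINDOW_END = datetime(2010, 6, 9, 23, 59, 59)

# Assumed (hypothetical) outgoing-mail log format, one message per line:
#   <ISO timestamp> client=<ipv4> to=<recipient> subject="<subject>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) client=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) '
    r'to=(?P<rcpt>\S+) subject="(?P<subj>[^"]*)"$'
)


def flag_exfil(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (ip, timestamp) pairs, sorted alphabetically by IP, for every
    message sent to a known drop address inside the incident window.
    Duplicate IPs are kept deliberately: each repeat is a separate message."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        ts = datetime.fromisoformat(m.group("ts"))
        if not (WINDOW_START <= ts <= WINDOW_END):
            continue  # outside the incident window
        if m.group("rcpt").lower() in EXFIL_RECIPIENTS:
            hits.append((m.group("ip"), m.group("ts")))
    return sorted(hits)


# Constructed sample log; 192.0.2.x are documentation addresses, not the report's hosts.
SAMPLE_LOG = [
    '2010-06-02T10:15:00 client=192.0.2.10 to=dezde@mymail.ro subject="SIP credentials"',
    '2010-06-03T11:20:00 client=192.0.2.10 to=xqw019@gmail.com subject="rootkit info"',
    '2010-06-04T09:00:00 client=192.0.2.5 to=colleague@example.edu subject="lunch"',
    '2010-05-20T08:00:00 client=192.0.2.7 to=dezde@mymail.ro subject="SIP credentials"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ip, ts in flag_exfil(SAMPLE_LOG):
        print(ip, ts)
```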

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: SIPcredentials_ASNs.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20100611/a87fa40c/attachment-0001.txt>