[nsp-sec] ACK: SSH scanners are out in force
Smith, Donald
Donald.Smith at qwest.com
Mon Mar 8 15:43:06 EST 2010
Anyone with access to netflow may want to check for flows towards 74.103.65.7.
I saw some suspect flows that could be the bot coordination.
Additionally, one of the IPs Joel listed for Qwest was reported on another list as being part of a distributed coordinated brute-force attack. I am not sure how those are being coordinated, but there is a possibility that coordination will be noisy and could lead to us finding the upstream controller (better than whack-a-mole).
(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia
>
> Joel Rosenblatt wrote:
> > ----------- nsp-security Confidential --------
> >
> > Hi,
> >
> > Big SSH scanner run last night. See attached file
> >
> > Number after time stamp is number of attempts
> >
> > Time stamps are -0500 (EST)
> >
> > This seems to be a different collection of ASNs than the usual suspects,
> > but that's not a scientific analysis, just an eyeball observation :-)
> >
> > Happy hunting!
> >
> > Thanks,
> > Joel
> >
> > Joel Rosenblatt, Manager Network & Computer Security
> > Columbia Information Security Office (CISO)
> > Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> > http://www.columbia.edu/~joel
> >
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> >
> > Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> > community. Confidentiality is essential for effective Internet security
> > counter-measures.
> > _______________________________________________
This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful. If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.
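
One way to run the netflow check suggested in the reply above, as an added example that is not part of the original message: list every source that sent a flow to 74.103.65.7 and note whether the same source also fanned out to many SSH targets. The CSV column layout, the threshold and the 192.0.2.x / 198.51.100.x sample records are constructed assumptions; only the suspect address comes from the message.

```python
import csv
import io
from collections import defaultdict

SUSPECT = "74.103.65.7"  # the address named in the message

# Constructed sample flows, not real data. The column layout is an assumed
# CSV export; map the field names to whatever your collector emits.
SAMPLE_FLOWS = """\
start,src,dst,dport,proto
2010-03-08T02:01:10,192.0.2.10,74.103.65.7,8080,6
2010-03-08T02:01:40,192.0.2.10,198.51.100.1,22,6
2010-03-08T02:01:41,192.0.2.10,198.51.100.2,22,6
2010-03-08T02:01:42,192.0.2.10,198.51.100.3,22,6
2010-03-08T02:05:00,192.0.2.10,74.103.65.7,8080,6
2010-03-08T03:10:00,192.0.2.20,74.103.65.7,80,6
2010-03-08T03:30:00,192.0.2.30,198.51.100.9,22,6
"""

def correlate(flow_csv, suspect=SUSPECT, min_ssh_targets=3):
    """Return {src: summary} for every source that sent a flow to `suspect`."""
    contacts = defaultdict(list)    # src -> [(start, proto, dport), ...]
    ssh_targets = defaultdict(set)  # src -> distinct TCP/22 destinations
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["dst"] == suspect:
            # Keep every protocol: the coordination channel is unknown.
            contacts[row["src"]].append((row["start"], row["proto"], row["dport"]))
        elif row["proto"] == "6" and row["dport"] == "22":
            ssh_targets[row["src"]].add(row["dst"])
    report = {}
    for src, seen in contacts.items():
        fanout = len(ssh_targets.get(src, ()))
        report[src] = {
            "contacts": len(seen),
            "first_contact": min(start for start, _, _ in seen),  # ISO sorts as text
            "ports": sorted({f"{proto}/{dport}" for _, proto, dport in seen}),
            "ssh_targets": fanout,
            # Contact with the suspect plus SSH fan-out is the stronger signal;
            # contact alone still deserves a look.
            "likely_scanner": fanout >= min_ssh_targets,
        }
    return report

if __name__ == "__main__":
    for src, info in sorted(correlate(SAMPLE_FLOWS).items()):
        print(src, info)
```
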