[nsp-sec] Some compromised machines and IDs
Joel Rosenblatt
joel at columbia.edu
Wed May 26 19:27:00 EDT 2010
Hi,
As a result of reporting a machine that was scanning our campus, we received some intel on some compromised systems and IDs
This was the notification (partial) sent to the machine owner
>>> Name: 235.64.238.89.serverhousing.manitu.net
>>> Address: 89.238.64.235
>>>
>>> Incident type: 5060/udp
>>> First attempt: 25-may-2010 23:05:00 GMT-0400
>>> Last attempt: 25-may-2010 23:10:00 GMT-0400
>>> Total attempts: 64973
>>>
I asked them not to send us the passwords (they said that the passwords were weak), and I verified that I was allowed to pass this information along. Happy hunting (the source was not 100% sure about the IDs; he was sure of the IP addresses).
Thanks,
Joel
Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel