[nsp-sec] ATTN AS 25003/174 - VPN accounts being attacked
Daniel Robert Adinolfi
dra1 at cornell.edu
Thu Mar 1 09:37:00 EST 2012
Folks,
Can someone associated with AS 25003 take a look at this host?
94.188.247.246
AS | IP | AS Name
25003 | 94.188.247.246 | INTERNET_BINAT Internet Binat Ltd
PEER_AS | IP | AS Name
174 | 94.188.247.246 | COGENT Cogent/PSI
This guy has been connecting to our campus VPN attempting to log in with what we assume are stolen credentials over the last two days. Sadly, he had a few successes, but those were accompanied by a large number of failures. They probably got the username and password list from another website or a phishing campaign.
Can someone make this guy stop? (Yes, we're blocking the IP, though we hate doing whack-a-mole for things like this.) I'm guessing he wasn't just rattling Cornell's doorknobs with his list of compromised account info.
Thanks.
-Dan
AS 26
The bad guy was connecting to cuvpn.cuvpn.cornell.edu (132.236.56.100).
Times are in EST:
>
> Mix of failures and successes
> Remote location is Asia.Israel
>
> Thu Mar 1 05:14:45 2012(local):94.188.247.246::xxx FAIL
> Thu Mar 1 05:19:54 2012(local):94.188.247.246::xxx FAIL
> Thu Mar 1 05:20:16 2012(local):94.188.247.246::xxx FAIL
> Thu Mar 1 05:20:27 2012(local):94.188.247.246::xxx FAIL
> Thu Mar 1 05:20:37 2012(local):94.188.247.246::xxx OK
> .
_________________
Daniel Adinolfi, CISSP
Senior Security Engineer, IT Security Office
Cornell University - Office of the CIO
email: dra1 at cornell.edu phone: 607-255-7657
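
Added example, not part of the original message: one way to surface this pattern (a single source failing logins against several accounts, with occasional successes) from log lines in the format quoted above. The function names, thresholds, usernames and documentation-range addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Format as quoted in the message: "<ctime>(local):<src-ip>::<user> <FAIL|OK>"
LINE_RE = re.compile(
    r"^(?:>\s*)?(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\(local\):"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})::(?P<user>\S+) (?P<result>FAIL|OK)\s*$"
)

def parse(lines):
    """Yield (timestamp, ip, user, result) for matching lines; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
            yield ts, m["ip"], m["user"], m["result"]

def suspicious_sources(lines, min_fail=3, min_users=2):
    """Return {ip: stats} for sources that fail against several distinct accounts."""
    # min_fail and min_users are assumed thresholds; tune them per site.
    fails = defaultdict(int)
    users = defaultdict(set)
    ok = defaultdict(set)
    for _ts, ip, user, result in parse(lines):
        users[ip].add(user)
        if result == "FAIL":
            fails[ip] += 1
        else:
            ok[ip].add(user)  # accounts that need a password reset if ip is flagged
    return {
        ip: {"fails": fails[ip], "users": len(users[ip]), "compromised": sorted(ok[ip])}
        for ip in fails
        if fails[ip] >= min_fail and len(users[ip]) >= min_users
    }

# Constructed sample: usernames are invented, addresses are documentation ranges.
SAMPLE = """\
> Thu Mar 1 05:14:45 2012(local):192.0.2.10::alice FAIL
> Thu Mar 1 05:19:54 2012(local):192.0.2.10::bob FAIL
> Thu Mar 1 05:20:16 2012(local):192.0.2.10::carol FAIL
> Thu Mar 1 05:20:37 2012(local):192.0.2.10::dave OK
> Thu Mar 1 05:21:02 2012(local):198.51.100.7::erin FAIL
> Thu Mar 1 05:21:30 2012(local):198.51.100.7::erin OK
> .
""".splitlines()

if __name__ == "__main__":
    for ip, info in suspicious_sources(SAMPLE).items():
        print(ip, info)
```

The second source in the sample is a user who mistyped once and then logged in, so it stays below the thresholds and is not flagged.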