[nsp-sec] Botnet takedown - Chinese SSH Brute Force

Wentworth, Brett Brett.Wentworth at Level3.com
Wed Apr 8 13:52:05 EDT 2015


Just a heads up that Level 3 conducted a botnet takedown yesterday. Part of the activity of this botnet is extreme SSH brute force scanning. At one point throughout the previous 30 days we saw this comprising over 30% of the total global SSH traffic, so they aren't being subtle. The purpose of this notice is to hopefully persuade you all to take similar action at your border. Infected hosts we have seen communicating with the C2 will be forthcoming.

SSH Brute Force Scanning
43.255.190.0/23 (ASN: 4134 China Telecom, 36678 China Telecom, 26484 Hostspace)
43.255.190.0/24  (ASN: 4134 China Telecom, 36678 China Telecom, 26484 Hostspace)

C2:
103.240.140.152/32 (ASN: 62466 Telia, 6939 Hurricane Electric, 1299 Telia)
103.240.141.54/32 (ASN: 62466 Telia, 6939 Hurricane Electric, 1299 Telia)
103.240.141.50/32 (ASN: 62466 Telia, 6939 Hurricane Electric, 1299 Telia)
104.143.5.25/32 (ASN: 36114 Versaweb, 53340 Fiberhub, 2914 NTT)

Malware Hosting:
23.234.60.140/32 (ASN: 4134 China Telecom, 36678 China Telecom, 26484 Hostspace)
23.234.60.143/32 (ASN: 4134 China Telecom, 36678 China Telecom, 26484 Hostspace)
23.234.19.202/32 (ASN: 4134 China Telecom, 36678 China Telecom, 26484 Hostspace)

Further details can be found in the attached report (some of the IPs have changed but the behavior is the same):
http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html
https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html


Regards,

Level (3) Communications
Network Security Operations
Level3-SOC at level3.com
720.888.0012
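For anyone who wants to act on the indicators above at their own border, here is an added example (not part of the Level 3 notice) that loads the listed prefixes and hosts, checks a few sshd log lines and outbound flow records against them, and renders an nftables fragment to drop the traffic. The addresses are copied verbatim from the notice; note that its 43.255.190.0/24 sits inside its 43.255.190.0/23, so the example collapses them before emitting rules. The log lines, flow records, internal host addresses and the table name `level3_takedown` are constructed for illustration.

```python
"""Match the indicators from the notice against local logs and emit a block rule set.

Added example, not from the Level 3 notice. The addresses are copied from the
notice; the log lines, flow records and host names are constructed samples.
"""
import ipaddress
import re
from collections import Counter

# Indicators as listed in the notice, keyed by the role the notice gives them.
INDICATORS = {
    "ssh_bruteforce": ["43.255.190.0/23", "43.255.190.0/24"],
    "c2": ["103.240.140.152/32", "103.240.141.54/32",
           "103.240.141.50/32", "104.143.5.25/32"],
    "malware_hosting": ["23.234.60.140/32", "23.234.60.143/32",
                        "23.234.19.202/32"],
}

# Parse once and collapse: the notice's /24 lies inside its /23 and would otherwise
# produce a duplicate rule (and overlapping elements in an nft interval set).
NETWORKS = {
    role: list(ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes))
    for role, prefixes in INDICATORS.items()
}


def classify(ip):
    """Return the indicator roles whose prefixes contain ip (empty list if none)."""
    addr = ipaddress.ip_address(ip)
    return [role for role, nets in NETWORKS.items() if any(addr in n for n in nets)]


# Debian/Ubuntu-style sshd syslog line, with or without "invalid user".
SSHD_FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+(?:\.\d+){3}) port \d+")


def inbound_hits(auth_log):
    """Count failed SSH logins per source address that falls in the scanner prefixes."""
    counts = Counter()
    for line in auth_log.splitlines():
        m = SSHD_FAILED.search(line)
        if m and "ssh_bruteforce" in classify(m["ip"]):
            counts[m["ip"]] += 1
    return dict(counts)


def outbound_hits(flows):
    """(src, dst, role) for flows to a C2 or malware-hosting address.

    These identify an infected internal host, which matters more than the
    inbound scanning noise."""
    return [(src, dst, role)
            for src, dst, _port in flows
            for role in classify(dst)
            if role != "ssh_bruteforce"]


def nft_ruleset(table="level3_takedown"):
    """Render an nftables table with one set per role, applied on the forward hook
    (border box). A single host would use the input and output hooks instead."""
    def elements(nets):
        return ", ".join(str(n) if n.prefixlen < 32 else str(n.network_address)
                         for n in nets)
    sets = "\n".join(
        f"    set {role} {{\n        type ipv4_addr\n        flags interval\n"
        f"        elements = {{ {elements(nets)} }}\n    }}"
        for role, nets in NETWORKS.items())
    return (f"table inet {table} {{\n{sets}\n"
            "    chain forward {\n"
            "        type filter hook forward priority -10; policy accept;\n"
            "        ip saddr @ssh_bruteforce tcp dport 22 counter drop\n"
            "        ip daddr @c2 counter log prefix \"level3-c2 \" drop\n"
            "        ip daddr @malware_hosting counter log prefix \"level3-dl \" drop\n"
            "    }\n}\n")


# Constructed samples (not real log data). 43.255.191.9 is inside the /23 only.
SAMPLE_AUTH_LOG = """\
Apr  8 13:52:05 bastion sshd[2231]: Failed password for root from 43.255.190.77 port 51234 ssh2
Apr  8 13:52:06 bastion sshd[2233]: Failed password for invalid user admin from 43.255.191.9 port 51240 ssh2
Apr  8 13:52:07 bastion sshd[2235]: Failed password for root from 43.255.190.77 port 51250 ssh2
Apr  8 13:52:09 bastion sshd[2240]: Failed password for root from 192.0.2.5 port 40000 ssh2
Apr  8 13:52:10 bastion sshd[2241]: Accepted publickey for deploy from 192.0.2.5 port 40001 ssh2
"""
SAMPLE_FLOWS = [
    ("10.0.4.17", "103.240.141.50", 443),   # internal host talking to a listed C2
    ("10.0.4.17", "23.234.60.143", 80),     # same host fetching from a hosting address
    ("10.0.4.18", "198.51.100.20", 443),    # unrelated traffic
]

if __name__ == "__main__":
    print(inbound_hits(SAMPLE_AUTH_LOG))
    print(outbound_hits(SAMPLE_FLOWS))
    print(nft_ruleset())
```

The inbound count is mostly confirmation that you are seeing the same scanner; the outbound matches are the ones to chase, since a flow to a listed C2 or hosting address comes from a box that is already compromised. Load the rendered table with `nft -f` after reviewing it, and expect the exact addresses to drift, as the notice itself says they have.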
