[nsp-sec] Cisco customers experiencing grief from 212.73.150.63
J. Chambers
jchambers at ucla.edu
Fri Sep 27 11:42:07 EDT 2019
On 2019-09-25 17:56, J. Chambers wrote:
>
> I'll see if I can determine what types of ASAs and versions were involved.
>
Three of the targets were Juniper SSL VPN, all the rest report as ASA 5500s.
The Juniper VPNs were inactive at the time 212.73.150.63 attempted
communication.
Of the five ASA5500s, three received more attention than others; repeat
activity across multiple days, each event lasting less than 2 seconds
with slight packet and byte count differences.
Two devices may have been successfully exploited or crashed; there were
a few ~5 minute delays on the TCP connection. (See
ASA-attacks--possible-crash.txt.)
Across the past 30 days, all activity is within a window of 22:00 -
11:00 UTC. (See ASA-attacks--timeframe.txt)
Regards,
--Jason
(FYI - I'm in search of a new job. Please contact off-list if you're
hiring remote; occasional travel isn't an issue. Thanks.)
-------------- next part --------------
128.97.000.001 was contacted only once and exhibits the TCP communication delay.
sIP| dIP|sPort|dPort|pro| packets| bytes| flags| sTime| duration| eTime| sensor|
128.97.000.001| 212.73.150.63| 443|64776| 6| 9| 745|FS PA |2019/09/11T04:23:17.905| 1.240|2019/09/11T04:23:19.145| Border|
212.73.150.63| 128.97.000.001|64776| 443| 6| 9| 1516|F PA |2019/09/11T04:23:18.070| 1.075|2019/09/11T04:23:19.145| Border|
212.73.150.63| 128.97.000.001|64777| 443| 6| 9| 1544|FS PA EC|2019/09/11T04:23:18.985| 1.071|2019/09/11T04:23:20.056| Border|
128.97.000.001| 212.73.150.63| 443|64777| 6| 12| 3225|FS PA |2019/09/11T04:23:18.985| 1.071|2019/09/11T04:23:20.056| Border|
212.73.150.63| 128.97.000.001|64778| 443| 6| 9| 1560|FS PA EC|2019/09/11T04:23:19.899| 1.058|2019/09/11T04:23:20.957| Border|
128.97.000.001| 212.73.150.63| 443|64778| 6| 12| 3225|FS PA |2019/09/11T04:23:19.900| 1.057|2019/09/11T04:23:20.957| Border|
128.97.000.001| 212.73.150.63| 443|64779| 6| 7| 1963| S PA |2019/09/11T04:23:20.856| 240.916|2019/09/11T04:27:21.772| Border|
212.73.150.63| 128.97.000.001|64779| 443| 6| 10| 1456| S PA EC|2019/09/11T04:23:20.856| 240.916|2019/09/11T04:27:21.772| Border|
212.73.150.63| 128.97.000.001|64779| 443| 6| 5| 205| A |2019/09/11T04:28:21.780| 240.035|2019/09/11T04:32:21.815| Border|
212.73.150.63| 128.97.000.001|64779| 443| 6| 2| 81| R A |2019/09/11T04:33:21.823| 59.999|2019/09/11T04:34:21.822| Border|
128.97.000.002 was contacted three different times, each time exhibiting the TCP communication delay:
sIP| dIP|sPort|dPort|pro| packets| bytes| flags| sTime| duration| eTime| sensor|
212.73.150.63| 128.97.000.002|60276| 443| 6| 11| 1892|FS PA EC|2019/09/10T03:52:01.898| 1.232|2019/09/10T03:52:03.130| Border|
128.97.000.002| 212.73.150.63| 443|60276| 6| 16| 8832|FS PA |2019/09/10T03:52:01.899| 1.231|2019/09/10T03:52:03.130| Border|
128.97.000.002| 212.73.150.63| 443|60277| 6| 13| 5209|FS PA |2019/09/10T03:52:02.975| 1.060|2019/09/10T03:52:04.035| Border|
212.73.150.63| 128.97.000.002|60277| 443| 6| 10| 1884|FS PA EC|2019/09/10T03:52:02.975| 1.060|2019/09/10T03:52:04.035| Border|
128.97.000.002| 212.73.150.63| 443|60278| 6| 4| 694| PA |2019/09/10T03:52:04.050| 0.728|2019/09/10T03:52:04.778| Border|
212.73.150.63| 128.97.000.002|60278| 443| 6| 1| 40|F A |2019/09/10T03:52:04.778| 0.000|2019/09/10T03:52:04.778| Border|
212.73.150.63| 128.97.000.002|60279| 443| 6| 11| 1512| S PA EC|2019/09/10T03:52:04.866| 240.903|2019/09/10T03:56:05.769| Border|
128.97.000.002| 212.73.150.63| 443|60279| 6| 8| 3773| S PA |2019/09/10T03:52:04.867| 240.902|2019/09/10T03:56:05.769| Border|
212.73.150.63| 128.97.000.002|60279| 443| 6| 5| 205| A |2019/09/10T03:57:05.776| 240.021|2019/09/10T04:01:05.797| Border|
212.73.150.63| 128.97.000.002|60279| 443| 6| 2| 81| R A |2019/09/10T04:02:05.798| 60.008|2019/09/10T04:03:05.806| Border|
212.73.150.63| 128.97.000.002|51852| 443| 6| 12| 1932|FS PA EC|2019/09/17T22:28:07.228| 1.239|2019/09/17T22:28:08.467| Border|
128.97.000.002| 212.73.150.63| 443|51852| 6| 16| 8832|FS PA |2019/09/17T22:28:07.233| 1.234|2019/09/17T22:28:08.467| Border|
212.73.150.63| 128.97.000.002|51853| 443| 6| 8| 1287| S PA EC|2019/09/17T22:28:08.315| 1.066|2019/09/17T22:28:09.381| Border|
128.97.000.002| 212.73.150.63| 443|51853| 6| 7| 1868|F PA |2019/09/17T22:28:08.481| 0.900|2019/09/17T22:28:09.381| Border|
128.97.000.002| 212.73.150.63| 443|51854| 6| 13| 5209|FS PA |2019/09/17T22:28:09.216| 1.066|2019/09/17T22:28:10.282| Border|
212.73.150.63| 128.97.000.002|51854| 443| 6| 10| 1884|FS PA EC|2019/09/17T22:28:09.216| 1.066|2019/09/17T22:28:10.282| Border|
128.97.000.002| 212.73.150.63| 443|51855| 6| 8| 3773| S PA |2019/09/17T22:28:10.242| 240.955|2019/09/17T22:32:11.197| Border|
212.73.150.63| 128.97.000.002|51855| 443| 6| 11| 1512| S PA EC|2019/09/17T22:28:10.242| 240.955|2019/09/17T22:32:11.197| Border|
212.73.150.63| 128.97.000.002|51855| 443| 6| 5| 205| A |2019/09/17T22:33:11.192| 240.023|2019/09/17T22:37:11.215| Border|
212.73.150.63| 128.97.000.002|51855| 443| 6| 2| 81| R A |2019/09/17T22:38:11.216| 60.044|2019/09/17T22:39:11.260| Border|
212.73.150.63| 128.97.000.002|64686| 443| 6| 12| 1932|FS PA EC|2019/09/20T03:15:01.587| 1.239|2019/09/20T03:15:02.826| Border|
128.97.000.002| 212.73.150.63| 443|64686| 6| 14| 8293| S PA |2019/09/20T03:15:01.588| 1.238|2019/09/20T03:15:02.826| Border|
128.97.000.002| 212.73.150.63| 443|64687| 6| 8| 1663|FS PA |2019/09/20T03:15:02.667| 0.899|2019/09/20T03:15:03.566| Border|
212.73.150.63| 128.97.000.002|64687| 443| 6| 6| 1099| PA |2019/09/20T03:15:02.831| 0.735|2019/09/20T03:15:03.566| Border|
212.73.150.63| 128.97.000.002|64688| 443| 6| 10| 1884|FS PA EC|2019/09/20T03:15:03.570| 1.067|2019/09/20T03:15:04.637| Border|
128.97.000.002| 212.73.150.63| 443|64688| 6| 13| 5209|FS PA |2019/09/20T03:15:03.571| 1.066|2019/09/20T03:15:04.637| Border|
212.73.150.63| 128.97.000.002|64689| 443| 6| 11| 1512| S PA EC|2019/09/20T03:15:04.573| 240.955|2019/09/20T03:19:05.528| Border|
128.97.000.002| 212.73.150.63| 443|64689| 6| 8| 3773| S PA |2019/09/20T03:15:04.574| 240.954|2019/09/20T03:19:05.528| Border|
212.73.150.63| 128.97.000.002|64689| 443| 6| 3| 123| A |2019/09/20T03:20:05.539| 120.009|2019/09/20T03:22:05.548| Border|
212.73.150.63| 128.97.000.002|64689| 443| 6| 3| 122| R A |2019/09/20T03:24:05.568| 120.020|2019/09/20T03:26:05.588| Border|
-------------- next part --------------
Date| Records| Bytes| Packets|
2019/08/31T08:00:00| 4.00| 608.00| 12.00|
2019/09/01T05:00:00| 2.00| 304.00| 6.00|
2019/09/01T07:00:00| 2.00| 304.00| 6.00|
2019/09/01T10:00:00| 2.00| 304.00| 6.00|
2019/09/09T08:00:00| 8.00| 32517.00| 101.00|
2019/09/10T03:00:00| 8.73| 23984.80| 77.63|
2019/09/10T04:00:00| 1.27| 137.20| 3.37|
2019/09/10T08:00:00| 8.00| 30975.00| 95.00|
2019/09/11T04:00:00| 10.00| 15520.00| 84.00|
2019/09/12T11:00:00| 8.00| 13326.00| 74.00|
2019/09/17T04:00:00| 8.00| 33640.00| 101.00|
2019/09/17T22:00:00| 10.00| 26583.00| 92.00|
2019/09/18T02:00:00| 8.00| 33386.00| 96.00|
2019/09/19T09:00:00| 8.00| 31373.00| 100.00|
2019/09/20T03:00:00| 10.00| 25610.00| 88.00|
2019/09/20T07:00:00| 12.00| 42923.00| 138.00|
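The "TCP communication delay" signature in the flow listing above (a ~240 s record with no FIN, then ACK-only and RST records on the same client port) can be picked out of SiLK rwcut output mechanically. The following is an added example, not code from the original post or from SiLK; the sample records are copied from the listing above, the pipe-delimited column layout and the FSRPAUEC flag ordering are assumptions about the rwcut format, and the 60 s stall threshold is a constructed choice.

```python
"""Flag stalled TCP sessions (no FIN, minutes-long, ending in RST) in rwcut output."""
from collections import defaultdict
from datetime import datetime

# Constructed sample: one stalled session (client port 64779) and one clean
# session (client port 64778), copied from the flow listing in the post.
SAMPLE = """\
sIP| dIP|sPort|dPort|pro| packets| bytes| flags| sTime| duration| eTime| sensor|
128.97.000.001| 212.73.150.63| 443|64779| 6| 7| 1963| S PA |2019/09/11T04:23:20.856| 240.916|2019/09/11T04:27:21.772| Border|
212.73.150.63| 128.97.000.001|64779| 443| 6| 10| 1456| S PA EC|2019/09/11T04:23:20.856| 240.916|2019/09/11T04:27:21.772| Border|
212.73.150.63| 128.97.000.001|64779| 443| 6| 5| 205| A |2019/09/11T04:28:21.780| 240.035|2019/09/11T04:32:21.815| Border|
212.73.150.63| 128.97.000.001|64779| 443| 6| 2| 81| R A |2019/09/11T04:33:21.823| 59.999|2019/09/11T04:34:21.822| Border|
128.97.000.001| 212.73.150.63| 443|64778| 6| 12| 3225|FS PA |2019/09/11T04:23:19.900| 1.057|2019/09/11T04:23:20.957| Border|
"""

TIME_FMT = "%Y/%m/%dT%H:%M:%S.%f"  # assumed rwcut timestamp layout, as seen above


def parse_rwcut(text):
    """Parse pipe-delimited rwcut text into dicts keyed by the header names."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = [h.strip() for h in lines[0].rstrip("|").split("|")]
    recs = []
    for line in lines[1:]:
        rec = dict(zip(header, (f.strip() for f in line.rstrip("|").split("|"))))
        # rwcut prints flags in fixed columns (F S R P A U E C); drop the padding.
        rec["flags"] = set(rec["flags"].replace(" ", ""))
        rec["duration"] = float(rec["duration"])
        rec["sTime"] = datetime.strptime(rec["sTime"], TIME_FMT)
        rec["eTime"] = datetime.strptime(rec["eTime"], TIME_FMT)
        recs.append(rec)
    return recs


def sessions(recs, server_port="443"):
    """Group both directions of a connection by (client IP, client port)."""
    by_key = defaultdict(list)
    for r in recs:
        key = (r["sIP"], r["sPort"]) if r["dPort"] == server_port else (r["dIP"], r["dPort"])
        by_key[key].append(r)
    return by_key


def find_stalls(recs, min_stall=60.0):
    """Return sessions that hung for >= min_stall seconds, never saw a FIN, and ended in RST."""
    out = []
    for key, rs in sessions(recs).items():
        longest = max(r["duration"] for r in rs)
        fin_seen = any("F" in r["flags"] for r in rs)
        rst_seen = any("R" in r["flags"] for r in rs)
        if longest >= min_stall and not fin_seen and rst_seen:
            span = (max(r["eTime"] for r in rs) - min(r["sTime"] for r in rs)).total_seconds()
            out.append({"client": key, "records": len(rs), "span_s": round(span, 3)})
    return out
```

Run against a full rwcut export, `find_stalls` returns one entry per client port that shows the post's delay pattern, with the wall-clock span the device sat in that state.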