Bill Sconce wrote:

> On Wed, 14 Dec 2005 19:57:45 -0500 Ben Scott <[EMAIL PROTECTED]>
> wrote:
>
>> ...the fact that a great many of the world's computers are not, in
>> fact, under the control of the nominal owner of said computer.

> By coincidence, almost as Ben was writing this my firewall machine
> was becoming the recipient of an SSH attack.
>
> OK, thousands of attempted logins - that's what a dictionary attack
> IS.
>
> But what's interesting is how many addresses the attack came FROM,
> and how quickly "the word" gets around when "someone" sees that a
> port at some IP address is an SSH port. A "great many of the world's
> computers are not, in fact, under the control of the nominal owner
> of said computer," Ben says.

Amazingly true. I tried to chase down some of these attacks a year ago.
They came from all over, so obviously it was a botnet. All it would have
taken was one "someone" finding the port. And one "someone" to make
the attack. The botnet would have done the rest. No word would need
to get around.

Most of the ISPs at that time, except for Brasil Telecom, were not responsive
when I reported the attacks to them a year ago. I wonder if that's improved.
I stopped reporting attacks as it felt like spitting in the wind.

> Well, a high school in Korea, sure. A network company in Shanghai,
> natch.
>
> But... a bank in Vermont?

Newsbank in Chester VT is not a bank. It compiles information from periodicals for libraries. I used to know someone who had done work for them, I think. From their web site: "Our web-based resources feature content from newspapers, newswires, business journals, historical and scholarly documents, periodicals and more." They do provide remote access via the web, but the IP appears to be an in-house system.

> *Verizon*? (heh, heh)

Well, at least one of their customers.

I've received SSH attacks from several of these in the past.

> ________________________________________________________________________
> The attacks came from (I wrote a Python program to extract the IPs
> from 7,078 lines of text in the log):
>
> 209.59.164.162 "Liquid Web", 4210 Creyts Rd., Lansing MI, US

A web host from which I never got a reply when I reported the attacks to them.

> 201.11.221.140 Brasil Telecom S/A - Filial Distrito Federal, Brasilia

I get a fair number of attacks from this Brazilian ISP. They have responded positively in the past. Of course, I reported the attacks in Portuguese, as I used to know someone who spoke it.
That might have helped. :-)

> 204.126.80.26 NewsBank, Inc., 397 Main Street, Chester VT, US
>
> 210.97.10.180 Changhowon High School, Icheon Si, GYEONGGI-DO, Korea

The rest are all ISPs. So, infected customers. Monocultures are bad. (I'm presuming,
reasonably so, I think, that these are all infected Windows systems.)

> 211.99.64.236 Telecommunication Corporation, CNPC, Haidian District,
> Beijing
>
> 61.129.117.112 Shanghai Global Network Co., Ltd, 333 North Jiangxi
> Rd, Shanghai
>
> 70.109.161.147 Verizon Internet Services, 1880 Campus Commons Dr,
> Reston VA, US

All I ever got from them was an automated reply with a link to their FAQ
on PPPoE authentication and how to install their client software. Not too useful
when reporting an attack. :-)

> 85.214.22.59 Strato Rechenzentrum AG, Pascalstrasse 10, Berlin

--
Dan Jenkins ([EMAIL PROTECTED])
Rastech Inc., Bedford, NH, USA --- 1-603-206-9951
*** Technical Support Excellence for over a quarter century

_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
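Bill mentions a Python program that pulled the source addresses out of 7,078 lines of his firewall log. The script below is an added example, not Bill's program (which is not on the page) and not part of the original thread. It does the same extraction on OpenSSH syslog lines, and additionally counts failed attempts and distinct usernames per source address, which is what distinguishes a dictionary attack spread across a botnet from a single user mistyping a password. The log lines and the addresses (RFC 5737 documentation ranges) are constructed for the example; the only assumption about the log is OpenSSH's "Failed password for ... from ... port ..." message format.

```python
import re
import sys
from collections import defaultdict

# Constructed sample of sshd syslog lines for this example. The addresses are
# from the RFC 5737 documentation ranges, not real attackers.
SAMPLE_LOG = """\
Dec 14 19:58:01 fw sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Dec 14 19:58:03 fw sshd[1235]: Failed password for invalid user test from 192.0.2.10 port 51240 ssh2
Dec 14 19:58:05 fw sshd[1236]: Failed password for root from 198.51.100.7 port 40000 ssh2
Dec 14 19:58:06 fw sshd[1237]: Invalid user oracle from 198.51.100.7
Dec 14 19:58:07 fw sshd[1238]: Failed password for invalid user oracle from 198.51.100.7 port 40001 ssh2
Dec 14 19:58:09 fw sshd[1239]: Accepted publickey for dan from 203.0.113.5 port 2222 ssh2
Dec 14 19:58:10 fw sshd[1240]: Failed password for invalid user guest from 192.0.2.10 port 51250 ssh2
"""

# OpenSSH's failed-password message; "invalid user" is present only when the
# account does not exist on the host, so it is optional here.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins(lines):
    """Yield (source_ip, username) for every failed password attempt."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")


def summarize(lines):
    """Map each source address to (failed attempts, sorted distinct usernames)."""
    attempts = defaultdict(int)
    users = defaultdict(set)
    for ip, user in failed_logins(lines):
        attempts[ip] += 1
        users[ip].add(user)
    return {ip: (attempts[ip], sorted(users[ip])) for ip in attempts}


def offenders(lines, threshold=3):
    """Addresses with at least `threshold` failures, most failures first.

    Many distinct usernames from one address is the dictionary-attack
    pattern; one username retried a couple of times is usually a typo.
    """
    summary = summarize(lines)
    return sorted(
        (ip for ip, (n, _) in summary.items() if n >= threshold),
        key=lambda ip: -summary[ip][0],
    )


def report(lines, threshold=3):
    """One line per offending address: ip, attempt count, usernames tried."""
    summary = summarize(lines)
    return [
        f"{ip} {summary[ip][0]} attempts, users: {', '.join(summary[ip][1])}"
        for ip in offenders(lines, threshold)
    ]


if __name__ == "__main__":
    # Read a real log from stdin when one is piped in, else use the sample.
    if sys.stdin.isatty():
        source = SAMPLE_LOG.splitlines()
    else:
        source = sys.stdin.read().splitlines()
    for row in report(source, threshold=1):
        print(row)
```

In practice one would run something like `grep sshd /var/log/auth.log | python3 sshfails.py`; the per-address list it prints is the input for the whois lookups and abuse reports Bill and Dan describe, and the username column is what tells an ISP that the box was brute-forcing rather than simply misconfigured.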