[Full-disclosure] Brain dead SSH scans from Italy

2005-10-28 Thread Etaoin Shrdlu
Well, I'm stumped. I mean, really stumped.

I've had a host scanning my network for the past three days, and it
initially looked like one of the automated scans we've all become so
familiar with (unfortunately). Naturally, the automatic defense was
engaged, and I thought that would be the end of it. Nope.

It continues to send SYN packets, and although it's dropped off in attacks
to the other machines, it still pounds at the doors of two of them. Those
two machines have a couple of things in common: they are both running BIND
9, and are both OpenBSD {mumble}.

I've sent email off to the RIPE contacts for the IP (195.250.227.226), and
to the WHOIS contacts for the domain (ocem.com), and to [EMAIL PROTECTED] as
well. Nothing. If I take off the null routing on either of those machines,
it immediately starts hammering at them, with no signs of cessation. I have
considered just letting it finish, but I'm more concerned that there's a
new variant on this moronic scan that doesn't know when to quit. I suspect
that the continuation is because they are DNS servers, since I took the
blocking off of one of the other machines also running OpenBSD, and the
scanning did not resume (although I had expected it to).

I'm at a loss. If anyone knows Italian (I don't), and can contact one of:

[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]

or anyone at ocem.com, please, let them know that the machine is
compromised, and that they need to take it off line, and clean it up.

TIA and all that.

--
There are two ways, my friend, that you can be rich in life.
One is to make a lot of money and the other is to have few needs.

William Sloane Coffin, Letters to a Young Doubter
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Brain dead SSH scans from Italy

2005-10-28 Thread Jeff MacDonald
On Fri, 2005-10-28 at 08:15 -0700, Etaoin Shrdlu wrote:
> Well, I'm stumped. I mean, really stumped.
> 
> I've had a host scanning my network for the past three days, and it
> initially looked like one of the automated scans we've all become so
> familiar with (unfortunately). Naturally, the automatic defense was
> engaged, and I thought that would be the end of it. Nope.
[..snipped..]
> I'm at a loss. If anyone knows Italian (I don't), and can contact one of:
[..snipped..]

Try this site: http://babelfish.altavista.com/babelfish/  which can
translate English to Italian. You might want to cc the abuse address for
their upstream too.

Regards,
J
-- 
Jeff MacDonald
Zoid Technologies
GPG Fingerprint: 0831 879E B6B4 C4CC D3C9 419F B12D E3CE B927 04B2



Re: [Full-disclosure] Brain dead SSH scans from Italy

2005-10-28 Thread Etaoin Shrdlu
Etaoin Shrdlu wrote:
 
> Well, I'm stumped. I mean, really stumped.
> 
> I've had a host scanning my network for the past three days...
> 
> I'm at a loss. If anyone knows Italian (I don't), and can contact one of:
> 
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> 
> or anyone at ocem.com, please, let them know that the machine is
> compromised, and that they need to take it off line, and clean it up.

Thanks to whoever finally got through, however you did it. I had actually
allowed one host to start responding, and it had gotten to the part I
always least understand, i.e. the tries for root's password. I mean,
really, are there that many hosts out there with root accounts that can be
guessed with an automated password guesser? Anyway, it suddenly stopped,
and stopped attempting the other machine(s) as well. Whew.

Thanks again.

--
There are two ways, my friend, that you can be rich in life.
One is to make a lot of money and the other is to have few needs.

William Sloane Coffin, Letters to a Young Doubter

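The post above describes watching a scanner work through root's password after the block was lifted. As an added example that is not part of the original thread, the script below does the triage a practitioner would want before null-routing a source: it parses OpenSSH "Failed password" log lines, counts failures per source and per target user, and flags sources that exceed a threshold, reporting separately how many of their attempts were aimed at root. The log lines are constructed for this example (documentation-range IPs 192.0.2.10 and 198.51.100.7, hostname ns1), and the threshold of four failures is an assumed policy value, not something the post specifies.

```python
import re
from collections import defaultdict

# Constructed sample OpenSSH auth log lines; not taken from the original post.
# 192.0.2.10 behaves like the scanner described in the thread (root plus
# guessed usernames); 198.51.100.7 is a legitimate user who fat-fingers once.
SAMPLE_LOG = """\
Oct 28 13:10:01 ns1 sshd[4521]: Failed password for root from 192.0.2.10 port 40110 ssh2
Oct 28 13:10:02 ns1 sshd[4521]: Failed password for root from 192.0.2.10 port 40110 ssh2
Oct 28 13:10:04 ns1 sshd[4523]: Invalid user admin from 192.0.2.10
Oct 28 13:10:04 ns1 sshd[4523]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
Oct 28 13:10:06 ns1 sshd[4525]: Failed password for invalid user test from 192.0.2.10 port 40114 ssh2
Oct 28 13:10:09 ns1 sshd[4527]: Failed password for root from 192.0.2.10 port 40116 ssh2
Oct 28 13:10:11 ns1 sshd[4529]: Failed password for root from 192.0.2.10 port 40118 ssh2
Oct 28 13:12:40 ns1 sshd[4533]: Failed password for alice from 198.51.100.7 port 51002 ssh2
Oct 28 13:12:55 ns1 sshd[4535]: Accepted publickey for alice from 198.51.100.7 port 51004 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..."; the optional group
# swallows the "invalid user " prefix so the username capture stays clean.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def tally_failures(log_text):
    """Return {source_ip: {username: failed_attempts}} from raw sshd log text."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")][m.group("user")] += 1
    return counts


def classify_sources(counts, threshold=4):
    """Summarise each source; 'bruteforce' is True once failures reach threshold.

    threshold=4 is an assumed policy value for this example.
    root_attempts is reported separately because a source hammering root is
    the case the thread is about, even when its total is still low.
    """
    results = {}
    for ip, per_user in counts.items():
        total = sum(per_user.values())
        results[ip] = {
            "total": total,
            "root_attempts": per_user.get("root", 0),
            "distinct_users": len(per_user),
            "bruteforce": total >= threshold,
        }
    return results


def block_list(results):
    """Sorted list of source IPs that should be null-routed or fed to a pf table."""
    return sorted(ip for ip, r in results.items() if r["bruteforce"])


if __name__ == "__main__":
    summary = classify_sources(tally_failures(SAMPLE_LOG))
    for ip in sorted(summary):
        print(ip, summary[ip])
    print("block:", block_list(summary))
```

On the OpenBSD hosts the post mentions, the addresses from `block_list()` are the ones you would hand to `pfctl -t <table> -T add` for a table referenced by a `block in quick` rule, which is the usual way to turn this kind of log triage into the "automatic defense" the poster refers to.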

Re: [Full-disclosure] Brain dead SSH scans from Italy

2005-10-28 Thread Valdis . Kletnieks
On Fri, 28 Oct 2005 13:14:31 PDT, Etaoin Shrdlu said:

> always least understand, i.e. the tries for root's password. I mean,
> really, are there that many hosts out there with root accounts that can be
> guessed with an automated password guesser?

You're new here, aren't you? :)



Re: [Full-disclosure] Brain dead SSH scans from Italy

2005-10-28 Thread Vania Martino Toma
Etaoin Shrdlu wrote:

> Well, I'm stumped. I mean, really stumped.
> 
> I've had a host scanning my network for the past three days, and it
> initially looked like one of the automated scans we've all become so
> familiar with (unfortunately). Naturally, the automatic defense was
> engaged, and I thought that would be the end of it. Nope.
> 
> It continues to send SYN packets, and although it's dropped off in attacks
> to the other machines, it still pounds at the doors of two of them. Those
> two machines have a couple of things in common: they are both running BIND
> 9, and are both OpenBSD {mumble}.
> 
> I've sent email off to the RIPE contacts for the IP (195.250.227.226), and
> to the WHOIS contacts for the domain (ocem.com), and to [EMAIL PROTECTED] as
> well. Nothing. If I take off the null routing on either of those machines,
> it immediately starts hammering at them, with no signs of cessation. I have
> considered just letting it finish, but I'm more concerned that there's a
> new variant on this moronic scan that doesn't know when to quit. I suspect
> that the continuation is because they are DNS servers, since I took the
> blocking off of one of the other machines also running OpenBSD, and the
> scanning did not resume (although I had expected it to).
> 
> I'm at a loss. If anyone knows Italian (I don't), and can contact one of:
> 
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> 
> or anyone at ocem.com, please, let them know that the machine is
> compromised, and that they need to take it off line, and clean it up.
> 
> TIA and all that.
> 
> --
> There are two ways, my friend, that you can be rich in life.
> One is to make a lot of money and the other is to have few needs.
> 
> William Sloane Coffin, Letters to a Young Doubter

I'm Italian. If you want, send me the text of the email for:

[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]

and I will take care of the translation myself.
Regards

Vania




Re: [Full-disclosure] Brain dead SSH scans from Italy

2005-10-28 Thread Nick FitzGerald
Etaoin Shrdlu wrote:

snip
> Thanks to whoever finally got through, however you did it. I had actually
> allowed one host to start responding, and it had gotten to the part I
> always least understand, i.e. the tries for root's password. I mean,
> really, are there that many hosts out there with root accounts that can be
> guessed with an automated password guesser?  ...

Define "that many"...

It's not about the total number -- it's simply about the fact that
there really are some, and we know that here some == quite a few more
than one. Better to think of it in terms of a proportion though,
then allow that the law of large numbers kicks in _on both the
attackers' and victims' sides of the equation_. If the potential
attackers can run their probes from a botnet then they reduce their own
workload significantly and are not even risking discovery or any real
loss if they are tracked/shut down, as it is all but guaranteed that all
they will lose is a bot or two in the odd case where someone will care
enough to try to track down the attacker. And if the available
victims are, say, 0.00015% of all machines, scanning a few million
machines gets you plenty more new victims.

And that's not even considering that some machines may be more 
worthwhile cracking than others...


Regards,

Nick FitzGerald
