A LOT OF SSHD BRUTEFORCING FROM ZAIN AND SAFARICOM IP

If you haven't checked your logs, please do. A lot of guys are brute-forcing using dongles and gaining access to systems. Check http://lists.my.co.ke/pipermail/security/2009-May/000104.html
./Chuks
--
Gichuki John Ndirangu, C.E.H, C.P.T.P, O.S.C.P
I.T Security Analyst and Penetration Tester
infosigmer@inbox.com
{FORUM} http://lists.my.co.ke/pipermail/security/
http://nspkenya.blogspot.com/
http://chuksjonia.blogspot.com/
http://www.kamongo.co.ke/

It's from Safcom!!

On Wed, May 6, 2009 at 23:13, chuks Jonia <chuksjonia@gmail.com> wrote:
If you haven't checked your logs, please do. A lot of guys are brute-forcing using dongles and gaining access to systems. Check http://lists.my.co.ke/pipermail/security/2009-May/000104.html
./Chuks

_______________________________________________
Skunkworks mailing list
Skunkworks@lists.my.co.ke
http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
Other services @ http://my.co.ke
Other lists
-------------
Skunkworks announce: http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce
Science - http://lists.my.co.ke/cgi-bin/mailman/listinfo/science
kazi - http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general

Yeah, the IPs are from Zain and Safcom, most likely from dongles. Someone just learned how to do it.

On Wed, May 6, 2009 at 11:26 PM, John Macharia <kihahu@gmail.com> wrote:
It's from Safcom!!

On Wed, May 6, 2009 at 11:13 PM, chuks Jonia <chuksjonia@gmail.com> wrote:
If you haven't checked your logs, please do. A lot of guys are brute-forcing using dongles and gaining access to systems. Check http://lists.my.co.ke/pipermail/security/2009-May/000104.html
./Chuks

Seen this before; it was a rootkit running on a poorly secured *nix box. Usually IRC bots, but could be different. At least it was IRC then. The rootkit does the brute force attack and reports back to an IRC channel once it hits another box, then that can be used to relay spam, porn, warez... the works... and oh yes, another brute force attack.
BR, S

Steve, these are not IRC bots. I have worked with such. These are coming from direct IPs; I'm sure these are dongles. IRC bots jump from one zombie to another depending on the networks that the herder has compromised.
./Chuks

On Thu, May 7, 2009 at 12:53 AM, Steve Muchai <smuchai@gmail.com> wrote:
Seen this before; it was a rootkit running on a poorly secured *nix box.
Usually IRC bots, but could be different. At least it was IRC then. The rootkit does the brute force attack and reports back to an IRC channel once it hits another box, then that can be used to relay spam, porn, warez... the works... and oh yes, another brute force attack.
BR, S

On Thu, May 7, 2009 at 12:57 AM, chuks Jonia <chuksjonia@gmail.com> wrote:
Steve, these are not IRC bots. I have worked with such. These are coming from direct IPs; I'm sure these are dongles.
IRC bots jump from one zombie to another depending on the networks that the herder has compromised.

You'll only see one IP, or maybe just a few from a pool, which are usually on the same subnet. They use NAT.
BR, S
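As an added example (not from the thread or any of its authors), a small Python script that does the log check the thread recommends: it parses sshd "Failed password" lines and counts failures per source IP and per /24, so a NAT'd dongle pool that shows up as one address or a few neighbouring ones still stands out. The log lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed sample auth.log lines (not from the thread); the addresses are
# RFC 5737 documentation ranges standing in for the dongle pools discussed.
SAMPLE_LOG = """\
May  6 22:41:03 host sshd[2011]: Failed password for invalid user admin from 203.0.113.10 port 51231 ssh2
May  6 22:41:05 host sshd[2012]: Failed password for invalid user oracle from 203.0.113.10 port 51240 ssh2
May  6 22:41:07 host sshd[2013]: Failed password for root from 203.0.113.10 port 51252 ssh2
May  6 22:41:09 host sshd[2014]: Failed password for root from 203.0.113.44 port 40122 ssh2
May  6 22:41:11 host sshd[2015]: Failed password for invalid user test from 203.0.113.44 port 40130 ssh2
May  6 22:41:12 host sshd[2016]: Failed password for invalid user guest from 203.0.113.44 port 40131 ssh2
May  6 22:42:00 host sshd[2020]: Accepted publickey for alice from 198.51.100.7 port 60001 ssh2
May  6 22:43:15 host sshd[2021]: Failed password for bob from 198.51.100.7 port 60002 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def failed_logins(log_text):
    """Return (ip, user) pairs for every failed sshd password attempt."""
    return [(m.group("ip"), m.group("user"))
            for line in log_text.splitlines()
            if (m := FAILED_RE.search(line))]

def suspicious_sources(log_text, per_ip=3, per_subnet=5):
    """Count failures per source IP and per /24; a NAT'd dongle pool shows up
    as one address or a few neighbours on the same subnet, so both views matter."""
    by_ip, by_subnet, users = Counter(), Counter(), defaultdict(set)
    for ip, user in failed_logins(log_text):
        by_ip[ip] += 1
        by_subnet[str(ip_network(f"{ip}/24", strict=False))] += 1
        users[ip].add(user)
    ips = {ip: n for ip, n in by_ip.items() if n >= per_ip}
    subnets = {net: n for net, n in by_subnet.items() if n >= per_subnet}
    return ips, subnets, {ip: sorted(u) for ip, u in users.items()}

if __name__ == "__main__":
    ips, subnets, users = suspicious_sources(SAMPLE_LOG)
    for ip, n in ips.items():
        print(f"{ip}: {n} failures, usernames tried: {', '.join(users[ip])}")
    for net, n in subnets.items():
        print(f"{net}: {n} failures across the /24")
```

On a real host, read /var/log/auth.log (or the equivalent) in place of SAMPLE_LOG; the per-subnet view is what catches a pool that rotates across a few neighbouring addresses.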
participants (3): chuks Jonia, John Macharia, Steve Muchai