177.69.238.15


Shaun

Jan 6, 2013, 4:31:30 PM
to iscds...@googlegroups.com
Yikes. This IP attempted to hit my server 1880233 times (yes, that's
nearly TWO MILLION ssh attempts) over the past couple of days. First
blocked in the firewall at Jan 5 01:42:33 for an ssh attempt with
invalid user ROOT, but kept right on trying. Logs are submitting now.

-s

[shaun@shaunc ~]$ whois -h whois.lacnic.net 177.69.238.15

% Joint Whois - whois.lacnic.net
% This server accepts single ASN, IPv4 or IPv6 queries

% Brazilian resource: whois.registro.br


% Copyright (c) Nic.br
% The use of the data below is only permitted as described in
% full by the terms of use (http://registro.br/termo/en.html),
% being prohibited its distribution, comercialization or
% reproduction, in particular, to use it for advertising or
% any similar purpose.
% 2013-01-06 19:26:29 (BRST -02:00)

inetnum: 177.69/16
aut-num: AS16735
abuse-c: CST87
owner: COMPANHIA DE TELECOMUNICACOES DO BRASIL CENTRAL
ownerid: 071.208.516/0001-74
responsible: Cristiano Azevedo Vinaud
country: BR
owner-c: CCRDO
tech-c: CNI15
inetrev: 177.69.128/17
nserver: nspar.ctbc.com.br
nsstat: 20130105 AA
nslastaa: 20130105
nserver: nssar.ctbc.com.br
nsstat: 20130105 AA
nslastaa: 20130105
created: 20110621
changed: 20110629

nic-hdl-br: CCRDO
person: CTBC - Contratos e Registro de Domínios
e-mail: secu...@ctbc.com.br
created: 20070606
changed: 20121025

nic-hdl-br: CNI15
person: CTBC - Núcleo de Aministração de IPs
e-mail: ad...@ctbc.com.br
created: 20060417
changed: 20110608

nic-hdl-br: CST87
person: Computer Security Incident Response Team
e-mail: ab...@ctbc.com.br
created: 20051208
changed: 20111117

% Security and mail abuse issues should also be addressed to
% cert.br, http://www.cert.br/, respectivelly to ce...@cert.br
% and mail-...@cert.br
%
% whois.registro.br accepts only direct match queries. Types
% of queries are: domain (.br), ticket, provider, ID, CIDR
% block, IP and ASN.

Tom Byrnes

Jan 7, 2013, 12:07:32 PM
to iscds...@googlegroups.com
You should probably also run Denyhosts, and share data with them. It's a very effective system, for the same reason as DShield, for stopping password cracking attempts.

http://denyhosts.sourceforge.net/
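As an added illustration (not code from this thread or from Denyhosts itself) of the local half of what Denyhosts does: count failed sshd logins per source address and emit TCP-wrapper hosts.deny entries for any source over a threshold. The log lines are constructed in standard OpenSSH syslog format (the 177.69.238.15 entries mirror the report above; 203.0.113.7, 10.0.0.5 and the threshold of 3 are made-up values).

```python
import re
from collections import Counter

# Constructed sample sshd lines in syslog format. The 177.69.238.15 entries
# echo the report in this thread; 203.0.113.7 and 10.0.0.5 are made-up hosts.
SAMPLE_LOG = """\
Jan  5 01:42:33 shaunc sshd[4021]: Invalid user ROOT from 177.69.238.15
Jan  5 01:42:33 shaunc sshd[4021]: Failed password for invalid user ROOT from 177.69.238.15 port 51234 ssh2
Jan  5 01:42:35 shaunc sshd[4023]: Invalid user admin from 177.69.238.15
Jan  5 01:42:35 shaunc sshd[4023]: Failed password for invalid user admin from 177.69.238.15 port 51240 ssh2
Jan  5 01:42:37 shaunc sshd[4025]: Failed password for root from 177.69.238.15 port 51251 ssh2
Jan  5 01:43:01 shaunc sshd[4030]: Accepted publickey for shaun from 10.0.0.5 port 50000 ssh2
Jan  5 01:44:10 shaunc sshd[4041]: Failed password for shaun from 203.0.113.7 port 40000 ssh2
Jan  5 01:44:12 shaunc sshd[4041]: Accepted password for shaun from 203.0.113.7 port 40000 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def failed_logins(log_text):
    """Yield (ip, user) for every 'Failed password' line.

    Plain 'Invalid user' lines are skipped on purpose: sshd logs one for the
    username lookup and then a 'Failed password for invalid user' line for the
    attempt itself, so counting both would double every bad-username try.
    """
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")

def offenders(log_text, threshold):
    """Return {ip: failure_count} for sources with at least `threshold` failures."""
    counts = Counter(ip for ip, _ in failed_logins(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}

def hosts_deny_lines(log_text, threshold):
    """Render offenders as 'sshd: <ip>' entries, the hosts.deny form Denyhosts writes."""
    return [f"sshd: {ip}" for ip in sorted(offenders(log_text, threshold))]

if __name__ == "__main__":
    for ip, n in sorted(offenders(SAMPLE_LOG, 3).items()):
        print(f"{ip}\t{n} failed logins")
    print("\n".join(hosts_deny_lines(SAMPLE_LOG, 3)))
```

Successful logins are deliberately not counted, so a legitimate user who mistypes once (203.0.113.7) stays below the threshold while the brute-forcing source is listed.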

Tom Byrnes

Jan 7, 2013, 6:49:14 PM
to iscds...@googlegroups.com
I added this IP to the ThreatSTOP emergency feed this AM, on the assumption it will wind up in DShield later today.

FYI (shameless plug follows), if you want to automatically update your firewalls with the DShield blocklist, as well as Denyhosts and over 36 other data sources, and have your logs automatically submitted to dshield when you send them up to get reports (we have a DShield mirror that we pipe all logs we receive to), then that's what ThreatSTOP does. We have a free trial, and work on over 80% of the installed base of firewalls.

For DShield submitters, we offer a free (as in beer, you need to submit your logs to us or DShield) "community" account, that includes the DShield list and some other community feeds.

Stay Safe Online!

Tom.