James Lay | 9 Jul 04:05

New round of SSH scan IP's

Fresh IP’s from when they started, about 2 hours ago.  If you see one that’s yours, something is amiss on your network.


James
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
A.L.M.Buxey | 9 Jul 10:29

Re: New round of SSH scan IP's

hi,

James, last time I checked there were several online resources
where such scans can be submitted - and those people that
use those resources are able to take action - eg get alerts
about systems on your own nets etc - whilst an email to this
list is informative, it's not quite the best way, human resource-wise,
to get on top of these damn scanners :-|

alan


Re: New round of SSH scan IP's

> it's not quite the best way, human resource-wise,
> to get on top of these damn scanners :-|
We've replaced the allow ssh access to all with an allow on a need
basis. So most national IP-ranges, several foreign ones and some static
IPs are allowed. All the rest is bumped. We have no customers in China,
Korea, Russia, etc. It sure cut down on the number of scans we see.

We'll probably add rate limitation on top.

Client certificates would cut it down completely, but is more expensive
to implement. It would also require everybody to always carry a USB (or
something) with their cert.

-- 
Thanks, Peter


James Lay | 9 Jul 15:07

Re: New round of SSH scan IP's


On 7/9/08 3:20 AM, "Peter van den Heuvel" <peter <at> txnt.net> wrote:

>> it's not quite the best way, human resource-wise,
>> to get on top of these damn scanners :-|
> We've replaced the allow ssh access to all with an allow on a need
> basis. So most national IP-ranges, several foreign ones and some static
> IPs are allowed. All the rest is bumped. We have no customers in China,
> Korea, Russia, etc. It sure cut down on the number of scans we see.
> 
> We'll probably add rate limitation on top.
> 
> Client certificates would cut it down completely, but is more expensive
> to implement. It would also require everybody to always carry a USB (or
> something) with their cert.

I have a homebrew setup...using snort and syslog and an app called wots it
adds a firewall rule the first time something naughty happens.  It's been
pretty effective all in all.  Last time I posted a list of IP's I had a net
admin contact me wanting more info since one of the IP's was one under his
responsibility.  Glad I could assist :D

James
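
An added sketch of the block-on-first-offence approach this message describes, combined with the need-basis allowlist from earlier in the thread. It is example code, not James's setup and not wots; the log lines are constructed, and the `ALLOWLIST` range and the iptables rule shape are assumptions.

```python
import ipaddress
import re

# Constructed sample sshd syslog lines (documentation address ranges only).
SAMPLE_LOG = """\
Jul  9 04:01:12 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jul  9 04:01:14 gw sshd[2103]: Failed password for root from 203.0.113.5 port 40130 ssh2
Jul  9 04:02:01 gw sshd[2120]: Failed password for alice from 192.0.2.10 port 51000 ssh2
Jul  9 04:02:09 gw sshd[2121]: Accepted publickey for alice from 192.0.2.10 port 51002 ssh2
Jul  9 04:02:30 gw sshd[2125]: Failed password for invalid user x from 198.51.100.20 from 203.0.113.9 port 40200 ssh2
Jul  9 04:03:00 gw sshd[2130]: Failed password for root from 999.1.1.1 port 1 ssh2
"""

# Assumed allowlist: management networks that must never be auto-blocked,
# so a typo at the password prompt cannot lock the admins out.
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]

# The user name is remote-supplied text, so the source address is taken from
# the fixed tail of the line ("from ADDR port N ssh2"), not the first "from".
FAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+ ssh2$")


def offenders(log_text, allowlist=ALLOWLIST, threshold=1):
    """Return sorted source addresses with >= threshold failed logins."""
    counts = {}
    for line in log_text.splitlines():
        match = FAIL_RE.search(line)
        if not match:
            continue
        try:
            addr = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # malformed address field: never pass it to the firewall
        if any(addr in net for net in allowlist):
            continue
        counts[addr] = counts.get(addr, 0) + 1
    return [str(a) for a in sorted(a for a, n in counts.items() if n >= threshold)]


def iptables_rules(addrs):
    """Render one DROP rule per offender (rule shape is an assumption)."""
    return [f"iptables -I INPUT -s {a} -p tcp --dport 22 -j DROP" for a in addrs]


if __name__ == "__main__":
    print("\n".join(iptables_rules(offenders(SAMPLE_LOG))))
```

The default `threshold=1` mirrors blocking on the first event; raising it trades a slower response for fewer blocks caused by mistyped passwords from addresses outside the allowlist.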


Re: New round of SSH scan IP's

On 7/9/08, James Lay <jlay <at> slave-tothe-box.net> wrote:

> I have a homebrew setup...using snort and syslog and an app called wots it
>  adds a firewall rule the first time something naughty happens.  It's been
>  pretty effective all in all.  Last time I posted a list of IP's I had a net
>  admin contact me wanting more info since one of the IP's was one under his
>  responsibility.  Glad I could assist :D

Oh wow, that is amazing. Learn whois, contact the respective abuse
handlers, let the rest of us be in peace. Better yet, show us your app
and tell us your ip so we can laugh and most likely lock you out of
your box.
--


Michael Holstein | 9 Jul 22:32

Re: New round of SSH scan IP's


> Oh wow, that is amazing. Learn whois, contact the respective abuse
> handlers, let the rest of us be in peace. Better yet, show us your app
> and tell us your ip so we can laugh and most likely lock you out of
>   

Net::Abuse::Utils

http://search.cpan.org/~mikegrb/Net-Abuse-Utils-0.09/lib/Net/Abuse/Utils.pm


mutiny | 9 Jul 05:28

Re: New round of SSH scan IP's

Banned, along with you for not noticing that nobody gives fuck.

James Lay wrote:
> Fresh IP’s from when they started, about 2 hours ago.  If you see one 
> that’s yours, something is amiss on your network.
>
>
> James