FAQ: Are you performing any logins, on IRC connections to the botnets?

One of the frequent questions I got at DerbyCon 2015 ( https://www.derbycon.com/ ) was: “Are you performing any logins, on IRC connections to the botnets?”

Well, A) I don’t have time to, and B) it’s against our Acceptable Use Policy.

Section 1.2.3 of the Marist Security Manual ( http://security.marist.edu/aup.pdf ) says, in sentence 8…

8. All individuals using Marist’s technical resources will not attempt to gain unauthorized access to system both on and off campus.

Now if somebody else wants to, I can’t stop them 🙂

>>>>>>>Ericw

Level 3 is actively blocking sshPsycho (yippee)

I have an interesting chart at http://longtail.it.marist.edu/honey/graphics_all.shtml which shows sshPsycho-2 is only attacking ONE of my educational honeypots (edu_c, and it’s mostly red). My cloud providers are also getting slammed from them.

Either
A) They are only interested in edu_c and my cloud provider, or
B) Somebody is blocking them.

I just confirmed this with somebody else who is running a honeypot for LongTail. Level 3 Communications ( http://www.level3.com/en/ ) appears to be, in fact, actively blocking sshPsycho-2 from their backbone. (See this Wall Street Journal article --> http://www.wsj.com/articles/level-3-tries-to-waylay-hackers-1432891803 ).

edu_c can ping an sshPsycho IP address, as can my cloud servers, but none of my other hosts can.

And that explains it (sadly).

EMAIL EXCHANGE BELOW…

-----USER wrote: -----
To: Eric Wedaa
From: USER
Date: 09/30/2015 02:29PM
Subject: Re:

Hi Eric,

No problem, here goes. Does not look like Level3 is involved for us for this connection.

Ping:

ping 43.229.53.80
PING 43.229.53.80 (43.229.53.80) 56(84) bytes of data.
64 bytes from 43.229.53.80: icmp_seq=1 ttl=47 time=111 ms
64 bytes from 43.229.53.80: icmp_seq=2 ttl=47 time=108 ms
64 bytes from 43.229.53.80: icmp_seq=3 ttl=47 time=110 ms
64 bytes from 43.229.53.80: icmp_seq=4 ttl=47 time=109 ms
^C
--- 43.229.53.80 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 108.939/110.215/111.302/0.992 ms

Traceroute:

traceroute 43.229.53.80
traceroute to 43.229.53.80 (43.229.53.80), 30 hops max, 60 byte packets

7 bu-ether22.chcgildt87w-bcr00.tbone.rr.com (107.14.19.34) 98.112 ms 66.109.3.238 (66.109.3.238) 95.719 ms bu-ether12.chcgildt87w-bcr00.tbone.rr.com (66.109.6.25) 90.144 ms
8 so-3-1-0.c0.sjc75.tbone.rr.com (66.109.3.241) 93.545 ms 94.212 ms 66.109.3.243 (66.109.3.243) 96.894 ms
9 bu-ether11.snjucacl67w-bcr00.tbone.rr.com (66.109.6.8) 90.268 ms * 95.834 ms
10 0.ae2.pr0.sjc10.tbone.rr.com (66.109.1.17) 90.144 ms 0.ae0.pr0.sjc10.tbone.rr.com (66.109.6.141) 90.655 ms 90.625 ms
11 66.109.10.214 (66.109.10.214) 93.381 ms 93.374 ms 93.350 ms
12 202.97.50.61 (202.97.50.61) 90.632 ms 90.635 ms 90.628 ms
13 202.97.49.145 (202.97.49.145) 101.313 ms 101.288 ms 101.309 ms
14 203.14.186.2 (203.14.186.2) 92.570 ms 92.587 ms 92.579 ms
15 218.30.44.138 (218.30.44.138) 98.209 ms 218.30.44.130 (218.30.44.130) 106.918 ms 218.30.44.126 (218.30.44.126) 94.337 ms
16 66.102.253.218 (66.102.253.218) 99.676 ms 66.102.253.230 (66.102.253.230) 94.307 ms *
17 43.229.53.80 (43.229.53.80) 111.813 ms 66.102.253.218 (66.102.253.218) 100.458 ms 100.475 ms

—————————————

In your oh so copious spare time, can you run the following commands and send me the results?

ping 43.229.53.80
traceroute 43.229.53.80

I’m trying to verify that Time Warner isn’t going through Level 3 at all.

When I do it, I can’t ping or traceroute that address, and I see that I am going through Level 3 to get there.

Thanks!

>>>>>Ericw
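The check Eric asks for in the e-mail (run traceroute to the sshPsycho address and see whether the path goes through Level 3, and whether the address is reachable at all) is easy to repeat from several vantage points, which is what the edu_c / cloud / other-hosts comparison earlier in the post amounts to. The following parser is an added example, not code from the post or from the LongTail project. It takes the Time Warner traceroute quoted above as one input and a second, constructed trace (documentation addresses from 192.0.2.0/24 and placeholder router names) that stands in for the "can't ping or traceroute that address" case. The assumption that Level 3 routers reverse-resolve to names under level3.net is mine; the carrier pattern is a parameter so it can be changed.

```python
"""Parse traceroute output and report (a) which hops belong to a given carrier
and (b) whether the destination was actually reached.

Added example, not from the original post. Carrier detection is by reverse-DNS
hostname only, which is an assumption: a hop that does not resolve, or that the
carrier names under another domain, will not be counted.
"""
import re

# Constructed inputs. TRACE_TIME_WARNER is the traceroute quoted in the e-mail
# above (hops 1-6 were not included in the post, so they are absent here too).
TRACE_TIME_WARNER = """\
traceroute to 43.229.53.80 (43.229.53.80), 30 hops max, 60 byte packets
 7 bu-ether22.chcgildt87w-bcr00.tbone.rr.com (107.14.19.34) 98.112 ms 66.109.3.238 (66.109.3.238) 95.719 ms bu-ether12.chcgildt87w-bcr00.tbone.rr.com (66.109.6.25) 90.144 ms
 8 so-3-1-0.c0.sjc75.tbone.rr.com (66.109.3.241) 93.545 ms 94.212 ms 66.109.3.243 (66.109.3.243) 96.894 ms
 9 bu-ether11.snjucacl67w-bcr00.tbone.rr.com (66.109.6.8) 90.268 ms * 95.834 ms
10 0.ae2.pr0.sjc10.tbone.rr.com (66.109.1.17) 90.144 ms 0.ae0.pr0.sjc10.tbone.rr.com (66.109.6.141) 90.655 ms 90.625 ms
11 66.109.10.214 (66.109.10.214) 93.381 ms 93.374 ms 93.350 ms
12 202.97.50.61 (202.97.50.61) 90.632 ms 90.635 ms 90.628 ms
13 202.97.49.145 (202.97.49.145) 101.313 ms 101.288 ms 101.309 ms
14 203.14.186.2 (203.14.186.2) 92.570 ms 92.587 ms 92.579 ms
15 218.30.44.138 (218.30.44.138) 98.209 ms 218.30.44.130 (218.30.44.130) 106.918 ms 218.30.44.126 (218.30.44.126) 94.337 ms
16 66.102.253.218 (66.102.253.218) 99.676 ms 66.102.253.230 (66.102.253.230) 94.307 ms *
17 43.229.53.80 (43.229.53.80) 111.813 ms 66.102.253.218 (66.102.253.218) 100.458 ms 100.475 ms
"""

# TRACE_BLOCKED is made up: placeholder router names and 192.0.2.0/24 addresses.
# It models a path that enters the carrier's network and then goes silent.
TRACE_BLOCKED = """\
traceroute to 43.229.53.80 (43.229.53.80), 30 hops max, 60 byte packets
 1 gateway.example.net (192.0.2.1) 0.5 ms 0.4 ms 0.4 ms
 2 edge-placeholder.level3.net (192.0.2.2) 8.1 ms 8.0 ms 8.3 ms
 3 core-placeholder.level3.net (192.0.2.3) 12.2 ms 12.0 ms 12.4 ms
 4 * * *
 5 * * *
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
HEADER_RE = re.compile(r"^traceroute to \S+ \((" + IPV4 + r")\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
# Each probe that answered appears as "hostname (ip)"; unanswered probes are "*".
ROUTER_RE = re.compile(r"(\S+)\s+\((" + IPV4 + r")\)")


def parse_traceroute(text):
    """Return (target_ip, hops); hops is a list of (hop_number, [(host, ip), ...])."""
    target, hops = None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            target = m.group(1)
            continue
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), ROUTER_RE.findall(m.group(2))))
    return target, hops


def carrier_hops(hops, carrier_pattern):
    """Hop numbers where at least one responding router's hostname matches the pattern."""
    rx = re.compile(carrier_pattern, re.IGNORECASE)
    return [n for n, routers in hops if any(rx.search(host) for host, _ip in routers)]


def reached_target(target, hops):
    """True only if the last recorded hop answered from the target address itself."""
    if target is None or not hops:
        return False
    return any(ip == target for _host, ip in hops[-1][1])


def path_report(text, carrier_pattern=r"level3\.net$"):
    """Summarise one vantage point: what was traced, through whom, and whether it got there."""
    target, hops = parse_traceroute(text)
    return {
        "target": target,
        "hops_seen": len(hops),
        "carrier_hops": carrier_hops(hops, carrier_pattern),
        "reached": reached_target(target, hops),
    }


if __name__ == "__main__":
    for name, trace in (("time warner", TRACE_TIME_WARNER), ("blocked (constructed)", TRACE_BLOCKED)):
        print(name, path_report(trace))
```

Running the same report from each host (edu_c, the cloud servers, the on-campus hosts) and comparing the `carrier_hops` and `reached` fields side by side is the quickest way to separate "the attacker is only interested in these targets" from "somebody upstream is dropping the traffic": the first shows up as reachable paths everywhere, the second as unreachable paths that share a carrier.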