1 November 2011, 21:27

I just found out that one of my NIPS reports is pretty unambiguous about the day's top alerts:

[Image: alert_NIPS_65.98.36.50.JPG, NIPS daily top-alerts report]

 

For those who never got around to hardening their (Open)SSH server, even a little, the clock is ticking...
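As an added example that is not part of the original post: the sshd_config directives that shut down the kind of password guessing the report shows, with the weak settings shown beside their hardened replacements. The user names and values are placeholders to adapt to your own hosts.

```conf
# Weak: what an untouched server typically runs (commented, do not keep)
#PermitRootLogin yes
#PasswordAuthentication yes
#MaxAuthTries 6

# Hardened: keys only, no direct root, short grace period, explicit user list
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
AllowUsers alice bob
```

Apply it with `sshd -t` to syntax-check the file, then restart the daemon (on CentOS of that era, `service sshd restart`), keeping an existing session open until you have confirmed that a key-based login still works.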

What about that IP address, 65.98.36.50? Its reverse DNS (PTR) record points to argi9cure.com (http://argi9cure.com/).

Just have a look at it: the CentOS default web page! :( And above all, Apache 2.2.3, most likely obsolete (CentOS backports security fixes without bumping the version banner, so the banner alone proves nothing, but a default page on an Internet-facing host is not a sign of careful administration either).

 

What (McAfee) TrustedSource says about it is quite interesting:

 

[Image: trustedsource.org_65.98.36.50.JPG, TrustedSource reputation page for 65.98.36.50]

 

So not only are mass SSH login attempts being launched from that server, but its outbound mail volume (as a sender) has changed drastically, growing by 500%!

Another compromised server being quietly used to spam, then?

Furthermore, this IP address has also been reported in DShield's statistics:

http://www.dshield.org/ipinfo.html?ip=65.98.36.50&update=yes

This once again shows the value of IP reputation-based filtering: the local failed-login evidence and the external reputation of the source point the same way, and each makes the other more credible.
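The detection side of this, as an added example that is neither the post's own nor a NIPS vendor's code: parse sshd "Failed password" lines, count failures per source within a sliding window, and combine the count with a reputation feed so that a widely reported source is blocked after fewer local failures than an unknown one. The log lines, the report counts and the thresholds below are constructed for the example; the reputation dictionary stands in for a DShield or TrustedSource lookup and does not reproduce their real figures.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the syslog format sshd writes to /var/log/secure
# (or auth.log). The format carries no year, so parse_failed_logins assumes one.
SAMPLE_AUTH_LOG = """\
Nov  1 21:20:01 host sshd[4121]: Failed password for root from 65.98.36.50 port 51012 ssh2
Nov  1 21:20:03 host sshd[4123]: Failed password for invalid user admin from 65.98.36.50 port 51018 ssh2
Nov  1 21:20:06 host sshd[4125]: Failed password for invalid user oracle from 65.98.36.50 port 51025 ssh2
Nov  1 21:21:15 host sshd[4140]: Failed password for alice from 192.0.2.10 port 40022 ssh2
Nov  1 21:21:20 host sshd[4140]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
Nov  1 21:25:00 host sshd[4150]: Failed password for root from 198.51.100.7 port 33001 ssh2
Nov  1 21:25:02 host sshd[4152]: Failed password for root from 198.51.100.7 port 33004 ssh2
Nov  1 21:25:04 host sshd[4154]: Failed password for invalid user test from 198.51.100.7 port 33009 ssh2
Nov  1 21:25:06 host sshd[4156]: Failed password for root from 198.51.100.7 port 33013 ssh2
Nov  1 21:25:08 host sshd[4158]: Failed password for invalid user guest from 198.51.100.7 port 33020 ssh2
Nov  1 21:25:10 host sshd[4160]: Failed password for root from 198.51.100.7 port 33027 ssh2
"""

# Constructed stand-in for a reputation feed: number of sensors that reported
# the IP. The value for 65.98.36.50 is illustrative, not DShield's real count.
REPUTATION_REPORTS = {
    "65.98.36.50": 37,
    "198.51.100.7": 0,
}

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_failed_logins(log_text, year=2011):
    """Return (timestamp, source_ip, username) for every failed password attempt."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def count_failures_per_source(events, window_seconds=600):
    """For each source IP, the largest number of failures inside any window."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for ts, ip, _user in events:
        by_ip[ip].append(ts)
    peaks = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1  # slide the window forward past old failures
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks


def classify_sources(peaks, reputation, local_threshold=5,
                     reputed_threshold=2, min_reports=10):
    """BLOCK/WATCH/OK per IP. A source already reported by at least min_reports
    sensors is blocked after reputed_threshold local failures; an unknown source
    needs local_threshold failures on its own."""
    verdicts = {}
    for ip, failures in peaks.items():
        reports = reputation.get(ip, 0)
        if reports >= min_reports and failures >= reputed_threshold:
            verdicts[ip] = "BLOCK (reputation + local failures)"
        elif failures >= local_threshold:
            verdicts[ip] = "BLOCK (local failures only)"
        elif failures >= reputed_threshold:
            verdicts[ip] = "WATCH"
        else:
            verdicts[ip] = "OK"
    return verdicts


def block_rules(verdicts):
    """Render BLOCK verdicts as iptables commands (strings only, nothing is run)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"
            for ip, verdict in sorted(verdicts.items()) if verdict.startswith("BLOCK")]


if __name__ == "__main__":
    events = parse_failed_logins(SAMPLE_AUTH_LOG)
    peaks = count_failures_per_source(events)
    verdicts = classify_sources(peaks, REPUTATION_REPORTS)
    for ip in sorted(verdicts):
        print(f"{ip:16} failures={peaks[ip]:2} reports={REPUTATION_REPORTS.get(ip, 0):3}  {verdicts[ip]}")
    for rule in block_rules(verdicts):
        print(rule)
```

With the sample data, 65.98.36.50 is blocked on only three failures because the feed already reports it heavily, 198.51.100.7 is blocked on local evidence alone, and the administrator who mistyped a password once before succeeding with a key is left alone. Reputation data ages quickly, so in practice the block should expire rather than be permanent, and the feed should be refreshed regularly.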

 
