Sea Change in Attack Vectors

Member for

1 year 6 months
Submitted by AlReaud on Thu, 12/08/2011 - 12:29

NOTE: Updated 11/15/2016

There's been a sea change in the attack vectors coming into the testing server, and some interesting characters.

For approximately two weeks, we've been subject to "IP Agile" attacks. The term "IP Agile" is something borrowed from a piece of high end R&D lab equipment, a Fluke frequency-agile signal generator. The "IP Agile" attackers use numerous IP addresses that repeat only occasionally over a span of hours, evading tools like fail2ban. There also seems to be a specific cycle through countries, China, Brazil, Japan, EU (UK or France),  Taiwan, then repeating, though I don't yet have enough data.

This set of attackers seems to be hitting mail servers and phone branch exchange (PBX) servers mostly. Found a great site at a church in Lafayette, IN that had their website infested. The trick was that you only saw the spam if you had javascripts disabled. Called them up and spoke to a parishioner manning the phones, and followed up with an email.

That attack vector seems to have gone back to the normal one, which is fast hitting the secure shell hoping to evade log analysis applications. The hit rate averages 3 seconds per, and they get five tries.

One of the interesting characters from yesterday was from an IP address identified as belonging to the US DOD. Please don't tell me that attack bots are running out of DOD computers somewhere. I'm not too worried though, as I did participate in that Shredder Challenge and commented on it. But I didn't back-hack too far there, just in case… wink

Today's resolved hackers (ssh or awstats):

  • (contacted these guys, they fixed it within the houryes).
  • (

Add new comment

The content of this field is kept private and will not be shown publicly.

Restricted HTML

  • Allowed HTML tags: <a href hreflang> <em> <strong> <cite> <blockquote cite> <code> <ul type> <ol type start> <li> <dl> <dt> <dd> <h2 id> <h3 id> <h4 id> <h5 id> <h6 id> <u> <s> <sup> <sub> <hr>
  • Lines and paragraphs break automatically.
  • Web page addresses and email addresses turn into links automatically.
Enter the characters shown in the image.