[unisog] Cleaning up those networks

Brian Allen ballen at wustl.edu
Tue Feb 20 18:38:24 GMT 2007


I'll take a look and see what you have.

You might want to contact REN-ISAC because they notify universities all
the time when they have infected machines.  They could get this info out
in a hurry to all the correct people.

Thanks,
Brian Allen
Network Security Analyst
Washington University

> -----Original Message-----
> From: unisog-bounces at lists.dshield.org [mailto:unisog-bounces at lists.dshield.org] On Behalf Of J. Oquendo
> Sent: Tuesday, February 20, 2007 11:50 AM
> To: unisog at lists.dshield.org
> Subject: [unisog] Cleaning up those networks
> 
> Greetings all. For those who I've dealt with before many thanks on the
> help you'd given. For the past three months I've been compiling
> information from hosts that have been brute force ssh attacking servers
> that are running a program I have written called "Shapener".
> (http://www.infiltrated.net/scripts/sharpener) I have sorted out the
> information and traced back those IP addresses that fall under
> Academialand and have compiled the following list of Universities which
> have possible compromised machines.
> 
> Rather than post those addresses (to avoid having misguided individuals
> who may be on this list), I am posting the Universities in hopes
> admins/engineers of these institutions will contact me back for the
> information on the host that is attacking, along with the date and
> timestamps of the attacks. My hopes are to minimize intrusions, malware,
> spyware, etc., and solely inform other engineers of issues coming out of
> their networks. I sincerely hope those contacted will assist. The entire
> list of attacking IP addresses is in the 47k range with 38 hosts
> reporting on a 5 minute basis to a repository I've set up. Here are the
> Universities.
> 
> Some folks may have been contacted already so apologies in advance. I
> will give the Universities 15 business days to respond; for those that
> don't, they will continue to be listed as threats and their networks will
> be blocked from 38 individual networks, 8 of which are /17's. For those
> who respond, I will promptly remove the addresses.
> 
> California State University at Fresno
> Carnegie Mellon University
> Carroll College
> Emory University
> Florida Atlantic University
> Florida Information Resource Network
> Georgia Institute of Technology
> Gonzaga University
> Howard University
> Illinois Institute of Technology
> Indiana University - Purdue University Fort
> Louisiana State University
> Marquette University
> Massachusetts Institute of Technology
> NTT America, Inc.
> New York University
> Ohio State University
> Purdue University
> SUNY College at Fredonia
> San Diego County Office of Education
> San Francisco State University
> Stanford University
> State University of New York at
> Texas A&M University
> The Drexel University Campus
> Universite Laval
> University of California, Los Angeles
> University of Georgia
> University of Illinois
> University of Lethbridge
> University of Massachusetts
> University of Medicine and Dentistry of
> University of Michigan
> University of Missouri-Columbia
> University of Mobile
> University of Oklahoma
> University of Pennsylvania
> University of Puerto Rico
> University of Rhode Island
> University of Texas at Austin
> University of Texas at San Antonio
> University of Virginia
> University of Washington
> University of Wyoming
> Vanderbilt University
> Walla Walla College
> Washington University
> Westnet
> York University
> 
> 
> Respectfully,
> Jesus Oquendo / sil
> 
> ====================================================
> J. Oquendo
> GPG Key http://www.infiltrated.net/sil.key
> The happiness of society is the end of government.
> John Adams


