[unisog] FW: Cleaning up those networks

Palmer, Dave dave.palmer at Vanderbilt.Edu
Thu Feb 22 01:22:59 GMT 2007

Anyone know who this person is or what University/business he/she is
with?  I am rather suspicious of someone whose web site name is "I break
things", and web site offerings include tools listed as "a proof of
concept backdoor", "theoretical Denial of Service tool...", and "SIP PBX
voicemail poisoning tool."

... Dave Palmer  (dave.palmer at vanderbilt.edu)
    Vanderbilt University - Information Technology Services
    143 Hill Center
    P.D. 34 - Peabody           Phone: 615-343-1604
    Nashville, TN  37203        Fax:     615-343-1605


-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of Michael Holstein
Sent: Tuesday, February 20, 2007 1:10 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Cleaning up those networks

Brings up an interesting point .. there's been talk over on NANOG about 
creating a BGP feed for misbehaving hosts/nets so they could be 
automagically blackholed on a border router.

Is anyone doing this (internally), and if so, how?

I'd love to see a public route-server for that info, but suspect it'd 
get sued out of existence like some of the dnsBLs for spam.


J. Oquendo wrote:
> Greetings all. For those who I've dealt with before many thanks on the
> help you'd given. For the past three months I've been compiling 
> information from hosts that have been brute force ssh attacking
> that are running a program I have written called "Sharpener". 
> (http://www.infiltrated.net/scripts/sharpener) I have sorted out the 
> information and traced back those IP addresses that fall under 
> Academialand and have compiled the following list of Universities
> have possibly compromised machines.
> Rather than post those addresses (to avoid having misguided individuals 
> who may be on this list), I am posting the Universities in hopes 
> admins/engineers of these institutions will contact me back for the 
> information on the host that is attacking, along with the date and 
> timestamps of the attacks. My hopes are to minimize intrusions,
> spyware, etc., and solely inform other engineers of issues coming out
> their networks. I sincerely hope those contacted will assist. The
> list of attacking IP addresses is in the 47k range with 38 host 
> reporting on a 5 minute basis to a repository I've set up. Here are
> Universities.
> Some folks may have been contacted already so apologies in advance. I 
> will give the Universities 15 business days to respond for those that 
> don't they will continue to be listed as threats and their networks
> be blocked from 38 individual networks 8 of which are /17's. For those
> who respond, I will promptly remove the addresses.
> California State University at Fresno
> Carnegie Mellon University
> Carroll College
> Emory University
> Florida Atlantic University
> Florida Information Resource Network
> Georgia Institute of Technology
> Gonzaga University
> Howard University
> Illinois Institute of Technology
> Indiana University - Purdue University Fort
> Louisiana State University
> Marquette University
> Massachusetts Institute of Technology
> NTT America, Inc.
> New York University
> Ohio State University
> Purdue University
> SUNY College at Fredonia
> San Diego County Office of Education
> San Francisco State University
> Stanford University
> State University of New York at
> Texas A&M University
> The Drexel University Campus
> Universite Laval
> University of California, Los Angeles
> University of Georgia
> University of Illinois
> University of Lethbridge
> University of Massachusetts
> University of Medicine and Dentistry of
> University of Michigan
> University of Missouri-Columbia
> University of Mobile
> University of Oklahoma
> University of Pennsylvania
> University of Puerto Rico
> University of Rhode Island
> University of Texas at Austin
> University of Texas at San Antonio
> University of Virginia
> University of Washington
> University of Wyoming
> Vanderbilt University
> Walla Walla College
> Washington University
> Westnet
> York University
> Respectfully,
> Jesus Oquendo / sil
> ====================================================
> J. Oquendo
> GPG Key http://www.infiltrated.net/sil.key
> The happiness of society is the end of government.
> John Adams
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog