On 2019-04-29 7:58 a.m., Michael Rathbun via mailop wrote:
On Mon, 29 Apr 2019 07:26:23 -0700, Michael Peddemors via mailop
<[email protected]> wrote:
PS, pgHammer went quiet yesterday.. either someone caught/killed his C&C
server, or the actor realized that there was too much attention on the
activity. That doesn't mean those servers listed should not still be
taken down, as they are still compromised.. Seems he has one server that
is still running, he might have lost control of that one.. or just
testing ..
My provider had me offline for 34 hours starting Friday morning. When things
came back up on Saturday evening, the nine-second "EHLO server{dot}com"
onslaught had abated. Now there is a lower-volume "EHLO ADMIN" effort that
seems to have ramped up significantly in that interval.
Yesterday saw 517 connection attempts for ADMIN, which is about 10% of the
volume for the other in its waning days.
There have been only 9 IPs involved, the vast majority of the attempts coming
from 78.142.19.95.
mdr
Yes, we know that actor.. Compromised Windows machines, looks like a
remote desktop exploit..
But currently the Ubiquiti Router compromises, and the MikroTik, and the
other routers, probably part of that Hajime botnet compromise from
March, that is leading the pack..
Ubiquiti Routers engaged in Brute Force attacks.. about 14,000 IP(s)
reported overnight..
Not sure how to ever take down those botnets, when we have so much
trouble with just a few static servers..
Still about 750 old CutWail compromises, and 94 IP(s) in the new CutWail
variant..
But yes, that ADMIN one is a little more aggressive per IP in volume,
but our Dynamic Rule Engine catches those and dumps them into the
penaltybox pretty quick.
But if anyone knows the magic bullet to stop all the compromised IoT
devices (and there will be millions more soon, now that the P2P
compromise is public) by all means, let us know..
Which is why we are simply enhancing all legacy email authentication, it
helps stop all the brute force attacks, and makes them easier to see..
But still, the sheer volume of those attacks can only be stopped at the
source.. it isn't like we can stop accepting legitimate connections from
world at large...
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
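The per-IP penalty-box behaviour described in the thread (suspicious EHLO strings such as ADMIN, repeated from one IP, get the IP rejected for a while), as an added example that is not LinuxMagic's Dynamic Rule Engine or any code from the thread. The log line layout, the thresholds and the RFC 5737 client addresses are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real MTA output); the field layout is assumed.
SAMPLE_LOG = """\
2019-04-28T10:00:01Z client=192.0.2.10 helo=ADMIN auth=fail
2019-04-28T10:00:02Z client=198.51.100.7 helo=mail.example.net auth=ok
2019-04-28T10:00:11Z client=192.0.2.10 helo=ADMIN auth=fail
2019-04-28T10:00:20Z client=192.0.2.10 helo=ADMIN auth=fail
2019-04-28T10:00:29Z client=192.0.2.10 helo=ADMIN auth=fail
2019-04-28T12:00:00Z client=192.0.2.10 helo=ADMIN auth=fail
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<ip>\S+) helo=(?P<helo>\S+) auth=(?P<auth>\S+)$")
# HELO arguments mentioned in the thread; a real MTA announces its FQDN (RFC 5321 4.1.1.1)
SUSPICIOUS_HELO = {"ADMIN", "SERVER.COM"}

class PenaltyBox:
    """An IP with `threshold` suspicious events inside `window` is rejected for `penalty`."""
    def __init__(self, threshold=3, window=timedelta(minutes=5), penalty=timedelta(hours=1)):
        self.threshold, self.window, self.penalty = threshold, window, penalty
        self.events = defaultdict(deque)   # ip -> timestamps of recent suspicious events
        self.boxed = {}                    # ip -> time the penalty expires

    def observe(self, ts, ip, helo, auth):
        release = self.boxed.get(ip)
        if release is not None:
            if ts < release:
                return "reject"            # still serving the penalty
            del self.boxed[ip]             # penalty expired, start counting afresh
        if helo.upper() in SUSPICIOUS_HELO or auth == "fail":
            q = self.events[ip]
            q.append(ts)
            while ts - q[0] > self.window: # drop events that fell out of the window
                q.popleft()
            if len(q) >= self.threshold:
                self.boxed[ip] = ts + self.penalty
                q.clear()
                return "penalise"
        return "accept"

def process_log(text, box=None):
    box, decisions = box or PenaltyBox(), []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # ignore lines that do not fit the assumed layout
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        decisions.append((m["ip"], box.observe(ts, m["ip"], m["helo"], m["auth"])))
    return box, decisions
```

Replaying SAMPLE_LOG, the third ADMIN attempt from 192.0.2.10 within five minutes triggers the penalty, the fourth is rejected, and the attempt two hours later is accepted again because the penalty has lapsed.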