leave one with the impression that this was merely a Linux system with only SSH open - as was
seen when it was scanned by another researcher on August 14th. This appears to be an older,
unpatched Linux system, considering that OpenSSH 5.3 was released on October 1, 2009.

The IP in question had been submitted forty-three times to URLQuery since June 17th, 2014,
with many of those submissions showing IDS hits for the DShield Block Listed Source
signature group. DShield shows similar activity starting around the same time in mid-June of 2014. The IP
is also listed on ips.backscatterer.org as well as on blockedservers.com and badips.com.

This is not the first time our researchers have found a system with no public-facing resources or
protocols that was scanning the rest of the Internet in a systematic fashion - nor will this be the
last. There are few barriers to prevent an individual or organization from setting up a system and
using open source toolsets to systematically scan and attack the rest of the Internet, as long as
they have an "understanding" hosting provider.

Considering that the sudden increase in activity has been ongoing since mid-June, it is a fair
assumption that the Hengyang node network of Hunan Telecom on ASN 4134 for China
Telecom is being quite lenient about this customer's activities.
Following our first examination of this malicious IP, Norse DarkWolf Labs noted that
218.77.79.43 continued to hold the top spot for malicious activity, with over 66,550 events
between August 26 and September 2.
Though the total events observed during this period reflected a slight decrease in observed
activity from the previous week, this IP was most certainly continuing to target multiple ports and
protocols, as it had been doing over the last few months.

Figure Four (4) focuses on the destination port timeline and frequency, showing the intervals of
activity targeting the respective ports and protocols over this second sample period:
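A defender looking at a figure like this usually wants the same view from their own sensor data: which source is noisiest, which destination ports and protocols it hits, how often, and on which days. The Python script below is an added example, not code from the article or from Norse DarkWolf Labs; it works from a constructed set of sensor events that use RFC 5737 placeholder addresses (203.0.113.5 and 198.51.100.9, not the article's IP) and builds the per-port frequency and activity timeline for the top source.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample sensor events (placeholder data, not taken from the article).
# Format: <UTC timestamp> <source IP> <destination port> <protocol>
# 203.0.113.5 and 198.51.100.9 are RFC 5737 documentation addresses.
SAMPLE_EVENTS = """\
2014-08-26T00:03:11Z 203.0.113.5 22 tcp
2014-08-26T00:03:12Z 203.0.113.5 22 tcp
2014-08-26T06:40:02Z 203.0.113.5 3389 tcp
2014-08-27T01:15:45Z 203.0.113.5 22 tcp
2014-08-27T13:20:00Z 203.0.113.5 1433 tcp
2014-08-28T02:00:09Z 203.0.113.5 5060 udp
2014-08-28T02:00:10Z 203.0.113.5 5060 udp
2014-08-28T09:30:00Z 198.51.100.9 22 tcp
2014-08-29T11:11:11Z 203.0.113.5 22 tcp
2014-08-29T11:12:00Z 198.51.100.9 80 tcp
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_events(text):
    """Parse whitespace-separated event lines into dicts; skips blanks and '#' comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dport, proto = line.split()
        events.append({
            "ts": datetime.strptime(ts, TS_FORMAT),
            "src": src,
            "dport": int(dport),
            "proto": proto.lower(),
        })
    return events


def top_sources(events, n=5):
    """Rank source IPs by event volume (the 'top spot' view described in the article)."""
    return Counter(e["src"] for e in events).most_common(n)


def port_frequency(events, src):
    """Count events from one source per (destination port, protocol) pair."""
    return Counter((e["dport"], e["proto"]) for e in events if e["src"] == src)


def port_activity(events, src):
    """Per (port, proto) for one source: total count, first/last seen, distinct active days.

    The sorted day list is a textual equivalent of a port timeline: gaps in it are
    the idle intervals between bursts against that port.
    """
    activity = defaultdict(lambda: {"count": 0, "first": None, "last": None, "days": set()})
    for e in events:
        if e["src"] != src:
            continue
        rec = activity[(e["dport"], e["proto"])]
        rec["count"] += 1
        if rec["first"] is None or e["ts"] < rec["first"]:
            rec["first"] = e["ts"]
        if rec["last"] is None or e["ts"] > rec["last"]:
            rec["last"] = e["ts"]
        rec["days"].add(e["ts"].strftime("%Y-%m-%d"))
    # Freeze to plain values so the result is easy to serialise or compare.
    return {
        key: {
            "count": rec["count"],
            "first": rec["first"].strftime(TS_FORMAT),
            "last": rec["last"].strftime(TS_FORMAT),
            "days": sorted(rec["days"]),
        }
        for key, rec in activity.items()
    }


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("Top sources:", top_sources(events))
    worst = top_sources(events, 1)[0][0]
    for (port, proto), rec in sorted(port_activity(events, worst).items()):
        print(f"{worst} -> {port}/{proto}: {rec['count']} events, "
              f"{rec['first']} .. {rec['last']}, active days {rec['days']}")
```

On real sensor output the same functions apply once `parse_events` is pointed at the actual line format; the per-day bucketing is deliberately coarse so that a multi-week sample, like the one the figure covers, stays readable as a list of active days per port.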
Cyber Warnings Magazine - September Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide