Corporations now hacking people?

From: Adam Jimerson 
------------------------------------------------------
I just got an interesting email from my server running fail2ban. It seems
that someone from 210.63.39.81 was trying to get into my system via SSH and
got banned. They didn't get very far, trying to use the "admin", "nobody", and
"root" usernames (I have SSH as root disabled in my configuration). The whois
for the IP returns this:

% [whois.apnic.net node-2]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      210.63.0.0 - 210.63.63.255
netname:      SYSNET
descr:        Systex Corporation SYSNET Business Department
country:      TW
admin-c:      DC45-AP
tech-c:       DC45-AP
mnt-by:       MAINT-TW-TWNIC
changed:      snw@www.edu.tw 19980914
changed:      hm-changed@apnic.net 20021219
status:       ALLOCATED PORTABLE
source:       APNIC

person:       Dar Chen
address:      12F, 51, Sec. 2, Chung Ching South Rd.,
address:      Taipei, Taiwan
country:      TW
phone:        +886-2-23968538
fax-no:       +886-2-23968538
e-mail:       ardar@mail.sysnet.net.tw
nic-hdl:      DC45-AP
mnt-by:       MAINT-TW-TWNIC
changed:      snw@www.edu.tw 19980912
source:       APNIC

inetnum:        210.63.39.0 - 210.63.39.255
netname:        SSCL-NET
descr:          SUN SECURITIES CO.,LTD
descr:          Taipei Taiwan
country:        TW
admin-c:        MW11-TW
tech-c:         MW11-TW
mnt-by:         MAINT-TW-TWNIC
remarks:        This information has been partially mirrored by APNIC from
remarks:        TWNIC. To obtain more specific information, please use the
remarks:        TWNIC whois server at whois.twnic.net.
changed:        stevet@sysnet.net.tw 19980728
status:         ASSIGNED NON-PORTABLE
source:         TWNIC

person:         MADELINE WU
address:        SUN SECURITIES CO.,LTD
address:        Taipei Taiwan
e-mail:         madeline@ms1.hinet.net
nic-hdl:        MW11-TW
changed:        hostmaster@twnic.net.tw 19991009
source:         TWNIC

Has anyone else seen this in their logs?
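For anyone curious what fail2ban actually did on that box, here is its core logic boiled down, as an added example written for this thread (it is not fail2ban's own code). It parses OpenSSH auth-log lines, keeps a sliding window of failures per source IP and "bans" an IP once it hits maxretry failures within findtime seconds, the same two knobs fail2ban's sshd jail uses. The log lines are constructed to mirror the attempt described above (admin, nobody, root from 210.63.39.81); the year 2011 is assumed because syslog timestamps omit it, and the regexes follow OpenSSH's wording for failed logins.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH log wordings that fail2ban's stock "sshd" filter treats as a failed login.
FAIL_PATTERNS = [
    re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)"),
    re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"),
    re.compile(r"User (?P<user>\S+) from (?P<ip>[\d.]+) not allowed because"),
]
# Classic syslog timestamp ("Oct 18 21:20:01"); the year is not in the line.
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) ")

# Constructed sample auth log: a three-username probe like the one in the thread,
# an IP whose early failures are too old to count, and a legitimate user.
SAMPLE_LOG = """\
Oct 18 21:05:00 vps sshd[3901]: Failed password for root from 203.0.113.5 port 33012 ssh2
Oct 18 21:05:10 vps sshd[3905]: Failed password for root from 203.0.113.5 port 33040 ssh2
Oct 18 21:20:01 vps sshd[4121]: Invalid user admin from 210.63.39.81
Oct 18 21:20:05 vps sshd[4125]: Failed password for nobody from 210.63.39.81 port 51901 ssh2
Oct 18 21:20:09 vps sshd[4129]: Failed password for root from 210.63.39.81 port 52010 ssh2
Oct 18 21:20:12 vps sshd[4133]: Failed password for root from 203.0.113.5 port 33210 ssh2
Oct 18 21:21:30 vps sshd[4140]: Failed password for adam from 192.0.2.10 port 40022 ssh2
Oct 18 21:22:07 vps sshd[4150]: Accepted publickey for adam from 192.0.2.10 port 40023 ssh2
"""


def parse_failure(line, year=2011):
    """Return (timestamp, source_ip, username) for a failed-login line, else None.
    `year` is an assumption: syslog omits it, and 2011 matches the thread's date."""
    m_ts = TS_RE.match(line)
    if not m_ts:
        return None
    ts = datetime.strptime(f"{year} {m_ts['ts']}", "%Y %b %d %H:%M:%S")
    for pat in FAIL_PATTERNS:
        m = pat.search(line)
        if m:
            return ts, m["ip"], m["user"]
    return None


class BanTracker:
    """Sliding-window counter: `maxretry` failures within `findtime` seconds bans the IP."""

    def __init__(self, maxretry=3, findtime=600):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.attempts = defaultdict(deque)   # ip -> timestamps of recent failures
        self.usernames = defaultdict(set)    # ip -> usernames it tried
        self.banned = {}                     # ip -> time of ban

    def feed(self, line):
        """Process one log line; return the IP if this line triggered a ban, else None."""
        ev = parse_failure(line)
        if ev is None:
            return None
        ts, ip, user = ev
        self.usernames[ip].add(user)
        if ip in self.banned:
            return None          # already blocked; with fail2ban the firewall drops it
        window = self.attempts[ip]
        window.append(ts)
        while window and ts - window[0] > self.findtime:
            window.popleft()     # forget failures older than findtime
        if len(window) >= self.maxretry:
            self.banned[ip] = ts
            return ip
        return None


def scan(log_text, maxretry=3, findtime=600):
    """Run every line of `log_text` through a BanTracker and return it."""
    tracker = BanTracker(maxretry, findtime)
    for line in log_text.splitlines():
        tracker.feed(line)
    return tracker


if __name__ == "__main__":
    t = scan(SAMPLE_LOG)
    for ip, when in t.banned.items():
        print(f"banned {ip} at {when:%H:%M:%S} after trying {sorted(t.usernames[ip])}")
```

With the defaults only 210.63.39.81 gets banned (on the third username, root); 203.0.113.5 escapes because its first two failures fell out of the 600-second window, which is exactly why slow, patient scanners slip past a short findtime. Raise findtime to 1200 and it gets banned too.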

===============================================================
From: Lynn Dixon
------------------------------------------------------
Probably a machine in their network that has been infected with a bot. More than likely it was someone looking at porn at work, and picked up the bug on some shady site. heh.

===============================================================
From: Stephen Kraus
------------------------------------------------------
I say we set up a honeypot, put it on the DMZ, and let her fly!

===============================================================
From: Adam Jimerson
------------------------------------------------------
The whole honeypot idea has always interested me.

===============================================================
From: Stephen Kraus
------------------------------------------------------
Download an Auditor Live CD, burn it, find a spare machine, boot, assign a static IP, place it in the DMZ, and start up any of the popular honeypot programs included. I'd recommend simulating a machine running Windows Server 2003; it seems to get the most hits.

===============================================================
From: Mike Harrison
------------------------------------------------------
If you put it inside the DMZ, you have let a fox partially into the henhouse. Better to just put it on a disposable box on a public IP -outside- of your net.

===============================================================
From: Adam Jimerson
------------------------------------------------------
Yeah, I agree, and that is one of the things that has kept me from doing it.

===============================================================
From: Stephen Kraus
------------------------------------------------------
The DMZ is exposed to the internet; granted, it's TOO exposed, and scares away non-automated attackers.

===============================================================
From: Mike Harrison
------------------------------------------------------
Adam, we have some Comcast IPs to play with and a spare router... we can physically isolate it from our real network. :) Call it a learning opportunity. ;)

*Once upon a time I set up some honeypots and real servers for sans.org (thanks to an intro from Eric Wolf to Johanes Ulrich of dshield.org) and learned a lot. I'll suggest you need TWO boxes, one in promiscuous mode capturing all traffic in and out, but on a non-routable IP. It can even be the firewall if it is set up carefully.

===============================================================
From: Rod-Lists
------------------------------------------------------
This specific one, no, but I always get weird crap from the Far East. Taiwan has started showing up in my logs lately, as well as Cali IPs leased to Chinese-sounding names. It is the Dragon, dude.

----- Original Message -----
From: Adam Jimerson
To: CHUGALUG
Sent: Tue, 18 Oct 2011 21:22:07 -0400 (EDT)
Subject: [Chugalug] Corporations now hacking people?

===============================================================
From: Ashley Wilson
------------------------------------------------------
http://www.computerworld.com/s/article/9220969/Duqu

===============================================================
From: Christopher Rimondi
------------------------------------------------------
I will be the downer here, but you should be careful what you do with honeypots. If it really does get pwned and starts to host illegal content or attack other machines, you might get a visit from LE.

===============================================================
From: Erik Hanson
------------------------------------------------------
Honeypots (or honeynets) are systems (or networks) configured to appear enticing to anyone scanning them. Usually handled by an application like honeyd or nepenthes, they often log in greater detail the traffic to the ports they have opened, and safely collect uploaded files.
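A low-interaction honeypot of the kind Erik describes, reduced to its essentials, as an added example written for this thread (it is not honeyd or nepenthes code, and not anything from the original posts): it listens on a TCP port, sends a plausible SSH banner so the client talks first, records everything the peer sends with a timestamp and source address, and never parses, executes or forwards any of it. Because nothing it receives is ever acted on, it cannot be turned into the attack box Christopher warns about; the remaining exposure is just the kernel TCP stack, which is why Mike's disposable box on a separate public IP is still the right place to run it. The banner string, the capture cap and the probe client are constructed for the demo; port 0 asks the OS for an ephemeral port so the example runs unprivileged, and a real deployment would bind 22.

```python
import json
import socket
import socketserver
import threading
from datetime import datetime, timezone

# Constructed banner: looks like an old OpenSSH so scanners proceed to send their
# identification string and first packets. No SSH is ever implemented here.
FAKE_BANNER = b"SSH-2.0-OpenSSH_5.3\r\n"
MAX_CAPTURE = 64 * 1024   # per-connection capture cap so a flood cannot exhaust memory
READ_TIMEOUT = 10.0       # seconds of silence before we hang up on the client


class HoneypotHandler(socketserver.BaseRequestHandler):
    """Accept, send the banner, record everything the peer sends, answer nothing else."""

    def handle(self):
        peer_ip, peer_port = self.client_address[:2]
        started = datetime.now(timezone.utc)
        captured = bytearray()
        self.request.settimeout(READ_TIMEOUT)
        try:
            self.request.sendall(FAKE_BANNER)
            while len(captured) < MAX_CAPTURE:
                chunk = self.request.recv(4096)
                if not chunk:          # peer closed the connection
                    break
                captured.extend(chunk)
        except OSError:                # timeout or reset: still record what we got
            pass
        finally:
            self.server.record({
                "ts": started.isoformat(),
                "src_ip": peer_ip,
                "src_port": peer_port,
                "dst_port": self.server.server_address[1],
                "bytes": len(captured),
                # printable rendering; a real deployment writes the raw bytes to disk
                "payload": captured.decode("latin-1"),
            })


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr):
        super().__init__(addr, HoneypotHandler)
        self.events = []
        self._cv = threading.Condition()

    def record(self, event):
        with self._cv:
            self.events.append(event)
            self._cv.notify_all()

    def wait_for_events(self, n, timeout=5.0):
        """Block until at least n connections have been recorded (or timeout)."""
        with self._cv:
            self._cv.wait_for(lambda: len(self.events) >= n, timeout=timeout)
            return list(self.events)


def start_honeypot(host="127.0.0.1", port=0):
    """Bind (port 0 = ephemeral) and serve in a background thread; returns the server."""
    srv = Honeypot((host, port))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(host, port, payload):
    """Constructed stand-in for a scanner: read the banner, send payload, hang up."""
    with socket.create_connection((host, port), timeout=5) as s:
        banner = b""
        while not banner.endswith(b"\n"):
            part = s.recv(256)
            if not part:
                break
            banner += part
        s.sendall(payload)
    return banner


if __name__ == "__main__":
    srv = start_honeypot()
    probe("127.0.0.1", srv.server_address[1], b"SSH-2.0-libssh\r\nroot\x00admin\x00")
    for ev in srv.wait_for_events(1):
        print(json.dumps(ev))
    srv.shutdown()
```

Each recorded event is one JSON line per connection, which is the shape you want for feeding dshield-style reporting or just grepping by src_ip. Pair it with a second box sniffing in promiscuous mode, as Mike suggests, and the pcap gives you the packets this listener deliberately does not interpret.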