Some days, it’s amusing to see .mil addresses…

[Screenshot: mil_cs-server.jpg]

It’s really amusing to read server logs. But it’s more amusing when you see a zombie bot hack that comes from supposedly secure networks. At least you would think they would be secure.
In any case, if you take a look at the screenshot, one of the servers I take care of was hit by the IP 147.83.50.219, and it looked like multiple attempts via SSH. If you’ve never looked at server logs before, all this says is that it was running dictionary attacks against some of the main accounts to look for holes. But what’s interesting about 147.83.50.219 is that it was owned by the Department of Defense.
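For readers who have never looked at those logs, here is what the pattern the post describes looks like in an sshd auth log and how a defender would spot it automatically. This is an added example, not code or log data from the post; the log lines are constructed (RFC 5737 documentation addresses, made-up hostnames and PIDs), and the thresholds `min_failures` and `min_users` are assumptions, not anything the post specifies. The tell-tale sign of a dictionary attack is one source address failing many password logins across several different account names in a short span.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not the post's screenshot). The source
# addresses are RFC 5737 documentation addresses, chosen for this example.
SAMPLE_LOG = """\
Mar  3 04:12:01 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 04:12:03 web1 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 04:12:05 web1 sshd[2215]: Failed password for invalid user oracle from 203.0.113.7 port 51244 ssh2
Mar  3 04:12:07 web1 sshd[2217]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
Mar  3 04:12:09 web1 sshd[2219]: Failed password for root from 203.0.113.7 port 51255 ssh2
Mar  3 04:12:10 web1 sshd[2221]: Failed password for invalid user guest from 203.0.113.7 port 51260 ssh2
Mar  3 08:30:44 web1 sshd[3102]: Failed password for alice from 198.51.100.20 port 40002 ssh2
Mar  3 08:30:51 web1 sshd[3104]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2
"""

# OpenSSH logs "invalid user" for names with no local account; the optional
# group lets one pattern catch both existing and non-existing usernames.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text):
    """Return {source_ip: [usernames tried]} for every failed password attempt."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            attempts[m.group("ip")].append(m.group("user"))
    return attempts


def find_dictionary_attacks(log_text, min_failures=5, min_users=3):
    """Flag source IPs that look like a dictionary attack: many failed
    password logins spread across several account names. A single user
    mistyping their password a few times does not meet both thresholds."""
    flagged = {}
    for ip, users in parse_failures(log_text).items():
        distinct = set(users)
        if len(users) >= min_failures and len(distinct) >= min_users:
            flagged[ip] = {"failures": len(users), "users": sorted(distinct)}
    return flagged


if __name__ == "__main__":
    for ip, info in find_dictionary_attacks(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failed logins against {info['users']}")
```

Run against a real `/var/log/auth.log` (or `journalctl -u ssh` output) the same two-threshold rule separates a scanning bot from a legitimate user who fat-fingered a password; the legitimate user in the sample fails once and then succeeds with a key, so she is never flagged. The next defensive step is the one the post hints at: feed the flagged address to whoever owns the network it came from, because the machine behind it is very likely compromised rather than malicious by intent.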
Now we all know that they probably just hand out CAC cards and some poor soul was clicking on things they shouldn’t have and got infected. But what’s interesting is that to have SSH access, that means it’s not a locked-down network. This means that if you have a card, they automatically give you enough access to clear a good number of ports that most people probably never need. Even my current corporate network only allows certain types of access when roaming outside of the local network (port 80), and SSH isn’t one of them. Doesn’t give you warm fuzzies about DoD’s networks, does it?
I’ll also add the disclaimer that this isn’t a regular occurrence, nor is it unique by any means, since these types of attacks happen all the time due to botnets. But what puts the fear in any IT professional is when you realize that one of the networks that might have some pretty serious information has been compromised by a botnet. It’s another reason why you don’t allow personal machines on networks and why you run remote scans based on IP traffic. If you own the routers, you can sniff the network at that point to trace back any sort of traffic that might be coming from a compromised machine and take care of the problem.
An amusing start of the day.