Test Center ThreatWatch: Sept. 25
SpamWatch 9/22-9/24
Our mail server got to rest a bit as mail volumes continued to drop Wednesday. Leaving aside the normal fluctuations between weekday and weekend volumes, we've noted a fairly steady decline in total mail volume as fewer blocked connections hit the servers.
The mail breakdown also shifted closer to the average, as blocked connections dropped to 87.2 percent; the average generally hovers around 86 percent. Spam volumes are up, however, at 12.3 percent, an increase of over 14.8 percent from the day before.
Servers based in China have been consistently sending messages that are blocked by our filters. Over the three-day period, two IP relays consistently appeared on the Top 10 threat list. While the top 10 relays account for only 11 percent of total blocked connections, it was significant that the Chinese relays sent over 45 percent of that volume. Over a seven-day period the figure drops to 40 percent.
Two new relays also made the list, one a known offender from Moscow and one from Turkey. All four of these addresses were listed in SPAMCOP, XBL, CBL, and SORBS.
According to eSoft's ThreatCenter, China has been a source of intrusion attempts and spam over the past few days. Russia and Turkey were ranked third and fourth in spam volumes. This is consistent with our observations.
The rest of the world took a day off yesterday, as the biggest spam relays were all based in the United States. Two of them didn't travel too far: Mineola, N.Y. in fact. It appears that a California-based hosting provider has a data center out in Mineola, and two of their servers were hitting our mail servers. It also looked like one of the servers hosted by a Chicago-based colocation provider was either misconfigured or compromised.
Are attackers targeting colocated and hosted servers? Or are providers not configuring customer servers properly? Test Center will be keeping an eye on this to see if there is a trend.
AttackWatch 9/24-9/25
Over the past 24 hours, over a quarter of the attacks trapped in our honeynet were IIS-related. Along with the attempts to redirect the IIS Proxy, there was a new type of attack: IIS Resets. The single attacker, an Optimum Online user, attempted to repeatedly reset the IIS Web server remotely in hopes of crashing it over a seven-hour period yesterday afternoon.
Attackers targeted our SQL Server installation on ports 1433 and 1434 starting in the late afternoon yesterday and continuing until 10:30 this morning. Thirty percent of the attacks came from a single IP address based in, where else, China, all within the space of one minute. Twelve other IP addresses also made attempts. In short, 70 percent of the SQL Server attacks originated from China in the last 24 hours.
Curiously, there were two attempts from two distinct IP addresses associated with Austin, Texas-based Trilogy, a technology solutions company.
There were also attempts to gain shell access using telnet and ssh, from IP addresses originating in Greece, the United Kingdom, Pakistan, and Italy. Other interesting attempts included trying to open a remote desktop session from Russia and a terminal services session from India.
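The kind of tally behind the AttackWatch numbers above (share of attempts per service, the busiest source for SQL Server, and a single source hammering a port within one minute) can be reproduced from honeynet connection records. This is an added example, not code from the Test Center; the port-to-service mapping and the log format are assumptions, and the sample log is constructed with documentation-range addresses.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Port-to-service labels are assumed; the log below is constructed (RFC 5737 addresses).
SERVICE_BY_PORT = {80: "IIS", 443: "IIS", 1433: "SQL Server", 1434: "SQL Server",
                   22: "ssh", 23: "telnet", 3389: "RDP"}

SAMPLE_LOG = """2008-09-25 16:02:05 203.0.113.10 1433
2008-09-25 16:02:30 203.0.113.10 1434
2008-09-25 16:02:58 203.0.113.10 1433
2008-09-25 17:10:00 198.51.100.5 1433
2008-09-25 21:03:40 198.51.100.6 1434
2008-09-26 10:29:55 198.51.100.7 1433
2008-09-25 13:00:00 192.0.2.20 80
2008-09-25 13:05:00 192.0.2.20 80
2008-09-25 13:12:00 192.0.2.21 443
2008-09-25 14:00:00 192.0.2.30 22
2008-09-25 14:30:00 192.0.2.31 22
2008-09-25 15:30:00 192.0.2.32 3389"""

def parse_log(text):
    """Parse 'YYYY-MM-DD HH:MM:SS src_ip dst_port' lines into (time, ip, service)."""
    records = []
    for line in text.splitlines():
        date, clock, ip, port = line.split()
        service = SERVICE_BY_PORT.get(int(port), "other")
        records.append((datetime.fromisoformat(f"{date} {clock}"), ip, service))
    return records

def service_share(records):
    """Fraction of all connections per service label, e.g. {'SQL Server': 0.5, ...}."""
    counts = Counter(service for _, _, service in records)
    return {svc: n / len(records) for svc, n in counts.items()}

def top_source_share(records, service):
    """Busiest source for one service and its share of that service's attempts."""
    hits = Counter(ip for _, ip, svc in records if svc == service)
    ip, n = hits.most_common(1)[0]
    return ip, n / sum(hits.values())

def burst_sources(records, window=timedelta(seconds=60), threshold=3):
    """Sources with at least `threshold` hits inside any sliding `window`."""
    by_ip = defaultdict(list)
    for when, ip, _ in records:
        by_ip[ip].append(when)
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        for i, t in enumerate(times):  # quadratic scan, fine for a daily honeynet log
            n = sum(1 for u in times[i:] if u - t <= window)
            if n >= threshold:
                bursts[ip] = max(bursts.get(ip, 0), n)
    return bursts
```

On the constructed log, SQL Server accounts for half of all attempts, one source sends half of those, and that same source is the only one flagged as a one-minute burst.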