[nsp-sec] Increased in HP OV NMM scanning (tcp/2954)
Gong, Yiming
yiming.gong at xo.com
Tue Apr 15 16:56:35 EDT 2008
> IP | Bytes | Packets | Flows | Earliest Seen | Latest Seen
> 12.21.167.70| 11068944| 230603|
12.21.167.70 is also in our alert system.
The following list is pulled from our alert table, and before Apr 09, we
never got any scan alert on port 2954.
+-----------------+-------+------+------------+---------------------+---------------------+
| sip             | dport | sum  | unique_dst | start               | end                 |
+-----------------+-------+------+------------+---------------------+---------------------+
| 166.70.202.136  | 2954  | 4666 | 4666       | 2008-04-09 17:40:01 | 2008-04-15 12:00:02 |
| 12.21.167.70    | 2954  | 217  | 217        | 2008-04-10 01:35:03 | 2008-04-10 01:40:01 |
| 70.102.165.151  | 2954  | 98   | 98         | 2008-04-10 12:35:02 | 2008-04-10 12:35:02 |
| 209.253.26.114  | 2954  | 271  | 271        | 2008-04-11 05:10:01 | 2008-04-11 12:05:02 |
| 69.13.240.92    | 2954  | 435  | 435        | 2008-04-11 05:10:01 | 2008-04-11 07:10:01 |
| 63.145.177.204  | 2954  | 214  | 214        | 2008-04-11 05:20:02 | 2008-04-11 05:20:02 |
| 216.234.237.104 | 2954  | 500  | 500        | 2008-04-11 05:50:01 | 2008-04-11 08:55:01 |
| 209.161.34.130  | 2954  | 255  | 255        | 2008-04-11 12:15:02 | 2008-04-11 12:15:02 |
| 216.55.159.176  | 2954  | 238  | 238        | 2008-04-14 16:05:02 | 2008-04-14 16:10:03 |
| 206.51.225.222  | 2954  | 3997 | 3997       | 2008-04-14 16:45:02 | 2008-04-15 01:20:01 |
| 193.2.216.3     | 2954  | 1375 | 1375       | 2008-04-14 18:35:02 | 2008-04-15 05:25:02 |
| 216.117.199.241 | 2954  | 3470 | 3469       | 2008-04-14 20:00:02 | 2008-04-15 11:40:01 |
| 213.239.205.110 | 2954  | 108  | 108        | 2008-04-14 22:05:02 | 2008-04-14 22:05:02 |
| 210.245.87.79   | 2954  | 832  | 832        | 2008-04-15 01:00:02 | 2008-04-15 01:20:01 |
| 69.13.35.153    | 2954  | 439  | 439        | 2008-04-15 09:35:02 | 2008-04-15 10:00:01 |
| 217.65.20.234   | 2954  | 347  | 347        | 2008-04-15 15:35:02 | 2008-04-15 15:45:02 |
+-----------------+-------+------+------------+---------------------+---------------------+
Regards,
Yiming
> V/R,
> Matt Swaar
>
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Rob Thomas
> Sent: Tuesday, April 15, 2008 4:18 PM
> To: nsp-security NSP
> Subject: Re: [nsp-sec] Increased in HP OV NMM scanning (tcp/2954)
>
> ----------- nsp-security Confidential --------
>
> Hi, team.
>
> Looking only at TCP SYN flows for TCP 2954, the counts definitely
> increased on 2008-04-10 UTC, with a noticeable increase on 2008-04-06
> UTC. 2008-04-11 UTC was a banner day, it appears.
>
> Date Count
> 2008-04-01 9301
> 2008-04-02 9317
> 2008-04-03 11808
> 2008-04-04 11581
> 2008-04-05 10108
> 2008-04-06 15067
> 2008-04-07 16931
> 2008-04-08 19126
> 2008-04-09 20700
> 2008-04-10 57133
> 2008-04-11 149495
> 2008-04-12 16630
> 2008-04-13 16700
> 2008-04-14 31105
> 2008-04-15 44881
>
> Note that this will include some legitimate HP OV connectivity, of
> course, but the scale is telling.
>
> Thanks,
> Rob.
> --
> Rob Thomas
> Team Cymru
> The WHO and WHY team
> http://www.team-cymru.org/
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security
> community. Confidentiality is essential for effective
> Internet security
> counter-measures.
> _______________________________________________
>
>
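Added example, not part of the original thread: one way to turn the daily tcp/2954 SYN flow counts quoted above into an automated spike check, scoring each day against the median and median absolute deviation (MAD) of the preceding days. The five-day window, the 3.5 cut-off and the function names are assumptions chosen for illustration.

```python
from statistics import median

# Daily TCP SYN flow counts for tcp/2954, copied from the quoted message.
DAILY_SYN_FLOWS = [
    ("2008-04-01", 9301), ("2008-04-02", 9317), ("2008-04-03", 11808),
    ("2008-04-04", 11581), ("2008-04-05", 10108), ("2008-04-06", 15067),
    ("2008-04-07", 16931), ("2008-04-08", 19126), ("2008-04-09", 20700),
    ("2008-04-10", 57133), ("2008-04-11", 149495), ("2008-04-12", 16630),
    ("2008-04-13", 16700), ("2008-04-14", 31105), ("2008-04-15", 44881),
]

WINDOW = 5       # assumption: number of trailing days used as the baseline
THRESHOLD = 3.5  # assumption: usual cut-off for the modified z-score


def modified_z(value, baseline):
    """Modified z-score of value against baseline, using median and MAD."""
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline)
    if mad == 0:
        # Perfectly flat baseline: any rise is an outlier, no rise is not.
        return float("inf") if value > med else 0.0
    return 0.6745 * (value - med) / mad


def flag_spikes(series, window=WINDOW, threshold=THRESHOLD):
    """Return [(date, count, score)] for days far above the trailing baseline."""
    flagged = []
    for i in range(window, len(series)):
        date, count = series[i]
        baseline = [c for _, c in series[i - window:i]]
        score = modified_z(count, baseline)
        if score > threshold:  # one-sided: only increases are of interest
            flagged.append((date, count, round(score, 1)))
    return flagged


if __name__ == "__main__":
    for date, count, score in flag_spikes(DAILY_SYN_FLOWS):
        print(f"{date}  {count:>7}  score={score}")
```

With these settings the rises on 2008-04-14 and 2008-04-15 are scored against a baseline that already contains the spike, so they are not flagged; a production check would exclude flagged days from later baselines or use a longer window.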