[nsp-sec] Increased in HP OV NMM scanning (tcp/2954)
Rob Thomas
robt at cymru.com
Tue Apr 15 20:02:44 EDT 2008
Hi, team.
>> IP | Bytes | Packets | Flows | Earliest Seen | Latest Seen
>> 12.21.167.70| 11068944| 230603|
>
> 12.21.167.70 is also in our alert system.
12.21.167.70 appears to be a Windows 2K box. It's been sourcing scans
for a while.
On 2008-02-01 it was hunting for TCP 3050.
On 2008-03-27 it was hunting for TCP 80.
On 2008-04-10 it was hunting for TCP 2954. We see it begin the TCP 2954
scans on 2008-04-10 at 09:10:05 UTC. It may have stopped on or about
2008-04-11 16:00:49 UTC.
If nothing else this host might be a good barometer for what's coming
next. :)
Thanks,
Rob.
--
Rob Thomas
Team Cymru
The WHO and WHY team
http://www.team-cymru.org/
More information about the nsp-security
mailing list