[nsp-sec] ACK71: coordinated telnet scan of 149.163.0.0
Helmut Springer
delta at hp.com
Tue Feb 12 03:57:03 EST 2008
Hi,
On Mon, Feb 11, 2008 at 05:56:22PM +0000, Greenberg, David A wrote:
> Over the past day, we noticed a coordinated telnet sweep of part
> of our address space (149.163.0.0). It seems like each source IP
> would scan a section, then an hour or so later, a different IP
> would pick up where the last left off. Below is the list of
> sources with a UTC timestamp.
>
> Thanks,
> David Greenberg - AS87
>
> AS | IP | Info | AS Name
> 71 | 15.235.211.254 | 2008-02-11 09:32:26 UTC | HP-INTERNET-AS Hewlett-Packard Company
Having CSIRT looking into it...but that looks like an internal IP
not able to send packets to the internet.
You only got SYN from there, never a completed handshake? Any guess
if that could have been decoys, or something else with spoofed source
IP?
Thanks,
helmut
--
helmut springer HP Services
email: delta at hp.com
phone: +49.7031.14.4240 EMEA Escalation Manager