[nsp-sec] Constant scanning from the same /24 in AS4837
Chris Morrow
morrowc at ops-netman.net
Wed Oct 1 21:25:42 EDT 2008
On Tue, 30 Sep 2008, Chris Morrow wrote:
>
>
> On Tue, 30 Sep 2008, Gong, Yiming wrote:
>
>> Actually most hosts behind this subnet started to scan port 1026 and
>> 1027 ever since July this year, the following shows the statistic number
>> from my small darknet.
>>
>> And you can see the IPs are sequential, from 195 to 211, and then from
>> 227 to 235.
>>
>
> are you seeing these from the interface in front of this subnet? or is this
> just 'my darknet too got scanned' ?
>
> I ask, because most often this really is spoofed though I never did figure
> out why they spoof chinese sources when they do messenger spams...
so, to close the loop some on this... (or try to)
<http://docs.as701.net/tmp/china-spoofed-udp.txt>
lookie! yer copmuter's broadcasting an ip address, or some such nonsense
:( but yea, lookie messenger spams! From my box's vantage point I can't
tell if it's spoofed, but 99% chance (based on past experience) it's
spoofed.
wee!
-chris
More information about the nsp-security
mailing list