[nsp-sec] Constant scanning from the same /24 in AS4837
Yiming Gong
yiming.gong at xo.com
Thu Oct 2 11:06:10 EDT 2008
It is interesting to see the content in the spam message,
Blahblahblah.. Compromised registry files can lead to the
following:\n\n1. Complete access of your PC by hackers\n2...blahblah
It is all about security. :)
Regards,
Yiming
> -----Original Message-----
> From: Chris Morrow [mailto:morrowc at ops-netman.net]
> Sent: Wednesday, October 01, 2008 8:26 PM
> To: Gong, Yiming
> Cc: Daniel Adinolfi; nsp-security NSP
> Subject: RE: [nsp-sec] Constant scanning from the same /24 in AS4837
>
>
>
> On Tue, 30 Sep 2008, Chris Morrow wrote:
>
> >
> >
> > On Tue, 30 Sep 2008, Gong, Yiming wrote:
> >
> >> Actually most hosts behind this subnet started to scan port 1026 and
> >> 1027 ever since July this year, the following shows the statistic number
> >> from my small darknet.
> >>
> >> And you can see the IPs are sequential, from 195 to 211, and then from
> >> 227 to 235.
> >>
> >
> > are you seeing these from the interface in front of this subnet? or is this
> > just 'my darknet too got scanned' ?
> >
> > I ask, because most often this really is spoofed though I never did figure
> > out why they spoof chinese sources when they do messenger spams...
>
> so, to close the loop some on this... (or try to)
>
> <http://docs.as701.net/tmp/china-spoofed-udp.txt>
>
> lookie! yer copmuter's broadcasting an ip address, or some such nonsense
> :( but yea, lookie messenger spams! From my box's vantage point I can't
> tell if it's spoofed, but 99% chance (based on past experience) it's
> spoofed.
>
> wee!
>
> -chris
>