[nsp-sec] Merak Mail server, TCP/32000 scanning
Rob Thomas
robt at cymru.com
Tue Sep 16 18:14:25 EDT 2008
Hey, Chris.
We're not seeing a lot of this activity in our Darknets. We've logged
25 distinct sources in 2008-09, 50 distinct sources in 2008-08, and 62
distinct sources in 2008-07.
Here is what we see to/from TCP 32000:
Date (UTC)    Flow count
2008-09-12       150,616
2008-09-13       170,405
2008-09-14       149,550
2008-09-15       163,090
2008-09-16       133,990 (thus far)
> AS | IP | AS Name
> 24101 | 129.180.224.250 | UNE-AS-AP University of New England
It appears this host has been scanning for TCP 32000 at least since
2008-07-02 04:00:24 UTC.
> AS | IP | AS Name
> 5486 | 213.8.116.213 | SMILE-ASN Euronet Digital Communications,
> (1992) LTD, Israel
It appears that this host has been scanning for TCP 32000 at least since
2008-07-24 13:27:25 UTC.
> AS | IP | AS Name
> 29255 | 212.24.224.148 | ZAJIL-AS ZAJIL Autonomous Number in Saudi
> Arabia
It appears that this host has been scanning for TCP 32000 at least since
2008-07-24 04:06:34 UTC.
It appears that this host has been a warez dump since at least
2008-05-09 20:03:44, though that might not be related to the TCP 32000
scanning activity.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");
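The figures in the post (distinct sources per month, flows per day, and the earliest time each host was seen probing TCP/32000) are the kind of summary a darknet sensor's flow log can produce. The following is an added example, not code from the post or from Team Cymru; it assumes a simple whitespace-separated flow record layout and uses constructed sample lines with documentation-range addresses rather than the hosts named above.

```python
"""Aggregate darknet flow records for one destination port.

Added example (not from the nsp-sec post or Team Cymru tooling). Given
flow records of the kind a darknet sensor exports, it derives the three
figures the post reports for TCP/32000: distinct sources per month,
flow count per day, and the earliest time each source was seen. The
record layout and the sample lines below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample, one record per line:
#   "timestamp src_ip src_port dst_ip dst_port proto"
# Addresses are from documentation ranges, not hosts from the post.
SAMPLE_FLOWS = """\
2008-07-02T05:10:00Z 192.0.2.10 40001 198.51.100.7 32000 TCP
2008-07-24T14:00:00Z 192.0.2.20 40002 198.51.100.8 32000 TCP
2008-08-03T09:12:00Z 192.0.2.10 40003 198.51.100.9 32000 TCP
2008-08-03T09:12:01Z 192.0.2.10 40004 198.51.100.9 32000 TCP
2008-08-15T22:05:10Z 192.0.2.30 40005 198.51.100.7 22 TCP
2008-09-12T01:00:00Z 192.0.2.20 40006 198.51.100.7 32000 TCP
2008-09-12T02:00:00Z 192.0.2.40 40007 198.51.100.7 32000 TCP
2008-09-13T02:30:00Z 192.0.2.40 40008 198.51.100.8 32000 TCP
2008-09-13T02:30:05Z 192.0.2.40 40009 198.51.100.8 32000 UDP
"""


def parse_flows(text):
    """Yield (timestamp, src_ip, dst_port, proto); skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, _sport, _dst, dport, proto = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            yield when, src, int(dport), proto.upper()
        except ValueError:
            continue  # malformed timestamp or port; ignore the record


def summarize_port(text, dst_port=32000, proto="TCP"):
    """Return (distinct sources per month, flows per day, first-seen per source)
    for flows to dst_port/proto. Flows to other ports or protocols are ignored."""
    sources_by_month = defaultdict(set)
    flows_by_day = defaultdict(int)
    first_seen = {}
    for when, src, dport, prot in parse_flows(text):
        if dport != dst_port or prot != proto:
            continue
        sources_by_month[when.strftime("%Y-%m")].add(src)
        flows_by_day[when.strftime("%Y-%m-%d")] += 1
        if src not in first_seen or when < first_seen[src]:
            first_seen[src] = when
    return (
        {month: len(srcs) for month, srcs in sorted(sources_by_month.items())},
        dict(sorted(flows_by_day.items())),
        first_seen,
    )


if __name__ == "__main__":
    by_month, by_day, seen = summarize_port(SAMPLE_FLOWS)
    for month, n in by_month.items():
        print(f"{month}: {n} distinct sources")
    for day, n in by_day.items():
        print(f"{day}: {n:,} flows")
    for src, when in sorted(seen.items(), key=lambda kv: kv[1]):
        print(f"{src} scanning since at least {when:%Y-%m-%d %H:%M:%S} UTC")
```

The per-month count is of distinct sources, so a host that probes every day still counts once per month, which is why the monthly source figures can fall while the daily flow counts stay high, as they do in the post's numbers.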