[nsp-sec] Constant scanning from the same /24 in AS4837
Chris Morrow
morrowc at ops-netman.net
Tue Sep 30 09:13:58 EDT 2008
On Tue, 30 Sep 2008, Daniel Adinolfi wrote:
> ----------- nsp-security Confidential --------
>
> Folks,
>
> For the last month, we've been seeing UDP scans of our networks on ports 1026
> and 1027 from various hosts in the 202.97.238/24 network. A sample from last
> night:
>

Grab the content, I'd bet it has messenger spam in it :( (pop-up spam,
whatever the silly 'send a message to your lan-mate' crap is)

>
> It's not particularly bothersome, but after a month, maybe they want to quit
> it? Does anyone have a contact there who can bop them on the head?

I doubt it's actually coming from there :( Most of this is spoofed, since
it's UDP and one-way is all that matters... Grab some full packets if you
can.

-Chris
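
Following the suggestion above to grab full packets, one way to check a captured UDP payload for Messenger pop-up spam, as an added example that is not part of the original thread: it parses the 80-byte DCE/RPC connectionless header and compares the interface UUID with that of the Windows Messenger service. The names `classify` and `build_sample` are hypothetical and the sample datagram is constructed.

```python
import re
import struct
import uuid

# Interface UUID of the Windows Messenger service (msgsvcsend).
MESSENGER_IF = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")
CL_HEADER_LEN = 80  # fixed DCE/RPC v4 connectionless header size


def classify(payload: bytes) -> dict:
    """Inspect one UDP payload captured on port 1026/1027 (hypothetical helper)."""
    result = {"dcerpc_cl": False, "messenger": False, "opnum": None, "text": []}
    # Byte 0 is rpc_vers (4 for connectionless), byte 1 is ptype (0 = request).
    if len(payload) < CL_HEADER_LEN or payload[0] != 4:
        return result
    result["dcerpc_cl"] = True
    # drep[0] high nibble gives integer byte order: 1 = little-endian.
    little = (payload[4] >> 4) == 1
    raw_if = payload[24:40]  # interface UUID follows the 16-byte object UUID
    if_id = uuid.UUID(bytes_le=raw_if) if little else uuid.UUID(bytes=raw_if)
    (result["opnum"],) = struct.unpack_from("<H" if little else ">H", payload, 68)
    result["messenger"] = payload[1] == 0 and if_id == MESSENGER_IF
    # Printable runs in the body are what the pop-up would have displayed.
    body = payload[CL_HEADER_LEN:]
    result["text"] = [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{6,}", body)]
    return result


def build_sample(if_id: uuid.UUID, body: bytes) -> bytes:
    """Build a constructed test datagram; the body is not real NDR encoding."""
    header = struct.pack(
        "<BBBB3sB16s16s16sIIIHHHHHBB",
        4, 0, 0, 0, b"\x10\x00\x00", 0,         # vers, ptype, flags, drep, serial_hi
        bytes(16), if_id.bytes_le, bytes(16),   # object, interface, activity UUIDs
        0, 1, 0,                                # server_boot, if_vers, seqnum
        0, 0xFFFF, 0xFFFF, len(body), 0, 0, 0,  # opnum, hints, len, fragnum, auth, serial_lo
    )
    return header + body


if __name__ == "__main__":
    spam = build_sample(MESSENGER_IF, b"\x00\x00SYSTEM ALERT\x00visit example.invalid\x00")
    print(classify(spam))
```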