[nsp-sec] Report of successful WINS (ms09-039) compromise
Rob Thomas
robt at cymru.com
Mon Aug 17 17:10:41 EDT 2009
Hey, Gabe.
Thanks for the heads-up!
> 221.214.82.183
We see 221.214.82.183 begin scans for TCP 42 on or about 2009-08-15
09:57:48 UTC. Those scans continue.
Expanding the query to 221.214.82.0/24, we also see TCP 42 scans from:
221.214.82.186 on 2009-08-12 17:07:29 UTC
221.214.82.185 on 2009-08-16 07:09:40 UTC
221.214.82.186 on 2009-08-17 14:11:58 UTC
The source port seems to be a consistent TCP 6000. That might help
those of you making flow queries.
221.214.82.178 was the source of an ICMP echo scan on 2009-08-05
08:57:33 UTC.
The 221.214.82.0/24 prefix includes a fair number of
Conficker-compromised hosts.
221.214.82.0/24 appears to be mostly Windows boxes.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
https://www.team-cymru.org/
ASSERT(coffee != empty);
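
Added example, not part of the original message: one way to express the flow query described above, matching TCP destination port 42 from the fixed source port 6000 within a prefix and reporting first-seen time per source. The CSV flow layout, the function name `wins_scanners`, the `min_targets` threshold and the sample records are assumptions constructed for illustration; the sample addresses come from documentation ranges.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records (not real data). 192.0.2.0/24,
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_FLOWS = """\
ts,src,sport,dst,dport,proto
2009-08-15T09:57:48,192.0.2.183,6000,198.51.100.10,42,tcp
2009-08-15T09:57:49,192.0.2.183,6000,198.51.100.11,42,tcp
2009-08-15T09:57:50,192.0.2.183,6000,198.51.100.12,42,tcp
2009-08-16T07:09:40,192.0.2.185,6000,198.51.100.10,42,tcp
2009-08-16T07:09:41,192.0.2.185,6000,198.51.100.20,42,tcp
2009-08-16T08:00:00,192.0.2.50,49152,198.51.100.10,42,tcp
2009-08-16T08:00:05,192.0.2.50,49153,198.51.100.10,42,tcp
2009-08-16T09:00:00,203.0.113.7,6000,198.51.100.10,42,tcp
2009-08-16T09:30:00,192.0.2.186,6000,198.51.100.10,80,tcp
"""


def wins_scanners(flow_csv, prefix, dport=42, sport=6000, min_targets=2):
    """Return {src: (first_seen, distinct_targets)} for sources inside
    `prefix` that send TCP to `dport` from the fixed source port `sport`."""
    net = ipaddress.ip_network(prefix)
    first_seen = {}
    targets = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"] != "tcp" or int(row["dport"]) != dport:
            continue
        # Ephemeral source ports (e.g. a normal WINS client) are skipped.
        if int(row["sport"]) != sport:
            continue
        if ipaddress.ip_address(row["src"]) not in net:
            continue
        ts = datetime.fromisoformat(row["ts"])
        src = row["src"]
        first_seen[src] = min(ts, first_seen.get(src, ts))
        targets[src].add(row["dst"])
    # Require several distinct destinations so a single peer is not flagged.
    return {s: (first_seen[s], len(t))
            for s, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    hits = wins_scanners(SAMPLE_FLOWS, "192.0.2.0/24")
    for src, (seen, n) in sorted(hits.items()):
        print(f"{src} first seen {seen} UTC, {n} distinct TCP/42 targets")
```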