[nsp-sec] AS1221 - Telstra Australia
Rob Thomas
robt at cymru.com
Mon Jan 5 14:59:09 EST 2009
Hi, Zane.
> 144.139.107.12, DCOM, 2008-12-31 10:32:58 (1564701)
Bupkes on this one, sorry.
> 203.46.120.238, MS08-067, 2008-12-31 15:31:09 (1563784)
We've seen this one seeking TCP 445 in our Darknets as early as
2008-12-22 17:20:04 UTC. Others have seen it as far back as 2008-12-06
00:41:32 UTC.
> 203.49.139.161, MS08-067, 2008-12-31 20:54:10 (1565021)
Another TCP 445 scanner since at least 2008-12-30 00:07:03 UTC.
> 203.45.58.167, MS08-067, 2008-12-30 19:59:19 (1564405)
Interesting - appears to be a mail server running Windows NT.
timestamp           | dns_name              | ip
--------------------+-----------------------+---------------
2009-01-02 22:50:07 | mail.yq4travel.com.au | 203.45.58.167
We also see it scanning for TCP 445 in 2008-12 UTC.
> 203.45.57.86, DCOM, 2009-01-01 06:44:23 (1565153)
Busy TCP 135 scanner since at least 2008-11-30 10:01:51 UTC.
> 203.46.120.238, MS08-067, 2009-01-02 09:23:20 (1563784)
Looking for TCP 445 since at least 2008-12-06 00:41:32 UTC.
> 203.49.139.161, MS08-067, 2009-01-02 09:31:17 (1565021)
Looking for TCP 445 since at least 2008-12-30 00:07:03 UTC.
Looks like one or more botnets to me. A couple of these hosts were
talking to Storm nodes fairly regularly.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");