[nsp-sec] anyone got anything for 71.5.250.88
Jose Nazario
jose at arbor.net
Tue May 25 15:43:38 EDT 2010
On Tue, 25 May 2010, Yiming Gong wrote:
> Thanks a lot!
>
> Mike and Jose, are you guys okay with me sharing the data you provided in the
> emails?
you may, indeed.
> On 05/25/2010 02:31 PM, Mike Tancsa wrote:
>> At 01:16 PM 5/25/2010, Yiming Gong wrote:
>>
>> > ----------- nsp-security Confidential --------
>> >
>> > Thanks for looking into it Jose, I have some internal port 445 as
>> > well as ICMP 3/13 records for this IP, but apparently the IP is
>> > using a slow scan technique and more evidence is needed.
>> >
>> > If folks have more stuff, please send them along, thanks.
>> >
>> From a couple of parts in our network (11647), GMT-400. The ICMP
>> messages appear to be due to hosts not being reachable, based on the
>> scan target.
>>
>> StartTime           Flgs  Proto  SrcAddr Sport      Dir  DstAddr Dport        TotPkts  TotBytes  State
>> 2010-05-19 17:27:4  Ne    tcp    71.5.250.88.2271   ->   198.73.240.105.445   2        96        S_
>> 2010-05-20 03:56:0  Ne    tcp    71.5.250.88.4752   ->   67.43.133.86.445     2        96        S_
>> 2010-05-20 09:20:5  Ne    tcp    71.5.250.88.4689   ->   199.85.118.123.445   2        96        S_
>> 2010-05-20 10:59:0  Ne    tcp    71.5.250.88.2870   ->   64.7.147.39.445      2        96        S_
>> 2010-05-20 12:14:5  Ne    tcp    71.5.250.88.1653   ->   67.43.139.59.445     2        96        S_
>> 2010-05-20 12:50:3  Ne    tcp    71.5.250.88.2130   ->   199.85.119.72.445    2        96        S_
>> 2010-05-20 13:16:5  Ne    tcp    71.5.250.88.2475   ->   67.43.140.63.445     2        96        S_
>> 2010-05-20 16:30:2  Ne    tcp    71.5.250.88.1111   ->   67.43.129.25.445     2        96        S_
>> 2010-05-20 19:52:5  Ne    tcp    71.5.250.88.2770   ->   198.73.181.16.445    2        96        S_
>> 2010-05-20 22:37:0  Ne    tcp    71.5.250.88.2681   ->   198.73.240.23.445    2        96        S_
>> 2010-05-21 01:13:5  Ne    tcp    71.5.250.88.2520   ->   64.7.147.31.445      2        96        S_
>> 2010-05-21 04:44:3  Ne    tcp    71.5.250.88.1851   ->   67.43.139.62.445     2        96        S_
>> 2010-05-21 06:08:0  Ne    tcp    71.5.250.88.4673   ->   67.43.137.27.445     2        96        S_
>> 2010-05-21 07:15:4  Ne    tcp    71.5.250.88.1723   ->   67.43.140.39.445     2        96        S_
>> 2010-05-21 08:55:1  Ne    tcp    71.5.250.88.3061   ->   199.71.252.120.445   2        96        S_
>> 2010-05-21 09:20:2  Ne    tcp    71.5.250.88.4924   ->   199.85.119.47.445    2        96        S_
>> 2010-05-21 11:57:3  Ne    tcp    71.5.250.88.1540   ->   67.43.133.90.445     2        96        S_
>> 2010-05-21 16:54:3  Ne    tcp    71.5.250.88.2235   ->   198.73.181.43.445    2        96        S_
>> 2010-05-22 10:50:0  Ne    tcp    71.5.250.88.2607   ->   64.7.147.98.445      2        96        S_
>> 2010-05-22 13:36:2  Ne    tcp    71.5.250.88.3221   ->   67.43.133.126.445    2        96        S_
>> 2010-05-22 18:02:2  Ne    tcp    71.5.250.88.1118   ->   198.73.181.73.445    2        96        S_
>> 2010-05-22 18:11:5  Ne    tcp    71.5.250.88.1616   ->   64.7.147.20.445      2        96        S_
>> 2010-05-23 00:17:2  Ne    tcp    71.5.250.88.4342   ->   67.43.139.61.445     2        96        S_
>> 2010-05-23 01:35:1  Ne    tcp    71.5.250.88.3214   ->   198.73.181.125.445   2        96        S_
>> 2010-05-23 02:49:3  Ne    tcp    71.5.250.88.2466   ->   198.73.181.28.445    2        96        S_
>> 2010-05-23 04:35:2  Ne    tcp    71.5.250.88.1322   ->   67.43.136.76.445     2        96        S_
>> 2010-05-23 12:36:3  Ne    tcp    71.5.250.88.4194   ->   67.43.136.95.445     2        96        S_
>> 2010-05-23 15:25:3  Ne    tcp    71.5.250.88.2515   ->   64.7.147.39.445      2        96        S_
>> 2010-05-24 01:17:2  Ne    tcp    71.5.250.88.2924   ->   64.7.134.125.445     2        96        S_
>> 2010-05-24 02:03:4  Ne    tcp    71.5.250.88.2151   ->   67.43.137.53.445     2        96        S_
>> 2010-05-24 04:53:0  Ne    tcp    71.5.250.88.1413   ->   67.43.133.63.445     2        96        S_
>> 2010-05-24 05:57:2  Ne    tcp    71.5.250.88.3105   ->   67.43.140.59.445     2        96        S_
>> 2010-05-24 17:37:5  Ne    tcp    71.5.250.88.4606   ->   198.73.240.49.445    2        96        S_
>>
>> and
>>
>> StartTime           Flgs  Proto  SrcAddr Sport      Dir  DstAddr Dport        TotPkts  TotBytes  State
>> 2010-05-20 01:47:4  M s   tcp    71.5.250.88.1826   ->   64.7.128.21.445      4        256       S_
>> 2010-05-20 02:19:1  e s   tcp    71.5.250.88.1266   ->   64.7.141.83.445      2        124       S_
>> 2010-05-20 04:30:0  M s   tcp    71.5.250.88.1533   ->   206.51.25.42.445     4        256       S_
>> 2010-05-20 05:37:3  M s   tcp    71.5.250.88.2125   ->   64.7.140.64.445      6        388       S_
>> 2010-05-20 10:46:3  eTs   tcp    71.5.250.88.4135   ->   64.7.150.35.445      2        124       S_
>> 2010-05-20 10:46:3  e     icmp   64.7.150.18.11     ->   71.5.250.88.0        2        140       TXD
>> 2010-05-20 11:14:2  M s   tcp    71.5.250.88.3621   ->   64.7.135.25.445      4        256       S_
>> 2010-05-20 12:53:0  M s   tcp    71.5.250.88.3544   ->   64.7.132.49.445      464      29696     S_
>> 2010-05-21 01:36:0  M s   tcp    71.5.250.88.1940   ->   64.7.141.34.445      4        256       S_
>> 2010-05-21 11:13:4  M s   tcp    71.5.250.88.3898   ->   64.7.138.1.445       8        480       S_RA
>> 2010-05-21 18:46:2  e s   tcp    71.5.250.88.1812   ->   199.71.182.71.445    2        124       S_
>> 2010-05-21 23:59:0  M s   tcp    71.5.250.88.3456   ->   64.7.140.84.445      6        388       S_
>> 2010-05-22 02:36:4  e s   tcp    71.5.250.88.1592   ->   199.71.182.113.445   2        124       S_
>> 2010-05-23 00:01:2  M s   tcp    71.5.250.88.2033   ->   64.7.149.72.445      4        256       S_
>> 2010-05-23 15:25:5  e s   tcp    71.5.250.88.3196   ->   199.71.182.5.445     2        124       S_
>> 2010-05-24 05:52:1  M s   tcp    71.5.250.88.3942   ->   64.7.138.20.445      4        256       S_
>> 2010-05-24 06:42:2  M s   tcp    71.5.250.88.3476   ->   206.51.25.111.445    4        256       S_
>> 2010-05-24 09:35:3  eUs   tcp    71.5.250.88.2498   ->   64.7.141.61.445      2        124       S_
>> 2010-05-24 09:35:3  e     icmp   64.7.153.8.259     ->   71.5.250.88.16391    2        140       URH
>> 2010-05-24 13:17:3  e s   tcp    71.5.250.88.2460   ->   199.71.182.58.445    2        124       S_
>> 2010-05-24 21:11:2  M s   tcp    71.5.250.88.2157   ->   64.7.150.96.445      6        388       S_
>> 2010-05-25 03:31:5  M s   tcp    71.5.250.88.1731   ->   206.51.25.96.445     4        256       S_
>> 2010-05-25 09:58:2  M s   tcp    71.5.250.88.2276   ->   64.7.138.85.445      4        256       S_
>> 2010-05-25 11:34:5  M s   tcp    71.5.250.88.1281   ->   64.7.149.74.445      6        388       S_
>>
>> ---Mike
>>
>>
>> > Yiming
>> >
>> > On 05/25/2010 12:11 PM, jose nazario wrote:
>> >
>> > > On May 25, 2010, at 1:08 PM, Yiming Gong wrote:
>> > >
>> > >
>> > >
>> > > > Does anyone have anything for IP 71.5.250.88? We are having some
>> > > > interesting conversation with the customer behind it and we need
>> > > > some more evidence, thanks
>> > > >
>> > > >
>> > > via ATLAS some TCP/445 scan activity.
>> > >
>> > > scan [{u'src': u'71.5.250.88', u'dport': u'445', u'proto': u'6', u'cc': u'US', u'bytes': u'288', u'start': u'1274222400', u'pkts': u'6', u'asn': u'2828'},
>> > >       {u'src': u'71.5.250.88', u'dport': u'445', u'proto': u'6', u'cc': u'US', u'bytes': u'336', u'start': u'1274279700', u'pkts': u'7', u'asn': u'2828'},
>> > >       {u'src': u'71.5.250.88', u'dport': u'445', u'proto': u'6', u'cc': u'US', u'bytes': u'288', u'start': u'1274334000', u'pkts': u'6', u'asn': u'2828'}]
>> > >
>> > > _____________________________
>> > > jose nazario, ph.d. jose at arbor.net
>> > > sr. manager of security research, arbor networks
>> > > http://asert.arbor.net/
>> > >
>> > >
>> > >
>> > >
>> >
>> >
>> > _______________________________________________
>> > nsp-security mailing list
>> > nsp-security at puck.nether.net
>> > https://puck.nether.net/mailman/listinfo/nsp-security
>> >
>> > Please do not Forward, CC, or BCC this E-mail outside of the
>> > nsp-security
>> > community. Confidentiality is essential for effective Internet
>> > security counter-measures.
>> > _______________________________________________
>> >
>> --------------------------------------------------------------------
>> Mike Tancsa, tel +1 519 651 3400
>> Sentex Communications, mike at sentex.net
>> Providing Internet since 1994 www.sentex.net
>> Cambridge, Ontario Canada www.sentex.net/mike
>>
>>
>>
>
--
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
manager of security research arbor networks
v: (734) 821 1427 http://asert.arbor.net/
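Added example (not part of the thread, and not argus or ATLAS code): the flow records above show why Yiming calls this a slow scan. One source, one destination port, a handful of SYN-only flows per day spread across many /24s, with gaps of minutes to hours between probes, so a per-minute or per-hour SYN threshold never fires; the same count of distinct targets over a window of days does. The script parses constructed argus-style records (one record per line, the `ra` columns from Mike's output with the Flgs column dropped) and runs the same distinct-target count over a one-minute window and a seven-day window. Reading the State column as `S_` = SYN sent with nothing back and `S_RA` = SYN answered by RST/ACK is my interpretation of the argus output, not something the thread states. The source address is the one under discussion; the target addresses, ports and timestamps are made up, using RFC 5737 documentation ranges.

```python
"""Slow-scan detection over argus-style flow records.

Added example, not part of the nsp-security thread or of argus/ATLAS.
Assumed record layout (constructed, modelled on `ra` output with the
Flgs column dropped):

    StartTime Proto SrcAddr.Sport -> DstAddr.Dport TotPkts TotBytes State
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple, Optional


class Flow(NamedTuple):
    start: datetime
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    pkts: int
    nbytes: int
    state: str


# Constructed sample: the probing source is the address from the thread, the
# targets are RFC 5737 documentation addresses, and the timing mimics the
# thread's pattern (a few SYN-only flows per day, hours apart). Two ordinary
# connections from another host are mixed in so the filter has work to do.
SAMPLE_RECORDS = """\
2010-05-19 17:27:40 tcp 71.5.250.88.2271 -> 198.51.100.105.445 2 96 S_
2010-05-20 03:56:02 tcp 71.5.250.88.4752 -> 203.0.113.86.445 2 96 S_
2010-05-20 09:20:51 tcp 71.5.250.88.4689 -> 198.51.100.123.445 2 96 S_
2010-05-20 10:59:03 tcp 71.5.250.88.2870 -> 203.0.113.39.445 2 96 S_
2010-05-20 12:14:55 tcp 71.5.250.88.1653 -> 198.51.100.59.445 2 96 S_
2010-05-20 12:50:30 tcp 71.5.250.88.2130 -> 203.0.113.72.445 2 96 S_
2010-05-21 01:13:57 tcp 71.5.250.88.2520 -> 198.51.100.31.445 2 96 S_
2010-05-21 11:13:41 tcp 71.5.250.88.3898 -> 203.0.113.1.445 8 480 S_RA
2010-05-22 10:50:04 tcp 71.5.250.88.2607 -> 198.51.100.98.445 2 96 S_
2010-05-22 12:00:00 tcp 192.0.2.10.51234 -> 198.51.100.20.80 20 4800 CON
2010-05-22 12:00:05 tcp 192.0.2.10.51235 -> 198.51.100.20.443 30 9000 FIN
2010-05-23 00:17:22 tcp 71.5.250.88.4342 -> 203.0.113.61.445 2 96 S_
2010-05-24 01:17:25 tcp 71.5.250.88.2924 -> 198.51.100.125.445 2 96 S_
2010-05-24 17:37:50 tcp 71.5.250.88.4606 -> 203.0.113.49.445 2 96 S_
"""


def parse_record(line: str) -> Optional[Flow]:
    """Parse one record in the assumed layout; None for headers/blank lines."""
    f = line.split()
    if len(f) != 9 or f[4] != "->":
        return None
    src, sport = f[3].rsplit(".", 1)   # argus writes addr.port as one token
    dst, dport = f[5].rsplit(".", 1)
    return Flow(datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S"),
                f[2], src, int(sport), dst, int(dport), int(f[6]), int(f[7]), f[8])


def parse_records(text: str) -> list:
    return [fl for fl in map(parse_record, text.splitlines()) if fl is not None]


def is_syn_probe(fl: Flow) -> bool:
    """TCP flow that never completed a handshake.

    Assumption about the argus State column: 'S_' is a SYN with nothing back,
    'S_RA' a SYN answered by RST/ACK (closed port). Both are probes, neither
    is a connection, so both count towards the scan.
    """
    return fl.proto == "tcp" and fl.state.startswith("S_")


def max_distinct_targets(probes, window: timedelta) -> int:
    """Largest number of distinct destination hosts hit inside any span of
    length `window`, sliding over the probes in time order."""
    probes = sorted(probes, key=lambda fl: fl.start)
    best = 0
    for i, first in enumerate(probes):
        seen = set()
        for fl in probes[i:]:
            if fl.start - first.start > window:
                break
            seen.add(fl.dst)
        best = max(best, len(seen))
    return best


def min_probe_gap(flows) -> Optional[timedelta]:
    """Shortest interval between consecutive probes; large values = slow scan."""
    times = sorted(fl.start for fl in flows if is_syn_probe(fl))
    return min((b - a for a, b in zip(times, times[1:])), default=None)


def detect_scans(flows, window: timedelta, min_targets: int) -> dict:
    """Map (src, dport) -> distinct targets for every pair that reached
    `min_targets` distinct hosts within a single `window`."""
    by_key = defaultdict(list)
    for fl in flows:
        if is_syn_probe(fl):
            by_key[(fl.src, fl.dport)].append(fl)
    alerts = {}
    for key, probes in by_key.items():
        n = max_distinct_targets(probes, window)
        if n >= min_targets:
            alerts[key] = n
    return alerts


if __name__ == "__main__":
    flows = parse_records(SAMPLE_RECORDS)
    # A per-minute threshold sees at most one target at a time and stays quiet,
    # while the same count over a week exposes the scan.
    print("1-minute window:", detect_scans(flows, timedelta(minutes=1), 10))
    print("7-day window:   ", detect_scans(flows, timedelta(days=7), 10))
    print("shortest gap between probes:", min_probe_gap(flows))
```

The long window is the whole point: with the sample timing, no two probes land within an hour of a third, so any detector keyed on short-term rate reports at most two targets, while the seven-day count reaches twelve. In practice the window length is bounded by how long you can keep per-source state; the tradeoff is memory per (src, dport) pair against the slowest scan you still want to catch, and the ICMP unreachables in Mike's second table are a useful corroborating signal for the same source.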