[nsp-sec] anyone got anything for 71.5.250.88
Smith, Donald
Donald.Smith at qwest.com
Tue May 25 16:19:58 EDT 2010
Lots of 445 scanning reported to dshield.
http://isc.sans.org/ipdetails.html?ip=71.5.250.88
(coffee != ) & (!coffee == sleep)
Donald.Smith at qwest.com
________________________________________
From: nsp-security-bounces at puck.nether.net [nsp-security-bounces at puck.nether.net] On Behalf Of Joel Rosenblatt [joel at columbia.edu]
Sent: Tuesday, May 25, 2010 2:03 PM
To: Jose Nazario; Yiming Gong
Cc: nsp-security NSP
Subject: Re: [nsp-sec] anyone got anything for 71.5.250.88
----------- nsp-security Confidential --------
I got these from a 2-hour look back
2010/05/25 14:11:01 71.5.250.88.3563 -> 128.59.3.13.445 6(SYN) 1 48
2010/05/25 14:27:49 4.53.80.6 -> 71.5.250.88 ICMP_ECHOREPLY 1 56
2010/05/25 14:27:50 71.5.250.88.3608 -> 156.111.42.63.445 6(SYN) 1 48
2010/05/25 14:37:30 71.5.250.88.4187 -> 160.39.244.43.445 6(SYN) 2 96
2010/05/25 14:40:04 71.5.250.88.1815 -> 160.39.23.10.445 6(SYN) 2 96
2010/05/25 15:18:04 71.5.250.88.3189 -> 156.111.201.26.445 6(SYN) 1 48
2010/05/25 15:38:27 71.5.250.88.2778 -> 128.59.84.112.445 6(SYN) 1 48
The second one is a little weird .. looks like 71.4.250.88 pinged our gateway router
Joel
--On Tuesday, May 25, 2010 3:43 PM -0400 Jose Nazario <jose at arbor.net> wrote:
> ----------- nsp-security Confidential --------
>
> On Tue, 25 May 2010, Yiming Gong wrote:
>
>> Thanks a lot!
>>
>> Mike and Jose, are you guys okay with me sharing the data you provide in the
>> emails?
>
> you may, indeed.
>
>> On 05/25/2010 02:31 PM, Mike Tancsa wrote:
>>> At 01:16 PM 5/25/2010, Yiming Gong wrote:
>>>
>>> > ----------- nsp-security Confidential --------
>>> >
>>> > Thanks for looking into it Jose, I have some internal port 445 as
>>> > well as ICMP 3/13 records for this IP, but apparently the IP is
>>> > using a slow-scan technique and more evidence is needed.
>>> >
>>> > If folks have more stuff, please send them along, thanks.
>>> >
>>> From a couple of parts in our network (11647) GMT-400. The ICMP
>>> messages appear to be due to hosts being not reachable based on the
>>> scan target.
>>>
>>> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
>>> 2010-05-19 17:27:4 Ne tcp 71.5.250.88.2271 -> 198.73.240.105.445 2 96 S_
>>> 2010-05-20 03:56:0 Ne tcp 71.5.250.88.4752 -> 67.43.133.86.445 2 96 S_
>>> 2010-05-20 09:20:5 Ne tcp 71.5.250.88.4689 -> 199.85.118.123.445 2 96 S_
>>> 2010-05-20 10:59:0 Ne tcp 71.5.250.88.2870 -> 64.7.147.39.445 2 96 S_
>>> 2010-05-20 12:14:5 Ne tcp 71.5.250.88.1653 -> 67.43.139.59.445 2 96 S_
>>> 2010-05-20 12:50:3 Ne tcp 71.5.250.88.2130 -> 199.85.119.72.445 2 96 S_
>>> 2010-05-20 13:16:5 Ne tcp 71.5.250.88.2475 -> 67.43.140.63.445 2 96 S_
>>> 2010-05-20 16:30:2 Ne tcp 71.5.250.88.1111 -> 67.43.129.25.445 2 96 S_
>>> 2010-05-20 19:52:5 Ne tcp 71.5.250.88.2770 -> 198.73.181.16.445 2 96 S_
>>> 2010-05-20 22:37:0 Ne tcp 71.5.250.88.2681 -> 198.73.240.23.445 2 96 S_
>>> 2010-05-21 01:13:5 Ne tcp 71.5.250.88.2520 -> 64.7.147.31.445 2 96 S_
>>> 2010-05-21 04:44:3 Ne tcp 71.5.250.88.1851 -> 67.43.139.62.445 2 96 S_
>>> 2010-05-21 06:08:0 Ne tcp 71.5.250.88.4673 -> 67.43.137.27.445 2 96 S_
>>> 2010-05-21 07:15:4 Ne tcp 71.5.250.88.1723 -> 67.43.140.39.445 2 96 S_
>>> 2010-05-21 08:55:1 Ne tcp 71.5.250.88.3061 -> 199.71.252.120.445 2 96 S_
>>> 2010-05-21 09:20:2 Ne tcp 71.5.250.88.4924 -> 199.85.119.47.445 2 96 S_
>>> 2010-05-21 11:57:3 Ne tcp 71.5.250.88.1540 -> 67.43.133.90.445 2 96 S_
>>> 2010-05-21 16:54:3 Ne tcp 71.5.250.88.2235 -> 198.73.181.43.445 2 96 S_
>>> 2010-05-22 10:50:0 Ne tcp 71.5.250.88.2607 -> 64.7.147.98.445 2 96 S_
>>> 2010-05-22 13:36:2 Ne tcp 71.5.250.88.3221 -> 67.43.133.126.445 2 96 S_
>>> 2010-05-22 18:02:2 Ne tcp 71.5.250.88.1118 -> 198.73.181.73.445 2 96 S_
>>> 2010-05-22 18:11:5 Ne tcp 71.5.250.88.1616 -> 64.7.147.20.445 2 96 S_
>>> 2010-05-23 00:17:2 Ne tcp 71.5.250.88.4342 -> 67.43.139.61.445 2 96 S_
>>> 2010-05-23 01:35:1 Ne tcp 71.5.250.88.3214 -> 198.73.181.125.445 2 96 S_
>>> 2010-05-23 02:49:3 Ne tcp 71.5.250.88.2466 -> 198.73.181.28.445 2 96 S_
>>> 2010-05-23 04:35:2 Ne tcp 71.5.250.88.1322 -> 67.43.136.76.445 2 96 S_
>>> 2010-05-23 12:36:3 Ne tcp 71.5.250.88.4194 -> 67.43.136.95.445 2 96 S_
>>> 2010-05-23 15:25:3 Ne tcp 71.5.250.88.2515 -> 64.7.147.39.445 2 96 S_
>>> 2010-05-24 01:17:2 Ne tcp 71.5.250.88.2924 -> 64.7.134.125.445 2 96 S_
>>> 2010-05-24 02:03:4 Ne tcp 71.5.250.88.2151 -> 67.43.137.53.445 2 96 S_
>>> 2010-05-24 04:53:0 Ne tcp 71.5.250.88.1413 -> 67.43.133.63.445 2 96 S_
>>> 2010-05-24 05:57:2 Ne tcp 71.5.250.88.3105 -> 67.43.140.59.445 2 96 S_
>>> 2010-05-24 17:37:5 Ne tcp 71.5.250.88.4606 -> 198.73.240.49.445 2 96 S_
>>>
>>> and
>>>
>>> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
>>> 2010-05-20 01:47:4 M s tcp 71.5.250.88.1826 -> 64.7.128.21.445 4 256 S_
>>> 2010-05-20 02:19:1 e s tcp 71.5.250.88.1266 -> 64.7.141.83.445 2 124 S_
>>> 2010-05-20 04:30:0 M s tcp 71.5.250.88.1533 -> 206.51.25.42.445 4 256 S_
>>> 2010-05-20 05:37:3 M s tcp 71.5.250.88.2125 -> 64.7.140.64.445 6 388 S_
>>> 2010-05-20 10:46:3 eTs tcp 71.5.250.88.4135 -> 64.7.150.35.445 2 124 S_
>>> 2010-05-20 10:46:3 e icmp 64.7.150.18.11 -> 71.5.250.88.0 2 140 TXD
>>> 2010-05-20 11:14:2 M s tcp 71.5.250.88.3621 -> 64.7.135.25.445 4 256 S_
>>> 2010-05-20 12:53:0 M s tcp 71.5.250.88.3544 -> 64.7.132.49.445 464 29696 S_
>>> 2010-05-21 01:36:0 M s tcp 71.5.250.88.1940 -> 64.7.141.34.445 4 256 S_
>>> 2010-05-21 11:13:4 M s tcp 71.5.250.88.3898 -> 64.7.138.1.445 8 480 S_RA
>>> 2010-05-21 18:46:2 e s tcp 71.5.250.88.1812 -> 199.71.182.71.445 2 124 S_
>>> 2010-05-21 23:59:0 M s tcp 71.5.250.88.3456 -> 64.7.140.84.445 6 388 S_
>>> 2010-05-22 02:36:4 e s tcp 71.5.250.88.1592 -> 199.71.182.113.445 2 124 S_
>>> 2010-05-23 00:01:2 M s tcp 71.5.250.88.2033 -> 64.7.149.72.445 4 256 S_
>>> 2010-05-23 15:25:5 e s tcp 71.5.250.88.3196 -> 199.71.182.5.445 2 124 S_
>>> 2010-05-24 05:52:1 M s tcp 71.5.250.88.3942 -> 64.7.138.20.445 4 256 S_
>>> 2010-05-24 06:42:2 M s tcp 71.5.250.88.3476 -> 206.51.25.111.445 4 256 S_
>>> 2010-05-24 09:35:3 eUs tcp 71.5.250.88.2498 -> 64.7.141.61.445 2 124 S_
>>> 2010-05-24 09:35:3 e icmp 64.7.153.8.259 -> 71.5.250.88.16391 2 140 URH
>>> 2010-05-24 13:17:3 e s tcp 71.5.250.88.2460 -> 199.71.182.58.445 2 124 S_
>>> 2010-05-24 21:11:2 M s tcp 71.5.250.88.2157 -> 64.7.150.96.445 6 388 S_
>>> 2010-05-25 03:31:5 M s tcp 71.5.250.88.1731 -> 206.51.25.96.445 4 256 S_
>>> 2010-05-25 09:58:2 M s tcp 71.5.250.88.2276 -> 64.7.138.85.445 4 256 S_
>>> 2010-05-25 11:34:5 M s tcp 71.5.250.88.1281 -> 64.7.149.74.445 6 388 S_
>>>
>>> ---Mike
>>>
>>>
>>> > Yiming
>>> >
>>> > On 05/25/2010 12:11 PM, jose nazario wrote:
>>> >
>>> > > On May 25, 2010, at 1:08 PM, Yiming Gong wrote:
>>> > >
>>> > >
>>> > >
>>> > > > Does anyone have anything for IP 71.5.250.88? We are having an
>>> > > > interesting conversation with the customer behind it and we need
>>> > > > some more evidence, thanks
>>> > > >
>>> > > >
>>> > > via ATLAS some TCP/445 scan activity.
>>> > >
>>> > > scan [{u'src': u'71.5.250.88', u'dport': u'445', u'proto': u'6',
>>> > > u'cc': u'US', u'bytes': u'288', u'start': u'1274222400', u'pkts':
>>> > > u'6', u'asn': u'2828'}, {u'src': u'71.5.250.88', u'dport': u'445',
>>> > > u'proto': u'6', u'cc': u'US', u'bytes': u'336', u'start':
>>> > > u'1274279700', u'pkts': u'7', u'asn': u'2828'}, {u'src':
>>> > > u'71.5.250.88', u'dport': u'445', u'proto': u'6', u'cc': u'US',
>>> > > u'bytes': u'288', u'start': u'1274334000', u'pkts': u'6', u'asn':
>>> > > u'2828'}]
>>> > >
>>> > > _____________________________
>>> > > jose nazario, ph.d. jose at arbor.net
>>> > > sr. manager of security research, arbor networks
>>> > > http://asert.arbor.net/
>>> > >
>>> > >
>>> > >
>>> > >
>>> >
>>> >
>>> > _______________________________________________
>>> > nsp-security mailing list
>>> > nsp-security at puck.nether.net
>>> > https://puck.nether.net/mailman/listinfo/nsp-security
>>> >
>>> > Please do not Forward, CC, or BCC this E-mail outside of the
>>> > nsp-security
>>> > community. Confidentiality is essential for effective Internet
>>> > security counter-measures.
>>> > _______________________________________________
>>> >
>>> --------------------------------------------------------------------
>>> Mike Tancsa, tel +1 519 651 3400
>>> Sentex Communications, mike at sentex.net
>>> Providing Internet since 1994 www.sentex.net
>>> Cambridge, Ontario Canada www.sentex.net/mike
>>>
>>>
>>>
>>
>
> --
> -------------------------------------------------------------
> jose nazario, ph.d. <jose at arbor.net>
> manager of security research arbor networks
> v: (734) 821 1427 http://asert.arbor.net/
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
>
Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________
This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful. If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.
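The evidence traded in this thread is argus-style flow output (StartTime, Flgs, Proto, SrcAddr.Sport, Dir, DstAddr.Dport, TotPkts, TotBytes, State), and the question several posters are weighing is whether a handful of SYN-only flows to TCP/445, hours apart, adds up to a slow scan. The following is an added example, not code from the thread or from any of the posters: it parses lines in that column layout, keeps only SYN probes (state `S_`, i.e. SYN with no reply, or `S_RA`, SYN answered by RST/ACK) to a chosen port, and summarises per source how many distinct hosts and /24s were touched, how long the activity spans, and the median gap between probes, which is what separates a slow scan from a burst. The sample input is constructed with RFC 5737 documentation addresses, the timestamps carry full seconds (the tool in the thread truncated them), and the names `FlowRecord`, `parse_flows`, `summarize_source`, `classify` and `triage` are hypothetical.

```python
"""Slow-scan triage over argus-style ('ra') flow records.

Added example; not from the nsp-sec thread. Assumed column layout:
  StartTime Flgs Proto SrcAddr.Sport Dir DstAddr.Dport TotPkts TotBytes State
"""
import re
import statistics
from dataclasses import dataclass
from datetime import datetime

PROTOS = {"tcp", "udp", "icmp"}
TS_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(.*)$")

# Constructed sample in the thread's layout (RFC 5737 documentation addresses).
# It mixes SYN-only probes, one S_RA (port answered with RST/ACK), one oddly
# heavy S_ flow, an ICMP unreachable coming back, and one normal connection.
SAMPLE = """\
StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
2010-05-19 17:27:40 Ne tcp 203.0.113.7.2271 -> 198.51.100.105.445 2 96 S_
2010-05-20 03:56:02 Ne tcp 203.0.113.7.4752 -> 198.51.100.86.445 2 96 S_
2010-05-20 09:20:51 Ne tcp 203.0.113.7.4689 -> 198.51.100.123.445 2 96 S_
2010-05-20 10:46:30 eTs tcp 203.0.113.7.4135 -> 192.0.2.35.445 2 124 S_
2010-05-20 10:46:30 e icmp 192.0.2.18.11 -> 203.0.113.7.0 2 140 TXD
2010-05-20 12:53:00 M s tcp 203.0.113.7.3544 -> 192.0.2.49.445 464 29696 S_
2010-05-20 16:30:20 tcp 203.0.113.7.1111 -> 198.51.100.25.445 2 96 S_
2010-05-21 04:44:30 Ne tcp 203.0.113.7.1851 -> 192.0.2.62.445 2 96 S_
2010-05-21 11:13:40 M s tcp 203.0.113.7.3898 -> 192.0.2.1.445 8 480 S_RA
2010-05-21 16:54:30 Ne tcp 203.0.113.7.2235 -> 198.51.100.43.445 2 96 S_
2010-05-22 10:50:00 Ne tcp 203.0.113.7.2607 -> 192.0.2.98.445 2 96 S_
2010-05-22 18:02:20 Ne tcp 203.0.113.7.1118 -> 198.51.100.73.445 2 96 S_
2010-05-22 18:11:50 Ne tcp 203.0.113.7.1616 -> 192.0.2.20.445 2 96 S_
2010-05-22 18:12:05 e tcp 203.0.113.7.1617 -> 192.0.2.200.80 40 31200 CON
"""


@dataclass
class FlowRecord:
    start: datetime
    flags: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    pkts: int
    nbytes: int
    state: str


def split_addr(token):
    """argus prints 'host.port' in one token: '203.0.113.7.2271' -> host, '2271'."""
    host, _, port = token.rpartition(".")
    return host, port


def parse_flows(text):
    """Parse ra-style lines; header and blank lines are skipped.

    The Flgs column may be empty or contain internal spaces ('M s'), so it is
    taken as everything between the timestamp and the protocol name.
    """
    records = []
    for line in text.splitlines():
        m = TS_RE.match(line.strip())
        if not m:
            continue
        start = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        toks = m.group(2).split()
        flag_toks = []
        while toks and toks[0] not in PROTOS:
            flag_toks.append(toks.pop(0))
        if len(toks) != 7:
            continue  # not a flow line in the expected shape
        proto, s, direction, d, pkts, nbytes, state = toks
        src, sport = split_addr(s)
        dst, dport = split_addr(d)
        records.append(FlowRecord(start, " ".join(flag_toks), proto, src, sport,
                                  direction, dst, dport, int(pkts), int(nbytes), state))
    return records


def summarize_source(records, src, port="445"):
    """SYN-probe statistics for one source against one TCP port (None if no probes)."""
    probes = sorted((r for r in records
                     if r.src == src and r.proto == "tcp" and r.dport == port
                     and r.state.startswith("S_")),   # S_ and S_RA: never past SYN
                    key=lambda r: r.start)
    if not probes:
        return None
    gaps = [(b.start - a.start).total_seconds() for a, b in zip(probes, probes[1:])]
    return {
        "probes": len(probes),
        "distinct_hosts": len({r.dst for r in probes}),
        "distinct_nets24": len({r.dst.rsplit(".", 1)[0] for r in probes}),
        "span_hours": (probes[-1].start - probes[0].start).total_seconds() / 3600,
        "median_gap_s": statistics.median(gaps) if gaps else 0.0,
        # Many packets yet still in SYN state: retransmission storm or half-open
        # attempts worth a closer look (the thread has one such 464-packet flow).
        "heavy_flows": [(r.dst, r.pkts) for r in probes if r.pkts > 50],
    }


def classify(summary, min_hosts=10, slow_gap_s=600):
    """'slow-scan' when many hosts are probed at a low rate; thresholds are assumptions."""
    if summary is None or summary["distinct_hosts"] < min_hosts:
        return "insufficient"
    return "slow-scan" if summary["median_gap_s"] >= slow_gap_s else "scan"


def triage(text, port="445"):
    """Map each source that probed `port` to (verdict, summary)."""
    records = parse_flows(text)
    out = {}
    for src in sorted({r.src for r in records}):
        s = summarize_source(records, src, port)
        if s is not None:
            out[src] = (classify(s), s)
    return out


if __name__ == "__main__":
    for src, (verdict, s) in triage(SAMPLE).items():
        print(src, verdict, s)
```

Run on the constructed sample, the single source comes out as `slow-scan`: 12 probes to 12 distinct hosts in two /24s over roughly 73 hours, with a median inter-probe gap of about 5.7 hours, while the ICMP reply and the completed HTTP connection are correctly ignored. The thresholds in `classify` are starting points to tune against your own baseline, not fixed rules.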