[nsp-sec] anyone got anything for 71.5.250.88

Yiming Gong yiming.gong at xo.com
Tue May 25 16:52:08 EDT 2010


Right, I pull the AS2828 data from DShield daily and noticed this IP was 
on the list.

Thanks all for the great input, it is very helpful; being on nsp-sec is 
really amazing!

Yiming

On 05/25/2010 03:19 PM, Smith, Donald wrote:
> Lots of 445 scanning reported to dshield.
>
> http://isc.sans.org/ipdetails.html?ip=71.5.250.88
>
>
> (coffee != )&  (!coffee == sleep)
>   Donald.Smith at qwest.com
> ________________________________________
> From: nsp-security-bounces at puck.nether.net [nsp-security-bounces at puck.nether.net] On Behalf Of Joel Rosenblatt [joel at columbia.edu]
> Sent: Tuesday, May 25, 2010 2:03 PM
> To: Jose Nazario; Yiming Gong
> Cc: nsp-security NSP
> Subject: Re: [nsp-sec] anyone got anything for 71.5.250.88
>
> ----------- nsp-security Confidential --------
>
> I got these from a 2 hour look back
>
> 2010/05/25 14:11:01 71.5.250.88.3563 ->  128.59.3.13.445 6(SYN) 1 48
> 2010/05/25 14:27:49 4.53.80.6 ->  71.5.250.88 ICMP_ECHOREPLY 1 56
> 2010/05/25 14:27:50 71.5.250.88.3608 ->  156.111.42.63.445 6(SYN) 1 48
> 2010/05/25 14:37:30 71.5.250.88.4187 ->  160.39.244.43.445 6(SYN) 2 96
> 2010/05/25 14:40:04 71.5.250.88.1815 ->  160.39.23.10.445 6(SYN) 2 96
> 2010/05/25 15:18:04 71.5.250.88.3189 ->  156.111.201.26.445 6(SYN) 1 48
> 2010/05/25 15:38:27 71.5.250.88.2778 ->  128.59.84.112.445 6(SYN) 1 48
>
> The second one is a little weird... looks like 71.5.250.88 pinged our gateway router.
>
> Joel
>
> --On Tuesday, May 25, 2010 3:43 PM -0400 Jose Nazario <jose at arbor.net> wrote:
>
>    
>> ----------- nsp-security Confidential --------
>>
>> On Tue, 25 May 2010, Yiming Gong wrote:
>>
>>      
>>> Thanks a lot!
>>>
>>> Mike and Jose, are you guys okay with me sharing the data you provided in the
>>> emails?
>>>        
>> you may, indeed.
>>
>>      
>>> On 05/25/2010 02:31 PM, Mike Tancsa wrote:
>>>        
>>>>   At 01:16 PM 5/25/2010, Yiming Gong wrote:
>>>>
>>>>          
>>>>>   ----------- nsp-security Confidential --------
>>>>>
>>>>>   Thanks for looking into it, Jose. I have some internal port 445 as
>>>>>   well as ICMP 3/13 records for this IP, but apparently the IP is
>>>>>   using a slow-scan technique and more evidence is needed.
>>>>>
>>>>>   If folks have more stuff, please send them along, thanks.
>>>>>
>>>>>            
>>>>   From a couple of parts in our network (11647), GMT-0400. The ICMP
>>>>   messages appear to be due to hosts not being reachable, based on the
>>>>   scan target.
>>>>
>>>>   StartTime           Flgs  Proto  SrcAddr.Sport       Dir  DstAddr.Dport       TotPkts  TotBytes  State
>>>>   2010-05-19 17:27:4  Ne    tcp    71.5.250.88.2271    ->   198.73.240.105.445        2        96  S_
>>>>   2010-05-20 03:56:0  Ne    tcp    71.5.250.88.4752    ->   67.43.133.86.445          2        96  S_
>>>>   2010-05-20 09:20:5  Ne    tcp    71.5.250.88.4689    ->   199.85.118.123.445        2        96  S_
>>>>   2010-05-20 10:59:0  Ne    tcp    71.5.250.88.2870    ->   64.7.147.39.445           2        96  S_
>>>>   2010-05-20 12:14:5  Ne    tcp    71.5.250.88.1653    ->   67.43.139.59.445          2        96  S_
>>>>   2010-05-20 12:50:3  Ne    tcp    71.5.250.88.2130    ->   199.85.119.72.445         2        96  S_
>>>>   2010-05-20 13:16:5  Ne    tcp    71.5.250.88.2475    ->   67.43.140.63.445          2        96  S_
>>>>   2010-05-20 16:30:2  Ne    tcp    71.5.250.88.1111    ->   67.43.129.25.445          2        96  S_
>>>>   2010-05-20 19:52:5  Ne    tcp    71.5.250.88.2770    ->   198.73.181.16.445         2        96  S_
>>>>   2010-05-20 22:37:0  Ne    tcp    71.5.250.88.2681    ->   198.73.240.23.445         2        96  S_
>>>>   2010-05-21 01:13:5  Ne    tcp    71.5.250.88.2520    ->   64.7.147.31.445           2        96  S_
>>>>   2010-05-21 04:44:3  Ne    tcp    71.5.250.88.1851    ->   67.43.139.62.445          2        96  S_
>>>>   2010-05-21 06:08:0  Ne    tcp    71.5.250.88.4673    ->   67.43.137.27.445          2        96  S_
>>>>   2010-05-21 07:15:4  Ne    tcp    71.5.250.88.1723    ->   67.43.140.39.445          2        96  S_
>>>>   2010-05-21 08:55:1  Ne    tcp    71.5.250.88.3061    ->   199.71.252.120.445        2        96  S_
>>>>   2010-05-21 09:20:2  Ne    tcp    71.5.250.88.4924    ->   199.85.119.47.445         2        96  S_
>>>>   2010-05-21 11:57:3  Ne    tcp    71.5.250.88.1540    ->   67.43.133.90.445          2        96  S_
>>>>   2010-05-21 16:54:3  Ne    tcp    71.5.250.88.2235    ->   198.73.181.43.445         2        96  S_
>>>>   2010-05-22 10:50:0  Ne    tcp    71.5.250.88.2607    ->   64.7.147.98.445           2        96  S_
>>>>   2010-05-22 13:36:2  Ne    tcp    71.5.250.88.3221    ->   67.43.133.126.445         2        96  S_
>>>>   2010-05-22 18:02:2  Ne    tcp    71.5.250.88.1118    ->   198.73.181.73.445         2        96  S_
>>>>   2010-05-22 18:11:5  Ne    tcp    71.5.250.88.1616    ->   64.7.147.20.445           2        96  S_
>>>>   2010-05-23 00:17:2  Ne    tcp    71.5.250.88.4342    ->   67.43.139.61.445          2        96  S_
>>>>   2010-05-23 01:35:1  Ne    tcp    71.5.250.88.3214    ->   198.73.181.125.445        2        96  S_
>>>>   2010-05-23 02:49:3  Ne    tcp    71.5.250.88.2466    ->   198.73.181.28.445         2        96  S_
>>>>   2010-05-23 04:35:2  Ne    tcp    71.5.250.88.1322    ->   67.43.136.76.445          2        96  S_
>>>>   2010-05-23 12:36:3  Ne    tcp    71.5.250.88.4194    ->   67.43.136.95.445          2        96  S_
>>>>   2010-05-23 15:25:3  Ne    tcp    71.5.250.88.2515    ->   64.7.147.39.445           2        96  S_
>>>>   2010-05-24 01:17:2  Ne    tcp    71.5.250.88.2924    ->   64.7.134.125.445          2        96  S_
>>>>   2010-05-24 02:03:4  Ne    tcp    71.5.250.88.2151    ->   67.43.137.53.445          2        96  S_
>>>>   2010-05-24 04:53:0  Ne    tcp    71.5.250.88.1413    ->   67.43.133.63.445          2        96  S_
>>>>   2010-05-24 05:57:2  Ne    tcp    71.5.250.88.3105    ->   67.43.140.59.445          2        96  S_
>>>>   2010-05-24 17:37:5  Ne    tcp    71.5.250.88.4606    ->   198.73.240.49.445         2        96  S_
>>>>
>>>>   and
>>>>
>>>>   StartTime           Flgs  Proto  SrcAddr.Sport       Dir  DstAddr.Dport       TotPkts  TotBytes  State
>>>>   2010-05-20 01:47:4  M s   tcp    71.5.250.88.1826    ->   64.7.128.21.445           4       256  S_
>>>>   2010-05-20 02:19:1  e s   tcp    71.5.250.88.1266    ->   64.7.141.83.445           2       124  S_
>>>>   2010-05-20 04:30:0  M s   tcp    71.5.250.88.1533    ->   206.51.25.42.445          4       256  S_
>>>>   2010-05-20 05:37:3  M s   tcp    71.5.250.88.2125    ->   64.7.140.64.445           6       388  S_
>>>>   2010-05-20 10:46:3  eTs   tcp    71.5.250.88.4135    ->   64.7.150.35.445           2       124  S_
>>>>   2010-05-20 10:46:3  e     icmp   64.7.150.18.11      ->   71.5.250.88.0             2       140  TXD
>>>>   2010-05-20 11:14:2  M s   tcp    71.5.250.88.3621    ->   64.7.135.25.445           4       256  S_
>>>>   2010-05-20 12:53:0  M s   tcp    71.5.250.88.3544    ->   64.7.132.49.445         464     29696  S_
>>>>   2010-05-21 01:36:0  M s   tcp    71.5.250.88.1940    ->   64.7.141.34.445           4       256  S_
>>>>   2010-05-21 11:13:4  M s   tcp    71.5.250.88.3898    ->   64.7.138.1.445            8       480  S_RA
>>>>   2010-05-21 18:46:2  e s   tcp    71.5.250.88.1812    ->   199.71.182.71.445         2       124  S_
>>>>   2010-05-21 23:59:0  M s   tcp    71.5.250.88.3456    ->   64.7.140.84.445           6       388  S_
>>>>   2010-05-22 02:36:4  e s   tcp    71.5.250.88.1592    ->   199.71.182.113.445        2       124  S_
>>>>   2010-05-23 00:01:2  M s   tcp    71.5.250.88.2033    ->   64.7.149.72.445           4       256  S_
>>>>   2010-05-23 15:25:5  e s   tcp    71.5.250.88.3196    ->   199.71.182.5.445          2       124  S_
>>>>   2010-05-24 05:52:1  M s   tcp    71.5.250.88.3942    ->   64.7.138.20.445           4       256  S_
>>>>   2010-05-24 06:42:2  M s   tcp    71.5.250.88.3476    ->   206.51.25.111.445         4       256  S_
>>>>   2010-05-24 09:35:3  eUs   tcp    71.5.250.88.2498    ->   64.7.141.61.445           2       124  S_
>>>>   2010-05-24 09:35:3  e     icmp   64.7.153.8.259      ->   71.5.250.88.16391         2       140  URH
>>>>   2010-05-24 13:17:3  e s   tcp    71.5.250.88.2460    ->   199.71.182.58.445         2       124  S_
>>>>   2010-05-24 21:11:2  M s   tcp    71.5.250.88.2157    ->   64.7.150.96.445           6       388  S_
>>>>   2010-05-25 03:31:5  M s   tcp    71.5.250.88.1731    ->   206.51.25.96.445          4       256  S_
>>>>   2010-05-25 09:58:2  M s   tcp    71.5.250.88.2276    ->   64.7.138.85.445           4       256  S_
>>>>   2010-05-25 11:34:5  M s   tcp    71.5.250.88.1281    ->   64.7.149.74.445           6       388  S_
>>>>
>>>>             ---Mike
>>>>
>>>>
>>>>          
>>>>>   Yiming
>>>>>
>>>>>   On 05/25/2010 12:11 PM, jose nazario wrote:
>>>>>
>>>>>            
>>>>>>   On May 25, 2010, at 1:08 PM, Yiming Gong wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>              
>>>>>>>   Does anyone have anything for IP 71.5.250.88? We are having an
>>>>>>>   interesting conversation with the customer behind it and we need
>>>>>>>   some more evidence, thanks.
>>>>>>>
>>>>>>>
>>>>>>>                
>>>>>>   via ATLAS some TCP/445 scan activity.
>>>>>>
>>>>>>   scan [{u'src': u'71.5.250.88', u'dport': u'445', u'proto': u'6', u'cc': u'US',
>>>>>>          u'bytes': u'288', u'start': u'1274222400', u'pkts': u'6', u'asn': u'2828'},
>>>>>>         {u'src': u'71.5.250.88', u'dport': u'445', u'proto': u'6', u'cc': u'US',
>>>>>>          u'bytes': u'336', u'start': u'1274279700', u'pkts': u'7', u'asn': u'2828'},
>>>>>>         {u'src': u'71.5.250.88', u'dport': u'445', u'proto': u'6', u'cc': u'US',
>>>>>>          u'bytes': u'288', u'start': u'1274334000', u'pkts': u'6', u'asn': u'2828'}]
>>>>>>
>>>>>> _____________________________
>>>>>>   jose nazario, ph.d. jose at arbor.net
>>>>>>   sr. manager of security research, arbor networks
>>>>>>   http://asert.arbor.net/
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>              
>>>>>
>>>>> _______________________________________________
>>>>>   nsp-security mailing list
>>>>>   nsp-security at puck.nether.net
>>>>>   https://puck.nether.net/mailman/listinfo/nsp-security
>>>>>
>>>>>   Please do not Forward, CC, or BCC this E-mail outside of the
>>>>>   nsp-security
>>>>>   community. Confidentiality is essential for effective Internet
>>>>>   security counter-measures.
>>>>> _______________________________________________
>>>>>
>>>>>            
>>>>   --------------------------------------------------------------------
>>>>   Mike Tancsa,                                      tel +1 519 651 3400
>>>>   Sentex Communications,                            mike at sentex.net
>>>>   Providing Internet since 1994                    www.sentex.net
>>>>   Cambridge, Ontario Canada                         www.sentex.net/mike
>>>>
>>>>
>>>>
>>>>          
>>>        
>> --
>> -------------------------------------------------------------
>> jose nazario, ph.d. <jose at arbor.net>
>> manager of security research  arbor networks
>> v: (734) 821 1427             http://asert.arbor.net/
>>
>>
>
>
> Joel Rosenblatt, Manager Network & Computer Security
> Columbia Information Security Office (CISO)
> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> http://www.columbia.edu/~joel
>
>
>
>    
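
The pattern the thread is chasing is one or two SYNs to tcp/445 on a different host every few minutes to hours, which a per-minute connection-rate threshold never trips. The script below is an added example, not code from anyone on the list. It parses one-line flow records in the shape Joel pasted (timestamp, src.sport -> dst.dport, proto(flags), pkts, bytes), groups them by source and destination port, and separates a low-rate wide scan from a burst by counting distinct targets against the time span rather than against a fixed window; it also skips the ICMP line, which has no ports. The 192.0.2.10 rows and every threshold value are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input, modeled on the one-line flow records in the thread:
# the posted 71.5.250.88 -> tcp/445 SYNs and the ICMP echo reply, plus a made-up
# burst from 192.0.2.10 (documentation range) for contrast with a fast scan.
SAMPLE_FLOWS = """\
2010/05/25 14:11:01 71.5.250.88.3563 -> 128.59.3.13.445 6(SYN) 1 48
2010/05/25 14:27:49 4.53.80.6 -> 71.5.250.88 ICMP_ECHOREPLY 1 56
2010/05/25 14:27:50 71.5.250.88.3608 -> 156.111.42.63.445 6(SYN) 1 48
2010/05/25 14:37:30 71.5.250.88.4187 -> 160.39.244.43.445 6(SYN) 2 96
2010/05/25 14:40:04 71.5.250.88.1815 -> 160.39.23.10.445 6(SYN) 2 96
2010/05/25 15:18:04 71.5.250.88.3189 -> 156.111.201.26.445 6(SYN) 1 48
2010/05/25 15:38:27 71.5.250.88.2778 -> 128.59.84.112.445 6(SYN) 1 48
2010/05/25 15:40:00 192.0.2.10.40001 -> 128.59.1.1.22 6(SYN) 1 48
2010/05/25 15:40:01 192.0.2.10.40002 -> 128.59.1.2.22 6(SYN) 1 48
2010/05/25 15:40:02 192.0.2.10.40003 -> 128.59.1.3.22 6(SYN) 1 48
2010/05/25 15:40:03 192.0.2.10.40004 -> 128.59.1.4.22 6(SYN) 1 48
2010/05/25 15:40:04 192.0.2.10.40005 -> 128.59.1.5.22 6(SYN) 1 48
2010/05/25 15:40:05 192.0.2.10.40006 -> 128.59.1.6.22 6(SYN) 1 48
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+)\s+"
    r"(?P<proto>\d+)\((?P<flags>[A-Z|]+)\)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)$"
)


def parse_flow(line):
    """Parse one TCP/UDP flow line. Returns None for lines without ports
    (the ICMP echo reply in the sample) or anything else that does not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S")
    for k in ("sport", "dport", "proto", "pkts", "bytes"):
        rec[k] = int(rec[k])
    return rec


def summarize(text):
    """Group flows by (src, proto, dport) and collect what a verdict needs:
    distinct target hosts and /24s, probe timestamps, and whether every flow
    was a bare SYN (no handshake ever completed from this source)."""
    groups = defaultdict(lambda: {"hosts": set(), "nets": set(),
                                  "times": [], "syn_only": True})
    for line in text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        g = groups[(rec["src"], rec["proto"], rec["dport"])]
        g["hosts"].add(rec["dst"])
        g["nets"].add(rec["dst"].rsplit(".", 1)[0])   # /24 of the target
        g["times"].append(rec["ts"])
        if rec["flags"] != "SYN":
            g["syn_only"] = False
    return groups


def classify(group, min_hosts=5, min_span_min=60, max_per_hour=10):
    """Return 'fast-scan', 'slow-scan' or None. A slow scan is many distinct
    targets at a low probe rate over a long span, which a per-minute rate
    threshold would miss. Threshold values are illustrative assumptions."""
    if len(group["hosts"]) < min_hosts:
        return None
    span_min = (max(group["times"]) - min(group["times"])).total_seconds() / 60
    if span_min == 0:            # every probe in the same second: a burst
        return "fast-scan"
    per_hour = len(group["times"]) / (span_min / 60)
    if per_hour > max_per_hour:
        return "fast-scan"
    if span_min >= min_span_min:
        return "slow-scan"
    return None


def detect(text, **thresholds):
    """Map (src, proto, dport) -> verdict for every group that is flagged."""
    verdicts = {}
    for key, group in summarize(text).items():
        verdict = classify(group, **thresholds)
        if verdict:
            verdicts[key] = verdict
    return verdicts


if __name__ == "__main__":
    groups = summarize(SAMPLE_FLOWS)
    for (src, proto, dport), g in groups.items():
        verdict = classify(g)
        if verdict:
            print(f"{src} -> */{dport}: {verdict}, {len(g['hosts'])} hosts in "
                  f"{len(g['nets'])} /24s over {len(g['times'])} probes, "
                  f"syn_only={g['syn_only']}")
```

On the sample, 71.5.250.88 comes out as a slow scan (six tcp/445 targets in six different /24s at roughly four probes an hour, all bare SYNs) while the 192.0.2.10 rows come out as a fast scan; lowering `min_hosts` or widening the input to several days of records, as Mike's argus output above covers, is what turns a handful of unanswered SYNs into evidence worth putting in front of a customer.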



