[nsp-sec] packet love to 212.71.192.52 ?
Rob Thomas
robt at cymru.com
Fri Jun 10 19:07:30 EDT 2011
Hi, Kurt.
>> Can you please look for packets to 212.71.192.52 and try to
>> backtrack the source ?
Sorry to hear about the attack!
> Here are some sources from approx. 23:30 CEST.
>
It appears that many of the IP addresses above are Linux boxes. They
appear to be a mix of mail, DNS, and web servers.
What was the attack type, protocol, etc.? Any chance these attacking IP
addresses were spoofed?
At least four of these IP addresses have been connected to TCP 6667 or
TCP 7000 on 65.61.136.17 as recently as 2011-06-07 20:22:13 UTC. That
seems an interesting coincidence. :)
65.61.136.17 is gamma.sat2.rackspace.com
AS    | IP           | BGP Prefix     | CC | Registry | Allocated  | AS Name
10532 | 65.61.136.17 | 65.61.128.0/18 | US | arin     | 2002-11-01 | RACKSPACE - Rackspace Hosting
65.61.136.17, possibly a Debian Linux box, is not presently responding,
so perhaps it's unrelated or the fine folks at Rackspace have already
investigated and squashed it. I can't be certain it's a causal linkage.
Have a great weekend, and I'll see some of you in Vienna!
Thanks,
Rob.
--
Rob Thomas
Team Cymru
https://www.team-cymru.org/
"Say little and do much." M Avot 1:15