[nsp-sec] infected or malevolent host @ premianet.com
Jon Lewis
jlewis at lewis.org
Sun Feb 24 18:43:06 EST 2013
I got paged this afternoon about high CPU load on one of our internet
gateways. I tracked it down to 72.18.202.189 apparently scanning our
entire network for tcp/1433 (mssql?). It started slowly at 1:02pm EST,
but the scanning PPS ramped up over time. By 2:50pm, it had become
noticeable in that our sampled netflow collection data volume went from
normal (about 3-5MB/5min interval) to 16MB, 20MB, 60MB, 100MB in 5 minute
steps, and remained at 100MB/5min for an hour until I null routed
72.18.202.189.
If anyone has a contact at premianet.com, you might ping them about this.
Anyone else might check their flows to see if you're seeing similar (or
worse) activity from this host. It appears to be a Windows-based web/mail
server. My guess is, it's infected/compromised.
----------------------------------------------------------------------
Jon Lewis, MCP :) | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
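The detection described in the post above (a collector-volume ramp in 5-minute netflow intervals, then a single source hitting many local hosts on tcp/1433), as an added example that is not part of the original message or of any tool Jon mentions. The flow record format ("ts src dst proto dport packets bytes", one record per line), the 10.1.0.0/16 "our network" prefix, the sample flows and the Linux `ip route add blackhole` form of the null route are all assumptions made for the example; only the scanner address and the start time come from the post.

```python
"""Detect a single host sweeping one TCP port across a prefix in sampled
NetFlow data, and show the per-interval record-volume ramp described above.

Added example, not code from the original post. The record format (one flow
per line: "ts src dst proto dport packets bytes") and the 10.1.0.0/16 target
prefix are constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

SCANNER = "72.18.202.189"                 # the source named in the post
LOCAL_NETS = [ip_network("10.1.0.0/16")]  # assumed "our network" prefix


def build_sample_flows():
    """Constructed sample: background traffic plus a tcp/1433 sweep whose
    rate ramps up across four 5-minute intervals, as the post describes."""
    base = datetime(2013, 2, 24, 13, 2)   # 1:02pm, when the sweep started
    lines = []
    for b in range(4):
        t0 = base + timedelta(minutes=5 * b)
        for k in range(3):                # normal flows: a few per interval
            ts = t0 + timedelta(minutes=k)
            lines.append(f"{ts.isoformat()} 10.1.{k}.7 198.51.100.{b + 1} tcp 443 12 9000")
    target = 0
    for b, n in enumerate((5, 15, 40, 100)):   # probes per interval, ramping up
        t0 = base + timedelta(minutes=5 * b)
        for k in range(n):
            target += 1
            ts = t0 + timedelta(seconds=k * (170 // n))  # stays inside the interval
            dst = ip_address("10.1.0.0") + target        # one probe per target host
            lines.append(f"{ts.isoformat()} {SCANNER} {dst} tcp 1433 1 60")
    return "\n".join(lines)


def parse_flows(text):
    """Parse the constructed text export into one dict per flow record."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, pkts, nbytes = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": ip_address(src),
            "dst": ip_address(dst),
            "proto": proto,
            "dport": int(dport),
            "packets": int(pkts),
            "bytes": int(nbytes),
        })
    return flows


def interval_start(ts, minutes=5):
    """Floor a timestamp to the start of its collection interval."""
    return ts.replace(second=0, microsecond=0) - timedelta(minutes=ts.minute % minutes)


def records_per_interval(flows, minutes=5):
    """Flow records per interval: the collector-volume curve the post watched."""
    return Counter(interval_start(f["ts"], minutes) for f in flows)


def ramp_intervals(counts, baseline, factor=4.0):
    """Intervals whose record count exceeds factor x the normal baseline."""
    return sorted(start for start, n in counts.items() if n > factor * baseline)


def scan_candidates(flows, dport=1433, min_targets=50, local_nets=LOCAL_NETS):
    """Sources that hit at least min_targets distinct local hosts on dport.

    A horizontal scanner (one port, many hosts) touches many destinations
    with a packet or two each; a legitimate client talks to a handful.
    Counting distinct destinations per source is what separates them."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] != "tcp" or f["dport"] != dport:
            continue
        if not any(f["dst"] in net for net in local_nets):
            continue
        targets[f["src"]].add(f["dst"])
    return {str(src): len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def null_route_command(ip):
    """Blackhole route for the offender (Linux 'ip' syntax, an assumption;
    the post does not say what platform the null route was installed on)."""
    return f"ip route add blackhole {ip_address(ip)}/32"


if __name__ == "__main__":
    flows = parse_flows(build_sample_flows())
    counts = records_per_interval(flows)
    for start in sorted(counts):
        print(start.strftime("%H:%M"), counts[start], "records")
    print("ramp:", [s.strftime("%H:%M") for s in ramp_intervals(counts, baseline=8)])
    for src, n in scan_candidates(flows).items():
        print(f"{src} hit {n} distinct hosts on tcp/1433 ->", null_route_command(src))
```

The volume curve alone only tells you something changed; the distinct-destination count per source is what names the host, and it keys on the signature of a sweep (many targets, one port, tiny flows) rather than on any particular address, so the same check works on real exports once the parser is adapted to the collector's field order.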