Several probes from

From: Fabio Bastiglia Oliva (fbolivaat_private)
Date: Sun May 20 2001 - 11:32:16 PDT


    Hello,
    
    
    We detected several probes (portscans) to a lot of hosts/networks
    coming from 63.170.232.2.
    
    These portscans had SYN+FIN (Stealth) flags, origin port 21,
    destination port 21.
    
    And after finding a "21" port open, it tried to connect to it, but it was
    trapped by a honeypot.
    
    As I said above... we got the same action in several hosts/networks.
    
    Anyone here got something like this?
    
    Check these details:
    
    ########################
    Snort
    
    #(3 - 7573) [2001-05-20 14:54:41] SCAN synscan portscan
    
    IPv4: 63.170.232.2 -> 200.xxx.xxx.xxx
          hlen=5 TOS=32 dlen=40 ID=39426 flags=0 offset=0 TTL=26 chksum=15737
    TCP:  port=21 -> dport: 21  flags=******SF seq=1511872466
          ack=1763444313 off=5 res=0 win=1028 urp=0 chksum=49433
    Payload: none
    
    ########################
    # host 63.170.232.2
    2.232.170.63.IN-ADDR.ARPA domain name pointer 007sitehosting.com
    2.232.170.63.IN-ADDR.ARPA domain name pointer agonvote.net
    2.232.170.63.IN-ADDR.ARPA domain name pointer ns2.dnssrv.net
    ########################
    
    ########################
    # whois 63.170.232.2
    Sprint (NETBLK-SPRN-BLKS) SPRN-BLKS 63.160.0.0 - 63.175.255.255
    TECNICO (NETBLK-FON-106816512052742) FON-106816512052742
    63.170.232.0 - 63.170.232.255
    ########################
    
    ########################
    Sam Spade
    Address Digger Results
    (Version 3.1beta)
    
    Let's go!
    Official name: 007sitehosting.com
    
    (Aliases: agonvote.net ns2.dnssrv.net)
    
    Addresses: 63.170.232.2
    
    Possible forgery - 007sitehosting.com is claiming to be 63.170.232.2,
    but 63.170.232.2 isn't a valid address for 007sitehosting.com
    
    --------------------------------------------------------------------------------
    
    Whois for 007sitehosting.com
    .com is the global domain of USA & International Commercial
    
    (Whois queries for .com domains can be performed at http://rs.internic.net/cgi-bin/whois)
    
    whois -h whois.crsnic.net 007sitehosting.com
    
    Redirecting to BULKREGISTER.COM, INC.
    
    SiteJini LLC 
       1822 Northern viola lane
       Rochester, MN 55906
       US
    
       Domain Name: 007SITEHOSTING.COM
    
       Administrative Contact:
             Brent Buss    salesat_private
            SiteJini LLC
            1822 Northern viola lane
            Rochester, MN 55906
            US
            Phone- 507-289-3373 
            Fax- 
       Technical Contact:
            Scott Litke  adminat_private
            SiteGenie, LLC
            1142 9 1/2 Ave SE
            Rochester, Minnesota 55904
            US
            Phone- 507-252-1290 
            Fax- 507-292-0883
    
       Record updated on 2000-04-29 00:00:00.
       Record created on 2000-04-29.
       Record expires on 2002-04-29.
       Database last updated on 2001-05-19 21:59:53 EST.
    
       Domain servers in listed order:
    
       NS2.DNSSRV.NET                63.170.232.2                  
       NS1.DNSSRV.NET                64.208.151.1                  
    
    ########################
    
    
    Best Regards
    ________________________________
    Fabio Bastiglia Oliva - Diretor
    fbolivaat_private
    
    Safe Networks Informática LTDA.
    http://www.safenetworks.com
    
    "Do you think you are safe? We don't think so!
     Visit us before you become a statistic!
                   Safe Networks Security Solutions"
    



    This archive was generated by hypermail 2b30 : Tue May 22 2001 - 08:00:37 PDT