Hello,

We detected several probes (portscans) to a lot of hosts/networks coming from 63.170.232.2. These portscans had SYN+FIN (Stealth) flags, origin port 21, destination port 21. After finding a "21" port open, it tried to connect to it, but it was trapped by a honeypot.

As I said above, we got the same action in several hosts/networks. Has anyone here got something like this? Check these details:

######################## Snort
#(3 - 7573) [2001-05-20 14:54:41] SCAN synscan portscan
IPv4: 63.170.232.2 -> 200.xxx.xxx.xxx
      hlen=5 TOS=32 dlen=40 ID=39426 flags=0 offset=0 TTL=26 chksum=15737
TCP:  port=21 -> dport: 21 flags=******SF seq=1511872466
      ack=1763444313 off=5 res=0 win=1028 urp=0 chksum=49433
Payload: none

########################
# host 63.170.232.2
2.232.170.63.IN-ADDR.ARPA domain name pointer 007sitehosting.com
2.232.170.63.IN-ADDR.ARPA domain name pointer agonvote.net
2.232.170.63.IN-ADDR.ARPA domain name pointer ns2.dnssrv.net
########################

########################
# whois 63.170.232.2
Sprint (NETBLK-SPRN-BLKS) SPRN-BLKS 63.160.0.0 - 63.175.255.255
TECNICO (NETBLK-FON-106816512052742) FON-106816512052742 63.170.232.0 - 63.170.232.255
########################

######################## Sam Spade Address Digger Results (Version 3.1beta)
Let's go!
Official name: 007sitehosting.com (Aliases: agonvote.net ns2.dnssrv.net)
Addresses: 63.170.232.2
Possible forgery - 007sitehosting.com is claiming to be 63.170.232.2, but 63.170.232.2 isn't a valid address for 007sitehosting.com
--------------------------------------------------------------------------------
Whois for 007sitehosting.com
.com is the global domain of USA & International Commercial
(Whois queries for .com domains can be performed at http://rs.internic.net/cgi-bin/whois)
whois -h whois.crsnic.net 007sitehosting.com
Redirecting to BULKREGISTER.COM, INC.

SiteJini LLC
1822 Northern viola lane
Rochester, MN 55906
US

Domain Name: 007SITEHOSTING.COM

Administrative Contact:
  Brent Buss salesat_private
  SiteJini LLC
  1822 Northern viola lane
  Rochester, MN 55906
  US
  Phone- 507-289-3373
  Fax-

Technical Contact:
  Scott Litke adminat_private
  SiteGenie, LLC
  1142 9 1/2 Ave SE
  Rochester, Minnesota 55904
  US
  Phone- 507-252-1290
  Fax- 507-292-0883

Record updated on 2000-04-29 00:00:00.
Record created on 2000-04-29.
Record expires on 2002-04-29.
Database last updated on 2001-05-19 21:59:53 EST.

Domain servers in listed order:
  NS2.DNSSRV.NET 63.170.232.2
  NS1.DNSSRV.NET 64.208.151.1
########################

Best Regards
________________________________
Fabio Bastiglia Oliva - Director
fbolivaat_private
Safe Networks Informática LTDA.
http://www.safenetworks.com

"Do you think you are safe? We think not! Visit us before you become a statistic! Safe Networks Security Solutions"
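Added example, not part of the original post: a small triage script for alerts in the Snort layout quoted above. It groups SYN+FIN probes by source and picks out packets whose source port equals the destination port, as in the 21 -> 21 probe. The sample alerts, their documentation-range addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed alerts in the layout of the Snort record quoted in the post.
# Addresses are RFC 5737 documentation ranges, not values from the post.
SAMPLE = """\
#(3 - 1) [2001-05-20 14:54:41] SCAN synscan portscan
IPv4: 192.0.2.10 -> 198.51.100.5 hlen=5 TOS=32 dlen=40 ID=39426 flags=0 offset=0 TTL=26 chksum=15737
TCP: port=21 -> dport: 21 flags=******SF seq=1511872466 ack=1763444313 off=5 res=0 win=1028 urp=0 chksum=49433
#(3 - 2) [2001-05-20 14:54:42] SCAN synscan portscan
IPv4: 192.0.2.10 -> 198.51.100.6 hlen=5 TOS=32 dlen=40 ID=39426 flags=0 offset=0 TTL=26 chksum=15736
TCP: port=21 -> dport: 21 flags=******SF seq=1511872466 ack=1763444313 off=5 res=0 win=1028 urp=0 chksum=49432
#(3 - 3) [2001-05-20 14:55:10] ordinary connection attempt
IPv4: 203.0.113.7 -> 198.51.100.5 hlen=5 TOS=0 dlen=44 ID=1201 flags=0 offset=0 TTL=52 chksum=2201
TCP: port=40122 -> dport: 21 flags=******S* seq=88211 ack=0 off=6 res=0 win=16384 urp=0 chksum=9911
"""

# The flags field is positional; the first two slots are the reserved bits.
FLAG_NAMES = ("RSV_A", "RSV_B", "URG", "ACK", "PSH", "RST", "SYN", "FIN")
RECORD = re.compile(
    r"IPv4:\s*(?P<src>\S+)\s*->\s*(?P<dst>\S+).*?"
    r"TCP:\s*port=(?P<sport>\d+)\s*->\s*dport:\s*(?P<dport>\d+)\s+flags=(?P<flags>\S{8})",
    re.S)

def parse_alerts(text):
    """Yield one dict per alert; '*' in the flags field means the bit is unset."""
    for chunk in re.split(r"(?m)^(?=#\()", text):
        m = RECORD.search(chunk)
        if m:
            a = m.groupdict()
            a["flags"] = {n for n, c in zip(FLAG_NAMES, a["flags"]) if c != "*"}
            a["sport"], a["dport"] = int(a["sport"]), int(a["dport"])
            yield a

def synfin_sources(text):
    """Map each source sending SYN+FIN to the set of (dst, dport) it probed."""
    hits = defaultdict(set)
    for a in parse_alerts(text):
        # SYN and FIN together never occur in a legitimate TCP exchange.
        if {"SYN", "FIN"} <= a["flags"]:
            hits[a["src"]].add((a["dst"], a["dport"]))
    return dict(hits)

def fixed_port_probes(text):
    """Alerts whose source port equals the destination port (e.g. 21 -> 21)."""
    return [a for a in parse_alerts(text) if a["sport"] == a["dport"]]
```

A source that appears in synfin_sources() with many distinct targets is a sweep across hosts rather than a stray malformed packet.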
This archive was generated by hypermail 2b30 : Tue May 22 2001 - 08:00:37 PDT