[Dshield] CONSTANT 445/tcp scans from a node

Deb Hale haled at pionet.net
Wed Jun 25 13:03:36 GMT 2003


Matt,  This is the info from Dshield.  Was this the company you talked to
before? If it is - what was the email address they gave you to report to?
If it is different than abuse at rogers.com I can update the information.
According to the info on this IP there have been over 20,000 - 445 reports
and it doesn't indicate that an abuse has been sent on this IP.  I see 445
scans from Rogers Cable IPs frequently. If you get any info from them
about these scans I would appreciate it if you would let me know.  Thanks,
Deb  

CustName:   Rogers Cable Inc. Glph
Address:    1 Mount Pleasant Road
City:       Toronto
StateProv:  ON
PostalCode: M4Y-2Y5
Country:    CA
RegDate:    2003-04-24
Updated:    2003-04-24

NetRange:   24.102.141.0 - 24.102.141.127 
CIDR:       24.102.141.0/25 
NetName:    ON-ROG-9-GLPH-4
NetHandle:  NET-24-102-141-0-1
Parent:     NET-24-100-0-0-1
NetType:    Reassigned
Comment:    
RegDate:    2003-04-24
Updated:    2003-04-24

TechHandle: AD30-ARIN
TechName:   Taylor, Phillip 
TechPhone:  +1-416-935-4729
TechEmail:  abuse at rogers.com 

Deborah F Hale
Certified Business Continuity Professional/Computer Security Specialist
BCP Enterprise, Inc
Telephone: (712) 252-0361
www.bcpenterprise.com
 


-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Matthew Harrell
Sent: Wednesday, June 25, 2003 7:11 AM
To: Dshield Mailing List
Subject: [Dshield] CONSTANT 445/tcp scans from a node


We have been receiving a barrage of 445/tcp scans from 24.102.141.32.  It's
been going on for three days now.  The computer scans our entire external
subnet for hours.  Then the activity will stop for a while, and start up
again a couple hours later.  I'm also pretty sure this is the same node that
was doing this to us a week or two ago.  At that time, not only did Dshield
send the automated abuse e-mail, but I also called his ISP.  I was told to
send e-mail to a particular address (which, if I remember correctly, was
different than the one Dshield sent to).  I got no reply, but the scans
stopped shortly after sending the e-mail.

When the scans started up again, dshield sent another abuse e-mail with no
response.  I'll try sending another myself like I did before--maybe the IP
address is slightly different.  It's frustrating that there's really nothing
else I can do about this.  We're not vulnerable to this, but it sure is
clogging up my Snort logs!  Has anyone else experienced such repetitive
445/tcp scans from one node over the course of days?


-----------------
Matt Harrell
Plexus Systems
mhar at plex.com 