[Dshield] CONSTANT 445/tcp scans from a node

Deb Hale haled at pionet.net
Wed Jun 25 13:03:36 GMT 2003

Matt,  This is the info from Dshield.  Was this the company you talked to
before? If it is - what was the email address they gave you to report to?
If it is different than abuse at rogers.com I can update the information.
According to the info on this ip there have been over 20,000 - 445 reports
and it doesn't indicate that an abuse has been sent on this IP.  I see 445
scans from Rogers Cable IPs frequently. If you get any info from them
about these scans I would appreciate it if you would let me know.  Thanks,

CustName:   Rogers Cable Inc. Glph
Address:    1 Mount Pleasant Road
City:       Toronto
StateProv:  ON
PostalCode: M4Y-2Y5
Country:    CA
RegDate:    2003-04-24
Updated:    2003-04-24

NetRange: - 
NetName:    ON-ROG-9-GLPH-4
NetHandle:  NET-24-102-141-0-1
Parent:     NET-24-100-0-0-1
NetType:    Reassigned
RegDate:    2003-04-24
Updated:    2003-04-24

TechHandle: AD30-ARIN
TechName:   Taylor, Phillip 
TechPhone:  +1-416-935-4729
TechEmail:  abuse at rogers.com 

Deborah F Hale
Certified Business Continuity Professional/Computer Security Specialist
BCP Enterprise, Inc
Telephone: (712) 252-0361

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Matthew Harrell
Sent: Wednesday, June 25, 2003 7:11 AM
To: Dshield Mailing List
Subject: [Dshield] CONSTANT 445/tcp scans from a node

We have been receiving a barrage of 445/tcp scans fro  It's
been going on for three days now.  The computer scans our entire external
subnet for hours.  Then the activity will stop for a while, and start up
again a couple hours later.  I'm also pretty sure this is the same node that
was doing this to us a week or two ago.  At that time, not only did Dshield
send the automated abuse e-mail, but I also called his ISP.  I was told to
send e-mail to a particular address (which, if I remember correctly, was
different than the one Dshield sent to).  I got no reply, but the scans
stopped shortly after sending the e-mail.

When the scans started up again, dshield sent another abuse e-mail with no
response.  I'll try sending another myself like I did before--maybe the IP
address is slightly different.  It's frustrating that there's really nothing
else I can do about this.  We're not vulnerable to this, but it sure is
clogging up my Snort logs!  Has anyone else experienced such repetitive
445/tcp scans from one node over the course of days?

Matt Harrell
Plexus Systems
mhar at plex.com 