[Dshield] CONSTANT 445/tcp scans from a node

Matthew Harrell mhar at plex.com
Wed Jun 25 13:22:30 GMT 2003


Maybe that is a different ISP--I thought it was coming from the same subnet
before, though.  Anyway, I'm positive that I saw a Fightback e-mail in the
Dshield summary report when this first started up a couple of days ago. 
Strange.  I'll do some e-mailing to see what I can accomplish.  Thanks.


-----------------
Matt Harrell
Plexus Systems
mhar at plex.com 

----- On 6/25/2003 9:17 AM, Deb Hale <haled at pionet.net> wrote: 
> Matt,  This is the info from Dshield.  Was this the company you talked to
> before? If it is - what was the email address they gave you to report to?
> If it is different than abuse at rogers.com I can update the information.
> According to the info on this ip there have been over 20,000 - 445 reports
> and it doesn't indicate that an abuse has been sent on this IP.  I see 445
> scans from Rogers Cable IPs frequently. If you get any info from them
> about these scans I would appreciate it if you would let me know.  Thanks,
> Deb  
> 
> CustName:   Rogers Cable Inc. Glph
> Address:    1 Mount Pleasant Road
> City:       Toronto
> StateProv:  ON
> PostalCode: M4Y-2Y5
> Country:    CA
> RegDate:    2003-04-24
> Updated:    2003-04-24
> 
> NetRange:   24.102.141.0 - 24.102.141.127 
> CIDR:       24.102.141.0/25 
> NetName:    ON-ROG-9-GLPH-4
> NetHandle:  NET-24-102-141-0-1
> Parent:     NET-24-100-0-0-1
> NetType:    Reassigned
> Comment:    
> RegDate:    2003-04-24
> Updated:    2003-04-24
> 
> TechHandle: AD30-ARIN
> TechName:   Taylor, Phillip 
> TechPhone:  +1-416-935-4729
> TechEmail:  abuse at rogers.com 
> 
> Deborah F Hale
> Certified Business Continuity Professional/Computer Security Specialist
> BCP Enterprise, Inc
> Telephone: (712) 252-0361
> www.bcpenterprise.com
>  
> 
> 
> -----Original Message-----
> From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
> Of Matthew Harrell
> Sent: Wednesday, June 25, 2003 7:11 AM
> To: Dshield Mailing List
> Subject: [Dshield] CONSTANT 445/tcp scans from a node
> 
> 
> We have been receiving a barrage of 445/tcp scans from 24.102.141.32.  It's
> been going on for three days now.  The computer scans our entire external
> subnet for hours.  Then the activity will stop for a while, and start up
> again a couple hours later.  I'm also pretty sure this is the same node
> that was doing this to us a week or two ago.  At that time, not only did
> Dshield send the automated abuse e-mail, but I also called his ISP.  I was
> told to
> send e-mail to a particular address (which, if I remember correctly, was
> different than the one Dshield sent to).  I got no reply, but the scans
> stopped shortly after sending the e-mail.
> 
> When the scans started up again, dshield sent another abuse e-mail with no
> response.  I'll try sending another myself like I did before--maybe the IP
> address is slightly different.  It's frustrating that there's really nothing
> else I can do about this.  We're not vulnerable to this, but it sure is
> clogging up my Snort logs!  Has anyone else experienced such repetitive
> 445/tcp scans from one node over the course of days?
> 
> 
> -----------------
> Matt Harrell
> Plexus Systems
> mhar at plex.com 
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
> 

