Security Incidents mailing list archives
Several DNS probes coming from HALOA-NETS (fr.clara.net)
From: Fabio Bastiglia Oliva <fboliva () safenetworks com>
Date: Wed, 21 Feb 2001 19:40:33 -0300
Hello,

Several customers of our company were portscanned last night. The aggressor IP address was 212.43.237.227 and it was looking for the BIND versions as shown below:

(GMT-3)
---
Feb 20 21:59:28 xxxxxxxxx snort[149]: spp_portscan: PORTSCAN DETECTED from 212.43.237.227 (STEALTH)
Feb 20 21:59:28 xxxxxxxxx snort[149]: IDS198 - SCAN-SYN FIN: 212.43.237.227:510 -> 200.xxx.xxx.xxx:510
Feb 20 21:59:41 xxxxxxxxx snort[149]: spp_portscan: portscan status from 212.43.237.227: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Feb 20 22:00:02 xxxxxxxxx snort[149]: spp_portscan: End of portscan from 212.43.237.227: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Feb 21 03:01:08 xxxxxxxxx snort[149]: spp_portscan: PORTSCAN DETECTED from 212.43.237.227 (STEALTH)
Feb 21 03:01:08 xxxxxxxxx snort[149]: IDS198 - SCAN-SYN FIN: 212.43.237.227:53 -> 200.xxx.xxx.xxx:53
Feb 21 03:01:09 xxxxxxxxx snort[149]: IDS277 - NAMED Iquery Probe: 212.43.237.227:2090 -> 200.xxx.xxx.xxx:53
Feb 21 03:01:09 xxxxxxxxx snort[149]: IDS277 - NAMED Iquery Probe: 212.43.237.227:2091 -> 200.xxx.xxx.xxx:53
Feb 21 03:01:09 xxxxxxxxx snort[149]: IDS277 - NAMED Iquery Probe: 212.43.237.227:2092 -> 200.xxx.xxx.xxx:53
Feb 21 03:01:09 xxxxxxxxx snort[149]: IDS277 - NAMED Iquery Probe: 212.43.237.227:2093 -> 200.xxx.xxx.xxx:53
Feb 21 03:01:09 xxxxxxxxx snort[149]: IDS277 - NAMED Iquery Probe: 212.43.237.227:2094 -> 200.xxx.xxx.xxx:53
Feb 21 03:01:10 xxxxxxxxx snort[149]: IDS278 - SCAN -named Version probe: 212.43.237.227:2090 -> 200.xxx.xxx.xxx:53
Feb 21 03:01:10 xxxxxxxxx snort[149]: IDS278 - SCAN -named Version probe: 212.43.237.227:2091 -> 200.xxx.xxx.xxx:53
Feb 21 03:01:10 xxxxxxxxx snort[149]: IDS278 - SCAN -named Version probe: 212.43.237.227:2092 -> 200.xxx.xxx.xxx:53
Feb 21 03:01:10 xxxxxxxxx snort[149]: IDS278 - SCAN -named Version probe: 212.43.237.227:2093 -> 200.xxx.xxx.xxx:53
Feb 21 03:01:10 xxxxxxxxx snort[149]: IDS278 - SCAN -named Version probe: 212.43.237.227:2094 -> 200.xxx.xxx.xxx:53
Feb 21 03:01:57 xxxxxxxxx snort[149]: spp_portscan: portscan status from 212.43.237.227: 3 connections across 1 hosts: TCP(2), UDP(1) STEALTH
Feb 21 03:03:35 xxxxxxxxx snort[149]: spp_portscan: End of portscan from 212.43.237.227: TOTAL time(2s) hosts(1) TCP(2)
---

Has anyone here had the same problem?

The IP address belongs to HALOA-NETS as shown below:

---
inetnum: 212.43.237.224 - 212.43.237.255
netname: HALOA-NETS
descr: Haloa
country: FR
rev-srv: ns3.fr.clara.net
rev-srv: ns4.fr.clara.net
---

Still no response from the admins of this network regarding this problem.

Best regards
________________________________
Fabio Bastiglia Oliva - Director
fboliva () safenetworks com
Safe Networks Informática LTDA.
http://www.safenetworks.com
"Do you think you are secure? We think not! Visit us before you become a statistic! Safe Networks Security Solutions"
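The snort lines in the post above, as an added triage example that is not part of the original message: it parses alerts in that syslog format, groups them by source, and singles out sources whose IDS277/IDS278 named probes reached port 53 so they can be escalated ahead of plain port sweeps. The sample lines are constructed in the same format; 200.0.2.10 and 198.51.100.7 are placeholder hosts, not addresses from the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the snort syslog format from the post. The source is the one
# reported there; 200.0.2.10 stands in for the masked 200.xxx.xxx.xxx customer host.
SAMPLE_LOG = """\
Feb 21 03:01:08 gw snort[149]: spp_portscan: PORTSCAN DETECTED from 212.43.237.227 (STEALTH)
Feb 21 03:01:08 gw snort[149]: IDS198 - SCAN-SYN FIN: 212.43.237.227:53 -> 200.0.2.10:53
Feb 21 03:01:09 gw snort[149]: IDS277 - NAMED Iquery Probe: 212.43.237.227:2090 -> 200.0.2.10:53
Feb 21 03:01:09 gw snort[149]: IDS277 - NAMED Iquery Probe: 212.43.237.227:2091 -> 200.0.2.10:53
Feb 21 03:01:10 gw snort[149]: IDS278 - SCAN -named Version probe: 212.43.237.227:2090 -> 200.0.2.10:53
Feb 21 03:01:57 gw snort[149]: spp_portscan: portscan status from 212.43.237.227: 3 connections across 1 hosts: TCP(2), UDP(1) STEALTH
Feb 21 03:05:00 gw snort[149]: IDS198 - SCAN-SYN FIN: 198.51.100.7:1024 -> 200.0.2.10:80
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ snort\[\d+\]: (?P<sid>IDS\d+) - (?P<msg>.+?): "
    r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+) -> (?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)$"
)
# Against port 53 these two signatures mean BIND fingerprinting, not just a port sweep.
DNS_RECON_SIDS = {"IDS277", "IDS278"}


def parse_alerts(text):
    """One dict per signature alert; spp_portscan status lines do not match and are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            alerts.append(d)
    return alerts


def summarize(alerts):
    """Group by source: signature counts, distinct targets, distinct target ports."""
    per_src = defaultdict(lambda: {"sigs": Counter(), "targets": set(), "dports": set()})
    for a in alerts:
        s = per_src[a["src"]]
        s["sigs"][a["sid"]] += 1
        s["targets"].add(a["dst"])
        s["dports"].add(a["dport"])
    return dict(per_src)


def dns_recon_sources(summary):
    """Sources that sent named iquery/version probes to port 53; triage these first."""
    return sorted(src for src, s in summary.items()
                  if 53 in s["dports"] and DNS_RECON_SIDS & set(s["sigs"]))
```

Feeding a real syslog file to `parse_alerts` and printing `dns_recon_sources(summarize(...))` gives the short list of sources worth a complaint to the owning network, with the per-source signature counts available for the report.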