Security Incidents mailing list archives

Several DNS probes coming from HALOA-NETS (fr.clara.net)


From: Fabio Bastiglia Oliva <fboliva () safenetworks com>
Date: Wed, 21 Feb 2001 19:40:33 -0300

Hello,

Several customers of our company were portscanned last night.
The aggressor IP address was 212.43.237.227 and it was looking
for the BIND versions, as shown below:

(GMT-3)
---
Feb 20 21:59:28 xxxxxxxxx snort[149]: spp_portscan: PORTSCAN DETECTED from 212.43.237.227 (STEALTH)
Feb 20 21:59:28 xxxxxxxxx snort[149]: IDS198 - SCAN-SYN FIN: 212.43.237.227:510 -> 200.xxx.xxx.xxx:510
Feb 20 21:59:41 xxxxxxxxx snort[149]: spp_portscan: portscan status from 212.43.237.227: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Feb 20 22:00:02 xxxxxxxxx snort[149]: spp_portscan: End of portscan from 212.43.237.227: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH

Feb 21 03:01:08 xxxxxxxxx snort[149]: spp_portscan: PORTSCAN DETECTED from 212.43.237.227 (STEALTH)
Feb 21 03:01:08 xxxxxxxxx snort[149]: IDS198 - SCAN-SYN FIN: 212.43.237.227:53 -> 200.xxx.xxx.xxx:53
Feb 21 03:01:09 xxxxxxxxx snort[149]: IDS277 - NAMED Iquery Probe: 212.43.237.227:2090 -> 200.xxx.xxx.xxx:53
Feb 21 03:01:09 xxxxxxxxx snort[149]: IDS277 - NAMED Iquery Probe: 212.43.237.227:2091 -> 200.xxx.xxx.xxx:53
Feb 21 03:01:09 xxxxxxxxx snort[149]: IDS277 - NAMED Iquery Probe: 212.43.237.227:2092 -> 200.xxx.xxx.xxx:53
Feb 21 03:01:09 xxxxxxxxx snort[149]: IDS277 - NAMED Iquery Probe: 212.43.237.227:2093 -> 200.xxx.xxx.xxx:53
Feb 21 03:01:09 xxxxxxxxx snort[149]: IDS277 - NAMED Iquery Probe: 212.43.237.227:2094 -> 200.xxx.xxx.xxx:53
Feb 21 03:01:10 xxxxxxxxx snort[149]: IDS278 - SCAN -named Version probe: 212.43.237.227:2090 -> 200.xxx.xxx.xxx:53
Feb 21 03:01:10 xxxxxxxxx snort[149]: IDS278 - SCAN -named Version probe: 212.43.237.227:2091 -> 200.xxx.xxx.xxx:53
Feb 21 03:01:10 xxxxxxxxx snort[149]: IDS278 - SCAN -named Version probe: 212.43.237.227:2092 -> 200.xxx.xxx.xxx:53
Feb 21 03:01:10 xxxxxxxxx snort[149]: IDS278 - SCAN -named Version probe: 212.43.237.227:2093 -> 200.xxx.xxx.xxx:53
Feb 21 03:01:10 xxxxxxxxx snort[149]: IDS278 - SCAN -named Version probe: 212.43.237.227:2094 -> 200.xxx.xxx.xxx:53
Feb 21 03:01:57 xxxxxxxxx snort[149]: spp_portscan: portscan status from 212.43.237.227: 3 connections across 1 hosts: TCP(2), UDP(1) STEALTH
Feb 21 03:03:35 xxxxxxxxx snort[149]: spp_portscan: End of portscan from 212.43.237.227: TOTAL time(2s) hosts(1) TCP(2)
---

Has anyone here had the same problem?

The IP address belongs to HALOA-NETS, as shown below:

---
inetnum: 212.43.237.224 - 212.43.237.255
netname: HALOA-NETS
descr: Haloa
country: FR
rev-srv: ns3.fr.clara.net
rev-srv: ns4.fr.clara.net
---

Still no response from the admins of this network regarding this
problem.


Best regards
________________________________
Fabio Bastiglia Oliva - Director
fboliva () safenetworks com

Safe Networks Informática LTDA.
http://www.safenetworks.com

"Do you think you are secure? We think not!
 Visit us before you become a statistic!
               Safe Networks Security Solutions"
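As an added illustration (not part of this post), a small Python triage script that parses Snort syslog alerts in the format quoted above and groups them per source IP, so that a burst of IDS277/IDS278 named probes following a spp_portscan detection stands out from a stray query; the log lines, the sensor hostname and the 200.1.2.3 target are constructed samples.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the same format as the report above
# (destination addresses are made up, not the original poster's).
SAMPLE_LOG = """\
Feb 21 03:01:08 sensor snort[149]: spp_portscan: PORTSCAN DETECTED from 212.43.237.227 (STEALTH)
Feb 21 03:01:08 sensor snort[149]: IDS198 - SCAN-SYN FIN: 212.43.237.227:53 -> 200.1.2.3:53
Feb 21 03:01:09 sensor snort[149]: IDS277 - NAMED Iquery Probe: 212.43.237.227:2090 -> 200.1.2.3:53
Feb 21 03:01:09 sensor snort[149]: IDS277 - NAMED Iquery Probe: 212.43.237.227:2091 -> 200.1.2.3:53
Feb 21 03:01:10 sensor snort[149]: IDS278 - SCAN -named Version probe: 212.43.237.227:2090 -> 200.1.2.3:53
Feb 21 03:01:10 sensor snort[149]: IDS278 - SCAN -named Version probe: 212.43.237.227:2091 -> 200.1.2.3:53
Feb 21 03:01:57 sensor snort[149]: spp_portscan: portscan status from 212.43.237.227: 3 connections across 1 hosts: TCP(2), UDP(1) STEALTH
Feb 21 03:05:00 sensor snort[149]: IDS278 - SCAN -named Version probe: 10.9.8.7:4000 -> 200.1.2.3:53
"""

# Signature alert: "<ts> <host> snort[pid]: IDSnnn - <name>: src:sport -> dst:dport"
SIG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ snort\[\d+\]: "
    r"(?P<sid>IDS\d+) - (?P<name>.+?): "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# Portscan preprocessor start-of-scan line
SCAN_RE = re.compile(r"snort\[\d+\]: spp_portscan: PORTSCAN DETECTED from (?P<src>[\d.]+)")

def summarize(log_text):
    """Group alerts by source IP.
    Returns {src: {"portscan": bool, "sigs": Counter(sid), "dns_targets": set(dst)}}."""
    report = defaultdict(
        lambda: {"portscan": False, "sigs": Counter(), "dns_targets": set()}
    )
    for line in log_text.splitlines():
        m = SCAN_RE.search(line)
        if m:
            report[m["src"]]["portscan"] = True
            continue
        m = SIG_RE.match(line)
        if not m:
            continue  # portscan status/end lines and unrelated output are skipped
        entry = report[m["src"]]
        entry["sigs"][m["sid"]] += 1
        if m["dport"] == "53":
            entry["dns_targets"].add(m["dst"])
    return dict(report)

def dns_version_probers(report):
    """Sources that sent at least one named version probe (IDS278); check
    entry["portscan"] to see whether it followed a scan, as in the report."""
    return sorted(src for src, e in report.items() if e["sigs"]["IDS278"] > 0)
```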

