funsec mailing list archives
Network probing from Tehran...
From: "Fergie" <fergdawg () netzero net>
Date: Mon, 12 Dec 2005 14:35:37 GMT
Came into work this morning and reviewing IDS logs from the weekend... Happens all the time, mostly from China, but this is the first I've seen from Iran -- at least in a while. ;-)

I'm guessing that sending an abuse/alert note would probably go unanswered... :-)

- ferg

[snip]

Description: Triggers when a single TCP packet with none of the SYN, FIN, ACK, or RST flags set has been sent to a specific host. This is indicative that a reconnaissance sweep of your network may be in progress. The use of this type of packet indicates an attempt to conceal the sweep. This may be the prelude to a more serious attack. This should never occur in legitimate traffic. The source of this packet should be shunned.
Winters-IDS reported a high severity alert at 12/10/2005 10:13:04
Signature TCP NULL Packet (3040:0) from 62.220.106.138 to x.x.73.128
Actions taken: None
----------------------------------------------------
Winters-IDS reported a high severity alert at 12/10/2005 10:09:51
Signature TCP NULL Packet (3040:0) from 62.220.106.138 to x.x.131.111
Actions taken: None
----------------------------------------------------
Winters-IDS reported a high severity alert at 12/10/2005 10:07:40
Signature TCP NULL Packet (3040:0) from 62.220.106.138 to x.x.108.64
Actions taken: None
----------------------------------------------------
[IPv4 whois information for 62.220.106.138 ] [whois.ripe.net]

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg () netzero net or fergdawg () sbcglobal net
ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
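An added illustration of the "TCP NULL Packet" condition quoted in the post (this is not code from Fergie's message or from the IDS product): it reads the flag byte of a raw TCP header, applies the signature's rule (none of SYN, FIN, ACK or RST set), and groups hits per source to surface a sweep like the three alerts above. The packet bytes and helper names are constructed for the example.

```python
import struct
from collections import defaultdict

# TCP flag bits, as laid out in the flags byte at offset 13 of the header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_flags(segment: bytes) -> int:
    """Return the flags byte of a raw TCP segment (header assumed at offset 0)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]


def is_null_packet(segment: bytes) -> bool:
    """The signature's condition: none of SYN, FIN, ACK or RST is set.

    Note that a PSH- or URG-only segment still matches; an Xmas-style
    segment (FIN|PSH|URG) does not, because FIN is set.
    """
    return tcp_flags(segment) & (SYN | FIN | ACK | RST) == 0


def build_segment(sport: int, dport: int, flags: int) -> bytes:
    """Constructed test data: a minimal 20-byte TCP header with the given flags."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)


def null_sweep_sources(packets, min_targets: int = 3):
    """Group NULL hits by source; report sources that touched >= min_targets hosts.

    packets: iterable of (src_ip, dst_ip, raw_tcp_segment).
    """
    targets = defaultdict(set)
    for src, dst, seg in packets:
        if is_null_packet(seg):
            targets[src].add(dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}


# Constructed sample modelled on the three alerts in the post, plus ordinary
# traffic that must not trigger.
SAMPLE_PACKETS = [
    ("62.220.106.138", "x.x.73.128", build_segment(40001, 80, 0)),
    ("62.220.106.138", "x.x.131.111", build_segment(40002, 80, 0)),
    ("62.220.106.138", "x.x.108.64", build_segment(40003, 80, 0)),
    ("192.0.2.10", "x.x.73.128", build_segment(50000, 443, SYN)),
    ("192.0.2.10", "x.x.73.128", build_segment(50000, 443, ACK | PSH)),
]

if __name__ == "__main__":
    for src, hosts in null_sweep_sources(SAMPLE_PACKETS).items():
        print(f"NULL sweep from {src} against {len(hosts)} hosts: {hosts}")
```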