Looking for packets from three particular subnets

Published: 2014-01-31
Last Updated: 2014-01-31 21:14:55 UTC
by Chris Mohan (Version: 1)
18 comment(s)
A reader wrote in reporting seeing a large amount odd activity from three subnets across a large number of disparate networks he managed. Addresses from these subnets have been generating between 100,000 - 500,000 inbound connections a day apiece, primarily targeting port 80 however, he had also seen a very small amount of inbound port 25 and port 443 as well. Sadly he wasn't able to capture any packets.
 
The Subnets in question are:
 
5.254.116.32-5.254.116.63 ("AppLayer_Anti-DDoS_Hosting" located in Russia)
94.23.97.196-94.23.97.199 ("GAMESPROTECT AntiDDoS Network" located in Germany)
5.254.105.16-5.254.105.31 ("WooServers" located in Germany)
 
If you have any packet captures of this traffic or know why theses subnets are making apparently unsolicited, random connections, please write in and let us know!
 

Chris Mohan --- Internet Storm Center Handler on Duty

18 comment(s)
CVE-2013-6230 & CVE 2014-0591 fixed in BIND 9.9.5, BIND 9.8.7 & BIND 9.6-ESV.
ISC StormCast for Friday, January 31st 2014 http://isc.sans.edu/podcastdetail.html?id=3815

Attack on Yahoo mail accounts

Published: 2014-01-31
Last Updated: 2014-01-31 00:43:22 UTC
by Chris Mohan (Version: 1)
0 comment(s)
Yahoo announced they discovered attempts to access Yahoo mail accounts [1]. Not a huge amount of information has currently been released about what happened, but the usernames and passwords have come from some unnamed third party source, not from Yahoo.
 
Yahoo, and we at the Storm Center, advises you change your Yahoo email account passwords.
 
I’d also recommend being wary of any odd email messages from friends with Yahoo accounts that send you links or attachments in the next few days.
 
[1] http://yahoo.tumblr.com/post/75083532312/important-security-update-for-yahoo-mail-users
 

Chris Mohan --- Internet Storm Center Handler on Duty

Keywords: email
0 comment(s)

Comments


Diary Archives