Looking for Packets for IP address 71.6.165.200
The DShield database this morning shows a tremendous uptick in activity coming out of IP address 71.6.165.200 over the past few weeks, so I am reaching out to everyone to see if anybody has packets related to this IP address. The WHOIS shows a newly registered IP block, allocated to CariNet, Inc., a San Diego based cloud provider, on January 3 2014. Since that time there has been a surge in reports to the DShield database of unwanted TCP and UDP packets from this address.
If anybody has information on the IP address 71.6.165.200, or a POC at CariNet, it would greatly help. I will contact the abuse department on Monday with whatever information I can collect today.
As always, thanks for supporting the Internet Storm Center,
tony d0t Carothers –gmail.com
==============================
UPDATE: 27 January 2014
The senior security engineer onsite has contacted the customer, who has agreed to take down the site and work with the ISC to resolve these issues. Great job everyone!! A community effort helps out the community every time!!
Comments
The AlienVault guys have also tagged this offending IP as a scanning host. Here is the link for the full report...
http://www.alienvault.com/apps/rep_monitor/ip/71.6.165.200/
Anonymous
Jan 26th 2014
Anonymous
Jan 26th 2014
Gary Pietila
Anonymous
Jan 26th 2014
Anonymous
Jan 26th 2014
Anonymous
Jan 27th 2014
Jim C.
Anonymous
Jan 27th 2014
Anonymous
Jan 27th 2014
sorted by # of packets:
1023/tcp: 2 packets from 1 hosts
webcache/tcp: 2 packets from 1 hosts
imaps/tcp: 2 packets from 1 hosts
9943/tcp: 2 packets from 1 hosts
pop3s/tcp: 3 packets from 1 hosts
27017/tcp: 4 packets from 1 hosts
ssh/tcp: 4 packets from 2 hosts
9100/tcp: 6 packets from 1 hosts
mysql/tcp: 6 packets from 2 hosts
ntp/udp: 7 packets from 1 hosts
ldap/tcp: 9 packets from 1 hosts
https/tcp: 11 packets from 1 hosts
domain/tcp: 16 packets from 2 hosts
telnet/tcp: 19 packets from 1 hosts
71.6.165.200 [T:7]: 1023/tcp:2 www/tcp:1 ssh/tcp:2 8443/tcp:1 20000/tcp:1 27017/tcp:4 telnet/tcp:1 domain/tcp:1 ldap/tcp:1 imaps/tcp:2 28017/tcp:1 5001/tcp:1 9943/tcp:1 https/tcp:1 9100/tcp:1 5560/tcp:1 8000/tcp:1 total:23 (0116 - 0125)
71.6.167.142 [T:7]: 2323/tcp:1 1023/tcp:1 www/tcp:1 8443/tcp:1 snmp/udp:1 domain/tcp:2 623/udp:1 ssh/udp:1 9999/tcp:1 5001/tcp:1 9943/tcp:2 9100/tcp:6 mysql/tcp:2 pop3s/tcp:3 webcache/tcp:1 ntp/udp:7 ldap/tcp:9 6379/tcp:1 https/tcp:11 8000/tcp:1 total:54 (0105 - 0126)
66.240.192.138 [T:7]: 2323/tcp:1 8129/tcp:1 nntp/tcp:1 1023/tcp:1 www/tcp:1 20000/tcp:1 ssh/tcp:2 snmp/udp:1 domain/tcp:14 telnet/tcp:19 ssh/udp:1 9999/tcp:1 5560/tcp:1 mysql/tcp:4 webcache/tcp:2 sip/udp:1 9200/tcp:1 ldap/tcp:1 11211/tcp:1 total:55 (0104 - 0126)
* all forward dns queries for the hostnames fail (NXDOMAIN)
hth,
--
juan
Anonymous
Jan 27th 2014
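The per-port summaries posted above ("ssh/tcp: 4 packets from 2 hosts", and so on) are the kind of thing a firewall log can yield in a few lines of code, which is what the diary is asking readers for. The following is an added example, not code from the diary, from DShield or from any commenter. It parses netfilter/iptables-style syslog lines, keeps only those from one source address, and aggregates them into the same "name/proto: N packets from M hosts" shape. The log lines are constructed sample input, the `SERVICE_NAMES` table is a partial stand-in for /etc/services, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed iptables/netfilter-style syslog lines. These are NOT packets from
# the diary or from any commenter; they exist only so the example runs offline.
SAMPLE_LOG = """\
Jan 25 03:14:07 fw kernel: IN=eth0 OUT= SRC=71.6.165.200 DST=192.0.2.10 PROTO=TCP SPT=44123 DPT=27017 SYN
Jan 25 03:14:09 fw kernel: IN=eth0 OUT= SRC=71.6.165.200 DST=192.0.2.10 PROTO=TCP SPT=44124 DPT=27017 SYN
Jan 25 03:15:31 fw kernel: IN=eth0 OUT= SRC=71.6.165.200 DST=192.0.2.11 PROTO=TCP SPT=44200 DPT=22 SYN
Jan 25 03:15:32 fw kernel: IN=eth0 OUT= SRC=71.6.165.200 DST=192.0.2.12 PROTO=TCP SPT=44201 DPT=22 SYN
Jan 25 03:16:02 fw kernel: IN=eth0 OUT= SRC=71.6.165.200 DST=192.0.2.10 PROTO=UDP SPT=51000 DPT=123
Jan 25 03:16:40 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=50000 DPT=443 SYN
Jan 25 03:17:00 fw kernel: IN=eth0 OUT= SRC=71.6.165.200 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
"""

# SPT/DPT are optional so ICMP lines (no ports) still parse instead of being lost.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+)(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)

# Partial service-name table (assumption: enough entries to mirror the
# DShield-style names used above; a real run would consult /etc/services).
SERVICE_NAMES = {
    (22, "tcp"): "ssh", (23, "tcp"): "telnet", (53, "tcp"): "domain",
    (80, "tcp"): "www", (123, "udp"): "ntp", (389, "tcp"): "ldap",
    (443, "tcp"): "https", (3306, "tcp"): "mysql",
}


def parse_log(text):
    """Yield one record per parsable line; lines without SRC/DST/PROTO are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        yield {
            "ts": d["ts"],
            "src": d["src"],
            "dst": d["dst"],
            "proto": d["proto"].lower(),
            "dpt": int(d["dpt"]) if d["dpt"] else None,
        }


def summarize_source(records, src):
    """For one source IP, count packets and distinct targets per (dport, proto).

    Records without a destination port (ICMP) are ignored, since the summary
    is keyed by port; they are still available in `records` for other checks.
    """
    ports = defaultdict(lambda: {"packets": 0, "hosts": set()})
    for r in records:
        if r["src"] != src or r["dpt"] is None:
            continue
        key = (r["dpt"], r["proto"])
        ports[key]["packets"] += 1
        ports[key]["hosts"].add(r["dst"])
    return ports


def format_summary(ports):
    """Render 'name/proto: N packets from M hosts', lowest packet count first."""
    rows = []
    ordered = sorted(ports.items(), key=lambda kv: (kv[1]["packets"], kv[0]))
    for (dpt, proto), v in ordered:
        name = SERVICE_NAMES.get((dpt, proto), str(dpt))
        rows.append(f"{name}/{proto}: {v['packets']} packets from {len(v['hosts'])} hosts")
    return rows


if __name__ == "__main__":
    recs = list(parse_log(SAMPLE_LOG))
    print("sorted by # of packets:")
    for row in format_summary(summarize_source(recs, "71.6.165.200")):
        print(row)
```

The sort order matches the listing above (ascending by packet count), so the busiest port ends up last. When sending this to an abuse contact, keep the raw lines alongside the summary: the summary says which ports were probed, but the timestamps and full lines are what the provider needs to match against their customer's records.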
Only about 500 attempts between then and now so not a big talker.
The MS-SQL just looks like a port scan but the UPnP is actually sending a discovery request.
It seems to be crawling our IP space without much rhyme or reason.
If you still need more packets, I can send in what I pulled from our IDS.
Anonymous
Jan 27th 2014
Yeah I'm the POC for abuse. I'll take a look at this now. Anybody having issues, please email me directly at zwikholm@cari.net. I'm not in the office today, but I'm taking a look at this right now. Thanks
Zach W.
Anonymous
Jan 27th 2014