Last Updated: 2015-01-10 03:15:45 UTC
by Mark Hofman (Version: 1)
Hi, if you have some logs from the following subnets to your infrastructure and are able to share them, could you?
- 126.96.36.199/24 (although I'll take /16)
If you can't share logs or packets, maybe you could send me a source IP and Destination Port. (just use the contact form or send them direct to markh.isc (at) gmail.com )
The above are all active on SSH and DNS; I'm just trying to see if there is anything else and, if so, what and in which part of the world.
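If you want to pull out exactly what the diary is asking for (source IP and destination port for traffic from the subnet, and anything beyond SSH and DNS) from a netfilter/iptables-style firewall log, here is an added example of how to do it. This is not code from the diary or from ISC; the log lines are constructed for illustration, the field layout assumes the standard kernel `SRC=... DST=... PROTO=... SPT=... DPT=...` format, and the subnet is the one from the request above.

```python
import ipaddress
import re
from collections import Counter

# Subnet from the diary request (the /24; the author will also take the /16).
WATCH_NET = ipaddress.ip_network("126.96.36.199/24", strict=False)

# Constructed iptables/netfilter-style log lines, not real data from the diary.
SAMPLE_LOG = """\
Jan  9 21:14:02 fw kernel: [12345.678] IN=eth0 OUT= MAC=... SRC=126.96.36.199 DST=203.0.113.10 LEN=60 TTL=49 ID=1234 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  9 21:14:05 fw kernel: [12348.001] IN=eth0 OUT= MAC=... SRC=126.96.36.77 DST=203.0.113.10 LEN=73 TTL=49 ID=4321 PROTO=UDP SPT=40001 DPT=53 LEN=53
Jan  9 21:14:09 fw kernel: [12352.222] IN=eth0 OUT= MAC=... SRC=126.96.36.199 DST=203.0.113.11 LEN=60 TTL=49 ID=1235 DF PROTO=TCP SPT=51240 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  9 21:14:11 fw kernel: [12354.900] IN=eth0 OUT= MAC=... SRC=198.51.100.4 DST=203.0.113.10 LEN=60 TTL=55 ID=999 DF PROTO=TCP SPT=33333 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  9 21:14:15 fw kernel: [12358.000] IN=eth0 OUT= MAC=... SRC=126.96.36.201 DST=203.0.113.10 LEN=60 TTL=49 ID=1300 DF PROTO=TCP SPT=51300 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# Only the netfilter fields we care about; everything else on the line is ignored.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_line(line):
    """Return a dict of the netfilter fields, or None if the line is not a firewall entry."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields:
        return None
    return fields


def hits_in_watch_net(log_text, net=WATCH_NET):
    """Return (src_ip, proto, dport) for every entry whose source address lies inside net."""
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        try:
            src = ipaddress.ip_address(f["SRC"])
        except ValueError:  # malformed SRC value, skip rather than crash on a big log
            continue
        if src in net:
            hits.append((str(src), f.get("PROTO", "?"), int(f.get("DPT", 0))))
    return hits


def summarise(hits):
    """Count (src, proto, dport) tuples: the 'source IP and destination port' the diary asks for."""
    return Counter(hits)


def ports_other_than(hits, known=(22, 53)):
    """Distinct (src, proto, dport) seen from the subnet on ports other than SSH and DNS."""
    return sorted({h for h in hits if h[2] not in known})


if __name__ == "__main__":
    hits = hits_in_watch_net(SAMPLE_LOG)
    for (src, proto, dport), n in sorted(summarise(hits).items()):
        print(f"{src:15} {proto:4} dport={dport:<5} count={n}")
    print("Beyond SSH/DNS:", ports_other_than(hits))
```

Run it against your own log by replacing `SAMPLE_LOG` with the file contents; the summary lines are exactly the source IP / destination port pairs worth sending in, and `ports_other_than` surfaces the "anything else" the diary is trying to find.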
NOTE: Thanks for all the info so far, very much appreciated, keep it coming. If sending a file, please email it direct to markh.isc (at) gmail.com, as the contact form file facility is having a challenge. It is being looked at, but in the meantime please use the email address. - RESOLVED
Update: Firstly, thank you all for providing information. The response has been great. I've spent the last 5 hours sending thank-yous and getting the info down :-).
A first look at the data is already providing some interesting info. I'll hopefully get the first cut of some info out later today. If you have devices in the Middle East, Africa, Asia, Europe, South America or Australia, I'm especially interested in those. Also, if you have a packet capture for allowed connections from 188.8.131.52, 65, 66 or 67, or an IDS/IPS capture of the initial request (allowed or denied), and you can share it, great.
Some of the logs shared so far include firewall and router logs, honeypot logs (one especially interesting as it is using p0f to passively fingerprint the source), but also some really interesting netflow and argus info. So again, thanks to you all.