[41450] in North American Network Operators' Group
Re: FTP Probes from Taiwan/China
daemon@ATHENA.MIT.EDU (kysi ferul)
Mon Sep 10 12:40:54 2001
Message-ID: <20010910164019.72932.qmail@web12101.mail.yahoo.com>
Date: Mon, 10 Sep 2001 09:40:19 -0700 (PDT)
From: kysi ferul <redwingblakburdz@yahoo.com>
To: Gordon Ewasiuk <gewasiuk@gnmc.net>,
mike harrison <meuon@highertech.net>
Cc: "Stephen J. Wilcox" <steve@opaltelecom.co.uk>,
"nanog@merit.edu" <nanog@merit.edu>
In-Reply-To: <Pine.GSO.4.33.0109091526110.7839-100000@enterprise.gnmc.net>
"FORMOSA"...from Jonathan Swift's "Gulliver!" Please see: "Two Babylons"
Gordon Ewasiuk <gewasiuk@gnmc.net> wrote:
On Today, mike harrison wrote:
>> > Has anyone seen a dramatic increase in FTP probes/scans/bad stuff from
>> > certain IP blocks in Taiwan or China? Specifically, 211/8, 61/8, and
>> > 202/7. I'm logging over 7500 probes/hr right now. Is there a new
>> > exploit out or something?
>> >
>> > Another network just surfaced: 210.82/15
>
>I am getting lots of port 80'ish scans from those IP ranges.
>and a few port 139, but I have not seen a port 21 (FTP) scan from anyone
>in the last 30 minutes... while monitoring a /19 and a /20 locally.
Apprec. the info. Probes are falling off now. 25k in the last 6hrs
(as of 1500hrs EST).
Not much in the grand scheme of things but more than I like. A couple of
servers at this facility are being targeted - no sooner had I ACL'ed
one block when probes from a new block to the same targets surfaced. In
any event, the target servers are offline pending a close inspection.
Thanks to all that responded,
-Gordon
--------------------------------------------------
Gordon Ewasiuk, Certified Sun Fanatic, Winstar VHC
The REAL office number is here-----> 703.893.4901
Tired of BSODs, My Computer, and Code Red?
http://www.sun.com/solaris/binaries/
-------------------------------------------------
Kysi Ferul redwingblakburdz@yahoo.com