X-MimeOLE: Produced By Microsoft Exchange V6.5
Received: by onstor-exch02.onstor.net 
	id <01C8A662.FA977048@onstor-exch02.onstor.net>; Thu, 24 Apr 2008 16:29:02 -0700
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Content-class: urn:content-classes:message
Subject: FW: Network Scan [Fwd: Re: (b2932152)Network scan from 66.201.51.69]
Date: Thu, 24 Apr 2008 16:29:01 -0700
Message-ID: <BB375AF679D4A34E9CA8DFA650E2B04E099E0EDA@onstor-exch02.onstor.net>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: Network Scan [Fwd: Re: (b2932152)Network scan from 66.201.51.69]
Thread-Index: AcimYeVPZfEBk1CMSwGOH+PAnCTllAAAM3Qw
From: "Brian Baker" <IMCEAEX-_O=ONSTOR_OU=FIRST+20ADMINISTRATIVE+20GROUP_CN=RECIPIENTS_CN=BRIAN+2EBAKER@onstor.com>
To: "Trung Truong" <ttruong@onstor.com>,
	"Andy Sharp" <andy.sharp@onstor.com>

Someone tried to ssh to a couple addresses on the Verizon network. The
crybabies took it as a port scan. Let's make sure we are not running
nessus, nmap or any other port scan utils from this system.

-----Original Message-----
From: Phillip Lossing [mailto:Phillip@FiberInternetCenter.com]
Sent: Thursday, April 24, 2008 4:21 PM
To: Brian Baker
Cc: secmbox3@verizonbusiness.com; noc@fiberinternetcenter.com
Subject: Network Scan [Fwd: Re: (b2932152)Network scan from 66.201.51.69]

Hi Brian,

We received word from Verizon of a network scan that appears to originate
from Onstor's corporate network. Please see the original email below.  I
know we've never had any issues with Onstor in the past, so there is the
possibility of a trojan or virus. If you could please check into this we
would appreciate it.

Thank you,

Phillip Lossing
Fiber Internet Center


> We detected a scan of part of the Verizon Business Public IP network which
> appears to have originated from the source address 66.201.51.69.  The
> scanning began at approximately 2008-04-23 04:09:05 UTC.  If neither you
> nor the owner of this address are aware of this traffic, it is possible
> that a third party is either forging the source address or executing an
> unauthorized scan from this machine.  If you suspect the scan is being
> executed by an unauthorized third party, a trojan, or a virus, please
> consult http://www.cert.org/tech_tips/root_compromise.html.
>
> This address attempted to scan approximately 14 addresses on TCP/22.
>
> This is a violation of Verizon Business's acceptable use policy.  For
> further information, please consult: http://global.mci.com/terms/a_u_p/.
> A reply to this message is not required, but the activity above must be
> stopped.  If you need to contact us about this issue, please reply to this
> message leaving the ticket number in the subject line.
>
> Thank you
>
> Verizon Business Infrastructure/Network Security Team
>
> Sample of log entries:
> 2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:43804,Dst IP 65.207.233.39:22,tcp
> 2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:45311,Dst IP 65.207.233.36:22,tcp
> 2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:45984,Dst IP 65.207.233.37:22,tcp
> 2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:43804,Dst IP 65.207.233.39:22,tcp
> 2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:45311,Dst IP 65.207.233.36:22,tcp
> 2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:34200,Dst IP 65.207.233.32:22,tcp
> 2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:47690,Dst IP 65.207.233.33:22,tcp
> 2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:43402,Dst IP 65.207.233.35:22,tcp
> 2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:49152,Dst IP 65.207.233.40:22,tcp
> 2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:47440,Dst IP 65.207.233.41:22,tcp
>
>
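An added example, not part of the original messages: a Python parser for log entries in the format of the sample above that counts distinct destinations per source and destination port inside a time window, the fan-out pattern the notice reports. The addresses, the threshold of 5 and the 60-second window are constructed assumptions, not Verizon's detection criteria.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (documentation-range addresses), one entry per line,
# including a repeated entry and a truncated line.
SAMPLE = """\
2008-04-23 04:09:05 UTC,Src IP 192.0.2.10:43804,Dst IP 198.51.100.39:22,tcp
2008-04-23 04:09:05 UTC,Src IP 192.0.2.10:45311,Dst IP 198.51.100.36:22,tcp
2008-04-23 04:09:05 UTC,Src IP 192.0.2.10:45984,Dst IP 198.51.100.37:22,tcp
2008-04-23 04:09:05 UTC,Src IP 192.0.2.10:43804,Dst IP 198.51.100.39:22,tcp
2008-04-23 04:09:06 UTC,Src IP 192.0.2.10:34200,Dst IP 198.51.100.32:22,tcp
2008-04-23 04:09:06 UTC,Src IP 192.0.2.10:47690,Dst IP 198.51.100.33:22,tcp
2008-04-23 04:10:00 UTC,Src IP 192.0.2.20:50100,Dst IP 198.51.100.39:22,tcp
2008-04-23 09:30:00 UTC,Src IP 192.0.2.20:50222,Dst IP 198.51.100.39:22,tcp
truncated entry, Dst IP
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC,"
    r"Src IP ([\d.]+):\d+,Dst IP ([\d.]+):(\d+),(\w+)$")

def parse(text):
    """Yield (time, src, dst, dport, proto) per well-formed entry; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.lstrip("> ").strip())  # tolerate mail quoting
        if m:
            ts, src, dst, dport, proto = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, int(dport), proto

def fan_out(events, window=timedelta(seconds=60)):
    """Map (src, dport, proto) to the most distinct destinations hit in one window."""
    groups = defaultdict(list)
    for ts, src, dst, dport, proto in events:
        groups[(src, dport, proto)].append((ts, dst))
    result = {}
    for key, hits in groups.items():
        hits.sort()
        # Source ports are ignored, so a repeated entry is not counted twice.
        result[key] = max(
            len({dst for ts, dst in hits[i:] if ts - start <= window})
            for i, (start, _) in enumerate(hits))
    return result

def flag_scanners(text, threshold=5, window=timedelta(seconds=60)):
    """Return [((src, dport, proto), count)] for sources reaching the threshold."""
    found = fan_out(parse(text), window)
    return sorted((k, n) for k, n in found.items() if n >= threshold)

if __name__ == "__main__":
    print(flag_scanners(SAMPLE))
```

Counting distinct destinations rather than raw entries matters for triage: a host that reconnects to one SSH server many times stays at a count of 1, while a host touching many servers in the same second stands out.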



