Date: Thu, 24 Apr 2008 18:12:48 -0700
From: Andrew Sharp <andy.sharp@onstor.com>
To: "Brian Baker" <brian.baker@onstor.com>
Cc: "Trung Truong" <ttruong@onstor.com>
Subject: Re: Network Scan [Fwd: Re: (b2932152)Network scan from
 66.201.51.69]
Message-ID: <20080424181248.4d4b75e6@ripper.onstor.net>
In-Reply-To: <BB375AF679D4A34E9CA8DFA650E2B04E099E0EDA@onstor-exch02.onstor.net>
References: <BB375AF679D4A34E9CA8DFA650E2B04E099E0EDA@onstor-exch02.onstor.net>
Organization: Onstor
X-Mailer: Sylpheed-Claws 2.6.0 (GTK+ 2.8.20; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Heh.  So I assume you told them, more politely than I would, of course,
that you would be happy to log all outgoing port 22 connections so that
you could forensically determine which IP address originated which
outgoing attempt on any particular day/date, and then match those logs
against your DHCP logs and track down which of 500 Windows machines
behind the firewall is infected with a virus ... as soon as they start
doing the same?

They must have a server dedicated to just this outgoing mail traffic if
how often my own IP addresses get ssh "probed" is any indication.

Cheers,

a

On Thu, 24 Apr 2008 16:29:01 -0700 "Brian Baker"
<brian.baker@onstor.com> wrote:

> Someone tried to ssh to a couple addresses on the Verizon network. The
> crybabies took it as a port scan. Let's make sure we are not running
> nessus, nmap or any other port scan utils from this system.
> 
> -----Original Message-----
> From: Phillip Lossing [mailto:Phillip@FiberInternetCenter.com] 
> Sent: Thursday, April 24, 2008 4:21 PM
> To: Brian Baker
> Cc: secmbox3@verizonbusiness.com; noc@fiberinternetcenter.com
> Subject: Network Scan [Fwd: Re: (b2932152)Network scan from
> 66.201.51.69]
> 
> Hi Brian,
> 
> We received word from Verizon of a network scan that appears to
> originate from Onstor's corporate network. Please see the original
> email below.  I know we've never had any issues with Onstor in the
> past, so there is the possibility of a trojan or virus. If you could
> please check into this we would appreciate it.
> 
> Thank you,
> 
> Phillip Lossing
> Fiber Internet Center
> 
> 
> > We detected a scan of part of the Verizon Business Public IP network
> > which appears to have originated from the source address 66.201.51.69.
> > The scanning began at approximately 2008-04-23 04:09:05 UTC.  If
> > neither you nor the owner of this address are aware of this traffic,
> > it is possible that a third party is either forging the source address
> > or executing an unauthorized scan from this machine.  If you suspect
> > the scan is being executed by an unauthorized third party, a trojan,
> > or a virus, please consult
> > http://www.cert.org/tech_tips/root_compromise.html.
> >
> > This address attempted to scan approximately 14 addresses on TCP/22.
> >
> > This is a violation of Verizon Business's acceptable use policy.
> > For further information, please consult:
> > http://global.mci.com/terms/a_u_p/.
> > A reply to this message is not required, but the activity above must
> > be stopped.  If you need to contact us about this issue, please reply
> > to this message leaving the ticket number in the subject line.
> >
> > Thank you
> >
> > Verizon Business Infrastructure/Network Security Team
> >
> > Sample of log entries:
> > 2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:43804,Dst IP 65.207.233.39:22,tcp
> > 2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:45311,Dst IP 65.207.233.36:22,tcp
> > 2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:45984,Dst IP 65.207.233.37:22,tcp
> > 2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:43804,Dst IP 65.207.233.39:22,tcp
> > 2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:45311,Dst IP 65.207.233.36:22,tcp
> > 2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:34200,Dst IP 65.207.233.32:22,tcp
> > 2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:47690,Dst IP 65.207.233.33:22,tcp
> > 2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:43402,Dst IP 65.207.233.35:22,tcp
> > 2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:49152,Dst IP 65.207.233.40:22,tcp
> > 2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:47440,Dst IP 65.207.233.41:22,tcp
> >
> >
> 
> 
> 

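The triage Andrew sketches at the top of the thread (log outgoing port 22 connections, attribute each one to an internal address, then match that address against the DHCP leases in force at the time) is what a defender actually does with a report like Verizon's. The script below is an added example, not code from this thread or from any of the companies in it. It parses the report's sample lines in the format quoted above and walks them back through a firewall NAT log and a DHCP lease log; those two log formats, the 10.1.2.x internal addresses, the MAC addresses and the hostnames are constructed for illustration and stand in for whatever the real firewall and DHCP server emit.

```python
# Added example, not code from this thread: triage a provider abuse report against
# local NAT and DHCP logs. Report line format is Verizon's, as quoted above; the NAT
# log, lease log, internal addresses, MACs and hostnames are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# A subset of the sample entries quoted in the report (note the repeated line).
REPORT = """\
2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:43804,Dst IP 65.207.233.39:22,tcp
2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:45311,Dst IP 65.207.233.36:22,tcp
2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:45984,Dst IP 65.207.233.37:22,tcp
2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:43804,Dst IP 65.207.233.39:22,tcp
2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:34200,Dst IP 65.207.233.32:22,tcp
2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:43402,Dst IP 65.207.233.35:22,tcp
2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:47440,Dst IP 65.207.233.41:22,tcp
"""
# Constructed firewall NAT log: internal source -> translated source -> destination.
NAT_LOG = """\
2008-04-23T04:09:04Z nat tcp 10.1.2.34:55213 -> 66.201.51.69:43804 -> 65.207.233.39:22
2008-04-23T04:09:04Z nat tcp 10.1.2.34:55214 -> 66.201.51.69:45311 -> 65.207.233.36:22
2008-04-23T04:09:05Z nat tcp 10.1.2.34:55215 -> 66.201.51.69:45984 -> 65.207.233.37:22
2008-04-23T04:09:05Z nat tcp 10.1.2.34:55216 -> 66.201.51.69:34200 -> 65.207.233.32:22
2008-04-23T04:09:06Z nat tcp 10.1.2.57:41002 -> 66.201.51.69:43402 -> 65.207.233.35:22
"""
# Constructed DHCP lease log: when each internal address was handed to which machine.
LEASES = """\
2008-04-22T09:00:00Z lease 10.1.2.34 00:1c:23:00:00:03 ws-eng-003
2008-04-23T03:40:12Z lease 10.1.2.34 00:1c:23:00:00:17 ws-eng-017
2008-04-23T04:30:00Z lease 10.1.2.57 00:1c:23:00:00:42 ws-eng-042
"""

ABUSE_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC,Src IP (?P<src>[\d.]+):(?P<sport>\d+),"
    r"Dst IP (?P<dst>[\d.]+):(?P<dport>\d+),\w+$")
NAT_LINE = re.compile(
    r"^(?P<ts>\S+) nat \w+ (?P<int_ip>[\d.]+):\d+ -> "
    r"(?P<ext_ip>[\d.]+):(?P<ext_port>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
LEASE_LINE = re.compile(r"^(?P<ts>\S+) lease (?P<ip>[\d.]+) (?P<mac>\S+) (?P<host>\S+)$")


def _utc(ts, fmt):
    return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)


def _matches(text, pattern):
    """Yield the named groups of every line that matches; other lines are skipped."""
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if m:
            yield m.groupdict()


def parse_report(text):
    return [{"ts": _utc(d["ts"], "%Y-%m-%d %H:%M:%S"), "src": d["src"], "sport": int(d["sport"]),
             "dst": d["dst"], "dport": int(d["dport"])} for d in _matches(text, ABUSE_LINE)]


def summarize(events):
    """Distinct targets, ports and time window: what the report actually evidences."""
    return {"events": len(events), "distinct_dsts": len({e["dst"] for e in events}),
            "dports": sorted({e["dport"] for e in events}),
            "first": min(e["ts"] for e in events), "last": max(e["ts"] for e in events)}


def parse_nat(text):
    """Index translations by (external ip, external port, dst ip, dst port)."""
    index = defaultdict(list)
    for d in _matches(text, NAT_LINE):
        key = (d["ext_ip"], int(d["ext_port"]), d["dst"], int(d["dport"]))
        index[key].append((_utc(d["ts"], "%Y-%m-%dT%H:%M:%SZ"), d["int_ip"]))
    return index


def parse_leases(text):
    """ip -> [(lease time, mac, hostname)]."""
    leases = defaultdict(list)
    for d in _matches(text, LEASE_LINE):
        leases[d["ip"]].append((_utc(d["ts"], "%Y-%m-%dT%H:%M:%SZ"), d["mac"], d["host"]))
    return leases


def lease_at(leases, ip, when):
    """(mac, host) holding ip at `when`, i.e. the latest lease issued at or before it."""
    earlier = [entry for entry in leases.get(ip, []) if entry[0] <= when]
    return max(earlier)[1:] if earlier else None


def attribute(events, nat, leases, slack=timedelta(seconds=60)):
    """Walk each reported connection back to an internal host; never guess on a miss."""
    hits = defaultdict(lambda: {"connections": 0, "hosts": set()})
    unmatched = 0
    for e in events:
        key = (e["src"], e["sport"], e["dst"], e["dport"])
        # The provider's clock and ours will not agree exactly, hence the slack window.
        found = [ip for ts, ip in nat.get(key, []) if abs(ts - e["ts"]) <= slack]
        if not found:
            unmatched += 1
            continue
        hits[found[0]]["connections"] += 1
        lease = lease_at(leases, found[0], e["ts"])
        hits[found[0]]["hosts"].add(lease[1] if lease else "<no lease at that time>")
    return dict(hits), unmatched


def triage():
    events = parse_report(REPORT)
    hits, unmatched = attribute(events, parse_nat(NAT_LOG), parse_leases(LEASES))
    return summarize(events), hits, unmatched
```

`triage()` returns three things worth reading side by side: the summary (compare `distinct_dsts` with the provider's "approximately 14 addresses" figure, since the sample repeats lines), the per-internal-host attribution, and the count of report lines that matched nothing in the NAT log. A nonzero unmatched count means either the firewall is not logging every outbound translation or the report's clock is further off than the 60 second slack allows; it is reported rather than papered over. The lease lookup deliberately returns a placeholder when the DHCP log has no lease for that address at that moment, as with 10.1.2.57 in the constructed data, because attributing a connection to whoever held the address later is exactly the mistake this step exists to avoid.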