Date: Thu, 24 Apr 2008 18:18:14 -0700
From: Andrew Sharp <andy.sharp@onstor.com>
To: "Brian Baker" <brian.baker@onstor.com>
Cc: "Trung Truong" <ttruong@onstor.com>
Subject: Re: Network Scan [Fwd: Re: (b2932152)Network scan from
 66.201.51.69]
Message-ID: <20080424181814.5eba0253@ripper.onstor.net>
In-Reply-To: <BB375AF679D4A34E9CA8DFA650E2B04E099E0EDA@onstor-exch02.onstor.net>
References: <BB375AF679D4A34E9CA8DFA650E2B04E099E0EDA@onstor-exch02.onstor.net>
Organization: Onstor
X-Mailer: Sylpheed-Claws 2.6.0 (GTK+ 2.8.20; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Oh #@%!& I just noticed that's our ssh gateway machine.  Hmm, I guess
I'll have to do my random nmapping of internet addresses from inside
the firewall from now on ~:^)

Kind of strange, actually.  Is that machine used for anything besides
incoming ssh traffic?  Could conceivably have been a DNS error or even a
typing error by someone.  Does anyone other than me use it?

a


On Thu, 24 Apr 2008 16:29:01 -0700 "Brian Baker"
<brian.baker@onstor.com> wrote:

> Someone tried to ssh to a couple addresses on the Verizon network. The
> crybabies took it as a port scan. Let's make sure we are not running
> nessus, nmap or any other port scan utils from this system.
> 
> -----Original Message-----
> From: Phillip Lossing [mailto:Phillip@FiberInternetCenter.com] 
> Sent: Thursday, April 24, 2008 4:21 PM
> To: Brian Baker
> Cc: secmbox3@verizonbusiness.com; noc@fiberinternetcenter.com
> Subject: Network Scan [Fwd: Re: (b2932152)Network scan from
> 66.201.51.69]
> 
> Hi Brian,
> 
> We received word from Verizon of a network scan that appears to
> originate from Onstor's corporate network. Please see the original
> email below.  I know we've never had any issues with Onstor in the
> past, so there is the possibility of a trojan or virus. If you could
> please check into this we would appreciate it.
> 
> Thank you,
> 
> Phillip Lossing
> Fiber Internet Center
> 
> 
> > We detected a scan of part of the Verizon Business Public IP network
> > which appears to have originated from the source address 66.201.51.69.
> > The scanning began at approximately 2008-04-23 04:09:05 UTC.  If
> > neither you nor the owner of this address are aware of this traffic, it
> > is possible that a third party is either forging the source address or
> > executing an unauthorized scan from this machine.  If you suspect the
> > scan is being executed by an unauthorized third party, a trojan, or a
> > virus, please consult
> > http://www.cert.org/tech_tips/root_compromise.html.
> >
> > This address attempted to scan approximately 14 addresses on TCP/22.
> >
> > This is a violation of Verizon Business's acceptable use policy.
> > For further information, please consult:
> > http://global.mci.com/terms/a_u_p/.
> > A reply to this message is not required, but the activity above must
> > be stopped.  If you need to contact us about this issue, please reply
> > to this message leaving the ticket number in the subject line.
> >
> > Thank you
> >
> > Verizon Business Infrastructure/Network Security Team
> >
> > Sample of log entries:
> > 2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:43804,Dst IP 65.207.233.39:22,tcp
> > 2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:45311,Dst IP 65.207.233.36:22,tcp
> > 2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:45984,Dst IP 65.207.233.37:22,tcp
> > 2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:43804,Dst IP 65.207.233.39:22,tcp
> > 2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:45311,Dst IP 65.207.233.36:22,tcp
> > 2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:34200,Dst IP 65.207.233.32:22,tcp
> > 2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:47690,Dst IP 65.207.233.33:22,tcp
> > 2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:43402,Dst IP 65.207.233.35:22,tcp
> > 2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:49152,Dst IP 65.207.233.40:22,tcp
> > 2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:47440,Dst IP 65.207.233.41:22,tcp
> >
> >
> 
> 
> 
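Added example, not part of the original thread and not Verizon's own detection logic: a parser for the log format in the quoted report that counts distinct destination hosts per source address and destination port, which is the pattern the report describes as a scan. The `min_hosts` threshold and 60-second `window` are assumptions chosen for illustration; the sample entries are the ten from the report, one entry per line.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Entry format used in the log sample of the abuse report quoted above.
LINE_RE = re.compile(
    r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC,"
    r"Src IP ([\d.]+):(\d+),Dst IP ([\d.]+):(\d+),(\w+)")

# The ten sample entries from the report, one entry per line.
SAMPLE = """\
2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:43804,Dst IP 65.207.233.39:22,tcp
2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:45311,Dst IP 65.207.233.36:22,tcp
2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:45984,Dst IP 65.207.233.37:22,tcp
2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:43804,Dst IP 65.207.233.39:22,tcp
2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:45311,Dst IP 65.207.233.36:22,tcp
2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:34200,Dst IP 65.207.233.32:22,tcp
2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:47690,Dst IP 65.207.233.33:22,tcp
2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:43402,Dst IP 65.207.233.35:22,tcp
2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:49152,Dst IP 65.207.233.40:22,tcp
2008-04-23 04:09:05 UTC,Src IP 66.201.51.69:47440,Dst IP 65.207.233.41:22,tcp
"""

def parse(text):
    """Yield (time, src_ip, dst_ip, dst_port) per entry; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)  # search() tolerates a "> > " quote prefix
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(4), int(m.group(5))

def horizontal_scans(text, min_hosts=5, window=timedelta(seconds=60)):
    """Map (src_ip, dst_port) to the most distinct hosts hit inside one window."""
    seen = defaultdict(set)
    for ts, src, dst, dport in parse(text):
        seen[(src, dport)].add((ts, dst))  # the set collapses repeated entries
    hits = {}
    for key, events in seen.items():
        events = sorted(events)
        best = 0
        for i, (start, _) in enumerate(events):
            best = max(best, len({d for t, d in events[i:] if t - start <= window}))
        if best >= min_hosts:  # assumed threshold, tune per network
            hits[key] = best
    return hits

if __name__ == "__main__":
    print(horizontal_scans(SAMPLE))
```

On the ten sample entries this reports eight distinct destinations on port 22, because two entries are repeats of earlier ones.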
