# Additional networks I encountered

# We have blocked someone from your IP space for abuse. Reason: Port Scanning. Log lines are below. Time zone is UTC.
# I am writing to inform you so that you can take whatever action is necessary to prevent this user from doing this again.
# Please note, replies to this address will not be monitored. If you need more information, please email it-incident@iu.edu.
# Thank you,
# University Information Security Office
# Indiana University
149.165.128.0/17
192.12.206.0/24

# Downloaded from https://raw.githubusercontent.com/robertdavidgraham/masscan/master/data/exclude.conf
# http://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
# http://tools.ietf.org/html/rfc5735
# "This" network
0.0.0.0/8
# Private networks
10.0.0.0/8
# Carrier-grade NAT - RFC 6598
100.64.0.0/10
# Host loopback
127.0.0.0/8
# Link local
169.254.0.0/16
# Private networks
172.16.0.0/12
# IETF Protocol Assignments
192.0.0.0/24
# DS-Lite
192.0.0.0/29
# NAT64
192.0.0.170/32
# DNS64
192.0.0.171/32
# Documentation (TEST-NET-1)
192.0.2.0/24
# 6to4 Relay Anycast
192.88.99.0/24
# Private networks
192.168.0.0/16
# Benchmarking
198.18.0.0/15
# Documentation (TEST-NET-2)
198.51.100.0/24
# Documentation (TEST-NET-3)
203.0.113.0/24
# Reserved
240.0.0.0/4
# Limited Broadcast
255.255.255.255/32

#Received: from elbmasnwh002.us-ct-eb01.gdeb.com ([153.11.13.41]
# helo=ebsmtp.gdeb.com) by mx1.gd-ms.com with esmtp (Exim 4.76) (envelope-from
# ) id 1VS55c-0004qL-0F for support@erratasec.com; Fri, 04
# Oct 2013 09:06:40 -0400
#To:
#CC:
#Subject: Scanning and Probing our network
#From: Robert Mandes
#Date: Fri, 4 Oct 2013 09:06:36 -0400
#
#Stop scanning and probing our network, 153.11.0.0/16. We are a defense
#contractor and report to Federal law enforcement authorities when scans
#and probes are directed at our network. I assume you don't want to be
#part of that report.
#Please permanently remove our network range from
#your current and future research.
#
#Thank you
#
#Robert Mandes
#Information Security Officer
#General Dynamics
#Electric Boat
#
#C 860-625-0605
#P 860-433-1553
153.11.0.0/16

#Date: Mon, 7 Oct 2013 17:25:41 -0700
#Subject: Re: please stop the attack to our router
#From: Di Li
#
#Make sure you stop the scan immediately, that's not OK for any company or
#organization scan our network at all.
#
#If you fail to do that we will block whole traffic from ASN 10439, and we
#will fail a police report after that.
#
#Let me know when you stop, since we still receive the attack from you, and
#by the way your scan are not going anywhere, it's was dropped from our edge
#since the first 5 scan
#
#Oct 7 17:17:32:I:SNMP: Auth. failure, intruder IP: 209.126.230.72
#...
#Oct 7 16:55:27:I:SNMP: Auth. failure, intruder IP: 209.126.230.72
#
#Di
4.53.201.0/24
5.152.179.0/24
8.12.162.0-8.12.164.255
8.14.84.0/22
8.14.145.0-8.14.147.255
8.17.250.0-8.17.252.255
23.27.0.0/16
23.231.128.0/17
37.72.172.0/23
38.72.200.0/22
50.93.192.0-50.93.197.255
50.115.128.0/20
50.117.0.0/17
50.118.128.0/17
63.141.222.0/24
64.62.253.0/24
64.92.96.0/19
64.145.79.0/24
64.145.82.0/23
64.158.146.0/23
65.49.24.0/24
65.49.93.0/24
65.162.192.0/22
66.79.160.0/19
66.160.191.0/24
68.68.96.0/20
69.46.64.0/19
69.176.80.0/20
72.13.80.0/20
72.52.76.0/24
74.82.43.0/24
74.82.160.0/19
74.114.88.0/22
74.115.0.0/24
74.115.2.0/24
74.115.4.0/24
74.122.100.0/22
75.127.0.0/24
103.251.91.0/24
108.171.32.0/24
108.171.42.0/24
108.171.52.0/24
108.171.62.0/24
118.193.78.0/23
130.93.16.0/23
136.0.0.0/16
142.111.0.0/16
142.252.0.0/16
146.82.55.93
149.54.136.0/21
149.54.152.0/21
166.88.0.0/16
172.252.0.0/16
173.245.64.0/19
173.245.194.0/23
173.245.220.0/22
173.252.192.0/18
178.18.16.0/22
178.18.26.0-178.18.29.255
183.182.22.0/24
192.92.114.0/24
192.155.160.0/19
192.177.0.0/16
192.186.0.0/18
192.249.64.0/20
192.250.240.0/20
194.110.214.0/24
198.12.120.0-198.12.122.255
198.144.240.0/20
199.33.120.0/24
199.33.124.0/22
199.48.147.0/24
199.68.196.0/22
199.127.240.0/21
199.187.168.0/22
199.188.238.0/23
199.255.208.0/24
203.12.6.0/24
204.13.64.0/21
204.16.192.0/21
204.19.238.0/24
204.74.208.0/20
205.159.189.0/24
205.164.0.0/18
205.209.128.0/18
206.108.52.0/23
206.165.4.0/24
208.77.40.0/21
208.80.4.0/22
208.123.223.0/24
209.51.185.0/24
209.54.48.0/20
209.107.192.0/23
209.107.210.0/24
209.107.212.0/24
211.156.110.0/23
216.83.33.0-216.83.49.255
216.83.51.0-216.83.63.255
216.151.183.0/24
216.151.190.0/23
216.172.128.0/19
216.185.36.0/24
216.218.233.0/24
216.224.112.0/20

#Received: from [194.77.40.242] (HELO samba.agouros.de)
# for abuse@erratasec.com; Sat, 12 Oct 2013 09:55:35 -0500
#Received: from rumba.agouros.de (rumba-internal [192.168.8.1]) by
# samba.agouros.de (Postfix) with ESMTPS id 9055FBAD1D for
# ; Sat, 12 Oct 2013 16:55:32 +0200 (CEST)
#Received: from rumba.agouros.de (localhost [127.0.0.1]) by rumba.agouros.de
# (Postfix) with ESMTP id 7B5DD206099 for ; Sat, 12 Oct
# 2013 16:55:32 +0200 (CEST)
#Received: from localhost.localdomain (localhost [127.0.0.1]) by
# rumba.agouros.de (Postfix) with ESMTP id 5FBC420601D for
# ; Sat, 12 Oct 2013 16:55:32 +0200 (CEST)
#To:
#Subject: Loginattempts from Your net
#Message-ID: <20131012145532.5FBC420601D@rumba.agouros.de>
#Date: Sat, 12 Oct 2013 16:55:32 +0200
#From:
#
#The address 209.126.230.72 from Your network tried to log in to
#our network using Port 22 (1)/tcp. Below You will find a listing of the dates and
#times the incidents occurred as well as the attacked IP-Addresses.
#This is a matter of concern for us and continued tries might result in
#legal action. If the machine was victim to a hack take it offline, repair
#the damage and use better protection next time.
#The times included are in Central European (Summer) Time.
#Date Sourceip port destips
#
#07.10.2013 22:34:40 CEST 209.126.230.72 22 194.77.40.242 (1)
#08.10.2013 01:44:15 CEST 209.126.230.72 22 194.77.40.246 (1)
#
#Regards,
#Konstantin Agouros
194.77.40.242
194.77.40.246

#Received: from [165.160.9.58] (HELO mx2.cscinfo.com)
#X-Virus-Scanned: amavisd-new at cscinfo.com
#Received: from mx2.cscinfo.com ([127.0.0.1]) by localhost
# (plmail02.wil.csc.local [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id
# GGQ7EiQaK2P0 for ; Wed, 30 Oct 2013 09:26:00 -0400
# (EDT)
#Received: from casarray.cscinfo.com (pwmailch02.cscinfo.com [172.20.53.94]) by
# mx2.cscinfo.com (Postfix) with ESMTPS id 4BA5E58170 for
# ; Wed, 30 Oct 2013 09:26:00 -0400 (EDT)
#Received: from PWMAILM02.cscinfo.com ([169.254.7.52]) by
# PWMAILCH02.cscinfo.com ([172.20.53.94]) with mapi id 14.02.0247.003; Wed, 30
# Oct 2013 09:26:00 -0400
#From: "Derksen, Bill"
#Subject: Unauthorized Scanning
#Date: Wed, 30 Oct 2013 13:25:59 +0000
#Message-ID: <1F80316A0C861F40A9A88F18465F138E01EF885F@PWMAILM02.cscinfo.com>
#x-originating-ip: [172.31.252.72]
#
#We have detected unauthorized activity from your systems on our public
#network. Please suspend scanning of our networks immediately.
#
#Our network block is 165.160/16
#
#Further scanning will result in reports of unauthorized activity being
#filed with law enforcement agencies.
#
#Corporation Service Company
#
#________________________________
#
#NOTICE: This e-mail and any attachments is intended only for use by the
#addressee(s) named herein and may contain legally privileged, proprietary or
#confidential information. If you are not the intended recipient of this
#e-mail, you are hereby notified that any dissemination, distribution or
#copying of this email, and any attachments thereto, is strictly prohibited.
#If you receive this email in error please immediately notify me via reply
#email or at (800) 927-9800 and permanently delete the original copy and any
#copy of any e-mail, and any printout.
165.160.0.0/16

#******************************
#Greetings from the IT Security Team at Utah State University.
#
#We have detected network activity that might be suspicious or
#malicious. We think it might be sourced from your network. We
#include IP Addresses as well as description, log snippets, and
#other useful information.
#
#Please review this information or forward to the responsible person.
129.123.0.0/16
144.39.0.0/16
204.113.91.0/24