309 lines
8.3 KiB
Plaintext
309 lines
8.3 KiB
Plaintext
|
|
|
|
|
|
# Additional networks I encountered
|
|
|
|
# We have blocked someone from your IP space for abuse. Reason: Port Scanning. Log lines are below. Time zone is UTC.
|
|
# I am writing to inform you so that you can take whatever action is necessary to prevent this user from doing this again.
|
|
# Please note, replies to this address will not be monitored. If you need more information, please email it-incident@iu.edu.
|
|
# Thank you,
|
|
# University Information Security Office
|
|
# Indiana University
|
|
149.165.128.0/17
|
|
192.12.206.0/24
|
|
|
|
|
|
|
|
# Downloaded from https://raw.githubusercontent.com/robertdavidgraham/masscan/master/data/exclude.conf
|
|
|
|
# http://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
|
|
# http://tools.ietf.org/html/rfc5735
|
|
# "This" network
|
|
0.0.0.0/8
|
|
# Private networks
|
|
10.0.0.0/8
|
|
# Carrier-grade NAT - RFC 6598
|
|
100.64.0.0/10
|
|
# Host loopback
|
|
127.0.0.0/8
|
|
# Link local
|
|
169.254.0.0/16
|
|
# Private networks
|
|
172.16.0.0/12
|
|
# IETF Protocol Assignments
|
|
192.0.0.0/24
|
|
# DS-Lite
|
|
192.0.0.0/29
|
|
# NAT64
|
|
192.0.0.170/32
|
|
# DNS64
|
|
192.0.0.171/32
|
|
# Documentation (TEST-NET-1)
|
|
192.0.2.0/24
|
|
# 6to4 Relay Anycast
|
|
192.88.99.0/24
|
|
# Private networks
|
|
192.168.0.0/16
|
|
# Benchmarking
|
|
198.18.0.0/15
|
|
# Documentation (TEST-NET-2)
|
|
198.51.100.0/24
|
|
# Documentation (TEST-NET-3)
|
|
203.0.113.0/24
|
|
# Reserved
|
|
240.0.0.0/4
|
|
# Limited Broadcast
|
|
255.255.255.255/32
|
|
|
|
|
|
#Received: from elbmasnwh002.us-ct-eb01.gdeb.com ([153.11.13.41]
|
|
# helo=ebsmtp.gdeb.com) by mx1.gd-ms.com with esmtp (Exim 4.76) (envelope-from
|
|
# <bmandes@gdeb.com>) id 1VS55c-0004qL-0F for support@erratasec.com; Fri, 04
|
|
# Oct 2013 09:06:40 -0400
|
|
#To: <support@erratasec.com>
|
|
#CC: <ebsoc@gdeb.com>
|
|
#Subject: Scanning and Probing our network
|
|
#From: Robert Mandes <bmandes@gdeb.com>
|
|
#Date: Fri, 4 Oct 2013 09:06:36 -0400
|
|
#
|
|
#Stop scanning and probing our network, 153.11.0.0/16. We are a defense
|
|
#contractor and report to Federal law enforcement authorities when scans
|
|
#and probes are directed at our network. I assume you don't want to be
|
|
#part of that report. Please permanently remove our network range from
|
|
#your current and future research.
|
|
#
|
|
#Thank you
|
|
#
|
|
#Robert Mandes
|
|
#Information Security Officer
|
|
#General Dynamics
|
|
#Electric Boat
|
|
#
|
|
#C 860-625-0605
|
|
#P 860-433-1553
|
|
|
|
153.11.0.0/16
|
|
|
|
|
|
|
|
|
|
#Date: Mon, 7 Oct 2013 17:25:41 -0700
|
|
#Subject: Re: please stop the attack to our router
|
|
#From: Di Li <di@egihosting.com>
|
|
#
|
|
#Make sure you stop the scan immediately, that's not OK for any company or
|
|
#organization scan our network at all.
|
|
#
|
|
#If you fail to do that we will block whole traffic from ASN 10439, and we
|
|
#will fail a police report after that.
|
|
#
|
|
#Let me know when you stop, since we still receive the attack from you, and
|
|
#by the way your scan are not going anywhere, it's was dropped from our edge
|
|
#since the first 5 scan
|
|
#
|
|
#Oct 7 17:17:32:I:SNMP: Auth. failure, intruder IP: 209.126.230.72
|
|
#...
|
|
#Oct 7 16:55:27:I:SNMP: Auth. failure, intruder IP: 209.126.230.72
|
|
#
|
|
#Di
|
|
|
|
4.53.201.0/24
|
|
5.152.179.0/24
|
|
8.12.162.0-8.12.164.255
|
|
8.14.84.0/22
|
|
8.14.145.0-8.14.147.255
|
|
8.17.250.0-8.17.252.255
|
|
23.27.0.0/16
|
|
23.231.128.0/17
|
|
37.72.172.0/23
|
|
38.72.200.0/22
|
|
50.93.192.0-50.93.197.255
|
|
50.115.128.0/20
|
|
50.117.0.0/17
|
|
50.118.128.0/17
|
|
63.141.222.0/24
|
|
64.62.253.0/24
|
|
64.92.96.0/19
|
|
64.145.79.0/24
|
|
64.145.82.0/23
|
|
64.158.146.0/23
|
|
65.49.24.0/24
|
|
65.49.93.0/24
|
|
65.162.192.0/22
|
|
66.79.160.0/19
|
|
66.160.191.0/24
|
|
68.68.96.0/20
|
|
69.46.64.0/19
|
|
69.176.80.0/20
|
|
72.13.80.0/20
|
|
72.52.76.0/24
|
|
74.82.43.0/24
|
|
74.82.160.0/19
|
|
74.114.88.0/22
|
|
74.115.0.0/24
|
|
74.115.2.0/24
|
|
74.115.4.0/24
|
|
74.122.100.0/22
|
|
75.127.0.0/24
|
|
103.251.91.0/24
|
|
108.171.32.0/24
|
|
108.171.42.0/24
|
|
108.171.52.0/24
|
|
108.171.62.0/24
|
|
118.193.78.0/23
|
|
130.93.16.0/23
|
|
136.0.0.0/16
|
|
142.111.0.0/16
|
|
142.252.0.0/16
|
|
146.82.55.93
|
|
149.54.136.0/21
|
|
149.54.152.0/21
|
|
166.88.0.0/16
|
|
172.252.0.0/16
|
|
173.245.64.0/19
|
|
173.245.194.0/23
|
|
173.245.220.0/22
|
|
173.252.192.0/18
|
|
178.18.16.0/22
|
|
178.18.26.0-178.18.29.255
|
|
183.182.22.0/24
|
|
192.92.114.0/24
|
|
192.155.160.0/19
|
|
192.177.0.0/16
|
|
192.186.0.0/18
|
|
192.249.64.0/20
|
|
192.250.240.0/20
|
|
194.110.214.0/24
|
|
198.12.120.0-198.12.122.255
|
|
198.144.240.0/20
|
|
199.33.120.0/24
|
|
199.33.124.0/22
|
|
199.48.147.0/24
|
|
199.68.196.0/22
|
|
199.127.240.0/21
|
|
199.187.168.0/22
|
|
199.188.238.0/23
|
|
199.255.208.0/24
|
|
203.12.6.0/24
|
|
204.13.64.0/21
|
|
204.16.192.0/21
|
|
204.19.238.0/24
|
|
204.74.208.0/20
|
|
205.159.189.0/24
|
|
205.164.0.0/18
|
|
205.209.128.0/18
|
|
206.108.52.0/23
|
|
206.165.4.0/24
|
|
208.77.40.0/21
|
|
208.80.4.0/22
|
|
208.123.223.0/24
|
|
209.51.185.0/24
|
|
209.54.48.0/20
|
|
209.107.192.0/23
|
|
209.107.210.0/24
|
|
209.107.212.0/24
|
|
211.156.110.0/23
|
|
216.83.33.0-216.83.49.255
|
|
216.83.51.0-216.83.63.255
|
|
216.151.183.0/24
|
|
216.151.190.0/23
|
|
216.172.128.0/19
|
|
216.185.36.0/24
|
|
216.218.233.0/24
|
|
216.224.112.0/20
|
|
|
|
#Received: from [194.77.40.242] (HELO samba.agouros.de)
|
|
# for abuse@erratasec.com; Sat, 12 Oct 2013 09:55:35 -0500
|
|
#Received: from rumba.agouros.de (rumba-internal [192.168.8.1]) by
|
|
# samba.agouros.de (Postfix) with ESMTPS id 9055FBAD1D for
|
|
# <abuse@erratasec.com>; Sat, 12 Oct 2013 16:55:32 +0200 (CEST)
|
|
#Received: from rumba.agouros.de (localhost [127.0.0.1]) by rumba.agouros.de
|
|
# (Postfix) with ESMTP id 7B5DD206099 for <abuse@erratasec.com>; Sat, 12 Oct
|
|
# 2013 16:55:32 +0200 (CEST)
|
|
#Received: from localhost.localdomain (localhost [127.0.0.1]) by
|
|
# rumba.agouros.de (Postfix) with ESMTP id 5FBC420601D for
|
|
# <abuse@erratasec.com>; Sat, 12 Oct 2013 16:55:32 +0200 (CEST)
|
|
#To: <abuse@erratasec.com>
|
|
#Subject: Loginattempts from Your net
|
|
#Message-ID: <20131012145532.5FBC420601D@rumba.agouros.de>
|
|
#Date: Sat, 12 Oct 2013 16:55:32 +0200
|
|
#From: <elwood@agouros.de>
|
|
#
|
|
#The address 209.126.230.72 from Your network tried to log in to
|
|
#our network using Port 22 (1)/tcp. Below You will find a listing of the dates and
|
|
#times the incidents occured as well as the attacked IP-Addresses.
|
|
#This is a matter of concern for us and continued tries might result in
|
|
#legal action. If the machine was victim to a hack take it offline, repair
|
|
#the damage and use better protection next time.
|
|
#The times included are in Central European (Summer) Time.
|
|
#Date Sourceip port destips
|
|
#
|
|
#07.10.2013 22:34:40 CEST 209.126.230.72 22 194.77.40.242 (1)
|
|
#08.10.2013 01:44:15 CEST 209.126.230.72 22 194.77.40.246 (1)
|
|
#
|
|
#Regards,
|
|
#Konstantin Agouros
|
|
|
|
194.77.40.242
|
|
194.77.40.246
|
|
|
|
|
|
|
|
#Received: from [165.160.9.58] (HELO mx2.cscinfo.com)
|
|
#X-Virus-Scanned: amavisd-new at cscinfo.com
|
|
#Received: from mx2.cscinfo.com ([127.0.0.1]) by localhost
|
|
# (plmail02.wil.csc.local [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id
|
|
# GGQ7EiQaK2P0 for <protodev@erratasec.com>; Wed, 30 Oct 2013 09:26:00 -0400
|
|
# (EDT)
|
|
#Received: from casarray.cscinfo.com (pwmailch02.cscinfo.com [172.20.53.94]) by
|
|
# mx2.cscinfo.com (Postfix) with ESMTPS id 4BA5E58170 for
|
|
# <protodev@erratasec.com>; Wed, 30 Oct 2013 09:26:00 -0400 (EDT)
|
|
#Received: from PWMAILM02.cscinfo.com ([169.254.7.52]) by
|
|
# PWMAILCH02.cscinfo.com ([172.20.53.94]) with mapi id 14.02.0247.003; Wed, 30
|
|
# Oct 2013 09:26:00 -0400
|
|
#From: "Derksen, Bill" <bderksen@cscinfo.com>
|
|
#Subject: Unauthorized Scanning
|
|
#Date: Wed, 30 Oct 2013 13:25:59 +0000
|
|
#Message-ID: <1F80316A0C861F40A9A88F18465F138E01EF885F@PWMAILM02.cscinfo.com>
|
|
#x-originating-ip: [172.31.252.72]
|
|
#
|
|
#We have detected unauthorized activity from your systems on our public netw=
|
|
#ork. Please suspend scanning of our networks immediately.
|
|
#
|
|
#Our network block is 165.160/16
|
|
#
|
|
#Further scanning will result in reports of unauthorized activity being file=
|
|
#d with law enforcement agencies.
|
|
#
|
|
#Corporation Service Company
|
|
#
|
|
#
|
|
#
|
|
#________________________________
|
|
#
|
|
#NOTICE: This e-mail and any attachments is intended only for use by the add=
|
|
#ressee(s) named herein and may contain legally privileged, proprietary or c=
|
|
#onfidential information. If you are not the intended recipient of this e-ma=
|
|
#il, you are hereby notified that any dissemination, distribution or copying=
|
|
# of this email, and any attachments thereto, is strictly prohibited. If you=
|
|
# receive this email in error please immediately notify me via reply email o=
|
|
#r at (800) 927-9800 and permanently delete the original copy and any copy o=
|
|
#f any e-mail, and any printout.
|
|
|
|
165.160.0.0/16
|
|
|
|
#******************************
|
|
#Greetings from the IT Security Team at Utah State University.
|
|
#
|
|
#We have detected network activity that might be suspicious or
|
|
#malicious. We think it might be sourced from your network. We
|
|
#include IP Addresses as well as description, log snippets, and
|
|
#other useful information.
|
|
#
|
|
#Please review this information or forward to the responsible person.
|
|
129.123.0.0/16
|
|
144.39.0.0/16
|
|
204.113.91.0/24
|
|
|
|
|