reverse.lstn.net

Discussion in 'other firewalls' started by CloneRanger, Oct 6, 2011.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Anybody seeing tons of daily inbounds from this IP ?

    I am & have been to multiple different Port #'s for ages !
     
  2. kerykeion

    kerykeion Registered Member

    Joined:
    Jun 30, 2010
    Posts:
    284
    Location:
    Philippines
    That IP's probably sniffing your IP for any open socks proxy port
     
  3. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    697
    Location:
    EU
    Infos.

    Rules.
     


  4. kner0

    kner0 Registered Member

    Joined:
    Oct 8, 2011
    Posts:
    15
    Yes I have!

    Code:
    Oct  7 22:21:28 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:8909 from 69.162.125.43:12200
    Oct  7 22:21:28 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:9090 from 69.162.125.43:12200
    Oct  7 22:21:28 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:8123 from 69.162.125.43:12200
    Oct  7 22:21:28 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:1080 from 69.162.125.43:12200
    Oct  7 22:21:29 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:8085 from 216.245.196.122:12200
    Oct  7 22:27:03 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:8085 from 58.218.199.227:12200
    Oct  7 22:27:03 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:8000 from 58.218.199.227:12200
    Oct  7 22:27:03 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:73 from 58.218.199.227:12200
    Oct  7 22:27:56 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:24182 from 173.201.143.5:80
    Oct  7 22:30:11 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:3389 from 211.44.250.196:6000
    Oct  7 22:31:39 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:8909 from 69.162.125.43:12200
    Oct  7 22:31:39 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:8123 from 69.162.125.43:12200
    Oct  7 22:41:52 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:8909 from 69.162.125.43:12200
    Oct  7 22:41:52 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:8085 from 69.162.125.43:12200
    Oct  7 22:41:52 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:1080 from 69.162.125.43:12200
    Oct  7 22:42:28 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to UDP 173.XX.XXX.XXX:59914 from 97.64.183.164:53
    Oct  7 22:43:13 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:1830 from 74.63.192.70:12200
    Oct  7 22:43:13 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:8123 from 74.63.192.70:12200
    Oct  7 22:43:13 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:2301 from 74.63.192.70:12200
    Oct  7 22:43:54 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:8085 from 216.245.196.122:12200
    Oct  7 22:43:54 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:8909 from 216.245.196.122:12200
    Oct  7 22:47:50 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:24182 from 122.224.5.57:80
    Oct  7 22:50:39 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:9415 from 58.218.199.250:12200
    Oct  7 22:50:39 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:73 from 58.218.199.250:12200
    Oct  7 22:50:39 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:6588 from 58.218.199.250:12200
    Oct  7 22:50:39 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:8080 from 58.218.199.250:12200
    Oct  7 22:50:39 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:80 from 58.218.199.250:12200
    Oct  7 22:51:15 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:27977 from 221.194.46.176:12200
    Oct  7 22:51:15 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:9000 from 221.194.46.176:12200
    Oct  7 22:51:46 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:8909 from 69.162.125.43:12200
    Oct  7 22:51:46 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:9090 from 69.162.125.43:12200
    Oct  7 22:51:46 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:8085 from 69.162.125.43:12200
    Oct  7 22:51:46 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:8123 from 69.162.125.43:12200
    Oct  7 22:57:42 173_XX-XXX-XXX Firewall[70]:  33300 Deny ICMP:8.0 173.XX.XXX.XXX 173.XX.XXX.XXX in via en0
    Oct  7 23:01:51 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:9090 from 69.162.125.43:12200
    Oct  7 23:01:51 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:8085 from 69.162.125.43:12200
    Oct  7 23:01:51 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:1080 from 69.162.125.43:12200
    Oct  7 23:06:18 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:8085 from 216.245.196.122:12200
    Oct  7 23:06:18 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:8909 from 216.245.196.122:12200
    Oct  7 23:09:15 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:1830 from 74.63.192.70:12200
    Oct  7 23:09:15 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:8123 from 74.63.192.70:12200
    Oct  7 23:09:15 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:2301 from 74.63.192.70:12200
    Oct  7 23:11:21 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:8909 from 69.162.125.43:12200
    Oct  7 23:11:21 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:9090 from 69.162.125.43:12200
    Oct  7 23:11:21 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:8085 from 69.162.125.43:12200
    
     
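A small parser for the Firewall[pid] "Stealth Mode" lines quoted above, added here as an example and not code from anyone in this thread: it groups dropped attempts by source address and flags sources that sweep several ports including known proxy ports (the open-proxy sniffing kerykeion suspected). The sample lines are constructed in the thread's own log format, and the proxy service names are assumed conventional defaults rather than something the thread established.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the Firewall[pid] "Stealth Mode" lines
# quoted in this thread (local host masked as in the posts; source addresses
# are the ones the posts name). The ICMP line shows a non-matching entry.
SAMPLE_LOG = """\
Oct  7 22:21:28 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:8909 from 69.162.125.43:12200
Oct  7 22:21:28 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:9090 from 69.162.125.43:12200
Oct  7 22:21:28 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:8123 from 69.162.125.43:12200
Oct  7 22:21:28 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:1080 from 69.162.125.43:12200
Oct  7 22:30:11 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:3389 from 211.44.250.196:6000
Oct  7 22:42:28 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to UDP 173.XX.XXX.XXX:59914 from 97.64.183.164:53
Oct  7 22:57:42 173_XX-XXX-XXX Firewall[70]:  33300 Deny ICMP:8.0 173.XX.XXX.XXX 173.XX.XXX.XXX in via en0
Oct  7 23:11:21 173_XX-XXX-XXX Firewall[70]: Stealth Mode connection attempt to TCP 173.XX.XXX.XXX:8085 from 69.162.125.43:12200
"""

# Default listener ports of common proxies (assumed conventional values; the
# thread itself only establishes 8123 = Polipo and 1080 = SOCKS).
PROXY_PORTS = {1080: "SOCKS", 3128: "Squid", 8080: "HTTP-alt", 8118: "Privoxy", 8123: "Polipo"}

STEALTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ Firewall\[\d+\]: "
    r"Stealth Mode connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[^\s:]+):(?P<dport>\d+) from (?P<src>[^\s:]+):(?P<sport>\d+)\s*$"
)

def parse_line(line):
    """Parse one Stealth Mode line; return None for other entries (e.g. 'Deny ICMP')."""
    m = STEALTH_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"], rec["sport"] = int(rec["dport"]), int(rec["sport"])
    return rec

def summarize(log_text):
    """Group dropped attempts by source: hit count, destination ports, source ports."""
    by_src = defaultdict(lambda: {"hits": 0, "ports": set(), "sports": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = by_src[rec["src"]]
        entry["hits"] += 1
        entry["ports"].add(rec["dport"])
        entry["sports"].add(rec["sport"])
    return dict(by_src)

def flag_proxy_scanners(by_src, min_ports=3):
    """Flag sources that sweep at least min_ports distinct ports and touch a known
    proxy port. fixed_sport notes a single source port across the sweep: normal
    clients take a fresh ephemeral port per connection, so a constant one (12200
    throughout this thread) is a scanner tell rather than ordinary traffic."""
    flagged = []
    for src, e in sorted(by_src.items()):
        hit_proxy = {p: PROXY_PORTS[p] for p in sorted(e["ports"]) if p in PROXY_PORTS}
        if len(e["ports"]) >= min_ports and hit_proxy:
            flagged.append({"src": src, "hits": e["hits"], "ports": sorted(e["ports"]),
                            "proxy_ports": hit_proxy, "fixed_sport": len(e["sports"]) == 1})
    return flagged

if __name__ == "__main__":
    for f in flag_proxy_scanners(summarize(SAMPLE_LOG)):
        print(f"{f['src']}: {f['hits']} attempts on {f['ports']}, proxy ports {f['proxy_ports']}, "
              f"fixed source port: {f['fixed_sport']}")
```

Feed it a real appfirewall log instead of SAMPLE_LOG and the flagged list is what you would attach to an abuse report: source, distinct ports swept, and which of them are proxy listeners.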
  5. kner0

    kner0 Registered Member

    Joined:
    Oct 8, 2011
    Posts:
    15
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ kerykeion

    I understand that ;) but this is almost non stop EVERY day :eek:

    @ Rules :thumb:

    @ kner0

    Not just me then !

    Not a lot we can do really, as long as our FW's are 100% blocking, as mine is, they can't get in :) I just don't understand why nobody in ISP & DataCentre land etc. has blocked them by now ?
     
  7. kner0

    kner0 Registered Member

    Joined:
    Oct 8, 2011
    Posts:
    15
    Interesting, I was considering setting up pf so that it would forward all those connection attempts into a honeypot. However, as you said, why in the world hasn't this been stopped yet? Just who are these people? How can they hack off this many techies and still not be A) arrested or B) compromised?
     
  8. kner0

    kner0 Registered Member

    Joined:
    Oct 8, 2011
    Posts:
    15
    I just figured out that port number 8123 is used by Polipo, a forwarding and caching proxy server and computer software daemon.

    I've had IPs connecting to that port bouncing off my wall. Do you have any other packets bouncing off your wall on known ports?

    http://en.wikipedia.org/wiki/Polipo

    Another strange one.

    http://ip-lookup.net/whois-ip?ip=184.154.156.10

    Code:
    10/10/11 12:14:11 AM	173-XX-XX-XXX	Stealth Mode connection attempt to TCP 173.XX.XX.XXX from 184.154.156.10:6000
     
    Last edited: Oct 10, 2011
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Good idea, don't let me stop you ;) Be interesting to see what you discover :thumb:

    Yeah, Polipo is used with TOR.

    All the time :D But I'm mainly interested in finding out what's going on with ALL the static.reverse.lstn.net probes etc. I'm seeing them now from

    43.125.162.69 (TCP Port 12200) to ME (TCP Port 8123)

    Reverse indeed ! I've been told Many times to ignore Reverse IP #'s as they are just "coincidences". Doesn't appear that way with this outfit !

    RE -http://www.singlehop.com

    So could be anyone using their services !
     
  10. kner0

    kner0 Registered Member

    Joined:
    Oct 8, 2011
    Posts:
    15
    Well, last night abuse@singlehop.com was eager to learn all that I had discovered lol. Now I think I have yet another team of engineers on this one.
     
  11. kner0

    kner0 Registered Member

    Joined:
    Oct 8, 2011
    Posts:
    15
    Okay, so I called Limestone Networks and talked to someone there who seemed to genuinely want to fix the situation after I directed him here to this forum. Now my logs look like this.

    This isn't fixed but things did improve.

    @ CloneRanger did this clean up your logs at all?

    Code:
    Tuesday, October 11, 2011 1:54:17 PM America/Chicago 
    Oct 11 13:56:39 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:8085 from 221.194.46.176:12200
    Oct 11 13:56:39 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:9090 from 221.194.46.176:12200
    Oct 11 14:01:04 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:9090 from 69.162.125.43:12200
    Oct 11 14:01:05 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:8085 from 216.245.196.122:12200
    Oct 11 14:01:05 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:8909 from 216.245.196.122:12200
    Oct 11 14:10:26 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:1830 from 74.63.192.70:12200
    Oct 11 14:10:26 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:8123 from 74.63.192.70:12200
    Oct 11 14:10:50 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:8909 from 69.162.125.43:12200
    Oct 11 14:10:50 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:9090 from 69.162.125.43:12200
    Oct 11 14:10:50 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:8085 from 69.162.125.43:12200
    Oct 11 14:10:50 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:1080 from 69.162.125.43:12200
    Oct 11 14:19:18 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:51989 from 112.65.245.205:80
    Oct 11 14:19:55 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:51989 from 112.65.245.205:80
    Oct 11 14:21:02 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:8909 from 69.162.125.43:12200
    Oct 11 14:21:02 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:9090 from 69.162.125.43:12200
    Oct 11 14:21:02 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:8085 from 69.162.125.43:12200
    Oct 11 14:21:02 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:8123 from 69.162.125.43:12200
    Oct 11 14:26:58 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to UDP 173.XX.XXX.XX:55841 from XXX.XX.XXX.XX:53
    Oct 11 14:27:05 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to UDP 173.XX.XXX.XX:60120 from XXX.XX.XXX.XX:53
    Oct 11 14:27:48 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:5900 from 93.84.115.184:9424
    Oct 11 14:30:47 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:8909 from 69.162.125.43:12200
    Oct 11 14:30:47 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:9090 from 69.162.125.43:12200
    Oct 11 14:30:47 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:8085 from 69.162.125.43:12200
    Oct 11 14:30:47 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:8123 from 69.162.125.43:12200
    Oct 11 14:30:47 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:1080 from 69.162.125.43:12200
    Oct 11 14:37:41 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to UDP 173.XX.XXX.XX:54999 from XXX.XX.XXX.XX:53
    Oct 11 14:40:29 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:1080 from 69.162.125.43:12200
    
     
  12. Ryan G Limestone

    Ryan G Limestone Registered Member

    Joined:
    Oct 11, 2011
    Posts:
    4
    @kner0 thanks for directing me to this forum and bringing attention to the hosts mentioned.

    *static.reverse.lstn.net is the default rDNS across all of our IP ranges.

    You should not see any further port scans from 69.162.125.43, 216.245.196.122, and 74.63.192.70. If you do please submit a report using the form on our website. This will get the attention of our abuse team faster than sending an e-mail to abuse@limestonenetworks.com

    208.115.219.10 is no longer assigned to a client of ours and is not being used.
     
  13. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    So i see :)

    :thumb:

    Well, sorta :D Today I'm only seeing attacks/probes etc from 69.162.125.43 from Port # 12200

    @ Ryan G Limestone

    Nice to know you are serious about sorting things out :thumb: How come I'm still getting that IP # even right now ?

    What is/was the source of these attacks, Spam/Bots/Malware etc ?
     
    Last edited: Oct 11, 2011
  14. Ryan G Limestone

    Ryan G Limestone Registered Member

    Joined:
    Oct 11, 2011
    Posts:
    4
    @CloneRanger there was an issue with the block I had put in place. It should be resolved now and you shouldn't see connection attempts. Sorry about that.

    I'm not sure what the cause is at the moment, but I have disabled the IPs until we are able to investigate it with our client and resolve it.
     
  15. kner0

    kner0 Registered Member

    Joined:
    Oct 8, 2011
    Posts:
    15
    No problem, thanks for your help and cooperation in solving this matter.
    Unfortunately, I still see scans coming from 69.162.125.43 and 74.63.192.70. But there are far fewer of them. But now there are others...
    Code:
     Tuesday, October 11, 2011 4:45:29 PM America/Chicago 
    Oct 11 16:48:39 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:8909 from 69.162.125.43:12200
    Oct 11 16:48:39 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:9090 from 69.162.125.43:12200
    Oct 11 16:48:45 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to UDP 173.XX.XXX.XX:64257 from XXX.XX.XXX.XX:53
    Oct 11 16:48:50 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:1830 from 74.63.192.70:12200
    Oct 11 16:48:51 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:8123 from 74.63.192.70:12200
    Oct 11 16:48:51 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:2301 from 74.63.192.70:12200
    Oct 11 16:54:23 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to UDP 173.XX.XXX.XX:65081 from XXX.XX.XXX.XX:53
    Oct 11 16:54:24 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to UDP 173.XX.XXX.XX:55823 from XXX.XX.XXX.XX:53
    Oct 11 16:54:24 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to UDP 173.XX.XXX.XX:64237 from XXX.XX.XXX.XX:53
    Oct 11 16:54:24 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to UDP 173.XX.XXX.XX:53694 from XXX.XX.XXX.XX:53
    Oct 11 16:54:24 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to UDP 173.XX.XXX.XX:58863 from XXX.XX.XXX.XX:53
    Oct 11 16:54:24: --- last message repeated 1 time ---
    Oct 11 16:54:24 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to UDP 173.XX.XXX.XX:61480 from XXX.XX.XXX.XX:53
    Oct 11 16:54:24 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to UDP 173.XX.XXX.XX:58099 from XXX.XX.XXX.XX:53
    Oct 11 16:54:24 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to UDP 173.XX.XXX.XX:60933 from XXX.XX.XXX.XX:53
    Oct 11 16:55:21 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to UDP 173.XX.XXX.XX:49418 from XXX.XX.XXX.XX:53
    Oct 11 16:57:16 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:27977 from 58.218.199.147:12200
    Oct 11 16:57:16 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:8000 from 58.218.199.147:12200
    Oct 11 16:57:16 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:2479 from 58.218.199.147:12200
    Oct 11 16:57:16 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:8123 from 58.218.199.147:12200
    Oct 11 16:57:16 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:6588 from 58.218.199.147:12200
    Oct 11 16:58:15 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:8909 from 69.162.125.43:12200
    Oct 11 16:58:15 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:8123 from 69.162.125.43:12200
    Oct 11 16:59:03 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to UDP 173.XX.XXX.XX:55844 from XXX.XX.XXX.XX:53
    Oct 11 16:59:34 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to UDP 173.XX.XXX.XX:62621 from XXX.XX.XXX.XX:53
    Oct 11 16:59:35 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to UDP 173.XX.XXX.XX:51693 from XXX.XX.XXX.XX:53
    Oct 11 17:00:42 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to UDP 173.XX.XXX.XX:60675 from XXX.XX.XXX.XX:53
    Oct 11 17:01:22 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:24182 from 112.65.245.205:80
    Oct 11 17:02:13 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:24182 from 112.65.245.205:80
    Oct 11 17:08:06 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:8909 from 69.162.125.43:12200
    Oct 11 17:19:40 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to UDP 173.XX.XXX.XX:51188 from XXX.XX.XXX.XX:53
    Oct 11 17:21:16 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to TCP 173.XX.XXX.XX:9090 from 58.218.199.250:12200
    
    Same here.
    I'd like to know as well.


    Edit:
    It may have just stopped...
     
    Last edited: Oct 11, 2011
  16. kner0

    kner0 Registered Member

    Joined:
    Oct 8, 2011
    Posts:
    15
    Now there is a new IP from Limestone Networks scanning me.
    Code:
    Oct 11 19:58:44 173-XX-XXX-XX Firewall[62]: Stealth Mode connection attempt to UDP 173.XX.XXX.XX:5060 from 74.63.209.114:5068 
     
  17. kner0

    kner0 Registered Member

    Joined:
    Oct 8, 2011
    Posts:
    15
  18. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ kner0

    Looks like between us we've managed to get that Zeus botnet shut down :) Not forgetting the behind the scenes work by Ryan G Limestone & his team :thumb:

    @ Ryan G Limestone Please keep us posted as to what/why etc :thumb:

    Well so far today it's almost unreally quiet in FW land ! & no reverse.lstn.net probes etc either :thumb:
     
  19. kner0

    kner0 Registered Member

    Joined:
    Oct 8, 2011
    Posts:
    15
    Cool :thumb: How many people do you think we might have just affected?

    @ Ryan G Limestone Thanks again for your help in this.

    I only have two left. 58.218.199.227 and 221.194.46.176. Other than those two all is quiet...
     
    Last edited: Oct 12, 2011
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
  21. Ryan G Limestone

    Ryan G Limestone Registered Member

    Joined:
    Oct 11, 2011
    Posts:
    4
    I don't believe these types of scans have anything to do with the Zeus botnet. Botnets do engage in port scanning and DDoS attacks, but just because you see that type of activity does not mean it is botnet related.

    The users on 69.162.125.43, 216.245.196.122, and 74.63.192.70 were running an application to scan IP addresses for open proxies. We have taken the necessary actions to make sure the scans stop.
     
  22. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ m00nbl00d

    You're right ;)

    @ Ryan G Limestone

    Thanks for the update :thumb: Whatever you've done to stop those idiots has worked, from what I've seen here :thumb:
     
  23. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    It's started up again :( Getting ongoing attacks from here

     
  24. Marc05

    Marc05 Registered Member

    Joined:
    Oct 31, 2011
    Posts:
    8
    Great thread, thank you guys for pursuing this issue. Unfortunately, I don't think these scans are going to stop any time soon. What I don't yet understand is how exactly these IPs are being selected. Are the attackers just using brute force scanning, or are they after a certain group, whether it be because of location, ISP, DNS, etc.?
     
  25. Ryan G Limestone

    Ryan G Limestone Registered Member

    Joined:
    Oct 11, 2011
    Posts:
    4
    @CloneRanger, can you let me know if you have seen any hits from 69.162.125.43 since the 17th/18th?
     