Tuesday, March 30, 2010

Web Server Got Scanned

 

So, I got alerted last night that source IP 74.53.76.11 was hitting my web server. It was scanned....heavily.

The FW blocked it...it all hit the clean-up rule, which is a bit weird.  Usually, IPs that scan will hit open ports also (I've a few open).  This one was one of those with a source port of 80 that isc.sans.org was reporting about a few weeks ago.  The IP belongs to ThePlanetTrustedSource shows some squirrely activity but nothing definitive.  My IDS didn't pick up anything either.    I also searched MyNetWatchman but the server is busted and craps out when I try to conduct searches.  The scan started at 14:38 and ended at 17:45 EST.

I'll keep a watch out for further activity.

References:

http://www.trustedsource.org/query/74.53.76.11

http://www.dshield.org/ipinfo.html?ip=74.53.76.11

EDIT (4/1/2010):

74.53.76.11 scanned the server today, generating 2144 FW log entries that were blocks triggered by the clean-up rule.


http://www.dshield.org/ipdetails.html?ip=74.53.76.11

EDIT (4/2/2010):

124.217.254.63 also scanned the server today, generating 487 FW log entries that were blocks triggered by the clean-up rule.

http://www.trustedsource.org/query/124.217.254.63

http://www.dshield.org/ipinfo.html?ip=124.217.254.63
Post a Comment