Tuesday, March 30, 2010

Web Server Got Scanned

 

So, I got alerted last night that source IP 74.53.76.11 was hitting my web server. It was scanned....heavily.

The FW blocked it...it all hit the clean-up rule, which is a bit weird. Usually, IPs that scan will hit open ports also (I've a few open). This one was one of those with a source port of 80 that isc.sans.org was reporting about a few weeks ago. The IP belongs to ThePlanet. TrustedSource shows some squirrely activity but nothing definitive. My IDS didn't pick up anything either. I also searched MyNetWatchman but the server is busted and craps out when I try to conduct searches. The scan started at 14:38 and ended at 17:45 EST.

I'll keep a watch out for further activity.

References:

http://www.trustedsource.org/query/74.53.76.11

http://www.dshield.org/ipinfo.html?ip=74.53.76.11

EDIT (4/1/2010):

74.53.76.11 scanned the server today, generating 2144 FW log entries that were blocks triggered by the clean-up rule.


http://www.dshield.org/ipdetails.html?ip=74.53.76.11

EDIT (4/2/2010):

124.217.254.63 also scanned the server today, generating 487 FW log entries that were blocks triggered by the clean-up rule.

http://www.trustedsource.org/query/124.217.254.63

http://www.dshield.org/ipinfo.html?ip=124.217.254.63
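
An added example, not part of the original post: one way to pull the pattern described above out of a firewall log, reporting for each source how many blocks hit the clean-up rule, whether it ever matched any other rule, how much of the traffic came from source port 80, and the scan window. The key=value log format, the field names, the rule name `cleanup` and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in an assumed key=value log format (not the author's logs).
SAMPLE_LOG = """\
2010-03-30T14:38:02 action=drop rule=cleanup src=192.0.2.10 spt=80 dst=198.51.100.5 dpt=1025
2010-03-30T14:38:03 action=drop rule=cleanup src=192.0.2.10 spt=80 dst=198.51.100.5 dpt=1026
2010-03-30T15:10:44 action=drop rule=cleanup src=192.0.2.10 spt=80 dst=198.51.100.5 dpt=3389
2010-03-30T17:45:00 action=drop rule=cleanup src=192.0.2.10 spt=80 dst=198.51.100.5 dpt=8081
2010-03-30T16:00:00 action=accept rule=web src=192.0.2.77 spt=51234 dst=198.51.100.5 dpt=80
2010-03-30T16:00:05 action=drop rule=cleanup src=192.0.2.77 spt=51235 dst=198.51.100.5 dpt=23
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def summarize(log_text, cleanup_rule="cleanup"):
    """Per source IP: clean-up drops, other rule hits, ports probed, scan window."""
    stats = defaultdict(lambda: {"drops": 0, "other": 0, "spt80": 0,
                                 "dports": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        stamp, _, rest = line.partition(" ")
        f = dict(FIELD.findall(rest))
        if not {"src", "spt", "dpt", "rule", "action"} <= f.keys():
            continue  # skip lines that do not carry the expected fields
        s = stats[f["src"]]
        if f["action"] == "drop" and f["rule"] == cleanup_rule:
            ts = datetime.fromisoformat(stamp)
            s["drops"] += 1
            s["spt80"] += f["spt"] == "80"   # count packets sourced from port 80
            s["dports"].add(int(f["dpt"]))
            s["first"] = min(s["first"] or ts, ts)
            s["last"] = max(s["last"] or ts, ts)
        else:
            s["other"] += 1                  # matched an explicit rule instead
    return dict(stats)

def cleanup_only_scanners(stats, min_drops=3):
    """Sources with many clean-up blocks that never matched any other rule."""
    return sorted(ip for ip, s in stats.items()
                  if s["drops"] >= min_drops and s["other"] == 0)

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip in cleanup_only_scanners(stats):
        s = stats[ip]
        print(ip, s["drops"], "drops,", len(s["dports"]), "ports,",
              f"{s['spt80'] / s['drops']:.0%} from source port 80,",
              s["first"].time(), "to", s["last"].time())
```
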
