Web Server Got Scanned

 

So, I got alerted last night that source IP 74.53.76.11 was hitting my web server. It was scanned....heavily.

The FW blocked it...it all hit the clean-up rule, which is a bit weird.  Usually, IPs that scan will hit open ports also (I've a few open).  This one was one of those with a source port of 80 that isc.sans.org was reporting about a few weeks ago.  The IP belongs to ThePlanet.  TrustedSource shows some squirrely activity but nothing definitive.  My IDS didn't pick up anything either.    I also searched MyNetWatchman but the server is busted and craps out when I try to conduct searches.  The scan started at 14:38 and ended at 17:45 EST.

I'll keep a watch out for further activity.

References:

http://www.trustedsource.org/query/74.53.76.11

http://www.dshield.org/ipinfo.html?ip=74.53.76.11

EDIT (4/1/2010):

74.53.76.11 scanned the server today, generating 2144 FW log entries that were blocks triggered by the clean-up rule.

http://www.trustedsource.org/query/74.53.76.11

http://www.dshield.org/ipdetails.html?ip=74.53.76.11

EDIT (4/2/2010):

124.217.254.63 also scanned the server today, generating 487 FW log entries that were blocks triggered by the clean-up rule.

http://www.trustedsource.org/query/124.217.254.63

http://www.dshield.org/ipinfo.html?ip=124.217.254.63

Kismet for Macs - WEP/WPA/WPA2

 

Added KisMac to my Macbook.

This software is NICE!!  I've used Kismet before (on a Sharp Zaurus SL5500), but the Mac version is VERY nice!

One disturbing thing (that I should put on my security blog) is that I saw a lot of WAPs in my neighborhood still using WEP.  Three of them were Actiontec routers, which show the new rollout of FIOS from Verizon.  Mine also shows up, but mine is set to use WPA2.  There were maybe 5-6 WAPs using WPA (of maybe 10-12), but I was the ONLY one that I detected that was using WPA2.  That's not good, IMO.

I may take a drive around tomorrow to sample the neighborhood.  I'll parse that data and post it on my security blog.