Threat Level: green Handler on Duty: Bojan Zdrnja

SANS ISC: Looking for Packets for IP address 71.6.165.200 - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Looking for Packets for IP address 71.6.165.200

The DShield database this morning show a tremendous uptick in activity coming out of IP address 71.6.165.200 over the past few weeks, so I am reaching out to everyone to see if anybody has packets related to this IP address.  The WHOIS shows a newly registered IP block to CariNet, Inc., a San Diego based cloud provider, on January 3 2014.  Since that time there has been an upshot in reports to the DShield database for both unwanted TCP and UDP packets. 

If anybody has information on the IP address 71.6.165.200, or a POC at CariNet, would greatly help.  I will contact the abuse department on Monday with whatever information I can collect today.

As always, thanx for supporting the Internet Storm Center,

tony d0t Carothers –gmail.com

==============================

UPDATE: 27 January 2014

The senior security engineer onsite has contacted the customer, who has agreed to take down the site and work with the ISC to resolve these issues.  Great job everyone!!  A community effort helps out the community everytime!!

Tony

150 Posts
ISC Handler
I see port scans on 53,1433,161,2225,123,110 - Seems a scanning host with slow scan . It see time intervals in each scan but then targeting critical services

The Alien Vault Guys are also tagged this offending IP as Scanning host. Here is the link for the full report...

http://www.alienvault.com/apps/rep_monitor/ip/71.6.165.200/
hcbhatt

14 Posts
I have been seeing ntpdx overflow attempts from this source. Those were first seen on the 12th but have become more numerous in the past week.
Ken

40 Posts
Hi, I live in San Diego so I decided to call CariNet. Spoke to their support guy & told him about this article. He confirmed this is one of their customers addresses and is opening a case but he is asking you (ISC) to send any information you have to complaints@cari.net

Gary Pietila
Ken
4 Posts
Thank you Gary, I will send in the information I have collected tomorrow morning. Thank you all for the feedback and supporting the ISC!
Tony

150 Posts
ISC Handler
My pleasure, glad to help a organization that does so much good for the Internet. (And gave some great Security Essentials training in 2007)
Tony
4 Posts
Starting on 13 January, we started seeing connection attempts from 71.6.165.200 to several common service ports. It is a very slow scan - about 30 packets per day. We have only seen one probe so far today (27 January), so maybe CariNet has put a stop to it.

Jim C.
JimC

17 Posts
We are also seeing traffic from 71.6.165.200 on various port. It is trying 3/4 attempt in an hour and the last one is at 10:17am EST on 27th Jan. So not sure if its stopped or not. Will monitor for some time.
JimC
1 Posts
we've been seeing packets from ubuntu12192138.aspadmin.net [66.240.192.138]* ubuntu12165200.aspadmin.net [71.6.165.200] and ubuntu12167142.aspadmin.net [71.6.167.142] since january 4th. the rates are very low, so we haven't yet reported them.

sorted by # of packets:

1023/tcp: 2 packets from 1 hosts
webcache/tcp: 2 packets from 1 hosts
imaps/tcp: 2 packets from 1 hosts
9943/tcp: 2 packets from 1 hosts
pop3s/tcp: 3 packets from 1 hosts
27017/tcp: 4 packets from 1 hosts
ssh/tcp: 4 packets from 2 hosts
9100/tcp: 6 packets from 1 hosts
mysql/tcp: 6 packets from 2 hosts
ntp/udp: 7 packets from 1 hosts
ldap/tcp: 9 packets from 1 hosts
https/tcp: 11 packets from 1 hosts
domain/tcp: 16 packets from 2 hosts
telnet/tcp: 19 packets from 1 hosts


71.6.165.200 [T:7]: 1023/tcp:2 www/tcp:1 ssh/tcp:2 8443/tcp:1 20000/tcp:1 27017/tcp:4 telnet/tcp:1 domain/tcp:1 ldap/tcp:1 imaps/tcp:2 28017/tcp:1 5001/tcp:1 9943/tcp:1 https/tcp:1 9100/tcp:1 5560/tcp:1 8000/tcp:1 total:23 (0116 - 0125)
71.6.167.142 [T:7]: 2323/tcp:1 1023/tcp:1 www/tcp:1 8443/tcp:1 snmp/udp:1 domain/tcp:2 623/udp:1 ssh/udp:1 9999/tcp:1 5001/tcp:1 9943/tcp:2 9100/tcp:6 mysql/tcp:2 pop3s/tcp:3 webcache/tcp:1 ntp/udp:7 ldap/tcp:9 6379/tcp:1 https/tcp:11 8000/tcp:1 total:54 (0105 - 0126)
66.240.192.138 [T:7]: 2323/tcp:1 8129/tcp:1 nntp/tcp:1 1023/tcp:1 www/tcp:1 20000/tcp:1 ssh/tcp:2 snmp/udp:1 domain/tcp:14 telnet/tcp:19 ssh/udp:1 9999/tcp:1 5560/tcp:1 mysql/tcp:4 webcache/tcp:2 sip/udp:1 9200/tcp:1 ldap/tcp:1 11211/tcp:1 total:55 (0104 - 0126)

* all forward dns queries for the hostnames fail (NXDOMAIN)

hth,
--
juan
JimC
2 Posts
It's been trying to hit UPnP (port 1900) and MS-SQL (port 1434) ports via UDP since January 12, 2014.
Only about 500 attempts between then and now so not a big talker.
The MS-SQL just looks like a port scan but the UPnP is actually sending a s discovery request.
It seems to be crawling our IP space without much rhyme or reason.
If you still need more packets, I can send in what I pulled from our IDS.
Jasey

93 Posts
Hey guys,

Yeah I'm the POC for abuse. I'll take a look at this now. Anybody having issues, please email me directly at zwikholm@cari.net. I'm not in the office today, but I'm taking a look at this right now. Thanks

Zach W.
Zach W

10 Posts
Hi everybody,

My name is John Matherly from the Shodan project and that server is operated by me (I just setup rdns on it to indicate it's part of Shodan). The server is being used to get an initial snapshot of a bunch of new services that I've added, including NTP (123), DNS (53), MS-SQL (1434), the router backdoor on port 32764 and a slew of others. I was trying a new configuration where I more quickly crawl the Internet, and I'm very sorry for any trouble this has caused. Over the years I've purposely moved slowly to make sure the project doesn't put undue stress on networks/ systems, unfortunately I've failed at that today. As mentioned earlier, to ensure people are at least aware of what the system is doing I've added an rdns entry to indicate that it belongs to Shodan and if there are specific concerns about the packets I'd be happy to address them.

And I'm not sure how familiar people here are with Shodan, but the way it scans is as follows:

1. Pick a random IPv4 address
2. Pick a random port to survey (out of the list of ports it currently looks at: http://www.shodanhq.com/help/filters#port)
3. Check for the random port on the random IP
4. Goto step 1

I.e. it was designed to not port scan an entire system or network at once, to hopefully prevent a system from receiving too much traffic at once. And I also try to maintain a uniform/ completely random distribution to make sure the data in Shodan isn't biased towards individual networks.

In terms of protocol details, here are a few of them and what type of interaction is performed (a short summary):

- SSH: No data is sent for ssh, it just grabs whatever the daemon returns
- DNS: It asks for the version.bind information
- MS-SQL: It sends a ping command to the monitor port for MS-SQL (1434), this doesn't affect the system and I've been told is benign.
- UPnP: It's basically HTTP over UDP and Shodan does a basic discovery request
- SNMP (161): Attempts to grab the public sysDescr.0 mib without authenticating

If there are any concerns, questions or suggestions please contact me directly at jmath@shodan.io. Once again I'm very sorry for any inconvenience this may have caused.

Best regards,

-John

PS: To see some of the research that's coming out of the project, you can check out today's blog post on the NTP data collected so far: http://shodanio.wordpress.com/2014/01/27/analyzing-ntp-usage-on-the-internet-with-shodan/ Note that the data itself is also made available to research institutions and CERTs for free.
John Matherly

2 Posts
Wow. It sure would be great if the entire world worked together like this little community did to get this resolved so fast. Nice, professional job, folks!
Anonymous
You are full of it.
I bring a new server online and within 30 minutes of turning on the FTP I have you knocking on it's door attempting to login via anon FTP.
Talk about a perfect storm, my new servers IP just happened to get randomly selected, you also just happened to select a random port which just happens to be FTP.
I search the offending IP and stumble upon this thread.

The only service you are providing is one for yourself trying to find vulnerable systems, you may be posting some benign information to try and convince people otherwise but you are up to no good there is no doubt about it.
Anonymous
My router's firewall is currently rejecting packets from this IP.

DROP IN=vlan2 OUT= MACSRC=<removed> MACDST=<removed> MACPROTO=0800 SRC=71.6.165.200 DST=108.204.225.18 LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=56159 PROTO=TCP SPT=11326 DPT=53
Anonymous
It seems to be active again

sshd[11877]: Bad protocol version identification '\005d\005\311' from 71.6.165.200 + brute
Anonymous
As someone else mentioned, this IP seems to be active again.
I saw this IP come up in my Minecraft server console. I'm assuming it was doing some port scanning.
Anonymous
This IP keeps trying to connect using Anonymous to my FTP server, Keeps Port Scanning my server, also keeps trying to connect to my email server. All in a short period of time......

February 9th 2015
Anonymous
I've been filtering through some traffic on one of my servers and I've come across this ip address 71.6.165.200 attempting FTP logins as has been stated here. Seeing as the last post here was 9 months ago, I can confirm this ip is still active and looking for vulnerable systems as if November 26, 2015.

Sean Hunter
Sean

1 Posts
Everyone,

I saw a disturbing alert early this morning from my Fortinet specifically calling out this suspect IP (71.6.165.200). I was wondering if anyone has seen any similar suspect behavior.

Message meets Alert condition
date=2016-03-30 time=06:50:23 devname=FG100D3G14808153 devid=FG100D3G14808153 logid=0101037128 type=event subtype=vpn level=error vd="root" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=71.6.165.200 locip= [deleted] remport=4500 locport=4500 outintf="wan1" cookies="e5f858a0876af576/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status=failure init=remote mode=main dir=inbound stage=1 role=responder result=ERROR

Message meets Alert condition
date=2016-03-30 time=06:50:23 devname=FG100D3G14808153 devid=FG100D3G14808153 logid=0101037124 type=event subtype=vpn level=error vd="root" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" action=negotiate remip=71.6.165.200 locip= [deleted] remport=4500 locport=4500 outintf="wan1" cookies="e5f858a0876af576/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status=negotiate_error reason="peer SA proposal not match local policy" peer_notif="NOT-APPLICABLE"

What bothers me is that the IP in question is trying to make a VPN connection to my firewall. Can anyone shed any light on this?
theray

1 Posts
This IP address belongs to Shodan.io (isc.sans.edu/…)
Except if you have specific reasons, you can just ignore it. Their bots are constantly scanning the Net for "juiciy" services.
Xme

484 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!