Looking for Packets for IP address 71.6.165.200

Published: 2014-01-26
Last Updated: 2014-01-27 18:13:45 UTC
by Tony Carothers (Version: 1)
22 comment(s)

The DShield database this morning shows a tremendous uptick in activity coming out of IP address 71.6.165.200 over the past few weeks, so I am reaching out to everyone to see if anybody has packets related to this IP address.  The WHOIS shows a newly registered IP block assigned to CariNet, Inc., a San Diego based cloud provider, on January 3 2014.  Since that time there has been a surge in reports to the DShield database of both unwanted TCP and UDP packets.

If anybody has information on the IP address 71.6.165.200, or a point of contact (POC) at CariNet, it would greatly help.  I will contact the abuse department on Monday with whatever information I can collect today.

As always, thanx for supporting the Internet Storm Center,

tony d0t Carothers –gmail.com

==============================

UPDATE: 27 January 2014

The senior security engineer onsite has contacted the customer, who has agreed to take down the site and work with the ISC to resolve these issues.  Great job everyone!!  A community effort helps out the community every time!!


Comments

I see port scans on 53, 1433, 161, 2225, 123, 110. Seems to be a scanning host doing a slow scan. There are time intervals between each scan, but it is then targeting critical services.

The AlienVault guys have also tagged this offending IP as a scanning host. Here is the link for the full report...

http://www.alienvault.com/apps/rep_monitor/ip/71.6.165.200/

I have been seeing ntpdx overflow attempts from this source. Those were first seen on the 12th but have become more numerous in the past week.

Hi, I live in San Diego so I decided to call CariNet. Spoke to their support guy & told him about this article. He confirmed this is one of their customers' addresses and is opening a case, but he is asking you (ISC) to send any information you have to complaints@cari.net

Gary Pietila
Thank you Gary, I will send in the information I have collected tomorrow morning. Thank you all for the feedback and supporting the ISC!

My pleasure, glad to help an organization that does so much good for the Internet. (And gave some great Security Essentials training in 2007)

Starting on 13 January, we started seeing connection attempts from 71.6.165.200 to several common service ports. It is a very slow scan - about 30 packets per day. We have only seen one probe so far today (27 January), so maybe CariNet has put a stop to it.

Jim C.
We are also seeing traffic from 71.6.165.200 on various ports. It is trying 3/4 attempts in an hour, and the last one was at 10:17am EST on 27th Jan. So not sure if it's stopped or not. Will monitor for some time.

We've been seeing packets from ubuntu12192138.aspadmin.net [66.240.192.138]* ubuntu12165200.aspadmin.net [71.6.165.200] and ubuntu12167142.aspadmin.net [71.6.167.142] since January 4th. The rates are very low, so we haven't yet reported them.

sorted by # of packets:

1023/tcp: 2 packets from 1 hosts
webcache/tcp: 2 packets from 1 hosts
imaps/tcp: 2 packets from 1 hosts
9943/tcp: 2 packets from 1 hosts
pop3s/tcp: 3 packets from 1 hosts
27017/tcp: 4 packets from 1 hosts
ssh/tcp: 4 packets from 2 hosts
9100/tcp: 6 packets from 1 hosts
mysql/tcp: 6 packets from 2 hosts
ntp/udp: 7 packets from 1 hosts
ldap/tcp: 9 packets from 1 hosts
https/tcp: 11 packets from 1 hosts
domain/tcp: 16 packets from 2 hosts
telnet/tcp: 19 packets from 1 hosts


71.6.165.200 [T:7]: 1023/tcp:2 www/tcp:1 ssh/tcp:2 8443/tcp:1 20000/tcp:1 27017/tcp:4 telnet/tcp:1 domain/tcp:1 ldap/tcp:1 imaps/tcp:2 28017/tcp:1 5001/tcp:1 9943/tcp:1 https/tcp:1 9100/tcp:1 5560/tcp:1 8000/tcp:1 total:23 (0116 - 0125)
71.6.167.142 [T:7]: 2323/tcp:1 1023/tcp:1 www/tcp:1 8443/tcp:1 snmp/udp:1 domain/tcp:2 623/udp:1 ssh/udp:1 9999/tcp:1 5001/tcp:1 9943/tcp:2 9100/tcp:6 mysql/tcp:2 pop3s/tcp:3 webcache/tcp:1 ntp/udp:7 ldap/tcp:9 6379/tcp:1 https/tcp:11 8000/tcp:1 total:54 (0105 - 0126)
66.240.192.138 [T:7]: 2323/tcp:1 8129/tcp:1 nntp/tcp:1 1023/tcp:1 www/tcp:1 20000/tcp:1 ssh/tcp:2 snmp/udp:1 domain/tcp:14 telnet/tcp:19 ssh/udp:1 9999/tcp:1 5560/tcp:1 mysql/tcp:4 webcache/tcp:2 sip/udp:1 9200/tcp:1 ldap/tcp:1 11211/tcp:1 total:55 (0104 - 0126)

* all forward dns queries for the hostnames fail (NXDOMAIN)

hth,
--
juan
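
As an added example (not part of the diary or of juan's comment above): a small Python parser for the per-host lines posted above that rebuilds the per-service table from them. It assumes the posted table was produced by ignoring per-host entries of a single packet, since that threshold reproduces the posted figures exactly; the regexes and function names are mine, and the three host lines are embedded so it runs offline.

```python
import re
from collections import defaultdict

# The three per-host lines from the comment above, copied so the example runs
# offline; "(0116 - 0125)" is the first and last day (MMDD) the host was seen.
HOST_LINES = """\
71.6.165.200 [T:7]: 1023/tcp:2 www/tcp:1 ssh/tcp:2 8443/tcp:1 20000/tcp:1 27017/tcp:4 telnet/tcp:1 domain/tcp:1 ldap/tcp:1 imaps/tcp:2 28017/tcp:1 5001/tcp:1 9943/tcp:1 https/tcp:1 9100/tcp:1 5560/tcp:1 8000/tcp:1 total:23 (0116 - 0125)
71.6.167.142 [T:7]: 2323/tcp:1 1023/tcp:1 www/tcp:1 8443/tcp:1 snmp/udp:1 domain/tcp:2 623/udp:1 ssh/udp:1 9999/tcp:1 5001/tcp:1 9943/tcp:2 9100/tcp:6 mysql/tcp:2 pop3s/tcp:3 webcache/tcp:1 ntp/udp:7 ldap/tcp:9 6379/tcp:1 https/tcp:11 8000/tcp:1 total:54 (0105 - 0126)
66.240.192.138 [T:7]: 2323/tcp:1 8129/tcp:1 nntp/tcp:1 1023/tcp:1 www/tcp:1 20000/tcp:1 ssh/tcp:2 snmp/udp:1 domain/tcp:14 telnet/tcp:19 ssh/udp:1 9999/tcp:1 5560/tcp:1 mysql/tcp:4 webcache/tcp:2 sip/udp:1 9200/tcp:1 ldap/tcp:1 11211/tcp:1 total:55 (0104 - 0126)
"""

# One line is "<ip> [T:<n>]: <service>/<proto>:<count> ... total:<n> (<first> - <last>)"
LINE_RE = re.compile(r"^(?P<ip>\S+) \[T:\d+\]: (?P<body>.*?) total:(?P<total>\d+) "
                     r"\((?P<first>\d{4}) - (?P<last>\d{4})\)$")
ENTRY_RE = re.compile(r"(\S+/(?:tcp|udp)):(\d+)")


def parse_host_line(line):
    """Parse one line into (ip, {service: packets}, first_day, last_day).
    Raises ValueError if the line is malformed or the counts != stated total."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised line: %r" % line)
    counts = {svc: int(n) for svc, n in ENTRY_RE.findall(m.group("body"))}
    if sum(counts.values()) != int(m.group("total")):
        raise ValueError("%s: service counts do not match total" % m.group("ip"))
    return m.group("ip"), counts, m.group("first"), m.group("last")


def summarise(lines, min_per_host=2):
    """Per-service packets and distinct source hosts, sorted ascending.
    Per-host entries below min_per_host are skipped; 2 reproduces the table
    in the comment (assumed to be its threshold)."""
    packets, hosts = defaultdict(int), defaultdict(int)
    for line in filter(str.strip, lines):
        _ip, counts, _first, _last = parse_host_line(line)
        for svc, n in counts.items():
            if n >= min_per_host:
                packets[svc] += n
                hosts[svc] += 1
    return sorted(((s, packets[s], hosts[s]) for s in packets),
                  key=lambda row: (row[1], row[2]))


def format_summary(rows):
    """Render rows as "<service>: N packets from M hosts", like the post."""
    return "\n".join("%s: %d packets from %d hosts" % row for row in rows)


if __name__ == "__main__":
    print(format_summary(summarise(HOST_LINES.splitlines())))
```

Lowering `min_per_host` to 1 shows how much the single-packet probes change the picture (ldap/tcp, for instance, becomes 11 packets from all three hosts).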
It's been trying to hit UPnP (port 1900) and MS-SQL (port 1434) ports via UDP since January 12, 2014.
Only about 500 attempts between then and now, so not a big talker.
The MS-SQL just looks like a port scan, but the UPnP is actually sending a discovery request.
It seems to be crawling our IP space without much rhyme or reason.
If you still need more packets, I can send in what I pulled from our IDS.

Hey guys,

Yeah I'm the POC for abuse. I'll take a look at this now. Anybody having issues, please email me directly at zwikholm@cari.net. I'm not in the office today, but I'm taking a look at this right now. Thanks

Zach W.
