Anybody else seeing a surge in exploit attempts from Iran?


Jeremy Shelley

Oct 10, 2012, 7:59:47 AM10/10/12
to iscds...@googlegroups.com
Over the past two days our firewalls have seen a huge surge in attacks from IP addresses in Iran (almost 30,000 attempts in the last 24 hours).  The attacker is attempting to exploit port 2623 (LMDP?) or 3009 (PXC-NTFY?).

Is anybody else seeing traffic like this or are we just the lucky target?

This group looks like it's going to be a great resource!

Jeremy

Bugbear

Oct 10, 2012, 9:22:55 AM10/10/12
to iscds...@googlegroups.com
We had about 15,000 packets from 2.185.244.128 destined for source UDP 3009 on October 8th. It stopped and there was no additional traffic to or from that IP so I have not grabbed a capture.

Tim


--
Need IPv6 Training? See http://www.ipv6securitytraining.com . IPv6 Security Training
 
To unsubscribe from this group, send email to
iscdshield+...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/iscdshield?hl=en

Roper Rop

Apr 9, 2013, 6:48:23 PM4/9/13
to iscds...@googlegroups.com

17.172.232.153.5223

Phillip Smith

Apr 9, 2013, 7:03:55 PM4/9/13
to iscds...@googlegroups.com

On 10 April 2013 08:48, Roper Rop <br...@ptsi.net> wrote:

17.172.232.153.5223

A quick whois will tell you 17.0.0.0/8 is registered to Apple. Port 5223 is Apple's Push Notification Services [1]. Perhaps you've added new Apple devices to your network, or existing ones have been upgraded to versions that incorporate APNS?

What you're calling an "attack" is likely just trailing packets from a valid connection. IME Apple are quite chatty with their "closed" connections.

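Turning the triage Phillip describes into a repeatable check (an added example, not code from the thread or from any poster): it aggregates firewall deny lines by source, protocol and destination port, labels pairs that match a known allocation and service (17.0.0.0/8 plus TCP 5223 for Apple APNS, as identified above), and flags unexplained high-volume sources as worth a capture and a whois lookup. The deny-log line format and the sample lines are constructed; the addresses reuse the ones quoted in the thread.

```python
import ipaddress
import re
from collections import Counter

# (network, proto, port, label) pairs identified in the thread: 17.0.0.0/8 is
# Apple's allocation and TCP 5223 is Apple Push Notification Service.
KNOWN_SERVICES = [
    (ipaddress.ip_network("17.0.0.0/8"), "tcp", 5223,
     "Apple APNS; probably trailing packets of a closed connection"),
]
SPIKE_THRESHOLD = 1000  # packets per (src, proto, dport) that justify a capture
# Assumed (constructed) deny-log format: src=... dst=... proto=... dport=...
LOG_RE = re.compile(r"src=(\S+) dst=\S+ proto=(\S+) dport=(\d+)")

def parse_counts(log_text):
    """Aggregate deny lines into (src, proto, dport) -> packet count."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:  # lines not in the assumed format are skipped
            src, proto, dport = m.groups()
            counts[(src, proto.lower(), int(dport))] += 1
    return counts

def classify(src, proto, dport, count, threshold=SPIKE_THRESHOLD):
    """Known service beats volume: Apple's chatty tails are not a spike."""
    addr = ipaddress.ip_address(src)
    for net, known_proto, known_port, label in KNOWN_SERVICES:
        if addr in net and proto == known_proto and dport == known_port:
            return "known: " + label
    if count >= threshold:
        return "spike: unexplained source, grab a capture and run whois"
    return "low volume: ignore unless it persists"

def triage(log_text, threshold=SPIKE_THRESHOLD):
    """Return [(src, proto, dport, count, verdict)], largest count first."""
    rows = [(src, proto, dport, n, classify(src, proto, dport, n, threshold))
            for (src, proto, dport), n in parse_counts(log_text).items()]
    return sorted(rows, key=lambda r: r[3], reverse=True)
# Constructed sample: a UDP 3009 flood like Tim's (scaled down), a few APNS
# packets from Apple's block, and one stray probe on port 2623.
SAMPLE_LOG = (
    "src=2.185.244.128 dst=203.0.113.10 proto=udp dport=3009\n" * 1500
    + "src=17.172.232.153 dst=203.0.113.10 proto=tcp dport=5223\n" * 12
    + "src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=2623\n"
)

if __name__ == "__main__":
    for src, proto, dport, n, verdict in triage(SAMPLE_LOG):
        print(f"{src:>16} {proto}/{dport:<5} {n:>6}  {verdict}")
```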

Tom Byrnes

Apr 10, 2013, 12:45:14 AM4/10/13
to iscds...@googlegroups.com

ThreatSTOP’s Check IP shows that this is a clean IP, in the US, that belongs to Apple.


You can check IPs for free, for yourself, against the DShield list, Maxmind geo data, and over 30 other sources at:


http://www.threatstop.com/checkip

---
You received this message because you are subscribed to the Google Groups "SANS Internet Storm Center / DShield" group.
To unsubscribe from this group and stop receiving emails from it, send an email to iscdshield+...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Joel Esler

Apr 9, 2013, 7:05:02 PM4/9/13
to iscds...@googlegroups.com, iscds...@googlegroups.com
All of the 17. block is owned by Apple.  Also port 5223 is Jabber, IIRC. Are you using Jabber?  Do you have a Mac?

--
Joel Esler
Sent from my iPhone 

Ziots, Edward

Apr 10, 2013, 7:35:33 AM4/10/13
to iscds...@googlegroups.com

Concur, this is definitely Apple in the USA.


http://www.geoiptool.com/en/?IP=17.172.232.153


Z


Edward E. Ziots, CISSP, CISA, Security +, Network +

Security Engineer

Lifespan Organization

ezi...@lifespan.org

Work:401-444-9081


HAREN BHATT

Apr 10, 2013, 9:04:00 AM4/10/13
to iscds...@googlegroups.com
A detailed whois, as below:
None of the ports are seen open.

Domain Whois record

Don't have a domain name for which to get a record

Network Whois record

Queried whois.arin.net with "n 17.172.232.153"...

NetRange:       17.0.0.0 - 17.255.255.255
CIDR:           17.0.0.0/8
OriginAS:       
NetName:        APPLE-WWNET
NetHandle:      NET-17-0-0-0-1
Parent:         
NetType:        Direct Assignment
RegDate:        1990-04-16
Updated:        2012-04-02
Ref:            http://whois.arin.net/rest/net/NET-17-0-0-0-1

OrgName:        Apple Inc.
OrgId:          APPLEC-1-Z
Address:        20400 Stevens Creek Blvd., City Center Bldg 3
City:           Cupertino
StateProv:      CA
PostalCode:     95014
Country:        US
RegDate:        2009-12-14
Updated:        2011-03-08
Ref:            http://whois.arin.net/rest/org/APPLEC-1-Z

OrgAbuseHandle: APPLE11-ARIN
OrgAbuseName:   Apple Abuse
OrgAbusePhone:  +1-408-974-7777 
OrgAbuseEmail:  ab...@apple.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/APPLE11-ARIN

OrgTechHandle: ZA42-ARIN
OrgTechName:   Apple Computer Inc
OrgTechPhone:  +1-408-974-7777 
OrgTechEmail:  dr...@apple.com
OrgTechRef:    http://whois.arin.net/rest/poc/ZA42-ARIN

RTechHandle: ZA42-ARIN
RTechName:   Apple Computer Inc
RTechPhone:  +1-408-974-7777 
RTechEmail:  dr...@apple.com
RTechRef:    http://whois.arin.net/rest/poc/ZA42-ARIN

DNS records

DNS query for 153.232.172.17.in-addr.arpa returned an error from the server: NameError

No records to display

Traceroute

Tracing route to 17.172.232.153 [17.172.232.153]...

hop  rtt  rtt  rtt  ip address       fully qualified domain name
1    1    1    1    70.84.211.97     61.d3.5446.static.theplanet.com
2    1    0    1    70.87.254.5      po101.dsr02.dllstx5.networklayer.com
3    0    0    0    70.85.127.109    po52.dsr02.dllstx3.networklayer.com
4    1    0    0    173.192.18.230   ae17.bbr02.eq01.dal03.networklayer.com
5    0    0    0    4.59.36.93       xe-11-0-3.edge2.dallas3.level3.net
6    25   25   25   4.69.145.190     vlan80.csw3.dallas1.level3.net
7    25   25   24   4.69.151.158     ae-83-83.ebr3.dallas1.level3.net
8    24   24   24   4.69.134.22      ae-7-7.ebr3.atlanta2.level3.net
9    27   25   24   4.69.148.242     ae-63-63.ebr1.atlanta2.level3.net
10   26   26   26   4.69.200.209     ae-1-10.bar1.charlotte1.level3.net
11   26   26   25   4.69.200.218     ae-3-3.car1.charlotte1.level3.net
12   29   28   27   4.71.124.62      apple-compu.car1.charlotte1.level3.net
13   *    *    *
14   *    *    *
15   *    *    *
16   *    *    *

Trace aborted

Service scan

FTP - 21 Error: TimedOut
SMTP - 25 Error: TimedOut
HTTP - 80 Error: ConnectionRefused
POP3 - 110 Error: TimedOut
IMAP - 143 Error: TimedOut

Haren


Haren Bhatt | Head - SOC | hcb...@gmail.com | http://security-culture.blogspot.com/


"We Have A Culture Of Security."


BioChem Admin

Sep 16, 2013, 3:52:46 PM9/16/13
to iscds...@googlegroups.com
We have a large number of them too? 


On Wednesday, October 10, 2012 6:59:47 AM UTC-5, Jeremy Shelley wrote: