Re: ISC# [2560154] 17.172.232.153.5223 MNDNNN


Phillip Smith

Apr 9, 2013, 7:44:19 PM
to iscds...@googlegroups.com
---------- Forwarded message ----------
From: Brent Goodwin <br...@ptsi.net>
Date: Tue, Apr 9, 2013 at 6:28 PM
Subject: Re: ISC# [2560154] 17.172.232.153.5223 MNDNNN
To: Swa Frantzen - ISC <i...@section66.com>


I guess you can call me stupid or simple-minded, but these screenshots show me this. I am about to report the wiskalten@gmail to Google abuse, unless you can explain this to me in a way I can understand it.

Right, the IP you're querying is 68.178.176.152

5223.com is the domain that they're abusing to make their hostname look like an Apple IP address.

I'd treat it like any other unsolicited internet traffic, unless they're actually establishing a connection somehow. Are they doing that, or just sending unsolicited incoming packets?

HAREN BHATT

Apr 10, 2013, 8:45:33 AM
to iscds...@googlegroups.com
Even I am seeing outbound traffic to 17.172.232.153 on ports 5223 and 443.

Below are the logs:

106023: Deny tcp src inside:xxx.xxx.xxx.xxx/61554 dst outside:17.172.232.153/443 by access-group "inside_access_in_1" [0x0, 0x0]
106023: Deny tcp src inside:xxx.xxx.xxx.xxx/51346 dst outside:17.172.232.153/443 by access-group "inside_access_in_1" [0x0, 0x0]
106023: Deny tcp src inside:xxx.xxx.xxx.xxx/56661 dst outside:17.172.232.153/443 by access-group "inside_access_in_1" [0x0, 0x0]
106023: Deny tcp src inside:xxx.xxx.xxx.xxx/49783 dst outside:17.172.232.153/5223 by access-group "inside_access_in_1" [0x0, 0x0]
106023: Deny tcp src inside:xxx.xxx.xxx.xxx/56115 dst outside:17.172.232.153/5223 by access-group "inside_access_in_1" [0x0, 0x0]
106023: Deny tcp src inside:xxx.xxx.xxx.xxx/49495 dst outside:17.172.232.153/5223 by access-group "inside_access_in_1" [0x0, 0x0]
106023: Deny tcp src inside:xxx.xxx.xxx.xxx/59138 dst outside:17.172.232.153/5223 by access-group "inside_access_in_1" [0x0, 0x0]



---
You received this message because you are subscribed to the Google Groups "SANS Internet Storm Center / DShield" group.
--
Haren Bhatt | hcb...@gmail.com | http://security-culture.blogspot.com/
"We Have A Culture Of Security."


Phillip Smith

Apr 10, 2013, 7:20:13 PM
to iscds...@googlegroups.com
On 10 April 2013 22:45, HAREN BHATT <hcb...@gmail.com> wrote:
Even I am seeing outbound traffic to 17.172.232.153 on ports 5223 and 443.

Below are the logs:

106023: Deny tcp src inside:xxx.xxx.xxx.xxx/61554 dst outside:17.172.232.153/443 by access-group "inside_access_in_1" [0x0, 0x0]
106023: Deny tcp src inside:xxx.xxx.xxx.xxx/51346 dst outside:17.172.232.153/443 by access-group "inside_access_in_1" [0x0, 0x0]
106023: Deny tcp src inside:xxx.xxx.xxx.xxx/56661 dst outside:17.172.232.153/443 by access-group "inside_access_in_1" [0x0, 0x0]
106023: Deny tcp src inside:xxx.xxx.xxx.xxx/49783 dst outside:17.172.232.153/5223 by access-group "inside_access_in_1" [0x0, 0x0]
106023: Deny tcp src inside:xxx.xxx.xxx.xxx/56115 dst outside:17.172.232.153/5223 by access-group "inside_access_in_1" [0x0, 0x0]
106023: Deny tcp src inside:xxx.xxx.xxx.xxx/49495 dst outside:17.172.232.153/5223 by access-group "inside_access_in_1" [0x0, 0x0]
106023: Deny tcp src inside:xxx.xxx.xxx.xxx/59138 dst outside:17.172.232.153/5223 by access-group "inside_access_in_1" [0x0, 0x0]


Unless your logs log hostnames (highly unlikely), those are blocks to the IP ADDRESS 17.172.232.153, not the DOMAIN 5223.com from your screenshots in your previous email.

Those blocks will be an Apple device trying to "phone home". I think you're confusing IP Addresses and Hostnames/Domains here.
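As an added example (not from the thread or any of its posters), the distinction Phillip draws expressed in Python: parse the ASA 106023 deny lines quoted above, tally denied flows per destination IP and port, and classify a destination string as a literal IPv4 address versus a hostname whose leading labels merely look like one, as with the 5223.com names discussed earlier. The log lines are the ones pasted in the thread; the hostname `push.example.com` is a placeholder.

```python
import re
from collections import Counter
from ipaddress import AddressValueError, IPv4Address

# Field layout of a Cisco ASA 106023 deny line as pasted in the thread.
ASA_106023 = re.compile(
    r'106023: Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[^/]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst>[^/]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)

# Sample input: lines quoted in the thread (source address already masked).
SAMPLE_LOG = [
    '106023: Deny tcp src inside:xxx.xxx.xxx.xxx/61554 dst outside:17.172.232.153/443 by access-group "inside_access_in_1" [0x0, 0x0]',
    '106023: Deny tcp src inside:xxx.xxx.xxx.xxx/51346 dst outside:17.172.232.153/443 by access-group "inside_access_in_1" [0x0, 0x0]',
    '106023: Deny tcp src inside:xxx.xxx.xxx.xxx/49783 dst outside:17.172.232.153/5223 by access-group "inside_access_in_1" [0x0, 0x0]',
    '106023: Deny tcp src inside:xxx.xxx.xxx.xxx/56115 dst outside:17.172.232.153/5223 by access-group "inside_access_in_1" [0x0, 0x0]',
]

def parse_106023(line):
    """Return the fields of one 106023 deny line as a dict, or None if it does not match."""
    m = ASA_106023.search(line)
    return m.groupdict() if m else None

def summarize_denies(lines):
    """Count denied flows per (destination, port) so a repeating destination stands out."""
    counts = Counter()
    for line in lines:
        rec = parse_106023(line)
        if rec:
            counts[(rec["dst"], int(rec["dport"]))] += 1
    return counts

def classify_destination(dst):
    """'ipv4' for a literal address (what the firewall actually logs),
    'ip-lookalike' for a hostname whose leading four labels spell an address
    under some other domain (17.172.232.153.5223.com style), else 'hostname'."""
    try:
        IPv4Address(dst)
        return "ipv4"
    except AddressValueError:
        pass
    labels = dst.rstrip(".").split(".")
    if len(labels) > 4 and all(l.isdigit() and int(l) <= 255 for l in labels[:4]):
        return "ip-lookalike"
    return "hostname"

if __name__ == "__main__":
    for (dst, port), n in sorted(summarize_denies(SAMPLE_LOG).items()):
        print(f"{dst}:{port}  denied {n}x  ({classify_destination(dst)})")
```

The firewall only ever records the literal address, so the lookalike check applies to names seen in DNS or reverse lookups, not to the ASA log field itself.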