06/04/2014 [HACK] University Information Security Office @ Netherlands 17 (51545)

91.239.64.179 was observed probing caltech.edu for security holes. It
has been blocked at our border routers. It may be compromised.

For more info contact security@caltech.edu
Please include the entire subject line of the original message

Bob

(time zone of log is PDT, which is UTC-07:00, date is MMDD)
log entries are from Cisco netflow, time is flow start time
date.time srcIP srcPort dstIP dstPort proto #pkts
0405.16:48:04.538 91.239.64.179 34951 134.4.230.208 21 6 1
0405.16:48:20.541 91.239.64.179 56012 134.4.176.22 21 6 1
0405.16:48:35.709 91.239.64.179 50534 131.215.249.5 21 6 1
0405.16:48:38.635 91.239.64.179 32848 131.215.105.164 21 6 1
0405.16:48:40.940 91.239.64.179 32896 131.215.49.161 21 6 1
0405.16:48:44.537 91.239.64.179 54092 131.215.127.117 21 6 1
0405.16:48:45.242 91.239.64.179 38701 134.4.65.145 21 6 1
0405.16:48:51.065 91.239.64.179 57611 134.4.130.121 21 6 1
0405.16:48:54.649 91.239.64.179 42696 131.215.203.134 21 6 1
0405.16:48:58.732 91.239.64.179 56142 134.4.72.68 21 6 1
0405.16:49:20.751 91.239.64.179 35115 134.4.105.26 21 6 1
0405.16:49:28.952 91.239.64.179 43515 131.215.202.69 21 6 1
0405.16:49:28.491 91.239.64.179 55143 131.215.178.80 21 6 1
0405.16:49:45.646 91.239.64.179 50860 134.4.36.143 21 6 1
0405.16:49:47.694 91.239.64.179 45396 134.4.20.89 21 6 1
0405.16:49:53.579 91.239.64.179 39743 134.4.211.232 21 6 1
0405.16:50:05.743 91.239.64.179 33535 134.4.204.198 21 6 1
0405.16:50:17.146 91.239.64.179 54460 131.215.51.147 21 6 1
0405.16:50:16.507 91.239.64.179 55425 134.4.193.52 21 6 1
0405.16:50:15.021 91.239.64.179 34098 131.215.43.96 21 6 1

======================================================

We have blocked someone from your IP space for abuse. Reason: Port Scanning. Log lines are below. Time zone is UTC.

2014-04-05T23:48:32+00:00 squawk [1:1750045:12] ANI SRC SCAN - Potential FTP Scan or Bruteforce - Inbound [Classification: An attempted login using a suspicious username was detected] [Priority: 2]: {TCP} 91.239.64.179:51545 -> 149.163.36.70:21

I am writing to inform you so that you can take whatever action is necessary to prevent this user from doing this again. We would be happy to discuss further if you would like. Please feel free to respond to this email to follow up.

Thank you,

University Information Security Office
Indiana University
http://protect.iu.edu/uiso


Action that has been taken from Proxy.sh: To prevent further inconvenience caused to third parties, we have blocked port 51545.
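Both complaints above describe the same behaviour: one source sweeping TCP port 21 across many hosts, one packet per flow, at two institutions within the same minute once the Caltech PDT times are converted to UTC. The script below is an added example, not part of either complaint or of this page; it parses the Caltech netflow excerpt and the Indiana University Snort alert into one record format, normalises the timestamps to UTC, and flags a source that reaches many distinct destinations on one port inside a short window. The year (2014, taken from the report date), the 120-second window, the threshold of 8 targets, the control line from 192.0.2.10 and all function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: the first ten lines of the Caltech netflow excerpt above
# (fields: date.time srcIP srcPort dstIP dstPort proto #pkts; clock is PDT, date is MMDD).
NETFLOW_SAMPLE = """\
0405.16:48:04.538 91.239.64.179 34951 134.4.230.208 21 6 1
0405.16:48:20.541 91.239.64.179 56012 134.4.176.22 21 6 1
0405.16:48:35.709 91.239.64.179 50534 131.215.249.5 21 6 1
0405.16:48:38.635 91.239.64.179 32848 131.215.105.164 21 6 1
0405.16:48:40.940 91.239.64.179 32896 131.215.49.161 21 6 1
0405.16:48:44.537 91.239.64.179 54092 131.215.127.117 21 6 1
0405.16:48:45.242 91.239.64.179 38701 134.4.65.145 21 6 1
0405.16:48:51.065 91.239.64.179 57611 134.4.130.121 21 6 1
0405.16:48:54.649 91.239.64.179 42696 131.215.203.134 21 6 1
0405.16:48:58.732 91.239.64.179 56142 134.4.72.68 21 6 1
"""

# The Indiana University Snort alert from the second complaint (timestamp already UTC).
SNORT_SAMPLE = ("2014-04-05T23:48:32+00:00 squawk [1:1750045:12] ANI SRC SCAN - Potential FTP Scan "
                "or Bruteforce - Inbound [Classification: An attempted login using a suspicious "
                "username was detected] [Priority: 2]: {TCP} 91.239.64.179:51545 -> 149.163.36.70:21")

# Constructed control line (documentation address 192.0.2.10): one ordinary FTP session
# that the detector should not flag.
BENIGN_SAMPLE = "0405.16:49:10.000 192.0.2.10 40000 134.4.2.2 21 6 12"

PDT = timezone(timedelta(hours=-7))          # the Caltech log states PDT = UTC-07:00
PROTO_NUMBERS = {"TCP": 6, "UDP": 17, "ICMP": 1}

SNORT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \[(?P<gid_sid_rev>[\d:]+)\] (?P<msg>.*?) "
    r"\[Classification: [^\]]*\] \[Priority: \d+\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_netflow(line, year=2014, tz=PDT):
    """Parse one line of the Caltech-style netflow excerpt; the timestamp is returned in UTC.
    The log carries no year, so it is passed in (assumed 2014 from the report date)."""
    date_time, src, sport, dst, dport, proto, _pkts = line.split()
    mmdd, clock = date_time.split(".", 1)
    local = datetime.strptime(f"{year}{mmdd} {clock}", "%Y%m%d %H:%M:%S.%f").replace(tzinfo=tz)
    return {"ts": local.astimezone(timezone.utc), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": int(proto), "origin": "netflow"}


def parse_snort(line):
    """Parse a Snort fast-format alert line into the same record shape as parse_netflow."""
    m = SNORT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised Snort line: {line!r}")
    ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
    return {"ts": ts, "src": m["src"], "sport": int(m["sport"]), "dst": m["dst"],
            "dport": int(m["dport"]), "proto": PROTO_NUMBERS[m["proto"].upper()], "origin": "snort"}


def find_horizontal_scans(records, window=timedelta(seconds=120), min_targets=8):
    """Report each (src, proto, dport) that reaches at least `min_targets` distinct destinations
    inside some `window`-long span. Thresholds are illustrative; tune them to the network."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["src"], r["proto"], r["dport"])].append(r)

    hits = []
    for (src, proto, dport), recs in by_key.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = None, 0
        for end in range(len(recs)):           # sliding window over time-sorted records
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            targets = {r["dst"] for r in span}
            if len(targets) >= min_targets and (best is None or len(targets) > best["targets"]):
                best = {"src": src, "proto": proto, "dport": dport, "targets": len(targets),
                        "first": span[0]["ts"], "last": span[-1]["ts"],
                        "origins": sorted({r["origin"] for r in span}),
                        "distinct_sports": len({r["sport"] for r in span})}
        if best:
            hits.append(best)
    return hits


def analyse():
    """Merge the three samples into one timeline and run the scan detector."""
    records = [parse_netflow(l) for l in NETFLOW_SAMPLE.splitlines() if l.strip()]
    records.append(parse_snort(SNORT_SAMPLE))
    records.append(parse_netflow(BENIGN_SAMPLE))
    return find_horizontal_scans(records)


if __name__ == "__main__":
    for h in analyse():
        print(f"{h['src']} reached {h['targets']} hosts on proto {h['proto']} port {h['dport']} "
              f"between {h['first']:%H:%M:%S} and {h['last']:%H:%M:%S} UTC, "
              f"seen by {', '.join(h['origins'])}, using {h['distinct_sports']} source ports")
```

Run on the page's own lines, the detector reports one scan: 91.239.64.179 reaching 11 hosts on TCP/21 between 23:48:04 and 23:48:58 UTC, seen by both the Caltech netflow and the Indiana University sensor, and using 11 different source ports. That last figure is the practical caveat for the port block recorded above: a scanner's operating system picks a fresh ephemeral source port for each connection, so a rule keyed on source port 51545 matches the single flow in the Snort alert and none of the other ten. Keying the detection (and any block) on the source address, the destination port and the distinct-target count is what actually describes the behaviour in these logs.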