djcanadianjeff

Port Scans & Probes From AS395978 and/or AS205280

Discussion created by djcanadianjeff on Jan 24, 2018
Latest reply on Jan 28, 2018 by cartel

[Attached screenshot: Portscan Wireshark]

Even when I unplug my router and change my MAC address to get a new IP, within seconds I start to see probes from these connections, so I suspect they are probing any and all Shaw internet-facing IPv4 addresses.

To get the above capture you can install and run tcpdump on a DD-WRT / OpenWRT router with the following filter:

tcpdump -U -i 'eth1' -w synpackets.pcap 'tcp[13] & 2 != 0 and not tcp[13]=18 and dst YOURSHAWIP'

You need to change eth1 to your WAN/internet interface for it to work, and then once you have captured enough packets you can open it up in a GUI tool like Wireshark to look at the packets.

To get GeoIP working in Wireshark, follow the wiki at wiki.wireshark.org/HowToUseGeoIP, which requires you to download and save the MaxMind GeoIP files into a folder and tell Wireshark how to find them.

The filter I used in Wireshark is:

(ip.geoip.src_asnum contains "AS205280") || (ip.geoip.src_asnum contains "AS395978")

The following IPs are seen probing within seconds of changing my Shaw IP to a new one:

77.72.85.16 AS205280 United Protection (UK) Security LIMITED
77.72.85.17 AS205280 United Protection (UK) Security LIMITED
77.72.85.18 AS205280 United Protection (UK) Security LIMITED
77.72.85.23 AS205280 United Protection (UK) Security LIMITED
77.72.85.24 AS205280 United Protection (UK) Security LIMITED
77.72.85.27 AS205280 United Protection (UK) Security LIMITED
77.72.85.106 AS205280 United Protection (UK) Security LIMITED
181.214.87.7 AS395978 OkServers LLC
181.214.87.11 AS395978 OkServers LLC
181.214.87.12 AS395978 OkServers LLC
181.214.87.70 AS395978 OkServers LLC
181.214.87.239 AS395978 OkServers LLC
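The tcpdump filter above keeps inbound packets with SYN set but not SYN-ACK (so connections the router itself opened are excluded), and the Wireshark filter then attributes the survivors to an AS. The script below is an added example, not from the original post: it applies the same SYN / not-SYN-ACK / destination-is-me condition to packet records in Python, attributes each source to an AS from a small lookup table, aggregates probes per source and port, and checks which sources reappear across capture sessions taken under different WAN addresses. The packet records and the second session are constructed; the /24 prefix lengths in the table are an assumption for illustration (only the AS numbers and names come from the post), and the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are documentation ranges standing in for real WAN IPs.

```python
"""Attribute inbound SYN probes to ASNs and find sources that persist across
capture sessions. Added example with hypothetical helper names."""
import ipaddress
from collections import defaultdict

TCP_SYN = 0x02       # tcp[13] & 2 != 0 in the tcpdump filter
TCP_SYN_ACK = 0x12   # tcp[13] == 18: the reply to a connection we opened, not a probe

# Constructed lookup table: the /24 prefix lengths are an assumption for this example.
ASN_TABLE = [
    (ipaddress.ip_network("77.72.85.0/24"), "AS205280 United Protection (UK) Security LIMITED"),
    (ipaddress.ip_network("181.214.87.0/24"), "AS395978 OkServers LLC"),
]

def is_inbound_syn_probe(flags, dst, my_ip):
    """Same condition as the BPF filter: SYN set, not a SYN-ACK, addressed to our WAN IP."""
    return (flags & TCP_SYN) != 0 and flags != TCP_SYN_ACK and dst == my_ip

def lookup_asn(ip):
    """Longest-match is unnecessary here because the table prefixes do not overlap."""
    addr = ipaddress.ip_address(ip)
    for net, label in ASN_TABLE:
        if addr in net:
            return label
    return "unknown"

def summarize(packets, my_ip):
    """Return {asn_label: {src: {"count": n, "ports": [sorted dst ports]}}}."""
    by_asn = defaultdict(lambda: defaultdict(lambda: {"count": 0, "ports": set()}))
    for src, dst, dport, flags in packets:
        if not is_inbound_syn_probe(flags, dst, my_ip):
            continue
        entry = by_asn[lookup_asn(src)][src]
        entry["count"] += 1
        entry["ports"].add(dport)
    return {asn: {src: {"count": e["count"], "ports": sorted(e["ports"])}
                  for src, e in srcs.items()}
            for asn, srcs in by_asn.items()}

def persistent_sources(sessions):
    """Sources that probed in two or more sessions; sessions is [(my_ip, packets), ...]."""
    seen_in = defaultdict(int)
    for my_ip, packets in sessions:
        srcs = {src for src, dst, _, flags in packets if is_inbound_syn_probe(flags, dst, my_ip)}
        for src in srcs:
            seen_in[src] += 1
    return sorted(src for src, n in seen_in.items() if n >= 2)

# Constructed capture: (src, dst, dst port, TCP flags byte). First session on one WAN IP.
MY_IP = "192.0.2.10"
SESSION_1 = [
    ("77.72.85.16", MY_IP, 23, 0x02),
    ("77.72.85.16", MY_IP, 2323, 0x02),
    ("77.72.85.17", MY_IP, 22, 0x02),
    ("181.214.87.7", MY_IP, 445, 0x02),
    ("181.214.87.7", MY_IP, 445, 0x02),
    ("203.0.113.5", MY_IP, 443, 0x12),        # SYN-ACK to a connection we opened: dropped
    ("77.72.85.18", "192.0.2.11", 80, 0x02),  # not addressed to us: dropped
    ("198.51.100.9", MY_IP, 8080, 0x02),      # SYN from a prefix outside the table
]
# Second constructed session after the WAN address changed.
MY_IP_2 = "192.0.2.77"
SESSION_2 = [
    ("77.72.85.16", MY_IP_2, 23, 0x02),
    ("181.214.87.11", MY_IP_2, 22, 0x02),
]

if __name__ == "__main__":
    for asn, srcs in summarize(SESSION_1, MY_IP).items():
        for src, e in srcs.items():
            print(f"{asn:55s} {src:16s} probes={e['count']} ports={e['ports']}")
    print("seen in both sessions:", persistent_sources([(MY_IP, SESSION_1), (MY_IP_2, SESSION_2)]))
```

To run this against a real capture, replace the constructed lists with records read from the pcap (for example with scapy or tshark `-T fields` output) and the ASN table with the MaxMind or Team Cymru data you already use for Wireshark; the filter logic and the cross-session check stay the same.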
