http://isc.sans.edu/diary/Outbound+SSH+Traffic+from+HP+Virtual+Connect+Blades/10498
It is going for a range of ips. We only see syn's never a response from the ips. Netflow sampling at 1/1k results from yesterday's SSH fun:) Countx1k ip 244 49.48.46.49 125 49.48.46.51 74 49.48.46.50 69 49.48.46.54 25 49.48.46.55 18 49.48.46.53 11 49.48.46.48 2 49.48.46.57 (coffee != sleep) & (!coffee == sleep) donald.sm...@qwest.com ________________________________________ From: arin-ppml-boun...@arin.net [arin-ppml-boun...@arin.net] On Behalf Of Joel Jaeggli [joe...@bogus.com] Sent: Monday, March 07, 2011 9:41 PM To: NANOG; arin-p...@arin.net Subject: [arin-ppml] why hp bladeserver chassis have a sudden interest in thailand. http://forums11.itrc.hp.com/service/forums/questionanswer.do?admit=109447626+1299558177753+28353475&threadId=1471451 As a potentially cautionary tale for the squatting on unused pieces of address space either in your network or applications. drive slow (and filter 22 outgoing to 49.48.46.49 until you get new firmware) joel _______________________________________________ PPML You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List (arin-p...@arin.net). Unsubscribe or manage your mailing list subscription at: http://lists.arin.net/mailman/listinfo/arin-ppml Please contact i...@arin.net if you experience any issues. This communication is the property of Qwest and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
