I have recently started to notice that there is a large number of [what appears to be] port scans coming from an IP address that belongs to MCV. I found only one post from over two years ago (http://forum.micasaverde.com/index.php/topic,3688.msg18256.html#msg18256), but it does not explain this:
Small sample of ports scanned:
39502, 17206, 17733, 35381, 17246, 41732, 24372, 25431, 21817, 56621, 19709, 62752, 55112, 62908, 56370, 64133, 13136, 51911, 16073, 50847, 31616, 20195, 24974, 22134, 16849, 14850, 6227, 50043, 62417, 62636, 26176, 54810, 63947, 52549, 6000, 11278, 3839, 18570, 5165, 16137, 34756, 48653, 40184, 11678, 60744, 33977, 62069, 33136, 41245, 64818, 60581, 61537, 21049, 27747, 42901, 49366, 51920, 50182, 62567, 52537, 30452, 64904, 15853, 31570, 58170
I copied these ports from consecutive reports, so some may be repeats. Again, this is a small sample of what my firewall actually saw. The source port is 443 (SSL).
I have data going back to 2/26/13, when I started to take notice. The scans from MCV occur every day and appear systematic. (Interesting finding: the scan occurrences MAY coincide with activity on my Vera. I don’t have enough data to confirm this yet.) Since my network is constantly scanned by China and other foreign countries, I don’t always follow up or research. I do remember having seen this IP address prior to 2/26, but I have deleted those logs.
The source IP is 173.254.216.50
Reverse WHOIS reports this:
[Querying whois.arin.net]
[Redirected to rwhois.oc3networks.com:4321]
[Querying rwhois.oc3networks.com]
[rwhois.oc3networks.com]
%rwhois V-1.0,V-1.5:00090h:00 manage.quadranet.com (Ubersmith RWhois Server V-2.3.0)
autharea=173.254.216.0/24
xautharea=173.254.216.0/24
network:Class-Name:network
network:Auth-Area:173.254.216.0/24
network:ID:NET-30524.173.254.216.32/27
network:Network-Name:Public Network IP Range
network:IP-Network:173.254.216.32/27
network:IP-Network-Block:173.254.216.32 - 173.254.216.63
network:Org-Name:Mi Casa Verde
network:Street-Address:530 West 6th St
network:City:Los Angeles
network:State:CA
network:Postal-Code:90014
network:Country-Code:US
network:Tech-Contact:MAINT-30524.173.254.216.32/27
network:Created:20110906220216000
network:Updated:20110906220216000
contact:POC-Email:admin@micasaverde.com
I expect to see these types of port scans from China and other foreign countries attempting industrial espionage, but not from MCV.
I’m also running Vera Alerts. I am wondering if that plays a role. I will see for a few days if the scans occur when Vera triggers an alert that gets sent through Vera Alerts.
I am not making an accusation, I am simply trying to understand what is happening. Can someone shed some light?
Thanks.
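One check a defender can run over the firewall log before treating this as a scan, added here as an example and not code from the post or the forum: it groups entries by source address and tests whether a source keeps a single well-known source port (443) while the destination ports are spread across the ephemeral range, which is the pattern a firewall logs when late packets from an outbound HTTPS session arrive after its NAT/state entry has expired, as opposed to a probe that walks low, well-known service ports from changing source ports. The log format, the LAN host 10.0.0.20 and the second source 198.51.100.7 are constructed for the example; the MCV address and the destination ports are the ones quoted in the post.

```python
# Constructed firewall log lines, "src:sport -> dst:dport proto" (not the
# poster's real format). The MCV address and destination ports come from the
# post; 10.0.0.20 (LAN host) and 198.51.100.7 (second source) are made up.
LOG_LINES = """\
173.254.216.50:443 -> 10.0.0.20:39502 TCP
173.254.216.50:443 -> 10.0.0.20:17206 TCP
173.254.216.50:443 -> 10.0.0.20:17733 TCP
173.254.216.50:443 -> 10.0.0.20:35381 TCP
173.254.216.50:443 -> 10.0.0.20:6000 TCP
198.51.100.7:52113 -> 10.0.0.20:22 TCP
198.51.100.7:52114 -> 10.0.0.20:23 TCP
198.51.100.7:52115 -> 10.0.0.20:80 TCP
198.51.100.7:52116 -> 10.0.0.20:443 TCP
198.51.100.7:52117 -> 10.0.0.20:3389 TCP
"""

EPHEMERAL_MIN = 1024  # every common OS ephemeral range starts at or above this


def parse_line(line):
    """Split one log line into (src_ip, src_port, dst_ip, dst_port, proto)."""
    src, _, dst, proto = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return sip, int(sport), dip, int(dport), proto


def classify_source(records):
    """Label the traffic seen from one source IP.

    One fixed well-known *source* port with destinations spread over the
    ephemeral range is what a firewall logs when late packets from an
    outbound HTTPS session arrive after the NAT/state entry expired.
    A service probe usually looks the opposite: changing ephemeral
    source ports aimed at low, well-known destination ports.
    """
    sports = {r[1] for r in records}
    dports = [r[3] for r in records]
    frac_high = sum(p >= EPHEMERAL_MIN for p in dports) / len(dports)
    if len(sports) == 1 and min(sports) < EPHEMERAL_MIN and frac_high >= 0.9:
        return "likely stray replies to outbound connections"
    if frac_high < 0.5:
        return "likely service scan"
    return "unclear"


def classify_log(text):
    """Group parsed lines by source IP and return {source_ip: label}."""
    by_src = {}
    for line in text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_src.setdefault(rec[0], []).append(rec)
    return {sip: classify_source(recs) for sip, recs in by_src.items()}
```

If the MCV entries come out as stray replies, correlating their timestamps with the Vera's outbound connections to that address would confirm it; a real scan would show up as the second label.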