Re: Spoofed scans

From: James (jamesh@cybermesa.com)
Date: 01/07/02


From: "James" <jamesh@cybermesa.com>
To: <incidents@securityfocus.com>
Date: Sun, 6 Jan 2002 17:47:07 -0700

Capture the data link layer and get the hardware address. Perhaps this will
indicate the true IP.

"Ask the plants of the earth and they will teach you." Job 12:8

----- Original Message -----
From: "Richard Arends" <richard@unixguru.nl>
To: <incidents@securityfocus.com>
Sent: Sunday, January 06, 2002 4:41 AM
Subject: Spoofed scans

> Hello,
>
> Last couple of weeks I'm getting more and more spoofed scans on my
> firewall. All scans are ICMP or port 53 (domain). Mostly 'they' first send
> a few ICMP packets and then a scan for port 53 trying to do a reverse
> lookup for my IP.
>
> Are there more seeing this type of scans and is there a way to subtract
> the real scanner (IP) from the list of IPs?
>
> Greetings,
>
> Richard.
>
> ----
> An OS is like swiss cheese, the bigger it is, the more holes you get!
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
>

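Added example, not part of the original messages: a Python sketch of the suggestion above that reads the data link header of each captured frame and groups the claimed source IPs by source hardware address. The frames, MAC addresses and IP addresses are constructed for illustration; the source MAC is that of the last layer-2 hop, so for traffic arriving from another network it is the upstream router's address.

```python
import struct
from collections import defaultdict

def parse_frame(frame):
    """Return (src_mac, src_ip, ip_proto, dst_port) for Ethernet II/IPv4, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                      # too short, or not IPv4
    ihl = (frame[14] & 0x0F) * 4         # IP header length in bytes
    if ihl < 20 or len(frame) < 14 + ihl:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    src_ip = ".".join(str(b) for b in frame[26:30])
    proto, l4, dport = frame[23], 14 + ihl, None
    if proto in (6, 17) and len(frame) >= l4 + 4:   # TCP/UDP carry ports
        dport = struct.unpack("!H", frame[l4 + 2:l4 + 4])[0]
    return src_mac, src_ip, proto, dport

def sources_per_mac(frames):
    """Map each source hardware address to the set of source IPs it delivered."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed:
            seen[parsed[0]].add(parsed[1])
    return dict(seen)

def build_frame(src_mac, src_ip, proto, dport=0):
    """Constructed input only: minimal frame to 192.0.2.10, checksums left zero."""
    eth = bytes.fromhex("020000000001" + src_mac.replace(":", "") + "0800")
    l4 = struct.pack("!HHHH", 40000, dport, 8, 0) if proto == 17 else bytes([8]) + bytes(7)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes([192, 0, 2, 10]))
    return eth + ip + l4

# Constructed capture: ICMP echo then UDP/53 from several claimed sources.
SAMPLE = [
    build_frame("02:00:00:00:00:aa", "198.51.100.7", 1),
    build_frame("02:00:00:00:00:aa", "198.51.100.7", 17, 53),
    build_frame("02:00:00:00:00:aa", "203.0.113.9", 17, 53),
    build_frame("02:00:00:00:00:aa", "198.51.100.200", 1),
    build_frame("02:00:00:00:00:bb", "192.0.2.20", 17, 53),
]

if __name__ == "__main__":
    for mac, ips in sorted(sources_per_mac(SAMPLE).items()):
        print(mac, len(ips), sorted(ips))
```

A single hardware address delivering many unrelated source IPs is either the gateway or one local host claiming several addresses.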


