RE: What's going on here?

From: Yonatan Bokovza (Yonatan@xpert.com)
Date: 08/26/02


From: Yonatan Bokovza <Yonatan@xpert.com>
To: 'Jackie' <JackieJ@Syllables.com>, "'incidents@securityfocus.com'" <incidents@securityfocus.com>
Date: Mon, 26 Aug 2002 18:54:06 +0300


> -----Original Message-----
> From: Jackie [mailto:JackieJ@Syllables.com]
> Sent: Saturday, August 24, 2002 02:57
> To: incidents@securityfocus.com
> Subject: What's going on here?
>
>
> ZoneAlarm reported this burst, all from port 80 on a reserved IP
> block. What the honk's going on?
>
>
> FWIN,2002/08/23,18:47:42 -4:00 GMT,10.60.1.102:80,xxx.xx.96.7:9176,TCP (flags:S)
> FWIN,2002/08/23,18:47:42 -4:00 GMT,10.10.2.105:80,xxx.xx.96.7:13682,TCP (flags:S)

Someone is scanning a victim that's in reserved address-space,
giving your address as decoy.

See:
http://www.rootshell.be/~helevius/nid_3pe_v101.pdf

Regards,
Yonatan.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
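
A triage script for the log format quoted in this thread, added here as an example and not part of either post: it rejoins mail-wrapped ZoneAlarm records, parses them, and flags inbound entries whose source address lies in RFC 1918 private space, tallied by source port. The record layout is inferred from the two quoted entries, and the addresses 192.0.2.7 and 198.51.100.23 in the sample are constructed stand-ins.

```python
import ipaddress
import re
from collections import Counter

# Record layout inferred from the two entries quoted in the post:
# FWIN,<date>,<time> <offset> GMT,<src>:<port>,<dst>:<port>,<proto> (flags:<f>)
RECORD_RE = re.compile(
    r"^FWIN,(?P<date>[\d/]+),(?P<time>[\d:]+) (?P<tz>[+-]\d+:\d+) GMT,"
    r"(?P<src>[\d.]+):(?P<sport>\d+),(?P<dst>[^,:]+):(?P<dport>\d+),"
    r"(?P<proto>\w+)(?: \(flags:(?P<flags>\w+)\))?$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the first two records mirror the post (quoted and wrapped
# by a mail client); destination and third source are documentation addresses.
SAMPLE = """\
> FWIN,2002/08/23,18:47:42 -4:00
> GMT,10.60.1.102:80,192.0.2.7:9176,TCP (flags:S)
> FWIN,2002/08/23,18:47:42 -4:00
> GMT,10.10.2.105:80,192.0.2.7:13682,TCP (flags:S)
FWIN,2002/08/23,18:48:10 -4:00 GMT,198.51.100.23:4412,192.0.2.7:445,TCP (flags:S)
"""

def unwrap(text):
    """Strip '>' quoting and rejoin records that were wrapped in transit."""
    records = []
    for line in text.splitlines():
        line = line.lstrip("> ").strip()
        if line.startswith("FWIN,"):
            records.append(line)              # start of a new record
        elif line and records:
            records[-1] += " " + line         # continuation of the previous one
    return records

def parse(record):
    m = RECORD_RE.match(record)
    if not m:
        return None                           # not a well-formed FWIN record
    ev = m.groupdict()                        # dst stays a string (may be redacted)
    try:
        ev["src"] = ipaddress.ip_address(ev["src"])
    except ValueError:
        return None                           # e.g. an octet above 255
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev

def triage(text):
    """Return (events with an RFC 1918 source, count of those per source port)."""
    events = filter(None, map(parse, unwrap(text)))
    flagged = [ev for ev in events if any(ev["src"] in n for n in RFC1918)]
    return flagged, Counter(ev["sport"] for ev in flagged)
```

Calling `triage(SAMPLE)` returns the two 10.x records and a tally of `{80: 2}`; the 198.51.100.23 record is parsed but not flagged.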


