RE: What's going on here?

From: Hugo van der Kooij (hvdkooij@vanderkooij.org)
Date: 08/27/02

Previous message: YAO,TONY (HP-NewZealand,ex1): "RE: Trojan? DDOS Bot?"
In reply to: Russell Fulton: "RE: What's going on here?"
Next in thread: Mark: "Re: What's going on here?"
Next in thread: wykkyd@ziplip.com: "Re: What's going on here?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 27 Aug 2002 22:33:46 +0200 (CEST)
From: Hugo van der Kooij <hvdkooij@vanderkooij.org>
To: "'incidents@securityfocus.com'" <incidents@securityfocus.com>

On 27 Aug 2002, Russell Fulton wrote:

> On Tue, 2002-08-27 at 03:54, Yonatan Bokovza wrote:
> > > -----Original Message-----
> > > From: Jackie [mailto:JackieJ@Syllables.com]
> > > Sent: Saturday, August 24, 2002 02:57
> > > To: incidents@securityfocus.com
> > > Subject: What's going on here?
> > >
> > >
> > > ZoneAlarm reported this burst, all from port 80 on a reserved IP
> > > block. What the honk's going on?
> > >
> > >
> > > FWIN,2002/08/23,18:47:42 -4:00
> > > GMT,10.60.1.102:80,xxx.xx.96.7:9176,TCP (flags:S)
> > > FWIN,2002/08/23,18:47:42 -4:00
> > > GMT,10.10.2.105:80,xxx.xx.96.7:13682,TCP (flags:S)
> >
> > Someone is scanning a victim that's in reserved address-space,
> > giving your address as decoy.

I noticed similar light weight "scans" on a customer network.

Part of them were sites trying to push data to the client after the client
stopped their session. (long live those aggressive banner pushers.)

I was not able to get a detailed trace for further investigation.

Hugo.

-- All email send to me is bound to the rules described on my homepage. hvdkooij@vanderkooij.org http://hvdkooij.xs4all.nl/ Don't meddle in the affairs of sysadmins, for they are subtle and quick to anger.

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Previous message: YAO,TONY (HP-NewZealand,ex1): "RE: Trojan? DDOS Bot?"
In reply to: Russell Fulton: "RE: What's going on here?"
Next in thread: Mark: "Re: What's going on here?"
Next in thread: wykkyd@ziplip.com: "Re: What's going on here?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: OE Version.
... I've seen the same error message occur if the msn account is a legacy pop3 account when using the incorrect server. ... you should disable e-mail scanning. ... Antivirus software can make about the same thing ... :>> your mail client and the incoming data, ...
(microsoft.public.windows.inetexplorer.ie6_outlookexpress)
Re: OE Version.
... scanning has also been responsible for wiping out entire dbx files. ... Turn of NAV email scanning. ... "Your server has unexpectedly terminated the connection. ... your mail client and the incoming data, ...
(microsoft.public.windows.inetexplorer.ie6_outlookexpress)
Re: OE Version.
... I've seen the same error message occur if the msn account is a legacy pop3 account when using the incorrect server. ... scanning has also been responsible for wiping out entire dbx files. ... Antivirus software can make about the same thing ... :>> your mail client and the incoming data, ...
(microsoft.public.windows.inetexplorer.ie6_outlookexpress)
Re: Web Application and Windows Application working together
... of the application is a scanning facility to allow users to scan documents ... a file containing Customer data would be saved to ... client PC ... server* and your cicle is reduced to this: ...
(microsoft.public.dotnet.languages.vb)
Re: The item is currently being scanned for viruses. Try again in a few moments. Outlook Error
... Perhaps an updated scanning engine on the client or server? ... I know is that if you have an Exchange AV solution in place, ...
(microsoft.public.exchange.admin)