Security Incidents mailing list archives
Re: I am popular today...
From: viha () CRYPTLINK NET (Ville)
Date: Sat, 29 Apr 2000 14:39:23 +0300
On Fri, 28 Apr 2000, Dirk Koopman wrote:
> Are ALL these people _really_ interested in the response time of my class C? Or is this some kind of (pointless) DoS? Has one of hidden M$ machines been acquired by some trojan?
>
> Are you one of these?
None of ours, but the lot of them do seem like quite innocent average Windows boxen. Were all of the pings targeted at one IP or do you host a bunch of virtual domains? If you do, you could _occasionally_ see pings done by clients using 'efficient downloading' software that check for site availability. It could be interesting if you contacted one of those domains and asked them to query the customer to run the latest anti-virus s/w.

Is it continuous, or did you only see it as a one-time happening? It could also be a really small DDoS network only forming (or spreading, if it happens to be a trojan) now. Though, if none of your customers do IRC or anything overly interactive, I see no reason they would bother trying to flood your box.

You might also want to dump those raw packets to see if they contain any known patterns or sequences - some IDS might already have a signature to match them.

--
Ville(viha () cryptlink net, 'Cryptlink Networking);
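As an added example (not part of the original post): one way to triage dumped echo requests along the lines suggested above, labelling each payload by the stock ping client that would produce it and counting how many distinct addresses were targeted. The function names, the payload heuristics and the sample packets are assumptions constructed for illustration.

```python
import socket
import struct
from collections import Counter

WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32-byte default of Windows ping.exe

def parse_echo_request(pkt: bytes):
    """Return (src, dst, payload) for an IPv4 ICMP echo request, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 1 or len(pkt) < ihl + 8:  # protocol 1 = ICMP
        return None
    if pkt[ihl] != 8 or pkt[ihl + 1] != 0:  # type 8, code 0 = echo request
        return None
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    return src, dst, pkt[ihl + 8:]

def classify_payload(payload: bytes) -> str:
    """Label a payload by the stock ping client that would produce it (heuristic)."""
    if payload == WINDOWS_PING:
        return "windows-default"
    for ts_len in (8, 16):  # common Unix ping: timestamp, then byte value == byte offset
        tail = payload[ts_len:]
        if len(tail) >= 8 and all(b == (ts_len + i) & 0xFF for i, b in enumerate(tail)):
            return "unix-default"
    return "unrecognised"

def summarise(packets):
    """Count payload labels and collect distinct targets across captured packets."""
    labels, targets = Counter(), set()
    for pkt in packets:
        parsed = parse_echo_request(pkt)
        if parsed:
            labels[classify_payload(parsed[2])] += 1
            targets.add(parsed[1])
    return labels, targets

def build_echo(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed test packet (checksums left at zero; the parser ignores them)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 128, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + icmp

SAMPLE = [  # constructed packets using documentation address ranges
    build_echo("198.51.100.7", "192.0.2.10", WINDOWS_PING),
    build_echo("198.51.100.9", "192.0.2.10", WINDOWS_PING),
    build_echo("203.0.113.5", "192.0.2.10", bytes(8) + bytes(range(8, 56))),
    build_echo("203.0.113.6", "192.0.2.11", b"\x00" * 1024),
]
```

Packets labelled "unrecognised" are the ones worth comparing against IDS signatures; the stock-client labels are consistent with ordinary availability checks.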