Security Incidents mailing list archives
Re: Strange DNS/TCP activity
From: asmodeus () BENSHAW COM (Asmodeus)
Date: Thu, 27 Jan 2000 11:15:08 -0500
On Wed, 26 Jan 2000, Pavel Kankovsky wrote:
Our nameservers have been a subject of suspicious probes (?) aimed at TCP port 53 recently. Here is a genuine tcpdump transcript of one of the probes (line-wrapped for better readability):
<snip>
A server I administrate has received the same probes for months now. Always from 3 increasing ports; the first port number is always rounded to the nearest hundred (as in 2900,2901,2902; 2800,2801,2802, etc.). There seem to be a number of machines in a single class C which are doing it, and several which are from other IP blocks. IIRC, I received no response from the whois-obtained contacts.
.Shawn
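The pattern reported in this message (three consecutive source ports, the first a multiple of 100, aimed at TCP port 53) can be searched for in tcpdump text output. The following is an added example, not part of the original post: the sample lines are constructed, the addresses come from documentation ranges, and reading "rounded to the nearest hundred" as "a multiple of 100" is an assumption.

```python
import re
from collections import defaultdict

# Matches "src_ip.src_port > dst_ip.dst_port:" in tcpdump text output.
FLOW = re.compile(r"(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")

# Constructed sample lines (documentation address ranges), not real captures.
SAMPLE = """\
11:02:14.101 198.51.100.7.2900 > 192.0.2.53.53: S 1:1(0) win 8192
11:02:14.102 198.51.100.7.2901 > 192.0.2.53.53: S 2:2(0) win 8192
11:02:14.104 198.51.100.7.2902 > 192.0.2.53.53: S 3:3(0) win 8192
11:05:40.310 198.51.100.22.2800 > 192.0.2.53.53: S 4:4(0) win 8192
11:05:40.311 198.51.100.22.2801 > 192.0.2.53.53: S 5:5(0) win 8192
11:05:40.313 198.51.100.22.2802 > 192.0.2.53.53: S 6:6(0) win 8192
11:07:01.000 203.0.113.9.41873 > 192.0.2.53.53: S 7:7(0) win 16384
11:07:02.500 203.0.113.9.1024 > 192.0.2.25.25: S 8:8(0) win 16384
"""

def find_triplets(text, dst_port=53, run=3, step=100):
    """Return {(src_ip, dst_ip): [first_port, ...]} for each run of `run`
    consecutive source ports whose first port is a multiple of `step`."""
    ports = defaultdict(set)
    for line in text.splitlines():
        m = FLOW.search(line)
        if m and int(m.group(4)) == dst_port:
            ports[(m.group(1), m.group(3))].add(int(m.group(2)))
    hits = {}
    for pair, seen in ports.items():
        starts = sorted(p for p in seen if p % step == 0
                        and all(p + i in seen for i in range(run)))
        if starts:
            hits[pair] = starts
    return hits

def by_class_c(hits):
    """Group flagged sources by /24, since the post notes that several of
    the probing hosts shared one class C."""
    nets = defaultdict(set)
    for (src, _dst) in hits:
        nets[src.rsplit(".", 1)[0] + ".0/24"].add(src)
    return {net: sorted(srcs) for net, srcs in nets.items()}

if __name__ == "__main__":
    hits = find_triplets(SAMPLE)
    for (src, dst), starts in sorted(hits.items()):
        print(f"{src} -> {dst}:53 triplet(s) starting at {starts}")
    print(by_class_c(hits))
```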