Security Incidents mailing list archives
Re: Interesting scan
From: Dave Booth <dbooth () CARLSON COM>
Date: Tue, 20 Feb 2001 09:22:52 -0600
Yoann LeCorvic wrote: > I don't know what he is looking for... Could also be a DOS Attempt, > but I have never heard/seen this before. What you should try to do > is to get a packet trace of one of these scans, and check the > contents. As it's telnet, an IMAP, he may just try to get the > password or things like that... I've already got a tcpdump running in the background on that box looking for telnet and imap packets. Nothing yet which doesnt surprise me since its a fairly infrequent scan but if I get anything it will come to the list. > ... he isu sing an automated tool that scans for IP Addresses > sequentially, yes, its clearly a sequential scan and its doing "something" to my dsl router too since those "get_ip_mtu returned zero" errors are syslog messages from my cisco 675 and only appear coincident with this scan pattern. Its odd because like yourself I've not seen this pattern in all my years of running firewalls, hence the initial posting. -- Dave Booth, CWT-IT dbooth () carlson com +---------------------------------------------------+ | Catapultam habeo. Nisi pecuniam omnem mihi dabis, | | ad caput tuum saxum immane mittam. | +---------------------------------------------------+
Current thread:
- Interesting scan Booth, David CWT-MSP (Feb 19)
- <Possible follow-ups>
- Re: Interesting scan Dave Booth (Feb 20)
- Re: Interesting scan Brian Engle (Feb 20)
- Interesting scan Bruce Parkinson (Feb 27)
- Re: Interesting scan Daniel Martin (Feb 27)