Security Incidents mailing list archives

Re: more info on ramen.tgz


From: "Nathan W. Lindstrom" <nlindstrom () ENSIM COM>
Date: Wed, 17 Jan 2001 16:13:02 -0800

I glanced through the source code for the synscan program awhile back, and if I recollect correctly,
it is somehow using www.microsoft.de as a scan list delimiter, a sort of string NUL for the list of
IP addresses that it scans.  Bear in mind that I'm only remembering it, I could be wrong.  Odd
behavior, yes; there was the comment of /* Greetz to Bob */ or somesuch right above the line that
sends the data to www.microsoft.de.  No idea why though....

--Nathan



outcast wrote:

That is really odd: 212.184.80.190 goes to Microsoft's Germany website.

On Wed, 17 Jan 2001, Jeffrey F. Lawhorn wrote:

One more thing I've noticed about the synscan in the ramen.tgz, it sends a TCP
packet to 212.184.80.190 port 80 from port 31337 after it finishes scanning
each /16.

Unfortunately I was unable to capture any of the actual packets.  Did anyone
else manage to capture one of these packets?

jeffl


--
Jeffrey F. Lawhorn                       |Internet Security Consulting
Software Design Associates, Inc.         |IDS Monitoring/Reporting
jeffl () wanet net       619-679-5900 voice |Expunge Intruders
http://www.wanet.net/ 619-679-2327 fax   |
Finger jeffl () wanet net for PGP Public Key.

Insist on Quality! WANet.Net is an ISP/C Member - http://www.ispc.org/
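
An added detection example, not part of the original messages: it flags packets from source port 31337 to 212.184.80.190 port 80, as reported in the thread, and lists the /16 networks the same source sent SYNs into beforehand. The record format, the sample data, the function names and the `min_targets` threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Indicator values as reported in the thread above.
BEACON_DST, BEACON_DPORT, BEACON_SPORT = "212.184.80.190", 80, 31337

# Constructed sample records (not a real capture), one packet per line:
# "epoch src sport dst dport tcp_flags". Target port 21 is arbitrary.
SAMPLE = """\
979776001 10.1.1.5 40001 198.18.0.1 21 S
979776002 10.1.1.5 40002 198.18.0.2 21 S
979776003 10.1.1.5 40003 198.18.1.7 21 S
979776004 10.1.1.5 40004 198.18.255.254 21 S
979776010 10.1.1.5 31337 212.184.80.190 80 S
979776011 10.1.1.9 40222 212.184.80.190 80 S
979776012 10.1.1.9 31337 203.0.113.10 80 S
979776013 10.1.1.5 40005 198.19.0.1 21 S
979776014 10.1.1.5 40006 198.19.0.2 21 S
979776015 10.1.1.5 40007 198.19.0.3 21 S
979776020 10.1.1.5 31337 212.184.80.190 80 S
"""

def slash16(ip):
    """Return the /16 network containing ip, e.g. '198.18.0.0/16'."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))

def find_beacons(records, min_targets=3):
    """Return (src, epoch, {net16: distinct SYN targets}) per beacon packet.

    The dict lists the /16s the same source swept since its previous beacon;
    an empty dict means the beacon tuple matched with no sweep seen before it.
    """
    seen = defaultdict(lambda: defaultdict(set))  # src -> /16 -> target hosts
    hits = []
    for line in records.strip().splitlines():
        ts, src, sport, dst, dport, flags = line.split()
        if (dst, int(dport), int(sport)) == (BEACON_DST, BEACON_DPORT, BEACON_SPORT):
            swept = {n: len(h) for n, h in seen[src].items() if len(h) >= min_targets}
            hits.append((src, int(ts), swept))
            seen[src].clear()  # start counting the next /16
        elif flags == "S":
            seen[src][slash16(dst)].add(dst)
    return hits

if __name__ == "__main__":
    for src, ts, swept in find_beacons(SAMPLE):
        print(f"{ts} {src} beacon to {BEACON_DST}:{BEACON_DPORT} after sweeping {swept}")
```

Ordinary web traffic to the same address from an ephemeral port, and port 31337 traffic to other hosts, are both ignored; only the full tuple from the thread is matched.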




