Security Incidents mailing list archives
Re: more info on ramen.tgz
From: "Nathan W. Lindstrom" <nlindstrom () ENSIM COM>
Date: Wed, 17 Jan 2001 16:13:02 -0800
I glanced through the source code for the synscan program awhile back, and if I recollect correctly, it is somehow using www.microsoft.de as a scan list delimiter, a sort of string NUL for the list of IP addresses that it scans. Bear in mind that I'm only remembering it, I could be wrong. Odd behavior, yes; there was the comment of /* Greetz to Bob */ or somesuch right above the line that sends the data to www.microsoft.de. No idea why though.... --Nathan outcast wrote:
that is realy odd 212.184.80.190 goes to microsoft's germany website. On Wed, 17 Jan 2001, Jeffrey F. Lawhorn wrote:One more thing I've noticed about the synscan in the ramen.tgz, it sends a TCP packet to 212.184.80.190 port 80 from port 31337 after it finishes scanning each /16. Unfortunately I was unable to capture any of the actual packets. Did anyone else manage to capture one of these packets? jeffl -- Jeffrey F. Lawhorn |Internet Security Consulting Software Design Associates, Inc. |IDS Monitoring/Reporting jeffl () wanet net 619-679-5900 voice |Expunge Intruders http://www.wanet.net/ 619-679-2327 fax | Finger jeffl () wanet net for PGP Public Key. Insist on Quality! WANet.Net is an ISP/C Member - http://www.ispc.org/
Current thread:
- more info on ramen.tgz Jeffrey F. Lawhorn (Jan 17)
- Re: more info on ramen.tgz Joe Stewart (Jan 17)
- Re: more info on ramen.tgz outcast (Jan 17)
- Re: more info on ramen.tgz Nathan W. Lindstrom (Jan 17)
- Re: more info on ramen.tgz Daniel Martin (Jan 17)
- Re: more info on ramen.tgz dor (Jan 17)
- Re: more info on ramen.tgz Russell Fulton (Jan 17)
- <Possible follow-ups>
- Re: more info on ramen.tgz Russell Fulton (Jan 17)