Security Incidents mailing list archives
RE: What's going on here?
From: Russell Fulton <r.fulton () auckland ac nz>
Date: 27 Aug 2002 14:57:38 +1200
On Tue, 2002-08-27 at 03:54, Yonatan Bokovza wrote:
-----Original Message----- From: Jackie [mailto:JackieJ () Syllables com] Sent: Saturday, August 24, 2002 02:57 To: incidents () securityfocus com Subject: What's going on here? ZoneAlarm reported this burst, all from port 80 on a reserved IP block. What the honk's going on? FWIN,2002/08/23,18:47:42 -4:00 GMT,10.60.1.102:80,xxx.xx.96.7:9176,TCP (flags:S) FWIN,2002/08/23,18:47:42 -4:00 GMT,10.10.2.105:80,xxx.xx.96.7:13682,TCP (flags:S)Someone is scanning a victim that's in reserved address-space, giving your address as decoy.
Ummm... I don't think so, in that case the flags would be SA not S. These appear to be SYN packets sent from port 80 to random port numbers. -- Russell Fulton, Computer and Network Security Officer The University of Auckland, New Zealand "It aint necessarily so" - Gershwin ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- What's going on here? Jackie (Aug 26)
- <Possible follow-ups>
- RE: What's going on here? Yonatan Bokovza (Aug 26)
- RE: What's going on here? Russell Fulton (Aug 27)
- RE: What's going on here? Hugo van der Kooij (Aug 28)
- Re: What's going on here? Mark (Aug 28)
- RE: What's going on here? Russell Fulton (Aug 27)
- RE: What's going on here? NESTING, DAVID M (SBCSI) (Aug 26)
- Re: What's going on here? wykkyd (Aug 26)
- Re: What's going on here? wykkyd (Aug 29)