Security Incidents mailing list archives
Re: very strange scan patterns
From: ejovi () EJOVI NET (Ejovi Nuwere)
Date: Wed, 7 Jun 2000 10:02:30 -0400
Most routers/firewalls will prevent spoofing of internal addresses coming from an external interface. Since if seems to be coming from two or three specific machines I wouldn't rule out the idea of those machines having been comprised. What do the probing machines have in common? Same os? Same switch? e.
It looks like a probe (perhaps using nmap with the -sS option to spoof the source address) - port 23 gets noticed sinced it's obviously wrappered. Unless it is some sort of host "bouncing/reflecting" from the real attacker to hosts "ourdomain" back to hosts to magpie and kefti. Can anyone explain this apparent activity or know the signature for this attack? Thanks Joe
Current thread:
- Re: Port-scans from visited web-sites?, (continued)
- Re: Port-scans from visited web-sites? Joe McAlerney (Jun 08)
- Re: Port-scans from visited web-sites? Greg A. Woods (Jun 08)
- Re: Port-scans from visited web-sites? Erich Meier (Jun 10)
- scan log Max Gribov (Jun 11)
- Re: scan log Jason Witty (Jun 12)
- FW-1 log analysis tool Chew Poh Chang (CAPL) (Jun 08)
- Re: FW-1 log analysis tool Lance Spitzner (Jun 10)
- Re: FW-1 log analysis tool Kenneth Ish (Jun 11)
- port 12345 scanning Luke Dudney (Jun 11)
- Protocol 54 M J (Jun 07)
- Re: very strange scan patterns Ejovi Nuwere (Jun 07)
- hacked @home with logs and info.. nmorgowicz () RALCOIND COM (Jun 07)
- Re: hacked @home with logs and info.. Shadow Boxer (Jun 08)
- UDP Port 2078 Dundo (Jun 08)
- New KAK worm distribution out Roy Wilson (Jun 08)
- Re: hacked @home with logs and info.. Randy Mclean (Jun 09)
- Re: Microsoft version.binding us now? Bill Marquette (Jun 24)