Security Incidents mailing list archives

Re: What's going on here?

From: <wykkyd () ziplip com>
Date: 26 Aug 2002 20:24:22 -0000

In-Reply-To: <C2DC75EEA405354AA9C03EF5CB8CDE080AC912 () EXCHANGE xpert com>


FWIN,2002/08/23,18:47:42 -4:00 
GMT,10.60.1.102:80,xxx.xx.96.7:9176,TCP (flags:S)
FWIN,2002/08/23,18:47:42 -4:00 
GMT,10.10.2.105:80,xxx.xx.96.7:13682,TCP (flags:S)


Someone is scanning a victim that's in reserved address-space,
giving your address as decoy.

see:
http://www.rootshell.be/~helevius/nid_3pe_v101.pdf

Regards,
Yonatan.


No, if that was the case, they would have been SYN-ACK (or RST) packets, 
which they are not indicated as being.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

What's going on here? Jackie (Aug 26)
- <Possible follow-ups>
- RE: What's going on here? Yonatan Bokovza (Aug 26)
  - RE: What's going on here? Russell Fulton (Aug 27)
    - RE: What's going on here? Hugo van der Kooij (Aug 28)
    - Re: What's going on here? Mark (Aug 28)
- RE: What's going on here? NESTING, DAVID M (SBCSI) (Aug 26)
- Re: What's going on here? wykkyd (Aug 26)
- Re: What's going on here? wykkyd (Aug 29)