RE: What's going on here?

[Hugo van der Kooij <hvdkooij () vanderkooij org>]

On 27 Aug 2002, Russell Fulton wrote:

> On Tue, 2002-08-27 at 03:54, Yonatan Bokovza wrote:
> > > -----Original Message-----
> > > From: Jackie [mailto:JackieJ () Syllables com]
> > > Sent: Saturday, August 24, 2002 02:57
> > > To: incidents () securityfocus com
> > > Subject: What's going on here?
> > >
> > >
> > > ZoneAlarm reported this burst, all from port 80 on a reserved IP
> > > block. What the honk's going on?
> > >
> > >
> > > FWIN,2002/08/23,18:47:42 -4:00 
> > > GMT,10.60.1.102:80,xxx.xx.96.7:9176,TCP (flags:S)
> > > FWIN,2002/08/23,18:47:42 -4:00 
> > > GMT,10.10.2.105:80,xxx.xx.96.7:13682,TCP (flags:S)
> >
> > Someone is scanning a victim that's in reserved address-space,
> > giving your address as decoy.

I noticed similar light weight "scans" on a customer network.

Part of them were sites trying to push data to the client after the client 
stopped their session. (long live those aggressive banner pushers.)

I was not able to get a detailed trace for further investigation.

Hugo.

-- 
All email send to me is bound to the rules described on my homepage.
    hvdkooij () vanderkooij org         http://hvdkooij.xs4all.nl/
            Don't meddle in the affairs of sysadmins,
            for they are subtle and quick to anger.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com