Yes. The first time that happened to me, the source IP address was a competitor, and I was UnAmused. It's since happened a handful more times, and when I tend to contact the administrators of those networks, they tend to be helpful, and I haven't seen too many repeats. The competitor initially blamed it on a sales person who had misconfigured HP Openview on their laptop, and had attempted to scan the entire 208.0.0.0 network. The second time, it was blamed on a buggy Windows driver for a PCMCIA NIC card (3Com I think). Source ports tended to be low, in the 1027-1035 range you describe. Then I saw it a couple more times from totally different locations. I've also seen it come from 10.0.2.71, port 1047. I figure there's not a lot I can do about that one. I tried a traceroute, but that got me nowhere. :) On Thu, 21 May 1998, Max Euston wrote: > Hello, > Has anyone seen this before? I have been getting UDP (161/SNMP) port > scans across my 205.247.224/24 (from .255 to .[012]?) repeatedly from > certain IP #s. The most recent events happened 6 times over the past 5 > days (all from the same IP). The user of that IP has a laptop w/ > Win-95(B?) running FrontPage-98 and IE-4.01; they also have > AOL-(something), Office-97, Outlook-98, Project-98. Although they use DHCP > (in a Win-95/Win-NT shop), it seems that this machine has always gotten the > same IP#. The user seems to have been using the machine during each scan. > The UDP source port seems to stay in the range 1030-1035 (for this and > previous scans from other locations). I don't have a dump of the incomming > packets, just a log that they were dropped. > > Any info greatly appreciated. > > Thanks, > > Max > --- > Max Euston <meustonat_private> > > ----- Dodge dodgeat_private PGP key available upon request
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:59:47 PDT