Re: non-routable Scan?

From: Anders Thulin (Anders.X.Thulinat_private)
Date: Wed Apr 18 2001 - 23:30:49 PDT

  • Next message: Chris Arnold: "Re: Increase in Sun RPC Scans"

    Curley Mr Eric P wrote:
    
    > Could it be a scan for reconnaissance purposes.  Is it a type of
    > OS-fingerprinting.
    
      Some remote exploits are done that way: first do the exploit, but use
    a bogus src address, as you don't want to be traced, and don't expect a reply
    anyway. If the exploit starts an xterm, you'll get feedback about
    success status anyhow. If it adds a user login or opens a backdoor,
    that's tested from somewhere else.
    
      Did you have any other unusual traffic, but with legitimate
    src address this time? It might be attempts to verify the
    exploit.
    
     I assume that the firewall stopped the packets -- if not, you
    might want to check for unsual connections from inside your net to
    somewhere outside it -- such as X connections, for instance.
    
      The best way to check is, of course, to inspect the actual packets
    to see if they seem legit or not.
    
    --
    Anders Thulin     Anders.X.Thulinat_private     040-661 50 63
    Telia ProSoft AB, Carlsgatan 6, SE-201 20 Malmö, Sweden
    



    This archive was generated by hypermail 2b30 : Thu Apr 19 2001 - 07:51:38 PDT