> determine what type of scans these are. I assume it is one of the
> various recent Linux worms.
>

Quite right. This is also the reason for the increase in 53/udp scans (for the current bind exploits) and 515/tcp (RedHat 7.0 lpd exploit). As far as I know, Ramen and Lion use these exploits to spread. So if you receive these scans, there's probably not directly a malevolent human behind it, but it's an infected Linux box trying to spread the word.

As for Ramen I could say the integrated scan tool is probably synscan by psychoid; these packets can easily be identified, for they all have src port == dest port, ID == 39426 and window size of 0x404.

When I get those scans and I have the necessary time, I check whether the originating host has really been cracked and then try to contact the tech contact whois tells me.

Cheers, Jan

--
Radio HUNDERT,6 Medien GmbH Berlin
- EDV -
j.muentherat_private
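A check for the packet signature given in the message above (source port equal to destination port, IP ID 39426, window size 0x404), as an added example that is not part of the original post. The function names and the sample packets are constructed for illustration, and requiring the SYN flag is an assumption drawn from the tool's name.

```python
import socket
import struct

# Signature values as stated in the message above.
SYNSCAN_IP_ID = 39426
SYNSCAN_WINDOW = 0x404

def match_synscan(packet: bytes) -> bool:
    """True if a raw IPv4 packet is a TCP SYN carrying the three stated fields."""
    if len(packet) < 20:
        return False
    ver_ihl, _tos, _len, ip_id, frag, _ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    ihl = (ver_ihl & 0x0F) * 4
    # IPv4 only, TCP only, and first fragment only (later fragments lack a TCP header).
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != 6 or frag & 0x1FFF:
        return False
    tcp = packet[ihl:ihl + 16]
    if len(tcp) < 16:
        return False
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp)
    syn_set = bool(off_flags & 0x02)  # assumption: the scanner sends SYN probes
    return (syn_set and sport == dport
            and ip_id == SYNSCAN_IP_ID and window == SYNSCAN_WINDOW)

def flag_sources(packets):
    """Source addresses of all packets matching the signature, de-duplicated."""
    return sorted({socket.inet_ntoa(p[12:16]) for p in packets if match_synscan(p)})

def build_packet(src, ip_id, sport, dport, window, flags=0x02):
    """Constructed test packet: 20-byte IPv4 header + 20-byte TCP header, checksums zeroed."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton("198.51.100.5"))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, window, 0, 0)
    return ip + tcp

# Constructed samples (documentation address ranges), not captured traffic.
SAMPLES = [
    build_packet("192.0.2.10", 39426, 515, 515, 0x404),    # all three fields match
    build_packet("192.0.2.20", 1234, 40000, 515, 5840),    # ordinary client SYN
    build_packet("192.0.2.30", 100, 21, 21, 0x404),        # ports and window only
    build_packet("192.0.2.40", 39426, 515, 515, 0x404, flags=0x12),  # SYN/ACK still has SYN set
    build_packet("192.0.2.50", 39426, 515, 515, 0x404, flags=0x10),  # ACK only
]

if __name__ == "__main__":
    for addr in flag_sources(SAMPLES):
        print("possible synscan source:", addr)
```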
This archive was generated by hypermail 2b30 : Fri Apr 20 2001 - 09:41:40 PDT