JK, > Does anyone have any idea what would cause a scan to originate from port 53 > on an IRIX based server and destined for users on incrementing ports > starting in the 1000 range and continuing, in cases, to 4000 range. the attacker might be expecting that your ACL / packetfilter accepts/passes all packets originating from 53 UDP (DNS-lookups). This is often the case on insecure packet-filter installations. > 2000/09/14,09:21:48 -5:00 GMT, > Server.IP.Address:53,Client.IP.Address:1038,UDP With kind regards, Maarten Van Horenbeeck OS2 & Unix System Administrator http://www.daemon.be maartenat_private
This archive was generated by hypermail 2b30 : Wed May 16 2001 - 15:25:58 PDT