RE: Spoofed scans

From: Bojan Zdrnja (Bojan.Zdrnjaat_private)
Date: Mon Jan 07 2002 - 05:06:23 PST


    Only if the machine is on their subnet, of course. Otherwise he'll get the
    hardware address of his router.
    Can you get us more information about those packets?
    I'm interested to see what kind of scanning they do.
    
    Regards,
    
    Bojan Zdrnja
    
    > -----Original Message-----
    > From: James [mailto:jameshat_private]
    > Sent: 7 January 2002 1:47
    > To: incidentsat_private
    > Subject: Re: Spoofed scans
    >
    >
    > Capture the data link layer and get the hardware address.
    > Perhaps this will indicate the true IP.
    >
    >
    > "Ask the plants of the earth and they will teach you." Job 12:8
    >
    > ----- Original Message -----
    > From: "Richard Arends" <richardat_private>
    > To: <incidentsat_private>
    > Sent: Sunday, January 06, 2002 4:41 AM
    > Subject: Spoofed scans
    >
    >
    > > Hello,
    > >
    > > Last couple of weeks I'm getting more and more spoofed scans on my
    > > firewall. All scans are ICMP or port 53 (domain). Mostly 'they' first
    > > send a few ICMP packets and then a scan for port 53 trying to do a
    > > reverse lookup for my IP.
    > >
    > > Are there more seeing this type of scans and is there a way to
    > > subtract the real scanner (IP) from the list of IPs?
    > >
    > > Greetings,
    > >
    > > Richard.
    > >
    > > ----
    > > An OS is like swiss cheese, the bigger it is, the more holes you get!
    > >
    > >
    > >
    > > ----------------------------------------------------------------------------
    > > This list is provided by the SecurityFocus ARIS analyzer service.
    > > For more information on this free incident handling, management
    > > and tracking system please see: http://aris.securityfocus.com
    > >
    > >
    >
    >
    



    This archive was generated by hypermail 2b30 : Mon Jan 07 2002 - 08:22:32 PST
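
The point made in the thread above (a captured hardware address identifies the sender only when it sits on the local segment; otherwise it is the router's), as an added Python example that is not part of the original messages. The gateway MAC, the subnet and the frames are constructed for illustration.

```python
import ipaddress
import struct
from collections import defaultdict

def parse_frame(frame):
    """Return (source MAC, source IPv4) of an Ethernet II frame, or None."""
    if len(frame) < 34:                              # 14-byte Ethernet + 20-byte IPv4
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800 or frame[14] >> 4 != 4:   # not IPv4
        return None
    return src.hex(":"), ipaddress.IPv4Address(frame[26:30])

def classify(frames, gateway_mac, local_net):
    """Map each source MAC to what it can say about the real sender."""
    net = ipaddress.ip_network(local_net)
    ips_by_mac = defaultdict(set)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed:
            ips_by_mac[parsed[0]].add(parsed[1])
    verdicts = {}
    for mac, ips in ips_by_mac.items():
        if mac == gateway_mac.lower():
            verdicts[mac] = "routed"            # router's MAC: origin not recoverable here
        elif any(ip not in net for ip in ips):
            verdicts[mac] = "local-spoofing"    # on-segment NIC using off-subnet sources
        else:
            verdicts[mac] = "local-consistent"  # on-segment NIC, plausible addresses
    return verdicts

def build_frame(src_mac, src_ip):
    """Constructed sample: Ethernet II header plus a minimal IPv4 header."""
    eth = bytes.fromhex("020000000001" + src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address("192.0.2.10").packed)
    return eth + ip

GATEWAY = "02:00:00:00:00:fe"   # assumed: known MAC of the upstream router
LOCAL_NET = "192.0.2.0/24"      # assumed: subnet of the capturing interface
SAMPLE = [                      # constructed frames, not real traffic
    build_frame(GATEWAY, "198.51.100.7"),
    build_frame(GATEWAY, "203.0.113.9"),
    build_frame("02:00:00:00:00:0a", "192.0.2.20"),
    build_frame("02:00:00:00:00:0b", "203.0.113.50"),
]

if __name__ == "__main__":
    for mac, verdict in classify(SAMPLE, GATEWAY, LOCAL_NET).items():
        print(mac, verdict)
```

A "routed" verdict means the trace has to continue upstream, and a source MAC can itself be forged, so a "local" verdict is a lead to check against switch port tables rather than proof.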