RE: Spoofed scans

From: Bojan Zdrnja (Bojan.Zdrnjaat_private)
Date: Mon Jan 07 2002 - 05:06:23 PST

Next message: James: "Re: Spoofed scans"

Previous message: Philip Wagenaar: "RE: Spoofed scans"
In reply to: James: "Re: Spoofed scans"
Next in thread: Richard Arends: "Re: Spoofed scans"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Only if machine is on their subnet, of course. Otherwise he'll get hardware
address of his router.
Can you get us more information about those packets ?
I'm interested to see what kind of scanning they do.

Regards,

Bojan Zdrnja

> -----Original Message-----
> From: James [mailto:jameshat_private]
> Sent: 7. siječanj 2002 1:47
> To: incidentsat_private
> Subject: Re: Spoofed scans
>
>
> Capture the data link layer and get the hardware address.
> Perhaps this will
> indicate the true IP.
>
>
> "Ask the plants of the earth and they will teach you." Job 12:8
>
> ----- Original Message -----
> From: "Richard Arends" <richardat_private>
> To: <incidentsat_private>
> Sent: Sunday, January 06, 2002 4:41 AM
> Subject: Spoofed scans
>
>
> > Hello,
> >
> > Last couple of weeks i'm getting more and more spoofed scans on my
> > firewall. All scans are icmp or port 53 (domain). Mostly
> 'they' first send
> > a few icmp packets and then a scan for port 53 trying to do
> a reverse
> > lookup for my ip.
> >
> > Are there more seeing this type off scans and is there a
> way to substract
> > the real scanner (ip) from the list ip's ???
> >
> > Greetings,
> >
> > Richard.
> >
> > ----
> > An OS is like swiss cheese, the bigger it is, the more
> holes you get!
> >
> >
> >
> --------------------------------------------------------------
> ------------
> --
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com
> >
> >
>
>
> --------------------------------------------------------------
> --------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
>
>


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: James: "Re: Spoofed scans"
Previous message: Philip Wagenaar: "RE: Spoofed scans"
In reply to: James: "Re: Spoofed scans"
Next in thread: Richard Arends: "Re: Spoofed scans"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jan 07 2002 - 08:22:32 PST