Richard, I have noticed an increase in port 53 scanning activity and TCP port 22 as well. In the absence of all other evidence, I suspect that there is either a new BIND exploit in the wild (or a rumor of one) or port 80 vulnerabilities are reaching a lull and the hackers are simply playing the odds, BIND arguably being the next most common service to exploit. I'm keeping a very close eye on my HIDS at this point!

As for the spoofed scans, you really can't determine who the scanner truly is. The scan might not even be directly coming from any of the IPs you detected. If he's using a spoofing technique like monitoring the TCP replies of a quiet machine for an increase in relative sequence numbers (a la hping), he's pretty much untraceable.

--Gideon

On Sun, 6 Jan 2002, Richard Arends wrote:

> Hello,
>
> Last couple of weeks I'm getting more and more spoofed scans on my
> firewall. All scans are icmp or port 53 (domain). Mostly 'they' first send
> a few icmp packets and then a scan for port 53 trying to do a reverse
> lookup for my ip.
>
> Are there more seeing this type of scans and is there a way to subtract
> the real scanner (ip) from the list of IPs?
>
> Greetings,
>
> Richard.
>
> ----
> An OS is like Swiss cheese, the bigger it is, the more holes you get!
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
> ----------------------------------------------------------------------------
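The hping-style spoofed scan Gideon describes is what is now usually called an idle (or "zombie") scan; what he calls relative sequence numbers is, in hping's terms, the relative IP ID field (`hping -r`). The Python simulation below is an added editor's example, not code from the thread or from hping; the three hosts, their addresses (10.0.0.1 attacker, 10.0.0.2 zombie, 10.0.0.3 target) and the port states are constructed for the demo. It models only the stack behaviour the scan depends on (a global, incrementing IP ID; RST in answer to an unsolicited SYN/ACK; silence in answer to a RST), shows the delta the attacker reads for open, closed and filtered ports, shows the "unknown" result a non-idle zombie produces, and shows why the scanned host's logs contain only the zombie's address, which is Gideon's point about untraceability.

```python
"""Idle-scan simulation (added example; hosts, addresses and ports are constructed).

The zombie is a quiet host whose IP ID increments by one per packet sent.
The attacker never puts its own address on a packet to the target: it reads
the zombie's IP ID, sends the target a SYN with the zombie's address as source,
reads the zombie's IP ID again, and infers from the delta whether the target
answered the zombie with a SYN/ACK.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str          # "S" (SYN), "SA" (SYN/ACK) or "R" (RST)
    ip_id: int = 0


@dataclass
class Host:
    ip: str
    open_ports: set = field(default_factory=set)
    filtered_ports: set = field(default_factory=set)   # SYNs silently dropped
    ip_id: int = 1000   # global IP ID counter: +1 on every packet sent
    seen_sources: list = field(default_factory=list)   # what this host's logs show

    def _emit(self, dst, flags):
        self.ip_id += 1
        return Packet(self.ip, dst, 0, flags, self.ip_id)

    def receive(self, pkt):
        """Stack behaviour that matters for the scan; returns the reply or None."""
        self.seen_sources.append(pkt.src)
        if pkt.flags == "S":
            if pkt.dport in self.filtered_ports:
                return None                      # firewalled: no answer at all
            return self._emit(pkt.src, "SA" if pkt.dport in self.open_ports else "R")
        if pkt.flags == "SA":
            return self._emit(pkt.src, "R")      # unsolicited SYN/ACK -> RST (the probe)
        return None                              # RST is dropped silently, IP ID unchanged

    def chatter(self, n):
        """Unrelated outbound traffic from a zombie that is not actually idle."""
        for _ in range(n):
            self._emit("192.0.2.99", "S")


class Network:
    def __init__(self, *hosts):
        self.hosts = {h.ip: h for h in hosts}

    def send(self, pkt):
        """Deliver pkt and follow the chain of replies it triggers.
        Replies are routed by the header source address, so a spoofed SYN's
        answer goes to the spoofed host, never to the real sender.
        Returns the first reply (meaningful only when addressed to the caller)."""
        first = None
        while pkt is not None and pkt.dst in self.hosts:
            reply = self.hosts[pkt.dst].receive(pkt)
            first = reply if first is None else first
            pkt = reply
        return first


def probe_zombie(net, attacker_ip, zombie_ip):
    """Send the zombie an unsolicited SYN/ACK; its RST carries its current IP ID."""
    rst = net.send(Packet(attacker_ip, zombie_ip, 80, "SA"))
    if rst is None or rst.flags != "R" or rst.dst != attacker_ip:
        raise RuntimeError("zombie did not answer the probe")
    return rst.ip_id


def idle_scan(net, attacker_ip, zombie_ip, target_ip, port, noise=None):
    """Return 'open', 'closed|filtered' or 'unknown' for target_ip:port.
    `noise` (optional callable) models traffic the zombie sends between the two
    probes, the failure mode that makes a busy zombie useless as a side channel."""
    before = probe_zombie(net, attacker_ip, zombie_ip)
    # Spoofed SYN: the target's SYN/ACK or RST goes to the zombie. A SYN/ACK
    # makes the zombie send a RST (IP ID +1); a RST or silence leaves it untouched.
    net.send(Packet(zombie_ip, target_ip, port, "S"))
    if noise:
        noise()
    delta = probe_zombie(net, attacker_ip, zombie_ip) - before
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unknown"          # zombie was not idle between the probes


def target_view(target):
    """Source addresses the scanned host's firewall/IDS logs would contain."""
    return sorted(set(target.seen_sources))


def build_demo():
    attacker = Host("10.0.0.1")
    zombie = Host("10.0.0.2")
    target = Host("10.0.0.3", open_ports={53}, filtered_ports={25})
    return Network(attacker, zombie, target), attacker, zombie, target


if __name__ == "__main__":
    net, attacker, zombie, target = build_demo()
    for port in (53, 22, 25):
        print(port, idle_scan(net, attacker.ip, zombie.ip, target.ip, port))
    print("busy zombie:", idle_scan(net, attacker.ip, zombie.ip, target.ip, 53,
                                    noise=lambda: zombie.chatter(5)))
    print("target's log shows only:", target_view(target))
```

Note that the simulation cannot distinguish closed from filtered: both leave the zombie's counter alone, exactly as with the real scan. The "unknown" branch is the practical caveat: a zombie with any traffic of its own (or a modern stack with randomised or per-connection IP IDs) breaks the inference, which is why the attacker needs a genuinely quiet machine.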
This archive was generated by hypermail 2b30 : Mon Jan 07 2002 - 08:41:20 PST