Re: Spoofed scans

From: Gideon Lenkey (glenkey@infotech-nj.com)
Date: Sun Jan 06 2002 - 17:57:49 PST

    Richard,
    
    I have noticed an increase in port 53 scanning activity and TCP port 22
    as well. In the absence of all other evidence, I suspect that there is
    either a new bind exploit in the wild (or a rumor of one) or port 80
    vulnerabilities are reaching a lull and the hackers are simply playing
    the odds. Bind arguably being the next most common service to exploit.
    I'm keeping a very close eye on my HIDS at this point!
    
    As for the spoofed scans, you really can't determine who the scanner
    truly is. The scan might not even be directly coming from any of the IPs
    you detected. If he's using a spoofing technique like monitoring the TCP
    replies of a quiet machine for an increase in relative sequence
    numbers (à la hping), he's pretty much untraceable.
    
    --Gideon
    
    On Sun, 6 Jan 2002, Richard Arends wrote:
    
    /* Hello,
    /*
    /* Last couple of weeks I'm getting more and more spoofed scans on my
    /* firewall. All scans are icmp or port 53 (domain). Mostly 'they' first send
    /* a few icmp packets and then a scan for port 53 trying to do a reverse
    /* lookup for my ip.
    /*
    /* Are there more seeing this type of scans and is there a way to subtract
    /* the real scanner (ip) from the list ip's ???
    /*
    /* Greetings,
    /*
    /* Richard.
    /*
    /* ----
    /* An OS is like swiss cheese, the bigger it is, the more holes you get!
    /*
    /*
    /* ----------------------------------------------------------------------------
    /* This list is provided by the SecurityFocus ARIS analyzer service.
    /* For more information on this free incident handling, management
    /* and tracking system please see: http://aris.securityfocus.com
    /*
    
    
    



    This archive was generated by hypermail 2b30 : Mon Jan 07 2002 - 08:41:20 PST