Could it be that you've been decoy addresses in a portscan? For instance, hacker (H) wants to attack A. Hacker finds B and C that are legit, so hacker sends a portscan from H, B, and C to A. The effect of this is that the analyst at A doesn't know which is the real portscanner (or in this case scanner for port 53). What B and C see are the responses of the initial SYN sent to A, since A will be responding to both H, B, and C thinking that they're legit TCP initiation requests. HTH.

Anyone else have any ideas?

Mike Cloppert

> -----Original Message-----
> From: Richard Arends [mailto:richardat_private]
> Sent: Friday, January 11, 2002 1:47 PM
> To: Jerry Perser
> Cc: incidentsat_private
> Subject: Re: New DNS connection with SYN ACK
>
>
> On 11 Jan 2002, Jerry Perser wrote:
>
> > Here are the 19 ip addresses:
> >
> > 128.121.10.146 128.242.105.34
> > 129.250.244.10 193.148.15.128 194.205.125.26 194.213.64.150
> > 202.139.133.129 203.194.166.182 203.81.45.254 216.220.39.42
> > 216.33.35.214
> > 216.34.68.2 216.35.167.58 62.23.80.2 62.26.119.34
> > 64.14.200.154 64.37.200.46 64.56.174.186 64.78.235.14
>
> I'm getting scans for port 53 from the same ip's !
>
> Greetings,
>
> Richard.
>
> ----
> An OS is like swiss cheese, the bigger it is, the more holes you get!
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
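The following is an added example, not part of the original message or thread: a check a host in the position of B or C could run to separate replies to its own DNS/TCP connections from SYN/ACKs answering SYNs it never sent. The record format, the addresses (documentation ranges) and the 30-second window are assumptions, and it assumes the replies arrive as SYN/ACK from source port 53.

```python
# Constructed sample records (not from the thread):
# time, direction, src, sport, dst, dport, TCP flags. 192.0.2.10 is the local host.
SAMPLE = """\
10.00 out 192.0.2.10 40001 198.51.100.7 53 S
10.05 in 198.51.100.7 53 192.0.2.10 40001 SA
11.00 in 203.0.113.9 53 192.0.2.10 31337 SA
11.20 in 203.0.113.9 53 192.0.2.10 31338 SA
12.00 in 198.51.100.7 53 192.0.2.10 40002 SA
50.00 out 192.0.2.10 40003 198.51.100.7 53 S
95.00 in 198.51.100.7 53 192.0.2.10 40003 SA
"""

WINDOW = 30.0  # seconds an outbound SYN stays pending (assumed value)


def parse(text):
    """Yield (ts, direction, src, sport, dst, dport, flags) per record line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, direction, src, sport, dst, dport, flags = line.split()
        yield float(ts), direction, src, int(sport), dst, int(dport), flags


def unsolicited_synacks(records, service_port=53, window=WINDOW):
    """Return {remote_ip: [(ts, local_port), ...]} for inbound SYN/ACKs from
    service_port that match no SYN we sent within the window."""
    pending = {}  # (local, lport, remote, rport) -> time our SYN left
    hits = {}
    for ts, direction, src, sport, dst, dport, flags in records:
        if direction == "out" and flags == "S":
            pending[(src, sport, dst, dport)] = ts
        elif direction == "in" and flags == "SA" and sport == service_port:
            sent = pending.pop((dst, dport, src, sport), None)
            # No SYN on record, or the reply is too late to belong to it:
            # someone else used our address as the source of that SYN.
            if sent is None or ts - sent > window:
                hits.setdefault(src, []).append((ts, dport))
    return hits


if __name__ == "__main__":
    for remote, events in sorted(unsolicited_synacks(parse(SAMPLE)).items()):
        print(f"{remote}: {len(events)} unsolicited SYN/ACK(s) from port 53 {events}")
```

Several remote addresses showing up at once with unsolicited SYN/ACKs from the same port is the pattern a spoofed-source scan leaves on the hosts whose addresses were borrowed.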
This archive was generated by hypermail 2b30 : Mon Jan 14 2002 - 09:25:11 PST