On Tue, 2002-08-27 at 03:54, Yonatan Bokovza wrote: > > -----Original Message----- > > From: Jackie [mailto:JackieJat_private] > > Sent: Saturday, August 24, 2002 02:57 > > To: incidentsat_private > > Subject: What's going on here? > > > > > > ZoneAlarm reported this burst, all from port 80 on a reserved IP > > block. What the honk's going on? > > > > > > FWIN,2002/08/23,18:47:42 -4:00 > > GMT,10.60.1.102:80,xxx.xx.96.7:9176,TCP (flags:S) > > FWIN,2002/08/23,18:47:42 -4:00 > > GMT,10.10.2.105:80,xxx.xx.96.7:13682,TCP (flags:S) > > Someone is scanning a victim that's in reserved address-space, > giving your address as decoy. > Ummm... I don't think so, in that case the flags would be SA not S. These appear to be SYN packets sent from port 80 to random port numbers. -- Russell Fulton, Computer and Network Security Officer The University of Auckland, New Zealand "It aint necessarily so" - Gershwin ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Aug 27 2002 - 10:44:25 PDT