RE: What's going on here?

From: Russell Fulton (r.fultonat_private)
Date: Mon Aug 26 2002 - 19:57:38 PDT


    On Tue, 2002-08-27 at 03:54, Yonatan Bokovza wrote:
    > > -----Original Message-----
    > > From: Jackie [mailto:JackieJat_private]
    > > Sent: Saturday, August 24, 2002 02:57
    > > To: incidentsat_private
    > > Subject: What's going on here?
    > > 
    > > 
    > > ZoneAlarm reported this burst, all from port 80 on a reserved IP
    > > block. What the honk's going on?
    > > 
    > > 
    > > FWIN,2002/08/23,18:47:42 -4:00 GMT,10.60.1.102:80,xxx.xx.96.7:9176,TCP (flags:S)
    > > FWIN,2002/08/23,18:47:42 -4:00 GMT,10.10.2.105:80,xxx.xx.96.7:13682,TCP (flags:S)
    > 
    > Someone is scanning a victim that's in reserved address-space,
    > giving your address as decoy.
    > 
    
    Ummm... I don't think so, in that case the flags would be SA not S. 
    These appear to be SYN packets sent from port 80 to random port numbers.
    
    -- 
    Russell Fulton, Computer and Network Security Officer
    The University of Auckland,  New Zealand
    
    "It aint necessarily so"  - Gershwin
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    


