RE: What's going on here?

From: Hugo van der Kooij (hvdkooijat_private)
Date: Tue Aug 27 2002 - 13:33:46 PDT


    On 27 Aug 2002, Russell Fulton wrote:
    
    > On Tue, 2002-08-27 at 03:54, Yonatan Bokovza wrote:
    > > > -----Original Message-----
    > > > From: Jackie [mailto:JackieJat_private]
    > > > Sent: Saturday, August 24, 2002 02:57
    > > > To: incidentsat_private
    > > > Subject: What's going on here?
    > > > 
    > > > 
    > > > ZoneAlarm reported this burst, all from port 80 on a reserved IP
    > > > block. What the honk's going on?
    > > > 
    > > > 
    > > > FWIN,2002/08/23,18:47:42 -4:00 GMT,10.60.1.102:80,xxx.xx.96.7:9176,TCP (flags:S)
    > > > FWIN,2002/08/23,18:47:42 -4:00 GMT,10.10.2.105:80,xxx.xx.96.7:13682,TCP (flags:S)
    > > 
    > > Someone is scanning a victim that's in reserved address-space,
    > > giving your address as decoy.
    
    I noticed similar lightweight "scans" on a customer network.
    
    Part of them were sites trying to push data to the client after the client 
    stopped their session. (Long live those aggressive banner pushers.)
    
    I was not able to get a detailed trace for further investigation.
    
    Hugo.
    
    -- 
    All email sent to me is bound to the rules described on my homepage.
        hvdkooijat_private		http://hvdkooij.xs4all.nl/
    	    Don't meddle in the affairs of sysadmins,
    	    for they are subtle and quick to anger.
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Aug 28 2002 - 10:27:23 PDT