Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Large-scale (spoofed?) tftp scan from 216.154.203.169
From: "jakob donivan" <loonux () rediffmail com>
Date: 15 Jul 2004 17:45:25 -0000

We are presently witnessing a seemingly large number of addresses in
the 66.* network address range receiving tfp GET requests from
216.154.203.169.  The requests are all similar to the following:

07/15-08:33:58.586343 216.154.203.169:41820 -> 66.xx.xx.xx:69
UDP TTL:237 TOS:0x0 ID:29801 IpLen:20 DgmLen:54
Len: 26
00 01 2F 2E 2E 2F 65 74 63 2F 70 61 73 73 77 64  ../../etc/passwd
00 6E 65 74 61 73 63 69 69 00                    .netascii.

The source address resolves back to:

MyNetWatchman, LLC EDEL-203-168-29 (NET-216-154-203-168-1)
                                  216.154.203.168 - 216.154.203.175

Given the nature of the scan I suspect that the source address is spoofed.

L

  By Date           By Thread  

Current thread:
  • Large-scale (spoofed?) tftp scan from 216.154.203.169 jakob donivan (Jul 15)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]