<a href="http://g.adspeed.net/ad.php?do=clk&zid=14678&wd=728&ht=90&pair=as" target="_top"><img style="border:0px;" src="http://g.adspeed.net/ad.php?do=img&zid=14678&wd=728&ht=90&pair=as" alt="i" width="728" height="90"/></a>

Nmap Security Scanner

Docs
Security Lists

Full Disclosure

More
Security Tools

Packet crafters

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

edgeos

Security Incidents: Re: very strange scan patterns

Re: very strange scan patterns

From: Ejovi Nuwere <ejovi_at_EJOVI.NET>
Date: Wed, 7 Jun 2000 10:02:30 -0400

Most routers/firewalls will prevent spoofing of internal addresses coming
from an external interface. Since if seems to be coming from two or
three specific machines I wouldn't rule out the idea of those machines
having been comprised.

What do the probing machines have in common? Same os? Same switch?

e.

> It looks like a probe (perhaps using nmap with the -sS option
> to spoof the source address) - port 23 gets noticed sinced it's obviously
> wrappered. Unless it is some sort of host "bouncing/reflecting" from the
> real attacker
> to hosts "ourdomain" back to hosts to magpie and kefti.
> Can anyone explain this apparent activity or know the signature for this
> attack?
> Thanks
> Joe
>
Received on Jun 08 2000

This message: [ Message body ]
Next message: nmorgowicz_at_RALCOIND.COM: "hacked @home with logs and info.."
Previous message: Jürgen Bauer: "port 65535 and protocol 171 !?"
In reply to: Joe H: "very strange scan patterns"
Next in thread: nmorgowicz_at_RALCOIND.COM: "hacked @home with logs and info.."

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]

edgeos