Security Incidents mailing list archives
Re: scans on ports 3072 and 1024, why?
From: Jonas Luster <loki () SMURFTARGET NET>
Date: Sat, 30 Dec 2000 12:18:18 -0800
++ 29/12/00 09:53 -0800 - Aaron Schultz:
We are still interested in any other reports of activity regarding the DALnet servers.
A quick glance over our combined firewall logs shows coincidences with attacks towards IRCNet and EFNet Servers. Generally a ton of RSTs hits us every time X-Org attacks EFNet or IRCNet, quickly followed by DALNet sending RSTs.

My humble guess would be that this is another (ab-)use of kickem.c, which iterates through a list of EF, DAL and IRCnet servers once started and spoofs addresses taken from NETBLK-EC[1-91-9]-1, NETBLK-EC[1-91-9]-1-GC, NETBLK-DSLNET-[.*]-[.*] and a few others. kickem is - to the best of my knowledge - not fully distributed-enabled and does not feature an automatic distribution routine, though I've seen it being distributed as a mod to th0rn.

jonas

--
Jonas M. Luster, JD -- Straylight Freelance Security Services, San Jose