Security Incidents mailing list archives
(2) Port 98 scans
From: Mike Lewinski <mike () ROCKYNET COM>
Date: Tue, 19 Sep 2000 21:33:19 -0600
Snort picked up a scan on port 98 across our company's netblock, which I remembered was Linuxconf from a thread here recently. I notified the ARIN contact for the netblock, but my mail bounced. In such situations I always take care that I'm not sending a message to a possibly compromised host (in this case it was a registered nameserver so I was doubly careful).

Now the odd part is that the very same host hit my home IP address on the same port just an hour after I sent my first report. I'm using a very different provider on a different IP scheme, so it's hard to believe this was coincidence. I looked at the headers of the original bounce and it made it to the right place, but was returned due to an internal loop. I'm really wondering if I tipped off the intruders somehow and they saw my home IP in the header of the message I sent, but I really don't see how.

I did follow up with UUnet security, and haven't yet gotten a bounce back from postmaster@[ip-of-broken-MTA] when I forwarded to that addy...

Mike