Security Incidents mailing list archives
Re: Scanning from a "intruder.rs88.net"?
From: Jonathan Bloomquist <jsbloom () adelphia net>
Date: Sun, 27 May 2001 16:32:46 -0400
On Monday 28 May 2001 11:15, James Friesen wrote:
This is simply MS services trying to do name searches using WINS resolution. Disable NetBIOS if you want to eliminate these messages. It woule be nice if these packets could turn themselves off past the router.
Huh? My firewall was also scanned by intruder.rs88.net (208.50.149.200) and I was not trying to perform any kind of WINS resolution. NetBIOS has no home on my network, either. The only port open on my firewall is 22. Maybe M[r/s]. intruder is scanning for ssh servers?
:> -----Original Message----- :> From: Simos Xenitellis [mailto:simos () pc96 ma rhbnc ac uk] :> Sent: Sunday, May 27, 2001 4:39 PM :> To: Jason Lewis :> Cc: INCIDENTS () securityfocus com :> Subject: RE: Scanning from a "intruder.rs88.net"? :> :> On Sun, 27 May 2001, Jason Lewis wrote: :> > What is running on the machine these logs came from? Web, DNS, FTP? :> > :> > Microsoft boxes attempt to connect via NetBIOS or do WINS :> :> lookups on servers :> :> > they are trying to use services on. A windows box will try :> :> to connect on :> :> > port 137 if it is trying to access your web server. I dump :> :> all that traffic :> :> > at my border router. :> :> It is not a WWW server. :> It appears to have ports 22 and 80 firewalled. :> :> simos
Current thread:
- Scanning from a "intruder.rs88.net"? Simos Xenitellis (May 26)
- RE: Scanning from a "intruder.rs88.net"? Jason Lewis (May 27)
- RE: Scanning from a "intruder.rs88.net"? Simos Xenitellis (May 28)
- RE: Scanning from a "intruder.rs88.net"? James Friesen (May 28)
- Re: Scanning from a "intruder.rs88.net"? Jonathan Bloomquist (May 28)
- RE: Scanning from a "intruder.rs88.net"? Jason Lewis (May 28)
- RE: Scanning from a "intruder.rs88.net"? Simos Xenitellis (May 28)
- RE: Scanning from a "intruder.rs88.net"? Jason Lewis (May 27)