Security Incidents mailing list archives
Re: Spoofed scans
From: Gideon Lenkey <glenkey () infotech-nj com>
Date: Sun, 6 Jan 2002 20:57:49 -0500 (EST)
Richard,

I have noticed an increase in port 53 scanning activity and TCP port 22 as well. In the absence of all other evidence, I suspect that there is either a new bind exploit in the wild (or a rumor of one) or port 80 vulnerabilities are reaching a lull and the hackers are simply playing the odds, bind arguably being the next most common service to exploit. I'm keeping a very close eye on my HIDS at this point!

As for the spoofed scans, you really can't determine who the scanner truly is. The scan might not even be directly coming from any of the IPs you detected. If he's using a spoofing technique like monitoring the TCP replies of a quiet machine for an increase in relative sequence numbers (à la hping), he's pretty much untraceable.

--Gideon

On Sun, 6 Jan 2002, Richard Arends wrote:

/* Hello,
/*
/* Last couple of weeks I'm getting more and more spoofed scans on my
/* firewall. All scans are icmp or port 53 (domain). Mostly 'they' first send
/* a few icmp packets and then a scan for port 53 trying to do a reverse
/* lookup for my ip.
/*
/* Are there more seeing this type of scans and is there a way to subtract
/* the real scanner (ip) from the list of IPs ???
/*
/* Greetings,
/*
/* Richard.
/*
/* ----
/* An OS is like swiss cheese, the bigger it is, the more holes you get!
/*
/*
/* ----------------------------------------------------------------------------
/* This list is provided by the SecurityFocus ARIS analyzer service.
/* For more information on this free incident handling, management
/* and tracking system please see: http://aris.securityfocus.com