Snort mailing list archives
Re: Strange scan
From: "Corne van Strien" <strien () atilas nl>
Date: Mon, 21 Jan 2002 15:25:53 +0100
Hi,

I guess this might be several things:

Trying to access a rsh daemon using IP spoofing and ISN value guessing, see
http://www.ebcvg.com/files/library/hacking/ip_spoofing.txt

a DOS attack meant for vulnerable RSH daemons. An example of such a vulnerability:
http://www.securitytracker.com/alerts/2001/Dec/1002930.html

Kind regards,
Corne van Strien.

----- Original Message -----
From: "Michael Schwartzkopff" <misch () mail multinet de>
To: <snort-users () lists sourceforge net>
Sent: Monday, January 21, 2002 1:30 PM
Subject: [Snort-users] Strange scan

Hi,

I get some strange scans for some weeks now. The scans would not stop so I decided to investigate it further and did set up some tcpdump. Please see the file attached. Can please someone help me to explain the aim of this scan?

There are some strange things in this scan:

1) The scan originates from a private IP Address, but it is a TCP SYN scan. So the scanner wants an answer, but this should be difficult using a private source address in the internet.

2) When he wants to get the answer he should be located somewhere close to our net to catch the answer of our system. But the TTL of 241 tells me that he is most probably 14 hops (255 - 241) away. That seems to be far for an answer to a private IP address.

3) Can somebody explain what OS is running with that characteristics?

Thanks for any help.

--
Dr. Michael Schwartzkopff
Multinet GmbH
Bretonischer Ring 7
85630 Grasbrunn
Tel: (+49 89) 456 911 50
Fax: (+49 89) 456 911 21
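
The two checks reasoned through in the original post (a private source address on a bare SYN, and hop distance derived from the TTL), written out as an added example that is not part of either message. The record layout, the sample addresses and the list of initial TTL values are assumptions made for illustration; the post itself assumes an initial TTL of 255.

```python
import ipaddress

# Assumption: common initial TTLs used by IP stacks; the post assumes 255.
INITIAL_TTLS = (32, 64, 128, 255)
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def estimate_hops(observed_ttl):
    """Return (assumed initial TTL, hop count) for an observed TTL."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise ValueError(f"TTL out of range: {observed_ttl}")

def is_private(addr):
    """True when addr falls inside RFC 1918 address space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

def triage(records):
    """Flag bare SYNs whose source is RFC 1918 space.

    A private source that is more than zero hops away cannot receive the
    SYN/ACK over the Internet, so the address is spoofed or leaked by a
    misconfigured upstream NAT; either way it belongs in an ingress filter.
    """
    findings = []
    for src, dst, dport, flags, ttl in records:
        if flags != "S" or not is_private(src):
            continue
        initial, hops = estimate_hops(ttl)
        findings.append({"src": src, "dport": dport, "initial_ttl": initial,
                         "hops": hops, "on_local_segment": hops == 0})
    return findings

# Constructed sample records: (src, dst, dst_port, tcp_flags, ttl).
SAMPLE = [
    ("10.1.2.3", "192.0.2.10", 514, "S", 241),     # private source, far away
    ("198.51.100.7", "192.0.2.10", 80, "S", 52),   # routable source, ignored
    ("192.168.5.9", "192.0.2.10", 514, "S", 64),   # private source, same segment
    ("172.16.0.4", "192.0.2.10", 1025, "SA", 120), # not a bare SYN, ignored
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
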