|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Subject: Re: Resolution on source IP address 169.254.* source addresses
From: Ben Laws (ben
ION.AS.UTEXAS.EDU)Date: Thu Apr 13 2000 - 19:17:42 CDT
- Next message: Ex Machina: "Re: sadmind hack?"
- Previous message: Maniac .: "Weird Ports on NT box"
- In reply to: Jeffrey D. Carter: "Resolution on source IP address 169.254.* source addresses"
- Reply: Ben Laws: "Re: Resolution on source IP address 169.254.* source addresses"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
"Jeffrey D. Carter" wrote:
>
> My message a couple of weeks ago about Port 137 scanning activity had a
> related oddity in the traces: several of the scans, rather than simply
> being a sequence of 3 packets from a single source, appearred to be
> interleaved series of packets from 2 sources, one of the a
> 169.254.* address.
>
Thanks for your followup, I was curious... I've been
seeing similar activity here. The difference is
this activity hits a number of hosts on our subnet
rather than a single host. I usually see a couple
scans of this type daily, many times from home nets
and their ilk. About half the time, 169.254.x.x and
other reserved addresses are intermixed as in this
example.
Apr 12 03:20:10 host snort: SMB Name Wildcard:
209.112.188.221:137 -> x.x.x.99:137
Apr 12 03:20:10 host snort: SMB Name Wildcard:
169.254.222.20:137 -> x.x.x.99:137
Apr 12 03:20:10 host snort: SMB Name Wildcard:
209.112.188.221:137 -> x.x.x.99:137
Apr 12 03:20:12 host snort: SMB Name Wildcard:
169.254.222.20:137 -> x.x.x.99:137
Apr 12 03:20:12 host snort: SMB Name Wildcard:
209.112.188.221:137 -> x.x.x.99:137
Apr 12 03:21:17 host snort: SMB Name Wildcard:
209.112.188.221:137 -> x.x.x.104:137
Apr 12 03:21:18 host snort: SMB Name Wildcard:
169.254.222.20:137 -> x.x.x.104:137
Apr 12 03:21:18 host snort: SMB Name Wildcard:
209.112.188.221:137 -> x.x.x.104:137
Apr 12 03:21:20 host snort: SMB Name Wildcard:
169.254.222.20:137 -> x.x.x.104:137
Apr 12 03:21:20 host snort: SMB Name Wildcard:
209.112.188.221:137 -> x.x.x.104:137
Apr 12 03:23:02 host snort: SMB Name Wildcard:
209.112.188.221:137 -> x.x.x.112:137
Apr 12 03:23:44 host snort: SMB Name Wildcard:
169.254.222.20:137 -> x.x.x.115:137
Apr 12 03:26:03 host snort: SMB Name Wildcard:
209.112.188.221:137 -> x.x.x.122:137
Apr 12 03:27:15 host snort: SMB Name Wildcard:
209.112.188.221:137 -> x.x.x.124:137
Apr 12 03:27:16 host snort: SMB Name Wildcard:
169.254.222.20:137 -> x.x.x.124:137
Apr 12 03:27:16 host snort: SMB Name Wildcard:
209.112.188.221:137 -> x.x.x.124:137
Apr 12 03:27:18 host snort: SMB Name Wildcard:
169.254.222.20:137 -> x.x.x.124:137
Apr 12 03:27:18 host snort: SMB Name Wildcard:
209.112.188.221:137 -> x.x.x.124:137
Apr 12 03:27:40 host snort: SMB Name Wildcard:
209.112.188.221:137 -> x.x.x.126:137
b
- Next message: Ex Machina: "Re: sadmind hack?"
- Previous message: Maniac .: "Weird Ports on NT box"
- In reply to: Jeffrey D. Carter: "Resolution on source IP address 169.254.* source addresses"
- Reply: Ben Laws: "Re: Resolution on source IP address 169.254.* source addresses"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]