Subject: Re: Simultaneous Attacks
From: Valdis Kletnieks (Valdis.KletnieksVT.EDU)
Date: Fri Jul 07 2000 - 16:31:45 CDT


On Fri, 07 Jul 2000 00:27:04 EDT, "Harlan S. Barney, Jr." <hsbarneyNYCAP.RR.COM> said:
> 59, 2000-07-06 23:59:50, 2003103, NetBus port probe, 64.232.4.242, ,
> 24.161.11.47, , port=12345&name=NetBus, 6, A
> 59, 2000-07-06 23:59:50, 2003103, NetBus port probe, 23.23.23.23, ,
> 24.161.11.47, , port=12345&name=NetBus, 6, A
> 59, 2000-07-06 23:59:50, 2003103, NetBus port probe, 24.24.24.24,
> tmp1-3218.twcny.rr.com, 24.161.11.47, , port=12345&name=NetBus, 6, A

The 23. and 24. probes are almost certainly decoys. This may be an 'nmap'
scan trying to determine your IP sequence number algorithm - using bogus
packets to increment the initial sequence number. You may wish to verify
whether your software is configured to report on probes to other ports
as well - it could be you're only reporting on "interesting" ports (like
snmp, netbus, yadda yadda yadda) and you missed the other connections.

Of course, I may be totally full of it too - it *is* 5:30PM on Friday and time
for the weekend. ;)

--
				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech
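
An added example, not part of the original message: one way to surface the pattern discussed above, where several sources probe the same target and port in the same second. The column order is inferred from the quoted entries, and the "patterned address" check (all four octets equal) is an illustrative heuristic, not a rule taken from the message.

```python
import csv
from collections import defaultdict
from urllib.parse import parse_qs

# The three entries quoted in the message, each rejoined onto one line.
SAMPLE_LOG = """\
59, 2000-07-06 23:59:50, 2003103, NetBus port probe, 64.232.4.242, , 24.161.11.47, , port=12345&name=NetBus, 6, A
59, 2000-07-06 23:59:50, 2003103, NetBus port probe, 23.23.23.23, , 24.161.11.47, , port=12345&name=NetBus, 6, A
59, 2000-07-06 23:59:50, 2003103, NetBus port probe, 24.24.24.24, tmp1-3218.twcny.rr.com, 24.161.11.47, , port=12345&name=NetBus, 6, A
"""

def parse_entries(text):
    """Yield (timestamp, source, target, port); column positions are an assumption."""
    for row in csv.reader(text.splitlines(), skipinitialspace=True):
        if len(row) < 9:
            continue  # skip blank or truncated lines
        params = parse_qs(row[8])  # e.g. "port=12345&name=NetBus"
        port = int(params.get("port", ["0"])[0])
        yield row[1], row[4], row[6], port

def looks_patterned(ip):
    """Heuristic (assumption): all four octets equal, e.g. 23.23.23.23."""
    return len(set(ip.split("."))) == 1

def simultaneous_probes(text, min_sources=2):
    """Report (timestamp, target, port) groups probed from several sources at once."""
    groups = defaultdict(set)
    for ts, src, dst, port in parse_entries(text):
        groups[(ts, dst, port)].add(src)
    findings = []
    for key, sources in sorted(groups.items()):
        if len(sources) >= min_sources:
            findings.append({
                "event": key,
                "sources": sorted(sources),
                # Sources worth treating as possibly spoofed when triaging.
                "patterned": sorted(s for s in sources if looks_patterned(s)),
            })
    return findings

if __name__ == "__main__":
    for finding in simultaneous_probes(SAMPLE_LOG):
        print(finding)
```

A group with several sources only says the probes coincided; which source, if any, is real still has to be established from other evidence.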

