From: Mike Batchelor (mikebattmcs.net)
Date: Wed May 16 2001 - 17:50:42 CDT
> > Does anyone have any idea what would cause a scan to originate from port
> > on an IRIX based server and destined for users on incrementing ports
> > starting in the 1000 range and continuing, in cases, to 4000 range.
> the attacker might be expecting that your ACL / packetfilter
> all packets originating from 53 UDP (DNS-lookups). This is often the case
> on insecure packet-filter installations.
It could also be the result of improper filters on JK's gateway. If he is
permitting outgoing packets to 53/UDP for DNS, but forgot to allow the
incoming replies from 53/UDP to pass back to his clients, then he would see
alerts just like the ones he posted. When the client's resolver library
fails to see a reply and retransmits the query, the client port number
increments (on most platforms).
> > 2000/09/14,09:21:48 -5:00 GMT,
> > Server.IP.Address:53,Client.IP.Address:1038,UDP
> With kind regards,
> Maarten Van Horenbeeck
> OS2 & Unix System Administrator
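
Added example, not part of the original thread: a triage sketch for the two explanations discussed above, run over blocked-packet alerts in the layout of the quoted log line. It marks a server/client pair as probable dropped DNS replies when every packet from 53/UDP goes to an unprivileged port and the ports climb in small steps, and flags everything else for review. The sample addresses, the `max_step` threshold and the function names are assumptions made for this illustration.

```python
import csv
from collections import defaultdict

# Constructed sample in the layout of the alert quoted in the thread:
# date,time zone,src_ip:src_port,dst_ip:dst_port,protocol
SAMPLE_LOG = """\
2000/09/14,09:21:48 -5:00 GMT,192.0.2.53:53,198.51.100.10:1038,UDP
2000/09/14,09:21:53 -5:00 GMT,192.0.2.53:53,198.51.100.10:1039,UDP
2000/09/14,09:22:03 -5:00 GMT,192.0.2.53:53,198.51.100.10:1040,UDP
2000/09/14,09:22:10 -5:00 GMT,192.0.2.53:53,198.51.100.11:2210,UDP
2000/09/14,09:23:00 -5:00 GMT,203.0.113.7:53,198.51.100.10:111,UDP
2000/09/14,09:23:01 -5:00 GMT,203.0.113.7:53,198.51.100.10:2049,UDP
"""

def parse(log_text):
    """Yield (src_ip, src_port, dst_ip, dst_port, proto) per blocked packet."""
    for row in csv.reader(log_text.splitlines()):
        if len(row) != 5:
            continue  # skip lines that do not match the assumed layout
        src_ip, src_port = row[2].rsplit(":", 1)
        dst_ip, dst_port = row[3].rsplit(":", 1)
        yield src_ip, int(src_port), dst_ip, int(dst_port), row[4].upper()

def triage(log_text, max_step=4):
    """Label each (server, client) pair seen sending from 53/UDP.

    'likely-dropped-dns-replies': all destination ports are unprivileged and
    climb in small steps, the pattern a retransmitting resolver produces.
    'review': privileged or scattered destination ports.
    max_step is an assumed heuristic threshold, not a value from the thread.
    """
    ports = defaultdict(list)
    for src_ip, src_port, dst_ip, dst_port, proto in parse(log_text):
        if proto == "UDP" and src_port == 53:
            ports[(src_ip, dst_ip)].append(dst_port)
    verdicts = {}
    for pair, seen in ports.items():
        steps = [b - a for a, b in zip(seen, seen[1:])]
        benign = all(p >= 1024 for p in seen) and all(0 < s <= max_step for s in steps)
        verdicts[pair] = "likely-dropped-dns-replies" if benign else "review"
    return verdicts
```

A "likely" verdict is a reason to check whether the gateway passes replies to its own clients' outgoing queries, not a reason to admit everything with source port 53.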