system check message question

Ben Beeson beesond001 at hawaii.rr.com
Tue May 1 03:23:33 PDT 2001 

Jay,

	I have no idea...  All I know is that it looked funny in my logs, so I
ran 'dig' on the IP address and got back nothing...  I had never seen that IP
address or anything similar to it, so I thought I'd ask.  Maybe it's related to
the posts on CERT about increased scans lately...

Thanks and good luck with your nap,

Ben 

On Mon, 30 Apr 2001, you wrote:
> what i don't understand is where would spoofing 1.2.3.4 get you
> unless you were either using loose source routing or sniffing
> traffic on the same wire and could see an ack go out?
> that one entry doesn't look like an attempt at a DDOS.  unless
> they were using the nmap decoy option, but then you'd be seeing
> other scans on that port by different IPs...
> 
> am i thinking about this too much?
> time for a nap.
> 
> =jay
> 
> On Mon, 30 Apr 2001, Jeffrey Wong wrote:
> 
> > There have been alot of reports of people seeing the exact same thing over
> > the last two weeks.  I havn't really heard much about it besides that its
> > been seen though.  It seems to (so far) be just a passive scan with no
> > accompaning attacks, although I'd assume that if you do have Back Orifice
> > installed . . .  1.2.3.4 is just one of the more commonly spoofed IP's.
> > In fact its used as an example IP in alot of different places.  I guess
> > these new script kiddies either have no imagination, or no idea that they
> > can change it ;)
> >
> > Jeff Wong
> >
> > On Mon, 30 Apr 2001, Ben Beeson wrote:
> >
> > > Aloha all,
> > >
> > > 	The below line appeared in my /var/log/messages file and I am curious
> > > about it.  I think port 31337 is for Back Orifice, a windows attack that I
> > > should be relatively immune from.  However, that said, I am curious how the IP
> > > address 1.2.3.4 materialized.  I am not sure that this is a 'legal' address.
> > > 'dig' returns nothing.....  Has anyone else seen this???
> > >
> > > Thanks,
> > >
> > > Ben
> > >
> > >
> > > Security Violations
> > > =-=-=-=-=-=-=-=-=-=
> > > Apr 29 16:50:39 kernel: Packet log: input DENY eth0 PROTO=17 1.2.3.4:1024 24.94.83.89:31337 L=81 S=0x00 I=20326 F=0x0000 T=111 (#8)
> > >
> > > ---
> > > You are currently subscribed to luau as: jmwong at math.ed.hawaii.edu
> > > To unsubscribe send a blank email to $subst('Email.Unsub')
> > >
> >
> >
> > ---
> > You are currently subscribed to luau as: jay at musubi.org
> > To unsubscribe send a blank email to $subst('Email.Unsub')
> >
> 
> 
> ---
> You are currently subscribed to luau as: beesond001 at hawaii.rr.com
> To unsubscribe send a blank email to $subst('Email.Unsub')

More information about the LUAU mailing list