system check message question
Ben Beeson
beesond001 at hawaii.rr.com
Tue May 1 03:23:33 PDT 2001
Jay,
I have no idea... All I know is that it looked funny in my logs, so I
ran 'dig' on the IP address and got back nothing... I had never seen that IP
address or anything similar to it, so I thought I'd ask. Maybe it's related to
the posts on CERT about increased scans lately...
Thanks and good luck with your nap,
Ben
On Mon, 30 Apr 2001, you wrote:
> what i don't understand is where would spoofing 1.2.3.4 get you
> unless you were either using loose source routing or sniffing
> traffic on the same wire and could see an ack go out?
> that one entry doesn't look like an attempt at a DDOS. unless
> they were using the nmap decoy option, but then you'd be seeing
> other scans on that port by different IPs...
>
> am i thinking about this too much?
> time for a nap.
>
> =jay
>
> On Mon, 30 Apr 2001, Jeffrey Wong wrote:
>
> > There have been a lot of reports of people seeing the exact same thing over
> > the last two weeks. I haven't really heard much about it besides that it's
> > been seen though. It seems to (so far) be just a passive scan with no
> > accompanying attacks, although I'd assume that if you do have Back Orifice
> > installed . . . 1.2.3.4 is just one of the more commonly spoofed IPs.
> > In fact it's used as an example IP in a lot of different places. I guess
> > these new script kiddies either have no imagination, or no idea that they
> > can change it ;)
> >
> > Jeff Wong
> >
> > On Mon, 30 Apr 2001, Ben Beeson wrote:
> >
> > > Aloha all,
> > >
> > > The below line appeared in my /var/log/messages file and I am curious
> > > about it. I think port 31337 is for Back Orifice, a Windows attack that I
> > > should be relatively immune from. However, that said, I am curious how the IP
> > > address 1.2.3.4 materialized. I am not sure that this is a 'legal' address.
> > > 'dig' returns nothing..... Has anyone else seen this???
> > >
> > > Thanks,
> > >
> > > Ben
> > >
> > >
> > > Security Violations
> > > =-=-=-=-=-=-=-=-=-=
> > > Apr 29 16:50:39 kernel: Packet log: input DENY eth0 PROTO=17 1.2.3.4:1024 24.94.83.89:31337 L=81 S=0x00 I=20326 F=0x0000 T=111 (#8)
> > >