[Dshield] odd scan any ideas?

David Vincent david.vincent at mightyoaks.com
Thu Jun 19 15:20:49 GMT 2003


looks like a microsoft machine which couldn't reach a DHCP server, looking
for other machines.  when windows boxes aren't statically configured and
don't have a DHCP server, they default to grabbing a random ip from the
169.254.x.y subnet with a mask of 255.255.0.0.

this looks like a broadcast to that subnet in an effort to find other
machines.

where was this log?  what gathered this info?

-d



> -----Original Message-----
> From: Mark Warner [mailto:warner at neb.com]
> Sent: June 19, 2003 7:36 AM
> To: 'General DShield Discussion List'
> Subject: [Dshield] odd scan any ideas?
> 
> 
> My logs have shown this for a few days now...
> Any ideas as to how or what?
> 
> Jun 18 11:23:54 seq.neb.com gfw: [ID 702911 kern.info] securityalert: udp if=eri1 from 169.254.35.111:52429 to 169.254.255.255 on unserved port 137
> Mark
> Mark Warner
> TelCom/Network Manager
> New England BioLabs Inc.
> 32 Tozer Rd
> Beverly MA
> 01915
> 978.927.5054 Ext. 407 Office
> 978.921.1350 Fax
> warner at neb.com
> 
> 
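The following is an added example, not part of either message: a small Python triage script that separates the pattern described in the reply (a self-assigned 169.254.x.y source sending UDP 137 to the /16 broadcast address) from other alerts. The regular expression is inferred from the single log line quoted in the thread, and the function names and verdict labels are assumptions made for illustration.

```python
import ipaddress
import re

APIPA = ipaddress.ip_network("169.254.0.0/16")  # mask 255.255.0.0, as in the reply
NETBIOS_NS = 137                                # NetBIOS name service port

# Constructed sample input: the first line is the alert quoted in the thread
# (rejoined onto one line); the other two are invented for contrast.
SAMPLE_LOG = """\
Jun 18 11:23:54 seq.neb.com gfw: [ID 702911 kern.info] securityalert: udp if=eri1 from 169.254.35.111:52429 to 169.254.255.255 on unserved port 137
Jun 18 11:24:10 seq.neb.com gfw: [ID 702911 kern.info] securityalert: udp if=eri1 from 192.0.2.7:1030 to 198.51.100.255 on unserved port 137
Jun 18 11:25:02 seq.neb.com gfw: [ID 702911 kern.info] securityalert: tcp if=eri1 from 169.254.35.111:1045 to 169.254.9.9 on unserved port 445
"""

# Assumption: every alert follows the layout of the one line shown in the thread.
ALERT_RE = re.compile(
    r"securityalert: (?P<proto>\w+) if=(?P<iface>\S+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+) "
    r"on unserved port (?P<dport>\d+)"
)

def classify(line):
    """Return a dict describing one alert line, or None if it does not parse."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    dport = int(m["dport"])
    if (src in APIPA and dst == APIPA.broadcast_address
            and m["proto"] == "udp" and dport == NETBIOS_NS):
        verdict = "apipa-netbios-broadcast"   # host without DHCP looking for peers
    elif src in APIPA:
        verdict = "apipa-other"               # self-assigned host, different traffic
    else:
        verdict = "review"                    # not explained by the APIPA fallback
    return {"iface": m["iface"], "src": str(src), "dst": str(dst),
            "dport": dport, "verdict": verdict}

def triage(text):
    """Classify every parsable alert line in a block of log text."""
    return [r for r in map(classify, text.splitlines()) if r is not None]

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r["verdict"], r["iface"], r["src"], "->", r["dst"], r["dport"])
```

The `iface` field is kept in the result because it shows which network segment the unconfigured host sits on.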



