[Dshield] odd scan any ideas?

Mark Warner warner at neb.com
Thu Jun 19 20:03:21 GMT 2003


the log was generated by my firewall (Gauntlet 6.0) and i would say the 
same but the < if=eri1 >shows that it is outside the wall.  That is my 
confusion.

At 08:20 AM 6/19/2003 -0700, you wrote:
>looks like a microsoft machine which couldn't reach a DHCP server, looking
>for other machines.  when windows boxes aren't statically configured and
>don't have a DHCP server, they default to grabbing a random ip form the
>169.254.x.y subnet with a mask of 255.255.0.0.
>
>this looks like a broadcast to that subnet in an effort to find other
>machines.
>
>where was this log?  what gathered this info?
>
>-d
>
>
>
> > -----Original Message-----
> > From: Mark Warner [mailto:warner at neb.com]
> > Sent: June 19, 2003 7:36 AM
> > To: 'General DShield Discussion List'
> > Subject: [Dshield] odd scan any ideas?
> >
> >
> > My logs have shown this for a few days now...
> > Any ideas as to how or what?
> >
> > Jun 18 11:23:54 seq.neb.com gfw: [ID 702911 kern.info]
> > securityalert: udp
> > if=eri1 from 169.254.35.111:52429 to 169.254.255.255 on
> > unserved port 137
> > Mark
> > Mark Warner
> > TelCom/Network Manager
> > New England BioLabs Inc.
> > 32 Tozer Rd
> > Beverly MA
> > 01915
> > 978.927.5054 Ext. 407 Office
> > 978.921.1350 Fax
> > warner at neb.com
> >
> > _______________________________________________
> > list mailing list
> > list at dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www.dshield.org/mailman/listinfo/list
> >
>
>_______________________________________________
>list mailing list
>list at dshield.org
>To change your subscription options (or unsubscribe), see: 
>http://www.dshield.org/mailman/listinfo/list






More information about the list mailing list