[Dshield] odd scan any ideas?

Korhonen Juuso juuso.korhonen at camline.fi
Fri Jun 20 06:11:06 GMT 2003


What about this:

"The Trojan scans random ports on random machines, each time sending an
initial SYN packet. One of the few identifiable characteristics of the
program is a window size of 55808 on each of the packets it transmits.

******It also spoofs the originating IP address on all of the packets,
making them look as if they're coming from machines in unallocated name
space.***** "

http://www.eweek.com/article2/0,3959,1130765,00.asp
 
Best regards
 
Juuso

-----Original Message-----
From: Mark Warner [mailto:warner at neb.com] 
Sent: 19 June 2003 23:03
To: General DShield Discussion List
Subject: RE: [Dshield] odd scan any ideas?


The log was generated by my firewall (Gauntlet 6.0) and I would say the 
same, but the <if=eri1> shows that it is outside the wall.  That is my 
confusion.

At 08:20 AM 6/19/2003 -0700, you wrote:
>looks like a microsoft machine which couldn't reach a DHCP server, 
>looking for other machines.  when windows boxes aren't statically 
>configured and don't have a DHCP server, they default to grabbing a 
>random ip from the 169.254.x.y subnet with a mask of 255.255.0.0.
>
>this looks like a broadcast to that subnet in an effort to find other 
>machines.
>
>where was this log?  what gathered this info?
>
>-d
>
>
>
> > -----Original Message-----
> > From: Mark Warner [mailto:warner at neb.com]
> > Sent: June 19, 2003 7:36 AM
> > To: 'General DShield Discussion List'
> > Subject: [Dshield] odd scan any ideas?
> >
> >
> > My logs have shown this for a few days now...
> > Any ideas as to how or what?
> >
> > Jun 18 11:23:54 seq.neb.com gfw: [ID 702911 kern.info] securityalert: udp if=eri1 from 169.254.35.111:52429 to 169.254.255.255 on unserved port 137
> >
> > Mark
> > Mark Warner
> > TelCom/Network Manager
> > New England BioLabs Inc.
> > 32 Tozer Rd
> > Beverly MA
> > 01915
> > 978.927.5054 Ext. 407 Office
> > 978.921.1350 Fax
> > warner at neb.com
> >
> > _______________________________________________
> > list mailing list
> > list at dshield.org
> > To change your subscription options (or unsubscribe), see: 
> > http://www.dshield.org/mailman/listinfo/list
> >
>



_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
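
An added example, not part of the original thread or any poster's code: a Python check that parses the log line quoted above and tags the traits the replies discuss (169.254.0.0/16 source, subnet broadcast destination, UDP port 137). The regex is modelled on that single sample line, and treating `eri1` as the outside interface follows Mark's description; both are assumptions.

```python
import ipaddress
import re

# Field layout taken from the one sample line in the thread; other
# Gauntlet message formats are not covered (assumption).
LINE_RE = re.compile(
    r"securityalert: (?P<proto>\w+) if=(?P<iface>\S+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+) "
    r"on unserved port (?P<dport>\d+)"
)

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # mask 255.255.0.0
NETBIOS_NS = 137                                      # UDP NetBIOS name service


def classify(line, external_ifaces=("eri1",)):
    """Return a dict describing the alert, or None if the line does not match."""
    m = LINE_RE.search(" ".join(line.split()))  # undo mail-client line wrapping
    if m is None:
        return None
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    tags = []
    if src in LINK_LOCAL:
        tags.append("src-link-local")        # self-assigned address, no DHCP lease
    if dst == LINK_LOCAL.broadcast_address:
        tags.append("dst-subnet-broadcast")  # 169.254.255.255
    if m["proto"] == "udp" and int(m["dport"]) == NETBIOS_NS:
        tags.append("netbios-name-query")
    if m["iface"] in external_ifaces and src in LINK_LOCAL:
        # Routers should not forward link-local sources (RFC 3927), so the
        # sender is most likely on the same layer-2 segment as this interface.
        tags.append("likely-same-segment")
    return {"iface": m["iface"], "src": str(src), "dst": str(dst),
            "dport": int(m["dport"]), "tags": tags}


# The log line quoted in the thread, re-joined onto one line.
SAMPLE = ("Jun 18 11:23:54 seq.neb.com gfw: [ID 702911 kern.info] "
          "securityalert: udp if=eri1 from 169.254.35.111:52429 "
          "to 169.254.255.255 on unserved port 137")

if __name__ == "__main__":
    print(classify(SAMPLE))
```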