[Dshield] odd scan any ideas?
david.vincent at mightyoaks.com
Fri Jun 20 21:34:02 GMT 2003
is this from a residential isp? or a work-related connection?
if residential then does the isp require you to register the MAC address
with them before granting an IP? someone who doesn't know better may have
hooked a box up to their broadband modem without registering the MAC addy.
their machine would then not get an IP and then may default to this
if its business-related, it may be the same sort of thing. wracking my
brain for another reason for this sort of thing comes up with nothing right
> -----Original Message-----
> From: Mark Warner [mailto:warner at neb.com]
> Sent: June 19, 2003 1:03 PM
> To: General DShield Discussion List
> Subject: RE: [Dshield] odd scan any ideas?
> the log was generated by my firewall (Gauntlet 6.0) and i
> would say the
> same but the < if=eri1 >shows that it is outside the wall.
> That is my
> At 08:20 AM 6/19/2003 -0700, you wrote:
> >looks like a microsoft machine which couldn't reach a DHCP
> server, looking
> >for other machines. when windows boxes aren't statically
> configured and
> >don't have a DHCP server, they default to grabbing a random
> ip form the
> >169.254.x.y subnet with a mask of 255.255.0.0.
> >this looks like a broadcast to that subnet in an effort to find other
> >where was this log? what gathered this info?
> > > -----Original Message-----
> > > From: Mark Warner [mailto:warner at neb.com]
> > > Sent: June 19, 2003 7:36 AM
> > > To: 'General DShield Discussion List'
> > > Subject: [Dshield] odd scan any ideas?
> > >
> > >
> > > My logs have shown this for a few days now...
> > > Any ideas as to how or what?
> > >
> > > Jun 18 11:23:54 seq.neb.com gfw: [ID 702911 kern.info]
> > > securityalert: udp
> > > if=eri1 from 169.254.35.111:52429 to 169.254.255.255 on
> > > unserved port 137
> > > Mark
> > > Mark Warner
> > > TelCom/Network Manager
> > > New England BioLabs Inc.
> > > 32 Tozer Rd
> > > Beverly MA
> > > 01915
> > > 978.927.5054 Ext. 407 Office
> > > 978.921.1350 Fax
> > > warner at neb.com
> > >
> > > _______________________________________________
> > > list mailing list
> > > list at dshield.org
> > > To change your subscription options (or unsubscribe), see:
> > > http://www.dshield.org/mailman/listinfo/list
> > >
> >list mailing list
> >list at dshield.org
> >To change your subscription options (or unsubscribe), see:
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
More information about the list