[Snort-users] Strange scan
Corne van Strien
strien at ...4609...
Mon Jan 21 06:26:08 EST 2002
I guess this might be several things:
Trying to access a rsh daemon using IP spoofing and ISN value guessing, see
a DOS attack meant for vulnerable RSH daemons.
An example of such a vulnerability:
Corne van Strien.
----- Original Message -----
From: "Michael Schwartzkopff" <misch at ...4627...>
To: <snort-users at lists.sourceforge.net>
Sent: Monday, January 21, 2002 1:30 PM
Subject: [Snort-users] Strange scan
> I get some strange scans for some weeks now. The scans would not stop so I
> decided to investigate it further and did set up some tcpdump. Please see
> file attached. Can please someone help me to explain the aim of this scan
> There are some strange things in this scan:
> 1) The scan originates from a private IP Address, but it is a TCP SYN scan.
> the scanner wants an answer, but this should be difficult using a private
> source address in the internet.
> 2) When he wants to get the answer he should be located somewhere close to
> our net to catch the answer of our system. But the TTL of 241 tells me the
> is most probably 14 hops (255 - 241) away. That seems to be far for an
> to a private IP address.
> 3) Can somebody explain what OS is running with that characteristics ?
> Thanks for any help.
> Dr. Michael Schwartzkopff
> Multinet GmbH
> Bretonischer Ring 7
> 85630 Grasbrunn
> Tel: (+49 89) 456 911 50
> Fax: (+49 89) 456 911 21
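The reasoning in the quoted message (a SYN arriving from a private source address, and a TTL of 241 read as 255 - 241 = 14 hops) can be written as a small triage check. This is an added example, not part of the original thread; the record format, the sample addresses and ports, and the list of common initial TTLs are constructed assumptions.

```python
import ipaddress

# RFC 1918 private ranges; these are not routed on the public Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Initial TTLs commonly used by IP stacks (assumption: the sender used one of these).
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

def estimate_hops(observed_ttl):
    """Return (assumed_initial_ttl, hops), taking the smallest common initial TTL >= observed."""
    for initial in COMMON_INITIAL_TTLS:
        if 0 < observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise ValueError("TTL out of range: %r" % observed_ttl)

def parse_record(line):
    """Parse one constructed 'key=value' record (this is not tcpdump's own output format)."""
    fields = dict(item.split("=", 1) for item in line.split())
    return {"src": ipaddress.ip_address(fields["src"]), "dport": int(fields["dport"]),
            "flags": fields["flags"], "ttl": int(fields["ttl"])}

def triage(lines):
    """Flag bare SYNs with an RFC 1918 source whose TTL shows they crossed routers.

    Replies to such a source cannot be routed back, so the address is likely forged.
    """
    findings = []
    for line in lines:
        pkt = parse_record(line)
        initial, hops = estimate_hops(pkt["ttl"])
        private_src = any(pkt["src"] in net for net in RFC1918)
        if pkt["flags"] == "S" and private_src and hops > 0:
            findings.append({"src": str(pkt["src"]), "dport": pkt["dport"],
                             "assumed_initial_ttl": initial, "hops": hops})
    return findings

# Constructed sample records, as they might be seen on an Internet-facing interface.
SAMPLE = [
    "src=10.1.2.3 dst=192.0.2.10 dport=514 flags=S ttl=241",     # private source, 14 hops
    "src=198.51.100.7 dst=192.0.2.10 dport=80 flags=S ttl=52",   # public source
    "src=192.168.5.9 dst=192.0.2.10 dport=514 flags=SA ttl=60",  # not a bare SYN
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The hop count is only as good as the assumed initial TTL, which the sender can set to any value.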