Date: Sun, 13 Jun 1999 12:29:50 -0500 From: "Ed P." <secure@r0ck.com> To: Jay Nelson <jdn@acp.qiv.com> Cc: security@FreeBSD.ORG Subject: Fwd: [linux-security] Re: Port 7 scan Message-ID: <99061312495500.02641@MOLTEN.R0CK.COM>
next in thread | raw e-mail | index | archive | help
-------- - It seems that on Thu, 10 Jun 1999 Richard Day said....=20 ---------- Subject: [linux-security] Re: Port 7 scan Date: Wed, 9 Jun 1999 23:36:03 -0700 (PDT) From: Richard Day <rich@Resonate.com> Juha, The "scans" you are seeing are in response to a DNS lookup being initiate= d from your site for ad.doubleclick.net. More then likely it is a web browser some were in your site, or more then likely many that initiate th= e lookup. The content that the browser is requesting is available from many sites of DoubleClicks at many different locations on the Internet. The connect back to your DNS server is to find which of these sites is best for you in terms of latency. This information, along with the current loa= d on the servers at each site is used to determine which IP to return to yo= u so that you go to the fastest site. The "scans" will not happen with out = a request from your side. The information that is received is cached for a period and reused to reduce the total amount of connections. In most situations the group of connections back to your machine will be utilized by many out bound requests from your end. Hope this clears up your questions, drop me an email if not. rich =09~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ =09Richard Day Technical Support Manager =09Resonate, Inc. =09385 Moffett Park Drive =09Suite 205 =09Sunnyvale, CA 94089 =09Main 408 548.5500 =09Direct =09 408 548.5648 =09Fax =09 408 548.5679 =09Support 408 548.5600 =09~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ On Thu, 10 Jun 1999, Juha Virtanen wrote: > From: EW1 Coral J. Cook <ccook@nosc.mil> 9.6.1999 21:10: >=20 >=20 > >Over the last several day, we've been getting pretty regular scans fro= m a > >non-existant host on our port 7. Any idea what they are looking for/wh= at are > >some of vulnerabilites with echo? >=20 >=20 > I've seen the same and I issued incident tickets on major US service > providers. >=20 > I got the following information quoted below: >=20 > > From: Ng, Alex [SMTP:ang@doubleclick.net] > > Sent: Monday, June 07, 1999 11:05 AM > > Subject: RE: Probable attack from your domain > > > > Dear Sir, > > > > We are currently using the product GlobalDispatch from Resonate Inc. > > for our Wide Area > > Data Distribution. Please see letter below for a detail explaination= on > > this product. Thanks. > > > > Sincerely, > > > > Alex Ng > > > > > > -------------------- > > > > Hello Sir, > > > > Alex at Doubleclick asked us to work with you regarding this ticket. > > > > We have reason to believe that the reports you've received regarding > > these three machines being compromised is a misunderstanding as a res= ult > > of our enterprise traffic management software: Global Dispatch. Glob= al > > Dispatch is a WAN-based scheduler that makes it easy to place content > > close to geographically dispersed users and and intelligently directs > > requests > > to the best-suited Point of Presence (POP). > > > > In the course of determining the best suited POP, Global Dispatch pre= forms > > a > > latency measurement. This latency measurement is done by making a > > connection > > to the client DNS server on TCP port 7 and then dropping the connecti= on. > > After > > the latency measurement has been done, the latency values are cached,= and > > the > > IP of the most responsive POP is returned to the requesting machine. > > > > I hope this help clear up the confusion. We are looking into other wa= ys to > > preform this latency mesurment, and hope we have not caused you any > > inconvenience. > > > > -- > > Resonate Technical Support <support@resonate.com> > > > > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > Richard Day Call Center Manager > > > > Resonate, Inc. > > 465 Fairchild Drive > > Suite 115 > > Mountain View, CA 94040 > > > > Main Phone 650 967.6500 > > Fax 650 967.6561 > > Support Line 650 967.4800 > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > >=20 >=20 > Regards, > Juha >=20 >=20 >=20 --=20 ---------------------------------------------------------------------- Please refer to the information about this list as well as general information about Linux security at http://www.aoy.com/Linux/Security. ---------------------------------------------------------------------- ---///-///-///-/-//----///-///-/////--Ed Porter secure @ r0ck.com --/---/-/-/---///-----/---/-/-/-/-/--1306 P R 820 Mingus TX 76463 -/---///-///-/-//-//-///-///-/---/--254.968.5199 Fax 254.968.6504 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?99061312495500.02641>