Date: 17 May 1999 23:45:18 +0200
From: Dag-Erling Smorgrav <des@flood.ping.uio.no>
To: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Interesting Attack
Message-ID: <xzpr9ofqsk1.fsf@localhost.ping.uio.no>
In-Reply-To: Cy Schubert's message of "Mon, 17 May 1999 14:01:54 -0700"
References: <199905172101.OAA29759@passer.osg.gov.bc.ca>

Cy Schubert <cschuber@uumail.gov.bc.ca> writes:
> I'm seeing a number of packets from sites around the Internet to
> port 1096. What service lives on port 1096? Has anyone seen this
> before?

None. I think somebody's trying to bounce packets off your machine to
another box by spoofing the source address, *or* somebody has been
sending spoofed packets with your IP as source address to some other
boxen.

Look at the source ports: 23 (telnet), 139 (NetBIOS), 6667 (IRC)... I
checked the IP addresses which appear with port 6667, and they're all
IRC servers. You wouldn't expect connections to *originate* from port
6667 on these boxen; I think somebody sent them SYN packets made up to
look as if they came from you, and they replied.

In any case, I don't think you're the target; you're just an innocent
passer-by which they picked to pin the blame on (from the POV of the
target sites, it looks as if *you* ran a port scan on them - or would
if your firewall hadn't dropped those packets).

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
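
The reasoning in the message above can be turned into a log check. The following is an added example, not part of the original e-mail: it flags local ports that receive TCP replies from several distinct servers' service ports without a matching outbound SYN. The log line format, the TCP flag field, the `our_syns` set and the `min_hosts` threshold are assumptions; the addresses are constructed documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample of inbound TCP packets dropped at a firewall (not data
# from the thread). The line format "src:sport > dst:dport FLAGS" is hypothetical.
SAMPLE_LOG = """\
198.51.100.10:6667 > 192.0.2.5:1096 SA
198.51.100.22:6667 > 192.0.2.5:1096 SA
203.0.113.7:23 > 192.0.2.5:1096 SA
203.0.113.9:139 > 192.0.2.5:1096 RA
203.0.113.40:31337 > 192.0.2.5:22 S
198.51.100.80:80 > 192.0.2.5:40000 SA
unparseable line
"""

LINE_RE = re.compile(r"^(\S+):(\d+) > (\S+):(\d+) ([A-Z]+)$")
REPLY_FLAGS = {"SA", "R", "RA"}      # SYN-ACK or RST: answers, not new connections
SERVICE_PORTS = {23, 139, 6667}      # source ports named in the message


def parse(log):
    """Yield (src, sport, dst, dport, flags) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            src, sport, dst, dport, flags = m.groups()
            yield src, int(sport), dst, int(dport), flags


def find_backscatter(log, our_syns=frozenset(), min_hosts=3):
    """Map (local_ip, local_port) -> {remote_ip: remote_port} where at least
    min_hosts distinct servers sent replies to connections we never opened."""
    seen = defaultdict(dict)
    for src, sport, dst, dport, flags in parse(log):
        if flags not in REPLY_FLAGS:
            continue                  # a bare SYN is a real inbound attempt
        if sport >= 1024 and sport not in SERVICE_PORTS:
            continue                  # replies come from the server's listening port
        if (dst, dport, src, sport) in our_syns:
            continue                  # we did send that SYN, so the reply is solicited
        seen[(dst, dport)][src] = sport
    return {k: v for k, v in seen.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    for (ip, port), peers in find_backscatter(SAMPLE_LOG).items():
        print(f"{ip}:{port} got unsolicited replies from {len(peers)} hosts: {peers}")
```

A hit means other sites have seen traffic claiming to come from the local address, so their abuse contacts may report it as a scan.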