Message-ID: <3B27C352.2FDA5007@procopia.com>
Date: Wed, 13 Jun 2001 20:47:30 +0100
From: David Goddard
To: Alex Holst
Cc: freebsd-security@freebsd.org
Subject: Re: Odd source IP for a scan
References: <3B27AACB.D8BC13F@procopia.com> <20010613203329.A13593@area51.dk>

Alex Holst wrote:

> What's spoofed? Whoever owns 66.22.30.76 has told their DNS server to return
> "host.domain.com" when asked for a hostname.
>
> Query about 66.22.30.76 for record types PTR
> Name: host.domain.com
> Address: 66.22.30.76

Doh. Right - didn't occur to me. Should have done a whois first I guess. Looks like these guys have that for the entire netblock.

My assumption was that host.domain.com really did exist and its IP was chosen to be the default in some tool.

Better mail them and let them know they have a possible problem :-)

Thanks (and sorry for the b/w wastage),

Dave
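An added example, not part of the original thread: because the owner of an address block controls its PTR records, a hostname seen in a scan log is only trustworthy when a forward lookup of that name returns the same address (forward-confirmed reverse DNS). The function names and the sample records below are constructed for illustration; only 66.22.30.76 and host.domain.com come from the thread.

```python
import socket

# Constructed sample zone data (not real DNS answers). The first entry mirrors
# the thread: the PTR claims host.domain.com, but no forward record confirms it.
SAMPLE_PTR = {
    "66.22.30.76": ["host.domain.com"],
    "192.0.2.25": ["mail.example.net"],
}
SAMPLE_A = {
    "host.domain.com": ["192.0.2.10"],    # assumed: forward record points elsewhere
    "mail.example.net": ["192.0.2.25"],   # forward record matches the PTR
}

def sample_ptr(ip):
    """Offline PTR lookup against the constructed data."""
    return SAMPLE_PTR.get(ip, [])

def sample_forward(name):
    """Offline forward lookup against the constructed data."""
    return SAMPLE_A.get(name, [])

def system_ptr(ip):
    """PTR lookup through the system resolver; empty list when none exists."""
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except OSError:  # covers socket.herror and socket.gaierror
        return []

def system_forward(name):
    """Forward lookup through the system resolver; empty list on failure."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except OSError:
        return []

def classify_ptr(ip, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Return (status, name): 'no-ptr', 'confirmed' or 'unconfirmed'."""
    names = ptr_lookup(ip)
    if not names:
        return ("no-ptr", None)
    for name in names:
        # The PTR name counts only if it resolves back to the same address.
        if ip in forward_lookup(name):
            return ("confirmed", name)
    return ("unconfirmed", names[0])

if __name__ == "__main__":
    for ip in ("66.22.30.76", "192.0.2.25", "192.0.2.99"):
        print(ip, classify_ptr(ip, sample_ptr, sample_forward))
```

Called with the default arguments, `classify_ptr` uses the system resolver instead of the sample tables.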