From: Dag-Erling Smorgrav <des@flood.ping.uio.no>
To: Cy Schubert - ITSD Open Systems Group
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Interesting Attack
Date: 17 May 1999 23:45:18 +0200
In-Reply-To: Cy Schubert's message of "Mon, 17 May 1999 14:01:54 -0700"
References: <199905172101.OAA29759@passer.osg.gov.bc.ca>

Cy Schubert writes:
> I'm seeing a number of packets from sites around the Internet to
> port 1096. What service lives on port 1096? Has anyone seen this
> before?

None. I think somebody's trying to bounce packets off your machine to
another box by spoofing the source address, *or* somebody has been
sending spoofed packets with your IP as source address to some other
boxen.

Look at the source ports: 23 (telnet), 139 (NetBIOS), 6667 (IRC)... I
checked the IP addresses which appear with port 6667, and they're all
IRC servers. You wouldn't expect connections to *originate* from port
6667 on these boxen; I think somebody sent them SYN packets made up to
look as if they came from you, and they replied.

In any case, I don't think you're the target; you're just an innocent
passer-by which they picked to pin the blame on (from the POV of the
target sites, it looks as if *you* ran a port scan on them - or would
if your firewall hadn't dropped those packets).

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no
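The reasoning in the reply above (replies arriving from well-known service ports, many distinct hosts, all aimed at one local port you don't serve, therefore you are the forged source rather than the target) can be turned into a small triage script for firewall deny logs. The following is an added example, not code from the thread or from FreeBSD; the log lines are constructed, and their "Deny TCP src:sport dst:dport FLAGS in via ifname" shape is an assumption rather than an exact ipfw format. It generalizes slightly beyond the message: a closed port answers a forged SYN with RST/ACK instead of SYN/ACK, so both are treated as unsolicited replies.

```python
import re
from collections import defaultdict

# Constructed sample firewall deny lines (assumption: a generic
# "Deny TCP <src>:<sport> <dst>:<dport> <flags> in via <ifname>" shape,
# not an exact reproduction of any real ipfw log format).
SAMPLE_LOG = """\
May 17 13:01:02 gw fw: Deny TCP 198.51.100.11:6667 192.0.2.10:1096 SA in via ed0
May 17 13:01:03 gw fw: Deny TCP 198.51.100.12:6667 192.0.2.10:1096 SA in via ed0
May 17 13:01:05 gw fw: Deny TCP 198.51.100.13:23 192.0.2.10:1096 RA in via ed0
May 17 13:01:07 gw fw: Deny TCP 198.51.100.14:139 192.0.2.10:1096 SA in via ed0
May 17 13:01:09 gw fw: Deny TCP 198.51.100.15:6667 192.0.2.10:1096 SA in via ed0
May 17 13:02:00 gw fw: Deny TCP 203.0.113.5:40001 192.0.2.10:22 S in via ed0
May 17 13:02:01 gw fw: Deny TCP 203.0.113.5:40002 192.0.2.10:23 S in via ed0
"""

LOG_RE = re.compile(
    r"Deny TCP (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<flags>[A-Z]+) in via"
)

# The ports the thread saw as *source* ports: services that only ever answer.
SERVICE_PORTS = {23: "telnet", 139: "netbios-ssn", 6667: "irc"}


def parse_line(line):
    """Return a packet dict for a TCP deny line, or None for any other line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "flags": set(m.group("flags")),  # e.g. {"S", "A"} for SYN/ACK
    }


def classify(packets):
    """Group dropped packets by local destination port and judge each group.

    A packet carrying ACK (SYN/ACK from an open port, RST/ACK from a closed
    one) is the *second* step of a handshake.  Arriving unsolicited, it is a
    reply to a SYN we never sent, i.e. somebody else sent that SYN with our
    address forged as the source.  A bare SYN, by contrast, is the sender's
    own first step: a probe aimed at us.
    """
    by_dport = defaultdict(list)
    for p in packets:
        by_dport[p["dport"]].append(p)

    report = {}
    for dport, pkts in sorted(by_dport.items()):
        replies = [p for p in pkts if "A" in p["flags"]]
        probes = [p for p in pkts if p["flags"] == {"S"}]
        reflectors = {p["src"] for p in replies}
        service_ports = sorted({p["sport"] for p in replies})
        from_services = [p for p in replies if p["sport"] in SERVICE_PORTS]

        if replies and not probes and len(reflectors) >= 2 and from_services:
            verdict = "backscatter"  # we are the forged source, not the target
        elif probes and not replies:
            verdict = "probe"        # someone really is knocking on this port
        else:
            verdict = "unclear"
        report[dport] = {
            "verdict": verdict,
            "reflectors": len(reflectors),
            "service_ports": service_ports,
            "services": [SERVICE_PORTS.get(sp, "?") for sp in service_ports],
            "probes": len(probes),
        }
    return report


def analyze(log_text):
    """Parse a block of log lines and return the per-port verdict report."""
    packets = [p for p in (parse_line(l) for l in log_text.splitlines()) if p]
    return classify(packets)


if __name__ == "__main__":
    for port, info in analyze(SAMPLE_LOG).items():
        print(f"local port {port}: {info['verdict']} "
              f"(reflectors={info['reflectors']}, services={info['services']}, "
              f"probes={info['probes']})")
```

Run it on the constructed input and port 1096 comes out as backscatter from five reflectors on telnet, NetBIOS and IRC, while the two bare SYNs to 22 and 23 are reported as probes. If your firewall log does not record TCP flags, the source-port half of the heuristic (many distinct hosts all "originating" from a service port) still applies on its own; the verdict is only as good as the log, and a spoofed reply from a non-standard port will land in "unclear" rather than be misreported.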