On Mon, Nov 3, 2008 at 11:07 AM, Simon Robert <simon.robert@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> On Mon, 2008-11-03 at 10:29 +0000, Steph Foster wrote:
>> Good point Kevin,
>>
>> If the offending scans came from a private IP addy like 192.168.x.x
>> then it's likely a hacker piggybacking your WLAN.
>>
>> Steph
>>
>>
>> 2008/11/3 Kevin Tunison <ktunison@xxxxxxxxx>:
>> > On Sat, Nov 1, 2008 at 12:39 PM, Simon WD Robert
>> > <simon.robert@xxxxxxxxxxxxx> wrote:
>> >> Hi
>> >>
>> >> I have had a number of warnings from my router. All the messages have
>> >> the same format: a bunch of TCP packets, all from the same IP (a different IP
>> >> for each warning message), followed by a UDP packet from another IP. Any
>> >> ideas what's being attempted?
>> >>
>> >> I'm not particularly worried, I've run a port scan and everything is
>> >> stealthed and unresponsive, but I'd like to know.
>> >>
>> >> Simon
>> >> --
>> >> info@xxxxxxxxxxxxxxxxxxxxxx
>> >> www.oldhouse-cottage.co.uk
>> >>
>> >>
>> >
>> > The first thought that comes to mind is that it may be an attempt to
>> > exploit the fairly recent DNS vulnerabilities. You could suss that by
>> > the ports the packets are aimed at. Like Steph says, it is fairly
>> > common. I'm curious if this came in over wireless or the ISP network?
>
>
> This is typical:
>
> TCP Packet - Source:4.79.142.206 Destination:81.141.50.1 - [PORT SCAN]
>

That IP address (somewhere in California) has been used before in the past 6 months for this type of activity (so says a search, anyway). Possibly a zombie. Does your reporting show the port number in the warnings for the packets?

Getting only 10 hits would indicate a generic scan for a specific vulnerability (well, that plus the fact that other people on the net have complained of this IP makes it either recycled to another zombie, or somebody incredibly careless).

regards,
KevinT

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
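The two checks suggested in the thread (is the source a private 192.168.x.x address, so the traffic came from the LAN side rather than the ISP link, and which destination ports are being hit, so the probe can be matched to a service such as DNS) are easy to automate over the router's log. The script below is an added example, not code from the thread or from any router vendor. It copies the one warning format quoted above but assumes a trailing `Port:N` field that the quoted line does not carry, and the sample log lines and addresses are constructed for illustration.

```python
"""Triage consumer-router "[PORT SCAN]" warnings.

Groups warnings by source address, flags RFC 1918 (LAN-side) sources, and
lists the destination ports so a probe can be matched to a service.
Added example; the log format mimics the thread's quoted line plus an
assumed "Port:N" field, and all addresses below are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample (TEST-NET and RFC 1918 addresses). The first block copies
# the pattern the original poster described: several TCP packets from one
# source, then a single UDP packet from a different source.
SAMPLE_LOG = """\
TCP Packet - Source:203.0.113.7 Destination:198.51.100.1 Port:53 - [PORT SCAN]
TCP Packet - Source:203.0.113.7 Destination:198.51.100.1 Port:53 - [PORT SCAN]
TCP Packet - Source:203.0.113.7 Destination:198.51.100.1 Port:53 - [PORT SCAN]
UDP Packet - Source:203.0.113.99 Destination:198.51.100.1 Port:53 - [PORT SCAN]
TCP Packet - Source:192.168.1.23 Destination:198.51.100.1 Port:22 - [PORT SCAN]
TCP Packet - Source:192.168.1.23 Destination:198.51.100.1 Port:23 - [PORT SCAN]
TCP Packet - Source:192.168.1.23 Destination:198.51.100.1 Port:80 - [PORT SCAN]
TCP Packet - Source:192.168.1.23 Destination:198.51.100.1 Port:445 - [PORT SCAN]
some unrelated router message the parser should skip
"""

LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP) Packet - Source:(?P<src>[\d.]+) "
    r"Destination:(?P<dst>[\d.]+) Port:(?P<port>\d+)"
)

# The private ranges from RFC 1918; a source in one of these cannot have
# arrived over the ISP link, so it is on the LAN/WLAN side.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Enough well-known ports to label the usual probes; anything else is shown
# as proto/port.
SERVICES = {
    ("udp", 53): "dns", ("tcp", 53): "dns",
    ("tcp", 22): "ssh", ("tcp", 23): "telnet", ("tcp", 25): "smtp",
    ("tcp", 80): "http", ("tcp", 443): "https", ("tcp", 445): "smb",
    ("tcp", 3389): "rdp",
}


def parse_warnings(text):
    """Return one (proto, src, dst, port) tuple per parseable warning line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["proto"].lower(), m["src"], m["dst"], int(m["port"])))
    return events


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def service_name(proto, port):
    return SERVICES.get((proto, port), f"{proto}/{port}")


def triage(events):
    """Per-source summary.

    verdict is "lan-side" for an RFC 1918 source, "single-service probe" when
    every packet from that source hit one port (the "only a few hits" case in
    the thread), otherwise "port sweep".
    """
    by_src = defaultdict(list)
    for proto, src, _dst, port in events:
        by_src[src].append((proto, port))

    report = {}
    for src, hits in by_src.items():
        ports = sorted(set(hits))
        private = is_rfc1918(src)
        if private:
            verdict = "lan-side"
        elif len(ports) == 1:
            verdict = "single-service probe"
        else:
            verdict = "port sweep"
        report[src] = {
            "packets": len(hits),
            "private_source": private,
            "targets": [service_name(p, n) for p, n in ports],
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for src, info in triage(parse_warnings(SAMPLE_LOG)).items():
        print(f"{src:16} {info['packets']:3} pkt(s)  {info['verdict']:22} "
              f"-> {', '.join(info['targets'])}")
```

Run against a real export, the interesting rows are a public source whose packets all land on one port (a scanner looking for one service) and any RFC 1918 source at all, which means the scanning host is already inside the network.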