Moe Trin wrote:
> In the Usenet newsgroup comp.security.firewalls, in article
> <dg8Ze.146939$dP1.503932@newsc.telia.net>, Anders wrote:
>
>
>>What is this?
>>Did the SPAMMER forget to make use of his proxy?
>
>
> SPAM is a product of the Hormel company - I think you mean spam.
>
Eh, sorry for my misspelling; I try to make use of my Swedish/English
lexicon as much as I can.
>
snip
>
>> Tid Kedja GrSnitt Prot. Källa Källport Dest. Dst port
>>09:37:34 INPUT eth1 UDP 64.94.45.18 10816 my IP 33438
>>09:37:29 INPUT eth1 UDP 64.94.45.18 10816 my IP 33438
>>09:37:19 INPUT eth1 UDP 64.94.45.18 10816 my IP 33438
>>09:37:19 INPUT eth1 UDP 64.94.45.26 10816 my IP 33440
>>09:37:14 INPUT eth1 UDP 64.94.45.18 10816 my IP 33438
>
>
> man traceroute and look at the -p option.
"base UDP port number used in probes (default is 33434)"
So this means that "64.94.45.18 (fcp-4.chg.pnap.net)/64.94.45.26
(fcp-6.chg.pnap.net)" just did a traceroute on me?
> I must note that it's pushing the odds to see the same source port used
> on two different hosts.
It's pushing me too. ;-)
> Also, if that is traceroute, the TTL should be at zero or one, and Atlanta
> is four or six hops away. Without looking at the tcpdump to see what is in
> the headers, I can't say much more, but I'd also be looking at a '-D'
> option of nmap as a possible cause.
>
I think I will block 64.94.0.0 - 64.95.255.255 anyway, even if they are
decoys.
>
>>OrgName: Internap Network Services
>>OrgID: PNAP
>>Address: 250 Williams Street
>>Address: Suite E100
>>City: Atlanta
>>StateProv: GA
>>PostalCode: 30303
>>Country: US
>>
>>NetRange: 64.94.0.0 - 64.95.255.255
>
>
> Search the news groups 'news.admin.net-abuse.*' particularly 'blocklisting'
> and 'sightings' - these guys don't have the cleanest reputation.
>
> Old guy
"blocklisting": there were only around 1200 heads; I downloaded 500 of them
and came up with nothing.
"sightings": there were over 170,000 heads; I downloaded 500 of them with
the same result.
I think I'll go for the traceroute because it happened at almost the same
time and I haven't seen it again in my log.
Thank you for taking the time and for forcing me to download and read man
traceroute and man nmap.
regards Anders.
Received on Thu Sep 29 20:10:44 2005
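
Added example, not part of the original post or written by either poster: a small Python triage script that runs the two checks discussed in the thread over the posted log entries, namely whether the destination ports fall in the window starting at traceroute's default base port 33434, and whether one source port shows up from more than one host. The three-probes-per-hop and 30-hop figures used to size the window are assumptions, and "my IP" is replaced by the constructed address 192.0.2.10.

```python
import re
from collections import defaultdict

BASE_PORT = 33434      # traceroute default base UDP port (man traceroute, -p)
PROBES_PER_HOP = 3     # assumption: three probes per hop
MAX_HOPS = 30          # assumption: 30-hop limit
PORT_RANGE = range(BASE_PORT, BASE_PORT + PROBES_PER_HOP * MAX_HOPS)

# Entries from the thread; "my IP" is replaced by the constructed address 192.0.2.10.
SAMPLE_LOG = """\
09:37:34 INPUT eth1 UDP 64.94.45.18 10816 192.0.2.10 33438
09:37:29 INPUT eth1 UDP 64.94.45.18 10816 192.0.2.10 33438
09:37:19 INPUT eth1 UDP 64.94.45.18 10816 192.0.2.10 33438
09:37:19 INPUT eth1 UDP 64.94.45.26 10816 192.0.2.10 33440
09:37:14 INPUT eth1 UDP 64.94.45.18 10816 192.0.2.10 33438
"""

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<chain>\S+) (?P<iface>\S+) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+)$"
)

def parse(log):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entry = m.groupdict()
            entry["sport"], entry["dport"] = int(entry["sport"]), int(entry["dport"])
            yield entry

def summarize(log):
    """Return (per-source stats, source ports seen from more than one host)."""
    per_src = defaultdict(lambda: {"count": 0, "offsets": set()})
    hosts_by_sport = defaultdict(set)
    for e in parse(log):
        if e["proto"] != "UDP" or e["dport"] not in PORT_RANGE:
            continue  # outside the assumed traceroute destination-port window
        per_src[e["src"]]["count"] += 1
        per_src[e["src"]]["offsets"].add(e["dport"] - BASE_PORT)
        hosts_by_sport[e["sport"]].add(e["src"])
    shared = {p: h for p, h in hosts_by_sport.items() if len(h) > 1}
    return dict(per_src), shared

if __name__ == "__main__":
    stats, shared = summarize(SAMPLE_LOG)
    for src, s in sorted(stats.items()):
        print(src, "packets:", s["count"], "offsets from base:", sorted(s["offsets"]))
    for port, hosts in shared.items():
        print("source port", port, "shared by", sorted(hosts))
```

The firewall log carries no TTL field, so the TTL check mentioned in the thread still needs a packet capture.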