[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040715174525.20751.qmail@webmail17.rediffmail.com>
From: loonux at rediffmail.com (jakob donivan)
Subject: Large-scale (spoofed?) tftp scan from 216.154.203.169
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040715/edaa243b/attachment.html
-------------- next part --------------
We are presently witnessing a seemingly large number of addresses in
the 66.* network address range receiving tfp GET requests from
216.154.203.169. The requests are all similar to the following:
07/15-08:33:58.586343 216.154.203.169:41820 -> 66.xx.xx.xx:69
UDP TTL:237 TOS:0x0 ID:29801 IpLen:20 DgmLen:54
Len: 26
00 01 2F 2E 2E 2F 65 74 63 2F 70 61 73 73 77 64 ../../etc/passwd
00 6E 65 74 61 73 63 69 69 00 .netascii.
The source address resolves back to:
MyNetWatchman, LLC EDEL-203-168-29 (NET-216-154-203-168-1)
216.154.203.168 - 216.154.203.175
Given the nature of the scan I suspect that the source address is spoofed.
L
Powered by blists - more mailing lists