Message-ID: <20040715174525.20751.qmail@webmail17.rediffmail.com>
From: loonux at rediffmail.com (jakob donivan)
Subject: Large-scale (spoofed?) tftp scan from 216.154.203.169

We are presently witnessing a seemingly large number of addresses in
the 66.* network address range receiving tftp GET requests from
216.154.203.169.  The requests are all similar to the following:

07/15-08:33:58.586343 216.154.203.169:41820 -> 66.xx.xx.xx:69
UDP TTL:237 TOS:0x0 ID:29801 IpLen:20 DgmLen:54
Len: 26
00 01 2F 2E 2E 2F 65 74 63 2F 70 61 73 73 77 64  ../../etc/passwd
00 6E 65 74 61 73 63 69 69 00                    .netascii.

The source address resolves back to:

MyNetWatchman, LLC EDEL-203-168-29 (NET-216-154-203-168-1)
                                  216.154.203.168 - 216.154.203.175

Given the nature of the scan I suspect that the source address is spoofed.

L
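
For defenders triaging similar captures, the following added example (not part of the original post) decodes the 26-byte UDP payload shown above as a TFTP read request per RFC 1350 and checks whether the requested name would resolve outside a TFTP root. The root `/srv/tftp` and the function names are assumptions chosen for illustration.

```python
import posixpath

OPCODES = {1: "RRQ", 2: "WRQ"}  # request opcodes defined by RFC 1350

# Payload bytes copied from the hex dump in the post (Len: 26).
SAMPLE = bytes.fromhex(
    "00012f2e2e2f6574632f706173737764"
    "006e6574617363696900"
)

def parse_request(payload):
    """Parse a TFTP RRQ/WRQ: 2-byte opcode, filename NUL, mode NUL."""
    if len(payload) < 4:
        raise ValueError("too short for a TFTP request")
    opcode = int.from_bytes(payload[:2], "big")
    if opcode not in OPCODES:
        raise ValueError("not a read/write request")
    fields = payload[2:].split(b"\x00")
    # A well-formed request ends in NUL, so the last split field is empty.
    # Extra fields (RFC 2347 options) may sit between mode and the end.
    if len(fields) < 3 or fields[-1] != b"":
        raise ValueError("missing NUL terminators")
    filename = fields[0].decode("latin-1")
    mode = fields[1].decode("latin-1").lower()
    return OPCODES[opcode], filename, mode

def escapes_root(filename, root="/srv/tftp"):
    """True if the name resolves outside root (root is an assumed path)."""
    # Treat backslashes as separators and make the name relative to root.
    name = filename.replace("\\", "/").lstrip("/")
    resolved = posixpath.normpath(posixpath.join(root, name))
    return not (resolved == root or resolved.startswith(root + "/"))

if __name__ == "__main__":
    op, name, mode = parse_request(SAMPLE)
    verdict = "outside root" if escapes_root(name) else "inside root"
    print(f"{op} {name!r} mode={mode}: {verdict}")
```
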
