[Full-Disclosure] Large-scale (spoofed?) tftp scan from 216.154.203.169
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: [Full-Disclosure] Large-scale (spoofed?) tftp scan from 216.154.203.169
- From: "jakob donivan" <loonux@xxxxxxxxxxxxxx>
- Date: 15 Jul 2004 17:45:25 -0000
We are presently witnessing a seemingly large number of addresses in
the 66.* network address range receiving tftp GET requests from
216.154.203.169. The requests are all similar to the following:
07/15-08:33:58.586343 216.154.203.169:41820 -> 66.xx.xx.xx:69
UDP TTL:237 TOS:0x0 ID:29801 IpLen:20 DgmLen:54
Len: 26
00 01 2F 2E 2E 2F 65 74 63 2F 70 61 73 73 77 64 ../../etc/passwd
00 6E 65 74 61 73 63 69 69 00 .netascii.
The source address resolves back to:
MyNetWatchman, LLC EDEL-203-168-29 (NET-216-154-203-168-1)
216.154.203.168 - 216.154.203.175
Given the nature of the scan I suspect that the source address is spoofed.
L
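
The payload in the capture above decodes as a TFTP read request (RRQ, opcode 1) for /../etc/passwd in netascii mode. The Python below is an added example, not part of the original post: it parses RRQ/WRQ payloads per RFC 1350 and flags filenames that are absolute or contain parent-directory components. The function names and the benign sample are constructed for illustration.

```python
import struct

# Payload bytes copied from the hex dump in the post (Len: 26, UDP port 69).
SAMPLE = bytes.fromhex(
    "00 01 2F 2E 2E 2F 65 74 63 2F 70 61 73 73 77 64 "
    "00 6E 65 74 61 73 63 69 69 00"
)
# Constructed benign request, for comparison only.
BENIGN = b"\x00\x01pxelinux.0\x00octet\x00"

OPCODES = {1: "RRQ", 2: "WRQ"}  # request opcodes defined in RFC 1350


def parse_request(payload):
    """Return (op, filename, mode) for a TFTP RRQ/WRQ, else None."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in OPCODES:
        return None
    # Body is: filename NUL mode NUL (option pairs may follow, RFC 2347).
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None
    filename = fields[0].decode("ascii", "replace")
    mode = fields[1].decode("ascii", "replace").lower()
    return OPCODES[opcode], filename, mode


def traversal_reasons(filename):
    """List the reasons a requested name could escape the TFTP root."""
    name = filename.replace("\\", "/")
    reasons = []
    if name.startswith("/"):
        reasons.append("absolute-path")
    if ".." in name.split("/"):
        reasons.append("parent-dir")
    return reasons


if __name__ == "__main__":
    for pkt in (SAMPLE, BENIGN):
        op, filename, mode = parse_request(pkt)
        print(op, repr(filename), mode, traversal_reasons(filename))
```

Some TFTP clients legitimately request absolute paths, so the absolute-path flag alone is weaker evidence than the parent-dir flag.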