-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Thanks for the info. I've only recently undertaken security ops for my
company so I was unaware of the Blaster DNS configuration. I was a
carefree Java programmer when Blaster was a big deal... those were the
days. :-)
I find it slightly odd that we've been tracking our traffic for 2 months
now and I'm only now seeing these packets. Even Mr. Hanson's
description makes it sound like this would normally be a local net
thing, based on his suggestion to track the MAC back to the offending
machine.
Anyway, it does seem like the Blaster thing is the logical answer. I'll
report the bogus traffic to my ISP like Mr. Slora suggested and not
worry about it.
Frank Knobbe wrote:
|
| That is the question that will never die. It was just asked beginning of
| August again. You could search the archives, but for convenience I
| attached the same reply I've been making every couple of months. Perhaps
| it's time to wrap this into an auto-responder...
|
| ---8<---
|
| From: Dan Hanson <dhanson@securityfocus.com>
| To: incidents@securityfocus.com
| Subject: Administrivia: Are you seeing portscans from source 127.0.0.1
source port 80?
| Date: Tue, 28 Oct 2003 08:59:56 -0700 (MST)
|
|
...
| Solution: track back the packets by MAC address to find the infected
| machine. Turn of NS resolution of windowsupdate.com to 127.0.0.1.
|
| Hope that helps
|
| D
|
|
- --
Thank you,
Kirby Angell
Get notified anytime your website goes down!
http://www.alertra.com
key: 9004F4C0
fingerprint: DD7E E88D 7F50 2A1E 229D 836A DB5B A751 9004 F4C0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFBXB7I21unUZAE9MARAuwfAJ9+u3U+8k+GxNO32ocJOYkaL9Q0lgCfUomb
PhY9NWa88J5QZHVTEQ0vg24=
=arPO
-----END PGP SIGNATURE-----
