Re: [SLUG] IpCop logs

From: Brian Coyle (brian@linuxwidows.com)
Date: Sat Jun 05 2004 - 21:44:21 EDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Saturday 05 June 2004 21:11, Bob File wrote:

> Date: 06/05 15:58:24 Name: BAD TRAFFIC loopback traffic
> Priority: 2 Type: Potentially Bad Traffic
> IP info: 127.0.0.1:80 -> 209.165.13.125:1444

See: http://cert.uni-stuttgart.de/archive/intrusions/2003/08/msg00209.html

> What am I seeing here?

Probably infected Windows machines. Although, there has been some
talk of scans using a spoofed loopback source address of late...

> a misconfig somewhere or a compromised firewall?

Nope, welcome to the wild, wild, Internet.... ;)

Snort did its job telling you about this and IPCop did its job
by dropping the packet on the floor.

HTH!

- --
Security is simply a speed bump, not a road block.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: Brian Coyle, GCIA http://www.giac.org/GCIA.php

iD8DBQFAwnb1ER3MuHUncBsRAs/BAJ0Ry9SE+C2SHmPAGaikCc8JiSvydgCfY6/h
KlyKrPxoG2uEc4VrIWwBrgU=
=0He4
-----END PGP SIGNATURE-----

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.


