Tracing where it started

Brian Coyle brian at linuxwidows.com
Sun Jan 26 03:56:41 UTC 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Saturday 25 January 2003 22:30, Charles Sprickman wrote:
> On Sat, 25 Jan 2003, Brian Coyle wrote:
> > I have a similar packet (but only one) from the same host (time is ntp
> > sync'd EST).
> >
> > Jan 20 12:55:47 firewall kernel: Packet log: input - ppp0 PROTO=17
> > 67.8.33.179:1 65.83.153.253:1434 L=29 S=0x00 I=20300 F=0x0000 T=110 (#23)
>
> That's a busy machine apparently:
>
> Jan 19 01:13:16 gw ipmon[32123]: 01:13:15.993484 ed0 @0:20 b 67.8.33.179,1
> -> 66.92.x.x,1434 PR udp len 20 29  IN
>
> (also EST, NTP synced)
>

Additional correlations are being reported over on the 
intrusions at incidents.org list...

http://www.sans.org/intrusions/

- -- 
42
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Brian Coyle, GCIA                         http://www.giac.org/GCIA.php

iD8DBQE+M1x6ER3MuHUncBsRAhiUAJ4+8RCpTicU4VWZzkXlR8grUjOBrQCfZHP9
VzmEQod+qeXiL50M/llrZvA=
=LuxR
-----END PGP SIGNATURE-----
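Added example, not part of the original post: Python that normalizes the two log formats quoted above (the Linux kernel "Packet log:" line and the ipmon line) and groups sightings by source address, protocol and destination port, keeping those reported by more than one logging host. The regular expressions are assumptions fitted to the two quoted lines, not complete grammars for either logger, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# The two log lines quoted in the thread, with the wrapped lines rejoined.
SAMPLE = [
    "Jan 20 12:55:47 firewall kernel: Packet log: input - ppp0 PROTO=17 "
    "67.8.33.179:1 65.83.153.253:1434 L=29 S=0x00 I=20300 F=0x0000 T=110 (#23)",
    "Jan 19 01:13:16 gw ipmon[32123]: 01:13:15.993484 ed0 @0:20 b 67.8.33.179,1 "
    "-> 66.92.x.x,1434 PR udp len 20 29  IN",
]

PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}
ADDR = r"[\dx.]+"  # also accepts the redacted 66.92.x.x form used in the thread

# Linux kernel "Packet log:" line (ipchains style): numeric protocol, addr:port
IPCHAINS = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) kernel: Packet log: \S+ \S+ "
    r"(?P<ifc>\S+) PROTO=(?P<proto>\d+) (?P<src>" + ADDR + r"):(?P<sport>\d+) "
    r"(?P<dst>" + ADDR + r"):(?P<dport>\d+) L=(?P<len>\d+)")
# IPFilter ipmon line: named protocol, addr,port, header length then total length
IPMON = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) ipmon\[\d+\]: \S+ (?P<ifc>\S+) "
    r"@\d+:\d+ \S+ (?P<src>" + ADDR + r"),(?P<sport>\d+) -> (?P<dst>" + ADDR + r"),"
    r"(?P<dport>\d+) PR (?P<proto>\w+) len \d+ (?P<len>\d+)")

def parse(line):
    """Return a normalized record, or None if the line is in neither format."""
    for rx in (IPCHAINS, IPMON):
        m = rx.match(line)
        if m:
            rec = m.groupdict()
            rec["proto"] = PROTO_NAMES.get(rec["proto"], rec["proto"])
            for k in ("sport", "dport", "len"):
                rec[k] = int(rec[k])
            return rec
    return None

def correlate(lines):
    """Group by (src, proto, dport); keep groups seen by more than one host."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            seen[(rec["src"], rec["proto"], rec["dport"])].append(rec)
    return {k: v for k, v in seen.items() if len({r["host"] for r in v}) > 1}

if __name__ == "__main__":
    for key, recs in correlate(SAMPLE).items():
        print(key, [(r["host"], r["ts"], r["len"]) for r in recs])
```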


