SATAN scan before release?

Larry Doolittle

Apr 18, 1995, 3:00:00 AM
Billy Barron (bi...@utdallas.edu) wrote:
: no...@wfu.edu (Noel Hunter) writes:

: >Our logs show that we were scanned by SATAN the day before it was
: >released. Anyone else observe this? Anyone want to comment on whether
: >we can expect this with future releases of SATAN?
: >
: The FTP sites had it one day prior to the rest of the world.

The Big Boys (CERT, HP, ...) had it for some time before release
for internal testing, it's possible some of their probes spread
beyond their intended sites.

- Larry Doolittle ldoo...@cebaf.gov


Billy Barron

Apr 18, 1995, 3:00:00 AM
no...@wfu.edu (Noel Hunter) writes:

>Our logs show that we were scanned by SATAN the day before it was
>released. Anyone else observe this? Anyone want to comment on whether
>we can expect this with future releases of SATAN?
>
The FTP sites had it one day prior to the rest of the world.


--
Billy Barron, Network Services Manager, Univ of Texas at Dallas
bi...@utdallas.edu

Noel Hunter

Apr 18, 1995, 3:00:00 AM
Our logs show that we were scanned by SATAN the day before it was
released. Anyone else observe this? Anyone want to comment on whether
we can expect this with future releases of SATAN?

--
* Noel Hunter, Academic Systems Administrator, Wake Forest University *
* email: no...@wfu.edu telephone: (910) 759-5812 fax: (910) 759-6074 *
* <A HREF=http://www.wfu.edu/~noel>Noel's Home Page</A> *

Noel Hunter

Apr 19, 1995, 3:00:00 AM
Larry Doolittle (doo...@recycle.cebaf.gov) wrote:
: Billy Barron (bi...@utdallas.edu) wrote:
: : no...@wfu.edu (Noel Hunter) writes:

: : >Our logs show that we were scanned by SATAN the day before it was
: : >released. Anyone else observe this? Anyone want to comment on whether
: : >we can expect this with future releases of SATAN?
: : >
: : The FTP sites had it one day prior to the rest of the world.

: The Big Boys (CERT, HP, ...) had it for some time before release
: for internal testing, it's possible some of their probes spread
: beyond their intended sites.

Not likely. These probes originated from an unknown IP address. I would
assume any legitimate site would not be forging or otherwise disguising
their IP addresses before scanning.

Alexander Harth

Apr 20, 1995, 3:00:00 AM
Noel Hunter (no...@wfu.edu) wrote:
> : : >Our logs show that we were scanned by SATAN the day before it was
> : : >released. Anyone else observe this? Anyone want to comment on whether
> : : >we can expect this with future releases of SATAN?
> : : >
> : : The FTP sites had it one day prior to the rest of the world.

> : The Big Boys (CERT, HP, ...) had it for some time before release
> : for internal testing, it's possible some of their probes spread
> : beyond their intended sites.

> Not likely. These probes originated from an unknown IP address. I would
> assume any legitimate site would not be forging or otherwise disguising
> their IP addresses before scanning.

I think it is really possible that they took a machine out of their network
so they get no dependencies in some .rhosts and hosts.equiv. For such a
machine, or a freshly installed one, it is likely that no nameservice knows it.

Alexander

Noel Hunter

Apr 24, 1995, 3:00:00 AM
Alexander Harth (ha...@kozlowski.seas.ucla.edu) wrote:
: I think it is really possible that they took a machine out of their network
: so they get no dependencies in some .rhosts and hosts.equiv. For such a
: machine, or a freshly installed one, it is likely that no nameservice knows it.

I see your point. This IP address was actually listed in the log files as
UNKNOWN, not just some unregistered. I'm not sure what causes that
designation, but assumed the resolver was really confused, and that some
sort of spoofing was going on. Does anyone know what causes log entries
for TCP-based services to list UNKNOWN as the IP address of the client?
Do duplicate IP addresses cause this? Broadcast messages with invalid
headers?
