Just a passing thought, but could the seemingly random floppy activity be related to the Indexing Service?
Daniel

----- Original Message -----
From: "Martijn Dunnebier" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 11, 2002 6:20 AM
Subject: RE: Strange Connections

> John,
>
> I've seen the same on my Win2K server, but when the floppy seek occurs I did
> not see any open connection to the outside. If I put a floppy in the drive
> it stops seeking it. So my guess is that Windows internally seeks the floppy
> for one reason or the other. I've searched the MS Knowledge Base on this but
> found no issues that are related to this behaviour. So I don't know what is
> causing the floppy drive to be seeked. Maybe someone else has the answer for
> that question?
>
> Regards Martijn.
> C-it B.V.
> www.c-it.nl
>
> -----Original Message-----
> From: John D from Best Price Cruises [mailto:[EMAIL PROTECTED]]
> Sent: dinsdag 9 juli 2002 23:28
> To: Security-Basics Mail List
> Subject: Strange Connections
>
>
> Okay, this is sort of a two-part question:
>
> 1. A while ago, my Win2k server here at the office had its floppy drive
> crank up (like when you try and access the drive with no disk in it). There
> was nothing running that would have needed the floppy drive. Anyways, just
> because I was curious I ran netstat and saw a bunch of connections from
> prisoner.iana.org that I have never seen before. I did a search on Google
> and found only a few references to the address, most dealing with potential
> hackers using a spoofed IP (none of the people making the posts seemed very
> knowledgeable and they contained very little info). Anyone ever seen any
> abuse by this address, have any idea why it would connect to my server, or
> why the disk drive cranked up? (If I am just crazy, thinking that the
> prisoner.iana.org thing and the disk drive have anything to do with each
> other please feel free to smack me)...
>
> 2. I am running an SMC Barricade broadband router... does anyone know of any
> vulnerabilities that would allow an attacker to port scan through the router's
> firewall to the internal network? (possibly firewalk?) I can't seem to find
> any specific info for the SMC and the problem still exists (or so says
> snort) after upgrading the firmware.
>
> Thanks in advance for the help guys,
>
> John D
> Best Price Cruises
