CERT® Incident Note IN-98-05
The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.
Probes with Spoofed IP Addresses
Wednesday, November 24, 1998
The CERT Coordination Center has received several reports that intruders are using spoofed IP addresses to conduct scans similar to those discussed in
At first, these probes appeared to be ordinary IMAP scans. After further investigation, most of these sites determined that another compromised host on the same network was the true origin of the IMAP scan. It's possible that the intruder was able to run a network sniffer to capture the results of these probes.
If IMAP (or other) probes are reported to originate from hosts at your site, it may not be sufficient to disconnect the apparent origin from the network. We encourage you to inspect other hosts on the same local area network, especially if you continue to receive reports of intruder activity involving your systems.
You may find our Intruder Detection Checklist to be a useful guide in checking your systems for signs of compromise. This document is available from our ftp server at
This document will help you to methodically check your systems for signs of compromise and offers pointers to other resources and suggestions on how to proceed in the event of a compromise.
Another approach to determining the true origin of spoofed probes is to install network monitoring software that can capture the packets actually traversing the network. Some network monitoring software logs may include the hardware (Ethernet) address of the true origin of the probes. This information may enable you to determine which system is generating the spoofed probes by comparing the hardware address with those of other systems on the local area network.
While probes fitting this profile have thus far originated only from port 65535, it's possible that spoofed probes could come from other ports.
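The hardware-address comparison described above can be scripted. The following is an added example, not part of the original note: it parses captured Ethernet/IPv4/TCP frames and reports any frame whose local source IP address was sent from a different host's Ethernet address. The inventory, addresses, function names and sample frames are all constructed for illustration, and it assumes the capture point sits on the same LAN segment as the sending host.

```python
import struct
from ipaddress import IPv4Address

# Constructed inventory of one LAN segment (IP -> Ethernet address); values are made up.
INVENTORY = {"192.0.2.10": "00:00:5e:00:53:0a",
             "192.0.2.20": "00:00:5e:00:53:14",
             "192.0.2.30": "00:00:5e:00:53:1e"}

def parse_frame(frame):
    """Return (src_mac, src_ip, dst_ip, sport, dport) for Ethernet II/IPv4/TCP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None                       # not IPv4 over Ethernet II
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    tcp = 14 + ihl
    if ihl < 20 or frame[23] != 6 or len(frame) < tcp + 4:
        return None                       # bad header, not TCP, or truncated capture
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    return (frame[6:12].hex(":"), str(IPv4Address(frame[26:30])),
            str(IPv4Address(frame[30:34])), sport, dport)

def find_spoofed(frames, inventory=INVENTORY):
    """Report frames whose local source IP was sent from a different host's hardware address."""
    owner = {mac: ip for ip, mac in inventory.items()}
    findings = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        mac, src_ip, dst_ip, sport, dport = parsed
        expected = inventory.get(src_ip)
        if expected is not None and mac != expected:
            findings.append({"claimed_ip": src_ip, "frame_mac": mac,
                             "true_host": owner.get(mac, "unknown"),
                             "dst": dst_ip, "sport": sport, "dport": dport})
    return findings

def build_frame(src_mac, src_ip, dst_ip, sport, dport):
    """Build a minimal constructed Ethernet/IPv4/TCP SYN frame for the sample data."""
    eth = bytes.fromhex("00005e005301") + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 512, 0, 0)
    return eth + ip + tcp

SAMPLE = [  # constructed capture: one genuine frame, one probe with a spoofed source IP
    build_frame("00:00:5e:00:53:0a", "192.0.2.10", "198.51.100.7", 40000, 80),
    build_frame("00:00:5e:00:53:1e", "192.0.2.20", "198.51.100.7", 65535, 143),
]
for finding in find_spoofed(SAMPLE):
    print(finding)
```

Frames whose source IP is not in the inventory are skipped, because traffic from other networks arrives carrying the router's hardware address rather than the sender's.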
If you believe that your systems have been compromised and used to launch probes fitting this description, we encourage you to report the activity to the CERT/CC. In particular, we are interested in receiving copies of any intruder tools that have been used to generate spoofed probes or to capture the results.
This document is available from: http://www.cert.org/incident_notes/IN-98-05.html
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Copyright 1998 Carnegie Mellon University.