FIN|SYN scans are looking for a FIN|SYN|ACK from Linux, possibly as a form of host ID[2]. This was discussed on BUGTRAQ previously[1,2,3] and apparently the app "linuxportz" does this kind of thing[3], although it used a source port of 0 rather than 65535.

[1] http://www.netspace.org/cgi-bin/wa?A2=ind9807B&L=bugtraq&D=0&P=352
[2] http://www.netspace.org/cgi-bin/wa?A2=ind9807B&L=bugtraq&P=R2441
[3] http://www.netspace.org/cgi-bin/wa?A2=ind9807B&L=bugtraq&D=0&P=5043

On Wed, 10 Feb 1999, Brown, Mark wrote:

> Hmm -- someone's idea of a stealth-scan of port 143, looking for IMAP
> daemons to come back to and try a buffer overflow on? I see about three to
> four IMAP exploit attempts on my network a week, most either immediately
> hitting port 143 without checking, or preceded by a scan (TCP connect).
> I've been running NFR for about a week to see if anyone was stealth-scanning
> for IMAP, but haven't seen it in the wild yet. New script out there for the
> kiddies to play with?
>
> -----Original Message-----
> From: arkat_private [mailto:arkat_private]
> Sent: Wednesday, February 10, 1999 2:29 AM
> To: nmap-hackersat_private
> Cc: bugtraqat_private
> Subject: XXXX frequent check output (fwd)
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> nuqneH,
>
> Does anybody know what it all means? Looks like a new scan to me..
> How is it expected to work?
> imap as destination, weird source port and flags..
>
> No other "strange" packets arrived as OS type checkers do.
>
>
> - -- Begin forwarded message ---
> XXXX frequent check output for period since Feb 10 10:11 to Feb 10 11:10
>
> Security Warnings summary
> =-=-=-=-=-=-=-=-=-=-=-=-=
> Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on
> x.y.z.17:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
> Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on
> x.y.z.25:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
> Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on
> x.y.z.29:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
> Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on
> x.y.z.27:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
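As an added defensive example (not part of the thread), a Python script that parses the FreeBSD kernel "orphan TCP packet" lines quoted above, flags the FIN|SYN combination (which no legitimate TCP exchange produces) and groups probes by source so that a sweep across several hosts stands out from a single stray packet. The sample log is constructed from the report above with the mailer's line wrap undone, plus one constructed benign ACK line as a control.

```python
import re
from collections import defaultdict

# Constructed sample: the kernel "securitywarning" lines from the forwarded
# report, with the mailer's line wrap undone, plus one benign ACK line.
SAMPLE_LOG = """\
Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.17:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.25:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.29:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.27:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
Feb 10 10:36:02 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.17:25 from 10.0.0.5:1234 flags 0x10<ACK>
"""

LINE_RE = re.compile(
    r"orphan TCP packet on (?P<dst>\S+):(?P<dport>\d+) "
    r"from (?P<src>\S+):(?P<sport>\d+) flags 0x(?P<flags>[0-9a-f]+)"
)

# TCP flag bits as laid out in the header's flags byte (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def parse_line(line):
    """Return (dst, dport, src, sport, flags) or None if not an orphan-TCP line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return (m["dst"], int(m["dport"]), m["src"], int(m["sport"]), int(m["flags"], 16))

def is_fin_syn(flags):
    """FIN and SYN set together never occur in a legitimate TCP exchange."""
    return flags & (FIN | SYN) == (FIN | SYN)

def summarize(log_text):
    """Group FIN|SYN probes by source: distinct targets, dest ports, source ports."""
    hits = defaultdict(lambda: {"targets": set(), "dports": set(), "sports": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_fin_syn(rec[4]):
            continue
        dst, dport, src, sport, _ = rec
        hits[src]["targets"].add(dst)
        hits[src]["dports"].add(dport)
        hits[src]["sports"].add(sport)
    return {src: {k: sorted(v) for k, v in d.items()} for src, d in hits.items()}

def suspicious_sources(log_text, min_targets=2):
    """Sources that sent FIN|SYN to at least min_targets hosts: a sweep, not a stray packet."""
    return [src for src, d in summarize(log_text).items() if len(d["targets"]) >= min_targets]
```

A fixed source port (65535 here, 0 for linuxportz) across every target is a second signal worth keying on once the packets are grouped.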
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:33:28 PDT