RE: XXXX frequent check output (fwd)

From: Lamont Granquist (lamontgat_private)
Date: Wed Feb 10 1999 - 12:05:22 PST


    FIN|SYN scans are looking for a FIN|SYN|ACK from Linux, possibly as a form
    of host ID[2].  This was discussed on BUGTRAQ previously[1,2,3] and
    apparently the app "linuxportz" does this kind of thing[3], although it
    used a source port of 0 rather than 65535.
     
    [1] http://www.netspace.org/cgi-bin/wa?A2=ind9807B&L=bugtraq&D=0&P=352
    [2] http://www.netspace.org/cgi-bin/wa?A2=ind9807B&L=bugtraq&P=R2441
    [3] http://www.netspace.org/cgi-bin/wa?A2=ind9807B&L=bugtraq&D=0&P=5043
    
    On Wed, 10 Feb 1999, Brown, Mark wrote:
    > Hmm -- someone's idea of a stealth-scan of port 143, looking for IMAP
    > daemons to come back to and try a buffer overflow on?  I see about three to
    > four IMAP exploit attempts on my network a week, most either immediately
    > hitting port 143 without checking, or preceded by a scan (TCP connect).
    > I've been running NFR for about a week to see if anyone was stealth-scanning
    > for IMAP, but haven't seen it in the wild yet.  New script out there for the
    > kiddies to play with?
    > 
    > -----Original Message-----
    > From: arkat_private [mailto:arkat_private]
    > Sent: Wednesday, February 10, 1999 2:29 AM
    > To: nmap-hackersat_private
    > Cc: bugtraqat_private
    > Subject: XXXX frequent check output (fwd)
    > 
    > 
    > -----BEGIN PGP SIGNED MESSAGE-----
    > 
    > nuqneH,
    > 
    > Does anybody know what it all means? Looks like a new scan to me..
    > How is it expected to work?
    > imap as destination, weird source port and flags..
    > 
    > No other "strange" packets arrived as OS type checkers do.
    > 
    > 
    > - -- Begin forwarded message ---
    > XXXX frequent check output for period since Feb 10 10:11 to Feb 10 11:10
    > 
    > Security Warnings summary
    > =-=-=-=-=-=-=-=-=-=-=-=-=
    > Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on
    > x.y.z.17:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
    > Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on
    > x.y.z.25:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
    > Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on
    > x.y.z.29:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
    > Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on
    > x.y.z.27:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
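
As an added example (not code from this thread or from any of its authors), the kernel warnings quoted above parsed and correlated by source: FIN and SYN set together never occur in legitimate TCP, and one source address hitting port 143 on several hosts with the same source port within a second is the sweep being discussed. The sample lines are the four warnings above re-joined onto single lines, plus one constructed stray RST line as benign noise (its `0x4<RST>` flag rendering is assumed).

```python
import re
from collections import defaultdict

# Matches the "/kernel: securitywarning: orphan TCP packet" lines quoted in
# the thread, after re-joining the wrapped halves onto one line each.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ /kernel: securitywarning: "
    r"orphan TCP packet on (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+) flags 0x(?P<flags>[0-9a-fA-F]+)<[^>]*>"
)
TH_FIN, TH_SYN = 0x01, 0x02  # TCP header flag bits, as in the 0x3<FIN,SYN> output

# Constructed sample: the four warnings from the thread plus one made-up stray
# RST (flag word rendering for RST is assumed) that must not be flagged.
SAMPLE_LOG = """\
Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.17:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.25:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.29:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.27:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
Feb 10 10:36:02 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.17:143 from 10.0.0.5:4321 flags 0x4<RST>
"""

def parse_line(line):
    """Return a dict for one warning line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("dport", "sport"):
        rec[key] = int(rec[key])
    rec["flags"] = int(rec["flags"], 16)
    return rec

def is_fin_syn(flags):
    """FIN and SYN set together never occur in a legitimate TCP segment."""
    return flags & (TH_FIN | TH_SYN) == (TH_FIN | TH_SYN)

def find_sweeps(lines, min_hosts=3):
    """Group FIN|SYN probes by (src IP, src port, dst port); keep those hitting >= min_hosts hosts."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and is_fin_syn(rec["flags"]):
            seen[(rec["src"], rec["sport"], rec["dport"])].add(rec["dst"])
    return {key: sorted(hosts) for key, hosts in seen.items() if len(hosts) >= min_hosts}

if __name__ == "__main__":
    for (src, sport, dport), hosts in find_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"FIN|SYN sweep from {src}:{sport} to port {dport} on {len(hosts)} hosts: {hosts}")
```

Feeding the hourly report through `find_sweeps` turns four separate "orphan packet" lines into one event keyed on the scanner's address, which is what a watch rule should alert on.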
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:33:28 PDT