Curley Mr Eric P wrote:

> Could it be a scan for reconnaissance purposes. Is it a type of
> OS-fingerprinting.

Some remote exploits are done that way: first do the exploit, but use a bogus src address, as you don't want to be traced, and don't expect a reply anyway. If the exploit starts an xterm, you'll get feedback about success status anyhow. If it adds a user login or opens a backdoor, that's tested from somewhere else.

Did you have any other unusual traffic, but with legitimate src address this time? It might be attempts to verify the exploit.

I assume that the firewall stopped the packets -- if not, you might want to check for unusual connections from inside your net to somewhere outside it -- such as X connections, for instance.

The best way to check is, of course, to inspect the actual packets to see if they seem legit or not.

-- 
Anders Thulin   Anders.X.Thulinat_private   040-661 50 63
Telia ProSoft AB, Carlsgatan 6, SE-201 20 Malmö, Sweden
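
Added example, not part of the original message: one way to run the two checks suggested above over firewall records, flagging later inbound traffic from routable sources and outbound X connections that involve hosts which earlier received bogus-source packets. The record layout, the 192.0.2.0/24 internal network, the bogus-source list, the 24-hour window and the function name review are assumptions; the sample records are constructed.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumptions for this example: internal network, bogus-source ranges, 24 h window.
INTERNAL = ipaddress.ip_network("192.0.2.0/24")
BOGUS_SOURCES = [ipaddress.ip_network(n) for n in
                 ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
                  "192.168.0.0/16", "224.0.0.0/3")] + [INTERNAL]
X11_PORTS = range(6000, 6064)   # X displays :0 to :63 listen on TCP 6000+n
WINDOW = timedelta(hours=24)

# Constructed firewall records: (timestamp, src, dst, dst_port)
SAMPLE = [
    ("2001-04-18 09:00:01", "10.1.2.3",    "192.0.2.10",   111),   # unroutable src
    ("2001-04-18 09:05:40", "192.0.2.10",  "198.51.100.7", 6000),  # X leaving the net
    ("2001-04-18 09:06:00", "192.0.2.11",  "198.51.100.7", 80),
    ("2001-04-18 10:00:00", "192.0.2.12",  "198.51.100.9", 6001),  # host never targeted
    ("2001-04-18 11:00:00", "203.0.113.5", "192.0.2.10",   111),   # routable src, same host
]

def review(records):
    """Return (kind, timestamp, src, dst, port) tuples worth a closer look."""
    targeted = {}    # internal host -> time of first bogus-source packet aimed at it
    findings = []
    for ts, src, dst, port in sorted(records):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if d in INTERNAL:                                   # arriving from outside
            if any(s in net for net in BOGUS_SOURCES):
                targeted.setdefault(dst, when)
            elif dst in targeted and when - targeted[dst] <= WINDOW:
                findings.append(("follow-up-inbound", ts, src, dst, port))
        elif s in INTERNAL and port in X11_PORTS:           # X connection going out
            if src in targeted and when - targeted[src] <= WINDOW:
                findings.append(("outbound-x11", ts, src, dst, port))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(*finding)
```

The findings are candidates for packet inspection, not verdicts; a busy public host will produce many follow-up-inbound entries that are ordinary traffic.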
This archive was generated by hypermail 2b30 : Thu Apr 19 2001 - 07:51:38 PDT