I have been seeing a lot of these too (5-7 per day). Snort identifies them as "BACKDOOR Q access". The only difference that I see is that the TOS is 0x00 in my logs. I usually see these as a scan across my IP range, instead of being targeted at a certain machine.

Mike Patchen
IT Technician
City of Chaska

>>> Patrick Oonk <patrickat_private> 06/28/01 09:27AM >>>
Hi,

I have been seeing syn packets from src 255.255.255.255:31337 to random ip-numbers port 515 in our nets for months. Does anyone know what could cause this? The packets are coming from outside our network.

tcpdump:
15:55:10.669625 255.255.255.255.31337 > 213.156.28.202.printer: S 100:100(0) win 512 [tos 0x20] [ttl 1]
4520 0028 f2b0 0000 0106 d499 ffff ffff
d59c 1cca 7a69 0203 0000 0064 0000 0000
5002 0200 3eac 0000 0000 0000 0000

Snort:
06/28-16:18:51.995065 255.255.255.255:31337 -> 213.156.9.61:515
TCP TTL:1 TOS:0x20 ID:62128 IpLen:20 DgmLen:40
******S* Seq: 0x64 Ack: 0x0 Win: 0x200 TcpLen: 20
. .p. .

--
Patrick Oonk - PO1-6BONE - E: patrickat_private - www.pine.nl/~patrick
Pine Internet - PAT31337-RIPE - Hushmail: p.oonkat_private
T: +31-70-3111010 - F: +31-70-3111011 - http://security.nl
PGPID 155C3934 fp DD29 1787 8F49 51B8 4FDF 2F64 A65C 42AE 155C 3934
Excuse of the day: The UPS is on strike.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Jun 28 2001 - 19:53:40 PDT
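Added example, not part of the original messages: the tcpdump hex dump from the quoted post decoded field by field, so the values in the tcpdump and Snort lines can be checked against the raw bytes. The function names and the `unusual_traits` helper are assumptions made for this illustration.

```python
import socket
import struct

# Packet bytes copied from the tcpdump hex dump in the quoted message.
HEXDUMP = """
4520 0028 f2b0 0000 0106 d499 ffff ffff
d59c 1cca 7a69 0203 0000 0064 0000 0000
5002 0200 3eac 0000 0000 0000 0000
"""

def parse_ipv4_tcp(hexdump):
    """Decode the IPv4 and TCP headers from a tcpdump -x style hex dump."""
    raw = bytes.fromhex("".join(hexdump.split()))
    if len(raw) < 20:
        raise ValueError("too short for an IPv4 header")
    ver_ihl, tos, total_len, ip_id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4          # IP header length in bytes
    if ihl < 20 or len(raw) < ihl + 20:
        raise ValueError("truncated or malformed header")
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", raw[ihl:ihl + 16])
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "tos": tos, "ttl": ttl, "id": ip_id, "len": total_len,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x3F, "win": win,   # low six bits: URG..FIN
    }

def unusual_traits(pkt):
    """Header traits visible in the posted packet (hypothetical helper)."""
    traits = []
    if pkt["src"] == "255.255.255.255":
        traits.append("source is the limited broadcast address")
    if pkt["ttl"] <= 1:
        traits.append("TTL of 1 or less on arrival")
    if pkt["flags"] == 0x02 and pkt["ack"] == 0:
        traits.append("bare SYN")
    return traits

if __name__ == "__main__":
    pkt = parse_ipv4_tcp(HEXDUMP)
    print(pkt)
    print(unusual_traits(pkt))
```

The trailing six zero bytes in the dump lie beyond the 40-byte datagram length given in the IP header, so the parser ignores them.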