TCP probe on port 35540 from port 1

From: Paul Gear (paulgearat_private)
Date: Wed Jul 25 2001 - 14:22:50 PDT

Next message: Jon Zobrist: "Re: IIS Directory traversal vulnerability"

Previous message: Gary Flynn: "Re: Tracking SirCam"
Next in thread: Kester, Kelly: "RE: TCP probe on port 35540 from port 1"
Reply: Kester, Kelly: "RE: TCP probe on port 35540 from port 1"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Anyone seen a probe like this lately?

Jul 23 11:45:53 ### kernel: Packet log: input DENY ppp0 PROTO=6
172.185.150.94:1 ###:35540 L=40 S=0x00
I=2815 F=0x0000 T=35 (#66)

This was the only packet of its type, and there didn't seem to be
anything else happening at the time.  The source address looks up to
ACB9965E.ipt.aol.com.

As there is no SYN flag, it seems this is from some sort of
cracking/security tool, but i'm not sure what.  The source port of
tcpmux is curious.

Paul
http://paulgear.webhop.net



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Jon Zobrist: "Re: IIS Directory traversal vulnerability"
Previous message: Gary Flynn: "Re: Tracking SirCam"
Next in thread: Kester, Kelly: "RE: TCP probe on port 35540 from port 1"
Reply: Kester, Kelly: "RE: TCP probe on port 35540 from port 1"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 15:32:54 PDT