RE: TCP probe on port 35540 from port 1

From: Kester, Kelly (KesterKat_private)
Date: Thu Jul 26 2001 - 09:52:45 PDT

Next message: Chris Hobbs: "Re: MISC Large ICMP Packet"

Previous message: Alfred Huger: "Subject: New Policy for the Incidents mailing list"
Maybe in reply to: Paul Gear: "TCP probe on port 35540 from port 1"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

		Yep, I sure have from the exact IP with an RST-ACK flag for
every entry. In fact, I have this activity from other AOL IPs and a Korean
IP as well. All activity is from source port 1 with a high destination port,
but not always the same. For example, a group of 15 entries might originate
from port 1 and go to destination port 28333, whereas another group will
still originate from port 1, but will go to destination port 48869. This
activity is crossing over 4 days right now and towards numerous,
non-associated destination IPs. I'm thinking a possible DoS or network
mapping. 
		Anyone have any insight into this? I've been reading up on
pulsing zombies, new DoS, Stacheldraht, shaft, etc., and cannot come up with
an exact or best bet to the cause. Help if you can......k2


				-----Original Message-----
				From:	Paul Gear
[mailto:paulgearat_private]
				Sent:	Wednesday, July 25, 2001 4:23 PM
				To:	SecurityFocus Incidents List
				Subject:	TCP probe on port 35540 from
port 1

				Anyone seen a probe like this lately?

				Jul 23 11:45:53 ### kernel: Packet log:
input DENY ppp0 PROTO=6
				172.185.150.94:1 ###:35540 L=40 S=0x00
				I=2815 F=0x0000 T=35 (#66)

				This was the only packet of its type, and
there didn't seem to be
				anything else happening at the time.  The
source address looks up to
				ACB9965E.ipt.aol.com.

				As there is no SYN flag, it seems this is
from some sort of
				cracking/security tool, but i'm not sure
what.  The source port of
				tcpmux is curious.

				Paul
				http://paulgear.webhop.net



	
----------------------------------------------------------------------------
				This list is provided by the SecurityFocus
ARIS analyzer service.
				For more information on this free incident
handling, management 
				and tracking system please see:
http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Chris Hobbs: "Re: MISC Large ICMP Packet"
Previous message: Alfred Huger: "Subject: New Policy for the Incidents mailing list"
Maybe in reply to: Paul Gear: "TCP probe on port 35540 from port 1"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jul 26 2001 - 11:57:05 PDT