RE: TCP probe on port 35540 from port 1

From: Kester, Kelly (KesterKat_private)
Date: Thu Jul 26 2001 - 09:52:45 PDT

Yep, I sure have from the exact IP with an RST-ACK flag for every entry. In
fact, I have this activity from other AOL IPs and a Korean IP as well. All
activity is from source port 1 with a high destination port, but not always
the same. For example, a group of 15 entries might originate from port 1 and
go to destination port 28333, whereas another group will still originate from
port 1, but will go to destination port 48869. This activity is crossing over
4 days right now and towards numerous, non-associated destination IPs. I'm
thinking a possible DoS or network mapping.

Anyone have any insight into this? I've been reading up on pulsing zombies,
new DoS, Stacheldraht, shaft, etc., and cannot come up with an exact or best
bet to the cause. Help if you can......k2
    
    
-----Original Message-----
From:	Paul Gear [mailto:paulgearat_private]
Sent:	Wednesday, July 25, 2001 4:23 PM
To:	SecurityFocus Incidents List
Subject:	TCP probe on port 35540 from port 1

Anyone seen a probe like this lately?

Jul 23 11:45:53 ### kernel: Packet log: input DENY ppp0 PROTO=6 172.185.150.94:1 ###:35540 L=40 S=0x00 I=2815 F=0x0000 T=35 (#66)

This was the only packet of its type, and there didn't seem to be anything
else happening at the time.  The source address looks up to
ACB9965E.ipt.aol.com.

As there is no SYN flag, it seems this is from some sort of cracking/security
tool, but I'm not sure what.  The source port of tcpmux is curious.

Paul
http://paulgear.webhop.net
    
    
    
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
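The pattern both posters describe (TCP from source port 1, no SYN, the same high destination port hit on many destination hosts) can be pulled out of ipchains "Packet log:" lines mechanically. The following parser and grouping check is an added example written for this archive page, not code from either poster; it assumes the ipchains convention of appending " SYN" before the rule number when that flag is set, and the sample log below is constructed (firewall host name "fw", destination addresses from the 192.0.2.0/24 documentation range, and two extra source addresses from documentation ranges), since the line quoted in the thread has its host and destination redacted to ###.

```python
import re
from collections import defaultdict

# ipchains "Packet log:" line layout as quoted in the thread (host name and
# destination address were redacted to ### there). Assumes the ipchains
# convention of appending " SYN" before the rule number when SYN is set.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<id>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)$"
)

def parse(line):
    """Return a dict of fields for one ipchains log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    for k in ("proto", "sport", "dport", "len", "id", "ttl", "rule"):
        e[k] = int(e[k])
    e["syn"] = e["syn"] is not None
    return e

def tcpmux_no_syn_groups(lines, min_hosts=2):
    """Group TCP entries that come from source port 1 (tcpmux) without SYN
    by (source IP, destination port); keep groups touching >= min_hosts
    distinct destination hosts, the pattern described in the thread."""
    groups = defaultdict(set)
    for line in lines:
        e = parse(line)
        if e and e["proto"] == 6 and e["sport"] == 1 and not e["syn"]:
            groups[(e["src"], e["dport"])].add(e["dst"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_hosts}

# Constructed sample log: firewall host "fw" and destination addresses from the
# 192.0.2.0/24 documentation range are made up; the last line is an ordinary
# SYN to port 80 that should not be flagged.
SAMPLE_LOG = """\
Jul 23 11:45:53 fw kernel: Packet log: input DENY ppp0 PROTO=6 172.185.150.94:1 192.0.2.10:35540 L=40 S=0x00 I=2815 F=0x0000 T=35 (#66)
Jul 23 11:46:01 fw kernel: Packet log: input DENY ppp0 PROTO=6 172.185.150.94:1 192.0.2.11:35540 L=40 S=0x00 I=2816 F=0x0000 T=35 (#66)
Jul 23 11:46:09 fw kernel: Packet log: input DENY ppp0 PROTO=6 172.185.150.94:1 192.0.2.12:35540 L=40 S=0x00 I=2817 F=0x0000 T=35 (#66)
Jul 23 12:02:44 fw kernel: Packet log: input DENY ppp0 PROTO=6 198.51.100.7:1 192.0.2.10:48869 L=40 S=0x00 I=9001 F=0x0000 T=48 (#66)
Jul 23 12:10:15 fw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.9:4321 192.0.2.10:80 L=44 S=0x00 I=12 F=0x4000 T=64 SYN (#5)
"""

if __name__ == "__main__":
    for (src, dport), hosts in tcpmux_no_syn_groups(SAMPLE_LOG.splitlines()).items():
        print(f"{src} -> port {dport}: {len(hosts)} hosts {hosts}")
```

A single tcpmux-sourced entry to one host (the 198.51.100.7 line) stays below the threshold, which is the distinction between Paul's lone packet and the multi-host groups Kelly reports.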
    
    This archive was generated by hypermail 2b30 : Thu Jul 26 2001 - 11:57:05 PDT