Yep, I sure have from the exact IP with an RST-ACK flag for every entry. In fact, I have this activity from other AOL IPs and a Korean IP as well. All activity is from source port 1 with a high destination port, but not always the same. For example, a group of 15 entries might originate from port 1 and go to destination port 28333, whereas another group will still originate from port 1, but will go to destination port 48869. This activity is crossing over 4 days right now and towards numerous, non-associated destination IPs.

I'm thinking a possible DoS or network mapping. Anyone have any insight into this? I've been reading up on pulsing zombies, new DoS, Stacheldraht, shaft, etc., and cannot come up with an exact or best bet to the cause.

Help if you can......k2

-----Original Message-----
From: Paul Gear [mailto:paulgearat_private]
Sent: Wednesday, July 25, 2001 4:23 PM
To: SecurityFocus Incidents List
Subject: TCP probe on port 35540 from port 1

Anyone seen a probe like this lately?

Jul 23 11:45:53 ### kernel: Packet log: input DENY ppp0 PROTO=6 172.185.150.94:1 ###:35540 L=40 S=0x00 I=2815 F=0x0000 T=35 (#66)

This was the only packet of its type, and there didn't seem to be anything else happening at the time. The source address looks up to ACB9965E.ipt.aol.com. As there is no SYN flag, it seems this is from some sort of cracking/security tool, but I'm not sure what. The source port of tcpmux is curious.

Paul
http://paulgear.webhop.net

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
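The kind of grouping k2 describes (runs of denied packets from source port 1 to one high destination port, then another run to a different port) can be pulled straight out of ipchains "Packet log" lines like the one Paul posted. The script below is an added example and is not code from either poster: it parses the ipchains log format shown above (PROTO, src:sport, dst:dport, L, S, I, F, T, the matching rule number, and the trailing "SYN" marker that ipchains appends only when SYN is set without ACK, which is why Paul could tell the packet was not a SYN), keeps TCP entries from source port 1 that lack the SYN marker, and counts them per (source, sport, dport) run. The sample log lines are constructed for the example; the host name gw and the 10.0.0.5, 203.0.113.7 and 198.51.100.9 addresses are made up.

```python
import re
from collections import Counter

# Constructed sample lines in the ipchains "Packet log" format (not from the thread).
# Field meanings: PROTO=6 is TCP, 17 is UDP; src:sport dst:dport; L = IP total length;
# S = TOS; I = IP ID; F = IP fragment field (0x4000 = DF bit); T = TTL; (#n) = rule
# number. ipchains appends " SYN" only for TCP packets with SYN set and ACK clear.
SAMPLE_LOG = """\
Jul 23 11:45:53 gw kernel: Packet log: input DENY ppp0 PROTO=6 172.185.150.94:1 10.0.0.5:35540 L=40 S=0x00 I=2815 F=0x0000 T=35 (#66)
Jul 23 11:46:01 gw kernel: Packet log: input DENY ppp0 PROTO=6 172.185.150.94:1 10.0.0.5:28333 L=40 S=0x00 I=2816 F=0x0000 T=35 (#66)
Jul 23 11:46:02 gw kernel: Packet log: input DENY ppp0 PROTO=6 172.185.150.94:1 10.0.0.5:28333 L=40 S=0x00 I=2817 F=0x0000 T=35 (#66)
Jul 23 11:47:10 gw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.7:1 10.0.0.5:48869 L=40 S=0x00 I=101 F=0x0000 T=44 (#66)
Jul 23 11:50:00 gw kernel: Packet log: input DENY ppp0 PROTO=6 198.51.100.9:4312 10.0.0.5:80 L=60 S=0x00 I=5 F=0x4000 T=51 (#40) SYN
Jul 23 11:50:05 gw kernel: Packet log: input DENY ppp0 PROTO=17 198.51.100.9:53 10.0.0.5:1025 L=78 S=0x00 I=6 F=0x0000 T=51 (#41)
"""

# Matches TCP/UDP log lines only; ICMP lines use type:code instead of ports and
# are deliberately left unmatched (parse_ipchains_line returns None for them).
# dst is allowed to be a redacted token such as "###" as in Paul's post.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[^:\s]+):(?P<sport>\d+) (?P<dst>[^:\s]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<id>\d+) F=(?P<frag>0x[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+)(?P<rest>.*)$"
)


def parse_ipchains_line(line):
    """Parse one ipchains 'Packet log' line into a dict, or return None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "id", "ttl"):
        rec[key] = int(rec[key])
    rec["tos"] = int(rec["tos"], 16)
    rec["frag"] = int(rec["frag"], 16)
    rec["df"] = bool(rec["frag"] & 0x4000)  # Don't Fragment bit lives in the frag field
    # The trailer holds the rule number, optional O=... IP options, and the SYN marker.
    rec["syn"] = "SYN" in rec.pop("rest").split()
    return rec


def find_low_port_non_syn(lines, source_port=1):
    """Return parsed TCP records sent from source_port that carry no SYN marker.

    A TCP segment from port 1 (tcpmux) that is not a connection attempt is what
    both posters saw; this filter isolates exactly those entries.
    """
    hits = []
    for line in lines:
        rec = parse_ipchains_line(line)
        if rec and rec["proto"] == 6 and rec["sport"] == source_port and not rec["syn"]:
            hits.append(rec)
    return hits


def summarize_runs(records):
    """Count hits per (src, sport, dport) so runs to one destination port stand out."""
    counts = Counter((r["src"], r["sport"], r["dport"]) for r in records)
    return counts.most_common()


if __name__ == "__main__":
    hits = find_low_port_non_syn(SAMPLE_LOG.splitlines())
    for (src, sport, dport), n in summarize_runs(hits):
        print(f"{src}:{sport} -> dport {dport}: {n} denied non-SYN packet(s)")
```

One caveat worth keeping in mind when reading these logs: ipchains only tells you whether SYN was set without ACK. It does not record RST, ACK or FIN, so "no SYN" covers an RST-ACK, a bare ACK, a FIN scan and several other things alike. Distinguishing them, as k2 did, needs a packet capture (tcpdump on the same interface) rather than the kernel log.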
This archive was generated by hypermail 2b30 : Thu Jul 26 2001 - 11:57:05 PDT