On Fri, May 10, 2002 at 10:40:19AM -0500, pbsarnacat_private wrote:

> Starting on May 8 and continuing on through today, my firewall has been
> picking up malformed TCP packets. The PIX complains about bad header
> lengths, but the flag combinations that are showing up are extremely
> strange. The source IP addresses are varied, and the destination IPs are
> all NAT'd client workstations... not servers. The interesting thing is that
> a majority of the scans are originating from port 6346, which snort.org
> informs me is the gnutella server port. I've verified that at least two of
> the clients that these packets were directed to were running various
> file-sharing clients. Is this some sort of new scanning tool that runs over
> the Gnutella network? Anyone have any thoughts?
>
> (See attached file: 5-10-02-scans.txt)

I saw a small number of these a couple of days ago, on ports other than the
ones that you saw. I chalked it up to random data corruption, since it has
not repeated since.

--
 - mdz

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com