Hello all,

An attacker had connected 3 times to the ftp service of an already compromised honeypot 10.6.1.4 (Redhat 6.2) and then disconnected. After this he had sent many packets of the form below. The honeypot did not respond to these packets at all. Note that the tcp length is zero, and the starting point of data is not known. Some tcpdump implementations or a few related utilities (like ipsumdump) won't work correctly with this packet. But I can't really figure out what he is trying to do.

  04/20-19:23:37.025924 xxx.xxx.xxx.xxx:80 -> 10.6.1.4:80
  TCP TTL:240 TOS:0x80 ID:7977 IpLen:20 DgmLen:64
  ******** Seq: 0x9A020000  Ack: 0x0  Win: 0xD204  TcpLen: 0
  00 00 00 00 00 00 00 00 00 00 00 00 AF 9A 1C 8C  ................
  D9 6E FC 16 0A 2E 00 00                          .

Any ideas??

Thanks!
Costas

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
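An added check, not part of Costas's post, that decodes a raw IPv4/TCP datagram and flags the "TcpLen: 0" condition he describes: a TCP data offset below the RFC 793 minimum of 5 words, which is why tools cannot tell where the payload starts. The packet bytes are constructed to match the fields in his dump; the source address 192.0.2.1 is a placeholder and checksums are left at zero.

```python
import struct
from dataclasses import dataclass

@dataclass
class TcpCheck:
    src: str
    dst: str
    data_offset_words: int
    flags: int
    verdict: str

def build_packet(data_offset: int, flags: int, payload: bytes) -> bytes:
    """Constructed IPv4/TCP datagram mirroring the fields in the post (TTL 240,
    TOS 0x80, ID 7977, 80 -> 80, Seq 0x9A020000, Win 0xD204); DgmLen is 64 with
    the 24-byte payload. Source 192.0.2.1 is a placeholder; checksums are 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0x80, 40 + len(payload), 7977, 0,
                     240, 6, 0, bytes([192, 0, 2, 1]), bytes([10, 6, 1, 4]))
    tcp = struct.pack("!HHIIHHHH", 80, 80, 0x9A020000, 0,
                      (data_offset << 12) | flags, 0xD204, 0, 0)
    return ip + tcp + payload

def check_tcp_header(packet: bytes) -> TcpCheck:
    """Decode the IPv4 and TCP headers and flag a TCP data offset below the
    RFC 793 minimum of 5 words (20 bytes), the condition shown as 'TcpLen: 0'."""
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != 6:
        raise ValueError("not an IPv4/TCP datagram")
    tcp = packet[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("segment shorter than a minimal TCP header")
    off_flags = struct.unpack("!H", tcp[12:14])[0]
    data_offset, flags = off_flags >> 12, off_flags & 0x01FF
    if data_offset < 5:
        verdict = "malformed: data offset %d words, below the minimum of 5" % data_offset
    elif data_offset * 4 > len(tcp):
        verdict = "malformed: data offset points past the end of the segment"
    else:
        verdict = "ok"
    return TcpCheck(".".join(map(str, src)), ".".join(map(str, dst)),
                    data_offset, flags, verdict)

# The 24 payload bytes as printed in the post's Snort output.
PAYLOAD = bytes.fromhex("00" * 12 + "AF9A1C8CD96EFC160A2E0000")
MALFORMED = build_packet(0, 0, PAYLOAD)        # TcpLen: 0, no flags set
WELL_FORMED = build_packet(5, 0x002, PAYLOAD)  # 20-byte header, SYN set
```

A sensor that applies this check can drop or alert on such segments before any stateful TCP processing, which is the safe handling regardless of what the sender intended.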
This archive was generated by hypermail 2b30 : Wed Jun 26 2002 - 08:26:08 PDT