unexplained port 524 probes payload "cko"

From: Fragga (fraggaat_private)
Date: Fri Jun 28 2002 - 04:39:15 PDT


    greets incidents list,
    
    For the past couple of days I've noticed a methodical probe from a source to
    my server on port 524. I'm aware this is something to do with NetWare,
    however I'm not quite sure of its purpose. The machine sends SYNs to port
    524, but for some reason, even though this port is not open, my machine does
    not send a RST. Then after 6 SYNs it sends two packets with both ACK and RST
    set with the payload "cko". This same sequence happens every 15 minutes...
    
    Has anyone seen this before or have any idea what the point of it is? Snort
    dump below.
    
    thanks
    
    fragga
    
    06/28-11:46:01.721557 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3E
    195.147.191.186:5448 -> my.ip.add.ress:524 TCP TTL:112 TOS:0x0 ID:1473
    IpLen:20 DgmLen:48 DF
    ******S* Seq: 0x3A18F81C  Ack: 0x0  Win: 0x2000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK
    
    06/28-11:46:04.625473 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3E
    195.147.191.186:5448 -> my.ip.add.ress:524 TCP TTL:112 TOS:0x0 ID:10433
    IpLen:20 DgmLen:48 DF
    ******S* Seq: 0x3A18F81C  Ack: 0x0  Win: 0x2000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK
    
    06/28-11:46:10.632395 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3E
    195.147.191.186:5448 -> my.ip.add.ress:524 TCP TTL:112 TOS:0x0 ID:21953
    IpLen:20 DgmLen:48 DF
    ******S* Seq: 0x3A18F81C  Ack: 0x0  Win: 0x2000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK
    
    06/28-11:46:31.166756 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3E
    195.147.191.186:5384 -> my.ip.add.ress:524 TCP TTL:112 TOS:0x0 ID:50547
    IpLen:20 DgmLen:48 DF
    ******S* Seq: 0xFDFF551E  Ack: 0x0  Win: 0x2000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK
    
    06/28-11:46:34.113389 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3E
    195.147.191.186:5384 -> my.ip.add.ress:524 TCP TTL:112 TOS:0x0 ID:51059
    IpLen:20 DgmLen:48 DF
    ******S* Seq: 0xFDFF551E  Ack: 0x0  Win: 0x2000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK
    
    06/28-11:46:40.113640 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3E
    195.147.191.186:5384 -> my.ip.add.ress:524 TCP TTL:112 TOS:0x0 ID:56691
    IpLen:20 DgmLen:48 DF
    ******S* Seq: 0xFDFF551E  Ack: 0x0  Win: 0x2000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK
    
    06/28-11:53:40.473109 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3C
    195.147.191.186:5448 -> my.ip.add.ress:524 TCP TTL:16 TOS:0x0 ID:0 IpLen:20
    DgmLen:43
    ***A*R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20
    63 6B 6F                                         cko
    
    06/28-11:54:10.478336 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3C
    195.147.191.186:5384 -> my.ip.add.ress:524 TCP TTL:16 TOS:0x0 ID:0 IpLen:20
    DgmLen:43
    ***A*R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20
    63 6B 6F                                         cko
    
    
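An added example, not code from the poster or from Snort: it parses Snort ASCII packet records like the dump above and flags the two oddities the post describes, SYNs retransmitted with the same ISN (so nothing answered them) and a RST+ACK that carries data and whose TTL and IP ID look nothing like the SYNs'. The embedded sample is an abridged copy of three records from the dump.

```python
import re
from collections import defaultdict
# Constructed, abridged sample in Snort's ASCII log format (fields copied from
# the dump in the post): two SYN retransmits, then the ACK+RST carrying "cko".
SNORT_LOG = """\
06/28-11:46:01.721557 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3E
195.147.191.186:5448 -> my.ip.add.ress:524 TCP TTL:112 TOS:0x0 ID:1473
******S* Seq: 0x3A18F81C  Ack: 0x0  Win: 0x2000  TcpLen: 28

06/28-11:46:04.625473 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3E
195.147.191.186:5448 -> my.ip.add.ress:524 TCP TTL:112 TOS:0x0 ID:10433
******S* Seq: 0x3A18F81C  Ack: 0x0  Win: 0x2000  TcpLen: 28

06/28-11:53:40.473109 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3C
195.147.191.186:5448 -> my.ip.add.ress:524 TCP TTL:16 TOS:0x0 ID:0 IpLen:20
***A*R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20
63 6B 6F                                         cko
"""

HDR = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) TCP TTL:(\d+) .*?ID:(\d+)", re.M)
FLAGS = re.compile(r"^([*12UAPRSF]{8}) Seq: (0x[0-9A-Fa-f]+)", re.M)
HEXDUMP = re.compile(r"^((?:[0-9A-F]{2} ?)+?) {2,}", re.M)  # hex column of a payload line

def parse_snort(text):
    """Turn each blank-line-separated Snort record into a dict of the fields we need."""
    pkts = []
    for rec in filter(str.strip, text.split("\n\n")):
        if (h := HDR.search(rec)) and (f := FLAGS.search(rec)):
            payload = b"".join(bytes.fromhex(m[1]) for m in HEXDUMP.finditer(rec))
            pkts.append(dict(src=h[1], sport=int(h[2]), dport=int(h[4]), ttl=int(h[5]),
                             ipid=int(h[6]), flags=f[1], seq=int(f[2], 16), payload=payload))
    return pkts

def analyse(pkts, probe_port=524, min_syns=2):
    """Per source port, flag SYNs retransmitted with one ISN and any RST that carries data."""
    flows, findings = defaultdict(list), []
    for p in pkts:
        if p["dport"] == probe_port:
            flows[(p["src"], p["sport"])].append(p)
    for (src, sport), flow in flows.items():
        syns = [p for p in flow if p["flags"] == "******S*"]
        # one ISN repeated across several SYNs means the probe never got an answer
        if len(syns) >= min_syns and len({p["seq"] for p in syns}) == 1:
            findings.append(f"{src}:{sport} {len(syns)} unanswered SYN retransmits")
        for p in flow:
            if "R" in p["flags"] and p["payload"]:
                odd_ttl = p["ttl"] not in {s["ttl"] for s in syns}  # RST TTL unlike the SYNs'
                findings.append(f"{src}:{sport} RST+ACK with payload {p['payload']!r}"
                                f" ttl={p['ttl']} ipid={p['ipid']} ttl_differs={odd_ttl}")
    return findings
```

Running `analyse(parse_snort(open("alert").read()))` over a full Snort ASCII log reports one line per source port for each behaviour found.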