Greets incidents list,

For the past couple of days I've noticed a methodical probe from a source to my server on port 524. I'm aware this is something to do with NetWare; however, I'm not quite sure of its purpose. The machine sends SYNs to port 524, but for some reason, even though this port is not open, my machine does not send a RST. Then, after 6 SYNs, it sends two packets with both ACK and RST set with the payload "cko". This same sequence happens every 15 minutes... Has anyone seen this before, or have any idea what the point of it is?

Snort dump below.

thanks
fragga

06/28-11:46:01.721557 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3E
195.147.191.186:5448 -> my.ip.add.ress:524 TCP TTL:112 TOS:0x0 ID:1473 IpLen:20 DgmLen:48 DF
******S* Seq: 0x3A18F81C  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

06/28-11:46:04.625473 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3E
195.147.191.186:5448 -> my.ip.add.ress:524 TCP TTL:112 TOS:0x0 ID:10433 IpLen:20 DgmLen:48 DF
******S* Seq: 0x3A18F81C  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

06/28-11:46:10.632395 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3E
195.147.191.186:5448 -> my.ip.add.ress:524 TCP TTL:112 TOS:0x0 ID:21953 IpLen:20 DgmLen:48 DF
******S* Seq: 0x3A18F81C  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

06/28-11:46:31.166756 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3E
195.147.191.186:5384 -> my.ip.add.ress:524 TCP TTL:112 TOS:0x0 ID:50547 IpLen:20 DgmLen:48 DF
******S* Seq: 0xFDFF551E  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

06/28-11:46:34.113389 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3E
195.147.191.186:5384 -> my.ip.add.ress:524 TCP TTL:112 TOS:0x0 ID:51059 IpLen:20 DgmLen:48 DF
******S* Seq: 0xFDFF551E  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

06/28-11:46:40.113640 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3E
195.147.191.186:5384 -> my.ip.add.ress:524 TCP TTL:112 TOS:0x0 ID:56691 IpLen:20 DgmLen:48 DF
******S* Seq: 0xFDFF551E  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

06/28-11:53:40.473109 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3C
195.147.191.186:5448 -> my.ip.add.ress:524 TCP TTL:16 TOS:0x0 ID:0 IpLen:20 DgmLen:43
***A*R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20
63 6B 6F                                         cko

06/28-11:54:10.478336 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3C
195.147.191.186:5384 -> my.ip.add.ress:524 TCP TTL:16 TOS:0x0 ID:0 IpLen:20 DgmLen:43
***A*R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20
63 6B 6F                                         cko

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
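The following is an added example (not part of the original post): a parser for Snort's full-format packet records as shown in the dump, plus a check that groups probes by source and flags the observed sequence (SYNs to port 524 followed by a data-bearing ACK+RST), while also recording whether the capture holds any reply from the probed port, since a closed port that never answers with a RST usually means a filter is silently dropping the SYNs. The sample log is constructed from the dump with the target address replaced by 192.0.2.10.

```python
import re
from collections import defaultdict

# Constructed sample in Snort's full packet-log layout (target replaced by 192.0.2.10): two SYN retransmits, then the "cko" ACK+RST.
SAMPLE_LOG = """\
06/28-11:46:01.721557 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3E
195.147.191.186:5448 -> 192.0.2.10:524 TCP TTL:112 TOS:0x0 ID:1473 IpLen:20 DgmLen:48 DF
******S* Seq: 0x3A18F81C  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
06/28-11:46:04.625473 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3E
195.147.191.186:5448 -> 192.0.2.10:524 TCP TTL:112 TOS:0x0 ID:10433 IpLen:20 DgmLen:48 DF
******S* Seq: 0x3A18F81C  Ack: 0x0  Win: 0x2000  TcpLen: 28
06/28-11:53:40.473109 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3C
195.147.191.186:5448 -> 192.0.2.10:524 TCP TTL:16 TOS:0x0 ID:0 IpLen:20 DgmLen:43
***A*R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20
63 6B 6F                                         cko
"""
TS_RE = re.compile(r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+ ")
HDR_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) TCP TTL:(\d+)")
FLAGS_RE = re.compile(r"^([12UAPRSF*]{8}) Seq: 0x([0-9A-Fa-f]+)")  # Snort's flag column order is 12UAPRSF
HEX_RE = re.compile(r"^((?:[0-9A-Fa-f]{2} )+?)\s{2,}(.*)$")         # payload hex column, then the ASCII column

def parse_snort_log(text):
    """Parse Snort full-format records into dicts: ts, src, sport, dst, dport, ttl, flags, seq, payload."""
    packets, pkt = [], {}
    for line in text.splitlines():
        if TS_RE.match(line):  # a timestamp line starts a new record
            packets.append(pkt := {"ts": line.split()[0], "payload": b""})
        elif m := HDR_RE.match(line):
            pkt.update(src=m[1], sport=int(m[2]), dst=m[3], dport=int(m[4]), ttl=int(m[5]))
        elif m := FLAGS_RE.match(line):
            pkt["flags"], pkt["seq"] = m[1], int(m[2], 16)
        elif m := HEX_RE.match(line):
            pkt["payload"] += bytes.fromhex(m[1])  # fromhex ignores the spaces between octets
    return packets

def find_probe_sequences(packets, port=524):
    """Group probes to `port` by (src ip, src port); keep those pairing SYNs with a data-bearing ACK+RST."""
    groups = defaultdict(lambda: {"syn": 0, "seqs": set(), "rst_payload": b"", "answered": False})
    for p in packets:
        if p.get("sport") == port:  # any reply (e.g. a RST for a closed port) from the probed host
            groups[(p["dst"], p["dport"])]["answered"] = True
        elif p.get("dport") == port:
            g, f = groups[(p["src"], p["sport"])], p.get("flags", "")
            if "S" in f and "A" not in f:
                g["syn"] += 1
                g["seqs"].add(p["seq"])  # retransmits reuse the same initial sequence number
            elif "A" in f and "R" in f and p["payload"]:
                g["rst_payload"] = p["payload"]  # a RST carrying data is not normal stack behaviour
    return {k: v for k, v in groups.items() if v["syn"] and v["rst_payload"]}
```

An `answered` value of False for a flagged group means the capture shows no packet from the probed port back to the prober, which is consistent with the SYNs being dropped rather than rejected.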
This archive was generated by hypermail 2b30 : Fri Jun 28 2002 - 09:41:43 PDT