Re: Another odd scan...

From: Jose Nazario (joseat_private)
Date: Fri Jul 12 2002 - 15:23:17 PDT

    On Thu, 11 Jul 2002, Adam Young wrote:
    
    > 	I got this for about 2 minutes, every 20 seconds or so, I just
    > thought it especially weird with "CWR ECE SYN", looking as to what the
    > meaning of this is.
    
    ECE: explicit congestion echo
    CWR: RFC2481 says "congestion window reduced"
    
    here's a whois dig for that:
    
    http://www.geektools.com/cgi-bin/proxy.cgi?query=80.97.3.255&targetnic=auto
    
    as for the port (77/TCP) being connected to, the saint tutorial suggests
    it's a well-known and used backdoor for the rpc.yppasswdd service on
    solaris:
    
    http://www.wwdsi.com/demo/saint_tutorials/Vulnerability_Exploits.html
    
    hope that helps.
    
    ___________________________
    jose nazario, ph.d.			joseat_private
    					http://www.monkey.org/~jose/
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
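
Added example, not part of the original message: a decoder for the TCP flag byte that names the ECE and CWR bits discussed above and labels the SYN+ECE+CWR combination, which RFC 3168 (the successor to RFC 2481) defines as an ECN-setup SYN. The source port, sequence number and window in the sample header are constructed, and the helper names are this example's own.

```python
import struct

# Flag bits in byte 13 of the TCP header, low bit first. CWR and ECE are the
# two bits ECN (RFC 2481, later RFC 3168) took from the old reserved field.
FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
             (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]


def parse_tcp_header(header: bytes) -> dict:
    """Decode the fixed 20-byte part of a TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_res, flags, _win, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", header[:20])
    if (off_res >> 4) < 5:  # data offset is counted in 32-bit words, minimum 5
        raise ValueError("invalid data offset")
    names = [name for bit, name in FLAG_BITS if flags & bit]
    return {"sport": sport, "dport": dport, "flags": names, "raw_flags": flags}


def classify(flags: list) -> str:
    """Label the flag combinations that matter when reading a SYN in a capture."""
    s = set(flags)
    if s == {"SYN", "ECE", "CWR"}:
        return "ECN-setup SYN (client offering ECN)"
    if s == {"SYN", "ACK", "ECE"}:
        return "ECN-setup SYN-ACK (server accepting ECN)"
    if s == {"SYN"}:
        return "plain SYN"
    if "SYN" in s and ("FIN" in s or "RST" in s):
        return "invalid combination"
    return "other"


def build_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed sample: minimal header, no options, checksum left at zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 5840, 0, 0)


# Constructed packet resembling the one in the thread: a SYN to 77/TCP with
# ECE and CWR set (0x02 | 0x40 | 0x80 = 0xC2).
SAMPLE = build_header(40000, 77, 0xC2)

if __name__ == "__main__":
    pkt = parse_tcp_header(SAMPLE)
    print(pkt["dport"], pkt["flags"], "->", classify(pkt["flags"]))
```

The flag combination alone says only that the sending stack offers ECN; the destination port and the timing of the probes remain separate evidence.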
    



    This archive was generated by hypermail 2b30 : Fri Jul 12 2002 - 16:42:46 PDT