For about the last 2 weeks I've been getting attempted connections to tcp/5248 on one of my machines. So far I count 19 different sources from varying blocks dating back to June 19. This hasn't shown up in other firewall logs on our network, so it doesn't appear to be a scan. Window sizes are all either 1400 or 1024. Source ports are all either 13568 or 80. TTLs vary from 43 to 55. This server only does DNS. I have some full packet captures available if anyone is interested. Thanks, Brian Collins Sys Admin Newnan Utilities ---------------------------------------------------------------------------- Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Fri Jun 27 2003 - 20:34:40 PDT