Security Incidents mailing list archives
Re: Very Strange Attack
From: "Osvaldo J. Filho" <osvaldojaneri () UOL COM BR>
Date: Wed, 7 Feb 2001 17:29:57 -0200

Hello,

I don't think so. Nmap fingerprint uses a closed and an open port to guess the remote OS. Looks like he got hit just on this port (18245).

Keep an eye that this is a cycle, with predictable actions (~ 5 packets in and out, every time) with three hours of difference between the first 3 cycles, and less than a half hour on the last cycle and the fixed sport and dport. Maybe he wasn't happy with the results.

Note the IP address (66.50.* and 63.91.*). Both are from Puerto Rico Telephone Company. Luis, I recommend you contact them (nameserv () PRTC NET) for details of what this really is.

Cordially,

---
Osvaldo J. Filho
Unix Security Specialist/Consultant
<osvaldojaneri () uol com br>
---

On Wed, 7 Feb 2001, Fernando Cardoso wrote:

It sounds like some sort of OS fingerprinting like the one nmap implements. It just sends weird packets with all kinds of invalid combinations of flags and options and tries to figure out what kind of OS is running by analyzing the replies.

Just my $0.02

Fernando

--
Fernando Cardoso - Security Consultant
WhatEverNet Computing, S.A.
Praca de Alvalade, 6 - Piso 6
1700-036 Lisboa - Portugal
Phone : +351 21 7994200
Fax : +351 21 7994242
email : fernando.cardoso () whatevernet com
http://www.whatevernet.com/