Security Incidents mailing list archives

SYN/ACK probe attempt to TCP 3072?


From: SIU Credit Union IS Dept <isdept () cecc net>
Date: Wed, 7 Mar 2001 12:36:39 -0600

(Curt Wilson)

Here is something I don't normally see, any advice/comments?

Mar 06 04:30:57 [192.149.115.1] %PIX-6-106015: Deny TCP (no connection) from 204.178.125.65/25 to 192.168.x.x/3072 flags SYN ACK  on interface outside

Remote system belongs to an Internet chess club.
Connection appears to originate from an SMTP port on the remote
side, attempts to connect to TCP port 3072, with SYN ACK flags.
The SYN ACK flags, in normal operation, indicate that this is a
reply to a connection origination. So, if this were legit traffic, it
would indicate that our extranet system initiated the sending of
an email to this remote system. However, if this were the case,
the PIX firewall would have an entry in its state table that allowed
the connection back through. Since there is no way that I know of
to trick the PIX state table, I suspect that this is a crafted packet
designed to fool access control mechanisms with the combination
of port 25 and the SYN ACK flags. I have been unable to find a
reference to port 3072, however, so it is unclear what the attacker
may have been after. It's also possible that some type
of network problem redirected this connection. The remote host is a
BSD box and appears to have many open ports and could very well
be compromised. I left a message with the site to notify them of
this possibility.

Curt Wilson,
Network Administrator, SIUCU
Consultant, Netw3 Consulting
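The reasoning in the post (a SYN/ACK from outside is only legitimate if the firewall recorded our outbound SYN first) can be modelled in a few lines. The following is an added example, not part of Curt's message and not a PIX feature: it parses 106015 lines of the form quoted above, keeps a toy state table of outbound SYNs, and flags any SYN/ACK that arrives from a service port with no matching SYN. The regex, the SERVICE_PORTS set and the two extra log lines (documentation addresses in 198.51.100.0/24) are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Cisco PIX syslog 106015 = "Deny TCP (no connection)". The pattern is an
# assumption written for the one-line form of the message quoted in the
# thread (the archive wraps it; re-join the line before parsing).
PIX_106015 = re.compile(
    r"%PIX-\d-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\w.]+)/(?P<sport>\d+) to (?P<dst>[\w.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\w+)"
)

# Ports an attacker might choose as the *source* port of a crafted SYN/ACK,
# hoping a stateless ACL lets "replies from a mail/web/DNS server" through.
# The set is an assumption for this example.
SERVICE_PORTS = {25, 53, 80, 443}


@dataclass(frozen=True)
class Denied:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    iface: str


def parse_106015(line: str) -> Optional[Denied]:
    """Return a Denied record for a 106015 line, or None for any other message."""
    m = PIX_106015.search(line)
    if not m:
        return None
    return Denied(m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                  frozenset(m["flags"].split()), m["iface"])


class StateTable:
    """Minimal model of a stateful firewall's TCP connection table.

    Only the 4-tuple of each outbound SYN is recorded; an inbound SYN/ACK is
    permitted only if it is the mirror image of a recorded SYN.
    """

    def __init__(self) -> None:
        self._flows: Set[Tuple[str, int, str, int]] = set()

    def outbound_syn(self, src: str, sport: int, dst: str, dport: int) -> None:
        self._flows.add((src, sport, dst, dport))

    def permits_reply(self, pkt: Denied) -> bool:
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self._flows


def classify(pkt: Denied, table: StateTable) -> str:
    """Label one denied packet by how a stateful firewall reasons about it."""
    if pkt.flags != frozenset({"SYN", "ACK"}):
        return "stray-non-synack"        # e.g. lone ACK: stale flow or ACK scan
    if table.permits_reply(pkt):
        return "matching-syn-exists"     # would have passed; never logged as 106015
    if pkt.sport in SERVICE_PORTS:
        return "suspect-crafted-synack"  # service source port + SYN/ACK, no SYN sent
    return "unsolicited-synack"


def scan(lines: List[str], table: StateTable) -> List[Tuple[Denied, str]]:
    """Parse every 106015 line and attach a verdict; other lines are skipped."""
    out = []
    for line in lines:
        pkt = parse_106015(line)
        if pkt is not None:
            out.append((pkt, classify(pkt, table)))
    return out


# Sample input: the line quoted in the thread (re-joined) plus two lines
# constructed for this example with documentation addresses.
SAMPLE_LOG = [
    "Mar 06 04:30:57 [192.149.115.1] %PIX-6-106015: Deny TCP (no connection) "
    "from 204.178.125.65/25 to 192.168.x.x/3072 flags SYN ACK  on interface outside",
    "Mar 06 04:31:12 [192.149.115.1] %PIX-6-106015: Deny TCP (no connection) "
    "from 198.51.100.7/40123 to 192.168.x.x/1030 flags SYN ACK on interface outside",
    "Mar 06 04:31:40 [192.149.115.1] %PIX-6-106015: Deny TCP (no connection) "
    "from 198.51.100.9/2049 to 192.168.x.x/139 flags ACK on interface outside",
]

if __name__ == "__main__":
    for pkt, verdict in scan(SAMPLE_LOG, StateTable()):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"{'/'.join(sorted(pkt.flags))}: {verdict}")
    # Had the extranet host really opened a connection to port 25, the
    # firewall would have held this entry and the SYN/ACK would have passed.
    legit = StateTable()
    legit.outbound_syn("192.168.x.x", 3072, "204.178.125.65", 25)
    print("with matching outbound SYN:",
          classify(parse_106015(SAMPLE_LOG[0]), legit))
```

The point of the toy table is the same as Curt's: a 106015 entry already tells you the PIX found no state for the packet, so a SYN/ACK in that log is by definition unsolicited, and a service source port makes it worth a closer look rather than an explanation.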