Security Incidents mailing list archives
Re: increased attacks on port 2599
From: gminick <gminick () underground org pl>
Date: Tue, 26 Nov 2002 00:57:14 +0100
On Sat, Nov 23, 2002 at 05:41:12PM -0500, Esler, Joel -- Sytex Contractor wrote:
> well I don't have whole captures of the packets.
In the case of SYN packets, the payload isn't important. Those SYN packets were the first step of the three-way handshake. Of course, even if it was part of, for example, a SYN scan and a full connection was never meant to be made, it still isn't "an attack".
> But something was trying to connect to TCP port 2599. I don't know what that is.
OK, I understand you're just curious, but IMHO being interested in all the SYN packets your server has to respond to is too paranoid an approach. Nowadays networks are full of various robots, worms, automated tools and crawlers that are searching for data, information valuable in business, statistics and so on. Also, people make mistakes, leaving their misconfigured applications running all night; maybe it's just some networking enthusiast testing his software who typed some random IP, and it was your IP.

It's important to trace new blackhat trends and new worms (or just the bugs used by them), but to do that you need to react to "incidents" like this by starting servers on the ports someone's trying to connect to (then you need to recognize the protocol used and play with it, but it costs. It costs a lot of work and time).

So, IMHO, currently we can say that what you've observed wasn't an attack. It was too early to confirm an intrusion probe.

Bye :)

--
[ ] gminick (at) underground.org.pl http://gminick.linuxsecurity.pl/ [ ]
[ "I just like morning solitude, because that's when coffee tastes best." ]

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com