Security Incidents mailing list archives

RE: TCP probe on port 35540 from port 1


From: "Kester, Kelly" <KesterK () scott disa mil>
Date: Thu, 26 Jul 2001 11:52:45 -0500


Yep, I sure have from the exact IP with an RST-ACK flag for every entry. In fact, I have this activity from other AOL IPs and a Korean IP as well. All activity is from source port 1 with a high destination port, but not always the same. For example, a group of 15 entries might originate from port 1 and go to destination port 28333, whereas another group will still originate from port 1, but will go to destination port 48869. This activity is crossing over 4 days right now and towards numerous, non-associated destination IPs. I'm thinking a possible DoS or network mapping.

Anyone have any insight into this? I've been reading up on pulsing zombies, new DoS, Stacheldraht, shaft, etc., and cannot come up with an exact or best bet to the cause. Help if you can......k2


-----Original Message-----
From: Paul Gear [mailto:paulgear () bigfoot com]
Sent: Wednesday, July 25, 2001 4:23 PM
To: SecurityFocus Incidents List
Subject: TCP probe on port 35540 from port 1

Anyone seen a probe like this lately?

Jul 23 11:45:53 ### kernel: Packet log: input DENY ppp0 PROTO=6 172.185.150.94:1 ###:35540 L=40 S=0x00 I=2815 F=0x0000 T=35 (#66)

This was the only packet of its type, and there didn't seem to be anything else happening at the time. The source address looks up to ACB9965E.ipt.aol.com.

As there is no SYN flag, it seems this is from some sort of cracking/security tool, but I'm not sure what. The source port of tcpmux is curious.

Paul
http://paulgear.webhop.net



        
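As an added example (not code from either message in this thread), a small Python parser for the ipchains "Packet log" format quoted above, followed by a check that groups non-SYN TCP packets arriving from source port 1 (tcpmux) by source host and reports how many destination hosts and high destination ports each source touched, which is the pattern Kelly describes. The sample log lines are constructed (RFC 5737 addresses) and the field regex assumes the standard ipchains layout, which records only whether a bare SYN was seen, not RST/ACK.

```python
import re
from collections import defaultdict
# ipchains "Packet log" layout (Linux 2.2 kernels), as in the line quoted in the thread.
# The kernel appends a "SYN" token only when it saw a bare SYN; RST/ACK are not recorded.
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<id>\d+) F=0x(?P<frag>[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)

def parse_ipchains(line):
    """Return the fields of one ipchains log line as a dict, or None if it does not match."""
    m = IPCHAINS_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("proto", "sport", "dport", "len", "id", "ttl", "rule"):
        d[k] = int(d[k])
    d["syn"] = d["syn"] is not None
    return d

def find_low_source_port_sweeps(lines, sport=1, min_entries=2):
    """Collect non-SYN TCP packets from a fixed low source port (tcpmux by default),
    keyed by source host, with the destination hosts and ports each source touched."""
    groups = defaultdict(lambda: {"count": 0, "dst_hosts": set(), "dst_ports": set()})
    for line in lines:
        p = parse_ipchains(line)
        if p is None or p["proto"] != 6 or p["sport"] != sport or p["syn"]:
            continue  # not TCP, wrong source port, or an ordinary SYN
        g = groups[p["src"]]
        g["count"] += 1
        g["dst_hosts"].add(p["dst"])
        g["dst_ports"].add(p["dport"])
    return {src: g for src, g in groups.items() if g["count"] >= min_entries}

# Constructed sample (RFC 5737 addresses) shaped after the thread: one source sending
# non-SYN packets from port 1 to several hosts and varying high ports, plus two unrelated lines.
SAMPLE_LOG = """\
Jul 23 11:45:53 gw kernel: Packet log: input DENY ppp0 PROTO=6 198.51.100.94:1 192.0.2.10:35540 L=40 S=0x00 I=2815 F=0x0000 T=35 (#66)
Jul 23 11:45:54 gw kernel: Packet log: input DENY ppp0 PROTO=6 198.51.100.94:1 192.0.2.11:28333 L=40 S=0x00 I=2816 F=0x0000 T=35 (#66)
Jul 23 11:45:55 gw kernel: Packet log: input DENY ppp0 PROTO=6 198.51.100.94:1 192.0.2.12:48869 L=40 S=0x00 I=2817 F=0x0000 T=35 (#66)
Jul 23 11:46:01 gw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.7:4321 192.0.2.10:80 L=60 S=0x00 I=100 F=0x4000 T=64 SYN (#12)
Jul 23 11:46:02 gw kernel: Packet log: input DENY ppp0 PROTO=17 203.0.113.8:53 192.0.2.10:1025 L=78 S=0x00 I=101 F=0x0000 T=60 (#9)
""".splitlines()

if __name__ == "__main__":
    for src, g in find_low_source_port_sweeps(SAMPLE_LOG).items():
        print(f"{src}: {g['count']} non-SYN pkts from port 1 -> {len(g['dst_hosts'])} hosts, ports {sorted(g['dst_ports'])}")
```

On real data, raise min_entries and look for one source reaching many hosts across many distinct high ports; the threshold is a tuning choice, not part of the ipchains format.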

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

