From: Fragga (fraggafragga.co.uk)
Date: Fri Jun 28 2002 - 06:39:15 CDT


    Greets incidents list,

    For the past couple of days I've noticed a methodical probe from a source to
    my server on port 524. I'm aware this is something to do with NetWare;
    however, I'm not quite sure of their purpose. The machine sends SYNs to port
    524, but for some reason, even though this port is not open, my machine does
    not send a RST. Then, after 6 SYNs, it sends two packets with both ACK and RST
    set with the payload "cko". This same sequence happens every 15 minutes...

    Has anyone seen this before or have any idea what the point of it is? Snort
    dump below.

    Thanks,

    fragga

    06/28-11:46:01.721557 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3E
    195.147.191.186:5448 -> my.ip.add.ress:524 TCP TTL:112 TOS:0x0 ID:1473
    IpLen:20 DgmLen:48 DF
    ******S* Seq: 0x3A18F81C Ack: 0x0 Win: 0x2000 TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK

    06/28-11:46:04.625473 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3E
    195.147.191.186:5448 -> my.ip.add.ress:524 TCP TTL:112 TOS:0x0 ID:10433
    IpLen:20 DgmLen:48 DF
    ******S* Seq: 0x3A18F81C Ack: 0x0 Win: 0x2000 TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK

    06/28-11:46:10.632395 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3E
    195.147.191.186:5448 -> my.ip.add.ress:524 TCP TTL:112 TOS:0x0 ID:21953
    IpLen:20 DgmLen:48 DF
    ******S* Seq: 0x3A18F81C Ack: 0x0 Win: 0x2000 TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK

    06/28-11:46:31.166756 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3E
    195.147.191.186:5384 -> my.ip.add.ress:524 TCP TTL:112 TOS:0x0 ID:50547
    IpLen:20 DgmLen:48 DF
    ******S* Seq: 0xFDFF551E Ack: 0x0 Win: 0x2000 TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK

    06/28-11:46:34.113389 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3E
    195.147.191.186:5384 -> my.ip.add.ress:524 TCP TTL:112 TOS:0x0 ID:51059
    IpLen:20 DgmLen:48 DF
    ******S* Seq: 0xFDFF551E Ack: 0x0 Win: 0x2000 TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK

    06/28-11:46:40.113640 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3E
    195.147.191.186:5384 -> my.ip.add.ress:524 TCP TTL:112 TOS:0x0 ID:56691
    IpLen:20 DgmLen:48 DF
    ******S* Seq: 0xFDFF551E Ack: 0x0 Win: 0x2000 TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK

    06/28-11:53:40.473109 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3C
    195.147.191.186:5448 -> my.ip.add.ress:524 TCP TTL:16 TOS:0x0 ID:0 IpLen:20
    DgmLen:43
    ***A*R** Seq: 0x0 Ack: 0x0 Win: 0x0 TcpLen: 20
    63 6B 6F cko

    06/28-11:54:10.478336 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3C
    195.147.191.186:5384 -> my.ip.add.ress:524 TCP TTL:16 TOS:0x0 ID:0 IpLen:20
    DgmLen:43
    ***A*R** Seq: 0x0 Ack: 0x0 Win: 0x0 TcpLen: 20
    63 6B 6F cko

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
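One way to triage a dump like the one in the post, as an added example that is not part of the original message or of Snort: parse the Snort ASCII packet-log records, group them into flows by source and destination address/port, and report what each flow shows (SYNs resent with the same ISN, an RST/ACK that carries data, and the TTL change between the SYNs and the RST, which the dump itself shows as 112 on the SYNs and 16 on the RSTs). The sample input is a constructed subset of the post's own dump (the source-port-5448 packets); the function names, the flow summary fields and the wording of the observations are this example's own and not Snort output.

```python
"""Triage a Snort packet-log ASCII dump: group packets into flows and describe
the repeated-SYN / RST-ACK-with-payload shape seen in the post.
Added example, not part of the post or of Snort; the heuristics are its own."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the four source-port-5448 packets from the post. Snort
# prints the IP header on one line; the mail client wrapped "IpLen"/"DgmLen"
# onto the next, so the parser joins each blank-line-separated record first.
SAMPLE_LOG = """\
06/28-11:46:01.721557 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3E
195.147.191.186:5448 -> my.ip.add.ress:524 TCP TTL:112 TOS:0x0 ID:1473
IpLen:20 DgmLen:48 DF
******S* Seq: 0x3A18F81C Ack: 0x0 Win: 0x2000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

06/28-11:46:04.625473 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3E
195.147.191.186:5448 -> my.ip.add.ress:524 TCP TTL:112 TOS:0x0 ID:10433
IpLen:20 DgmLen:48 DF
******S* Seq: 0x3A18F81C Ack: 0x0 Win: 0x2000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

06/28-11:46:10.632395 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3E
195.147.191.186:5448 -> my.ip.add.ress:524 TCP TTL:112 TOS:0x0 ID:21953
IpLen:20 DgmLen:48 DF
******S* Seq: 0x3A18F81C Ack: 0x0 Win: 0x2000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

06/28-11:53:40.473109 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3C
195.147.191.186:5448 -> my.ip.add.ress:524 TCP TTL:16 TOS:0x0 ID:0 IpLen:20
DgmLen:43
***A*R** Seq: 0x0 Ack: 0x0 Win: 0x0 TcpLen: 20
63 6B 6F cko
"""

FLAG_COLUMNS = "12UAPRSF"  # column order of Snort's 8-character TCP flag field
TIME_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)")
IP_RE = re.compile(r"(\S+):(\d+) -> (\S+):(\d+) TCP TTL:(\d+) TOS:\S+ ID:(\d+) "
                   r"IpLen:(\d+) DgmLen:(\d+)")
TCP_RE = re.compile(r"([12UAPRSF*]{8}) Seq: 0x([0-9A-Fa-f]+) Ack: 0x[0-9A-Fa-f]+ "
                    r"Win: 0x[0-9A-Fa-f]+ TcpLen: (\d+)")
HEX_RE = re.compile(r"^((?:[0-9A-Fa-f]{2} )+)")  # leading hex column of a dump line


def parse_snort_dump(text):
    """Return one dict per TCP record (records are separated by blank lines)."""
    packets = []
    for record in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in record.splitlines()]
        joined = " ".join(lines)
        t, ip, tcp = TIME_RE.match(joined), IP_RE.search(joined), TCP_RE.search(joined)
        if not (t and ip and tcp):
            continue  # ICMP/UDP or truncated record: not what we are triaging
        payload = b""
        for m in filter(None, (HEX_RE.match(l + " ") for l in lines[1:])):
            payload += bytes.fromhex("".join(m.group(1).split()))
        hdr_len = int(ip.group(7)) + int(tcp.group(3))  # IpLen + TcpLen
        packets.append({
            "time": datetime.strptime(t.group(1), "%m/%d-%H:%M:%S.%f"),
            "src": ip.group(1), "sport": int(ip.group(2)),
            "dst": ip.group(3), "dport": int(ip.group(4)), "ttl": int(ip.group(5)),
            "flags": {n for n, c in zip(FLAG_COLUMNS, tcp.group(1)) if c != "*"},
            "seq": int(tcp.group(2), 16),
            # DgmLen minus the headers bounds the payload, so ASCII-column text
            # that happens to look like hex pairs cannot leak into it
            "payload": payload[:int(ip.group(8)) - hdr_len],
        })
    return packets


def summarise_flows(packets):
    """Group by (src, sport, dst, dport) and describe each flow's SYN/RST shape."""
    flows = defaultdict(list)
    for p in packets:
        flows[(p["src"], p["sport"], p["dst"], p["dport"])].append(p)
    result = {}
    for key, pkts in flows.items():
        pkts.sort(key=lambda p: p["time"])
        syns = [p for p in pkts if p["flags"] == {"S"}]
        rsts = [p for p in pkts if "R" in p["flags"]]
        s = {
            "syn_count": len(syns),
            "syn_retransmits": len(syns) - len({p["seq"] for p in syns}),
            "rst_count": len(rsts),
            "rst_payloads": [p["payload"] for p in rsts],
            "ttls": sorted({p["ttl"] for p in pkts}),
            "observations": [],
        }
        if s["syn_retransmits"]:
            s["observations"].append(
                "SYN resent %d time(s) with the same ISN: the sender got neither "
                "a SYN/ACK nor a RST back" % s["syn_retransmits"])
        if any(p["payload"] for p in rsts):
            s["observations"].append(
                "RST/ACK carries data %r; ordinary stacks send empty RSTs"
                % [p["payload"] for p in rsts if p["payload"]])
        if syns and rsts and {p["ttl"] for p in syns} != {p["ttl"] for p in rsts}:
            s["observations"].append(
                "TTL changes between the SYNs and the RST: check whether the RST "
                "comes from the same host or from a device in the path")
        result[key] = s
    return result
```

Feed it the full dump instead of the sample and it reports both source ports (5448 and 5384) as separate flows; the payload is bounded by DgmLen minus the header lengths rather than by what the hex column looks like, so it survives real Snort output where the ASCII column sits on the same line.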