From: IWAY - Ivo Dijkhuis dykhuis.nl (dykhuis.nl)
Date: Mon Apr 02 2001 - 16:32:34 CDT


    I've also seen this in my Snort logs.
    I looked around and found this information:
    http://lists.gnac.net/firewalls/mhonarc/firewalls.200011/msg00184.html

    So, it seems to be harmless ...

    -IRD-

    Chuck Kendzierski wrote:

    > Jim,
    >
    > Have not seen the combination of flags described nor do I think they occurred naturally. I remember seeing something a while back about this. Check out the email snippet below. Note the source and destination ports. Sound familiar?
    >
    > Chuck Kendzierski
    >
    > Subject: TCP/21536 attack?
    > From: "Gary Maltzen" <maltzen@mm.com>
    > Date: Tue, 14 Nov 2000 10:53:37 -0600
    > To: "Firewalls List" <firewalls@lists.gnac.net>
    > References: <B32F2F854D4CD311898B00508B444F7F0292BF5A@abz-irg-exs01.uk.saic.com>
    >
    > --------------------------------------------------------------------------------
    >
    > Is there a list more appropriate for 'what the heck is this' posts?
    >
    > It's not in /etc/services
    > It's not in Graham http://www.robertgraham.com/pubs/firewall-seen.html
    > It's not in Simovits http://www.simovits.com/nyheter9902.html
    > It's not in TLSecurity http://www.tlsecurity.com/trojanh.htm
    > It's not in advICE http://advice.networkice.com/advice/Exploits/Ports/
    >
    > Interestingly enough it's from tcp/18245 each time...
    >
    > From Poland
    > Nov 12 11:59 CDT tcp 212.160.25.170(18245) -> 209.134.156.113(21536), 1 packet
    > Nov 12 16:05 CDT tcp 212.160.25.123(18245) -> 209.134.156.113(21536), 1 packet
    > Nov 12 16:11 CDT tcp 212.160.25.123(18245) -> 209.134.156.113(21536), 6 packets
    > Nov 12 16:13 CDT tcp 212.160.25.123(18245) -> 209.134.156.113(21536), 1 packet
    > Nov 12 16:13 CDT tcp 212.160.25.123(18245) -> 209.134.156.113(21536), 1 packet
    > From Canada
    > Nov 13 19:33 CDT tcp 209.213.239.60(18245) -> 209.134.156.113(21536), 1 packet
    > From Sweden
    > Nov 14 03:57 CDT tcp 213.204.132.194(18245) -> 209.134.156.113(21536), 1 packet
    > Nov 14 03:57 CDT tcp 213.204.132.194(18245) -> 209.134.156.113(21536), 3 packets
    > Nov 14 03:58 CDT tcp 213.204.132.194(18245) -> 209.134.156.113(21536), 1 packet
    >
    > Any clues?
    > -TIA
    > Gary
    >
    > -----Original Message-----
    > From: Jim Franzen jim.franzen@VOGON.SE
    > Sent: Mon, 2 Apr 2001 17:29:29 +0200
    > To: FOCUS-IDS@SECURITYFOCUS.COM
    > Subject: Strange Snort report.
    >
    > Hi all.
    >
    > Snort picked up this earlier today:
    >
    > Apr 2 15:40:29 212.105.28.137:18245 -> x.x.x.x:21536 NOACK **U*PRS*
    > Apr 2 15:40:35 212.105.28.137:1533 -> x.x.x.x:443 SYN ******S*
    > Apr 2 15:40:51 212.105.28.137:18245 -> x.x.x.x:21536 INVALIDACK *2UA*R*F RESERVEDBITS
    > Apr 2 15:40:56 212.105.28.137:18245 -> x.x.x.x:21536 INVALIDACK *2UA**S* RESERVEDBITS
    > Apr 2 15:40:56 212.105.28.137:0 -> x.x.x.x:0 NULL ********
    >
    > Anyone who can cast some light on this for me?
    > Is this a known attack or just gibberish?
    >
    > Thnx
    >
    > /Jim
    >
    > VOGON AB
    > Smidesvägen 7, Box 1301, S-172 26 SUNDBYBERG, Sweden
    > Phone: +46-8-627 48 02 Cellular: +46-709-26 86 89 Fax: +46-8-627 48 99
    > email: jim@vogon.se site: www.vogon.se
    > cellmail: jim.mobil@vogon.se
    >
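An added triage helper, not code from any poster in the thread: it parses Snort portscan-preprocessor lines in the format quoted above, decodes the eight-character flag string, and reads the source/destination port pair as four ASCII bytes. The pair 18245/21536 is 0x4745 0x5420, the text "GET ", i.e. the start of an HTTP request being interpreted as if it were a TCP header, which is the usual reason this alert is classed as harmless. The sample lines are constructed from the ones in the thread.

```python
import re

# Constructed sample input, shaped like the Snort lines quoted in the thread.
SAMPLE_LOG = """\
Apr 2 15:40:29 212.105.28.137:18245 -> x.x.x.x:21536 NOACK **U*PRS*
Apr 2 15:40:35 212.105.28.137:1533 -> x.x.x.x:443 SYN ******S*
Apr 2 15:40:51 212.105.28.137:18245 -> x.x.x.x:21536 INVALIDACK *2UA*R*F RESERVEDBITS
Apr 2 15:40:56 212.105.28.137:0 -> x.x.x.x:0 NULL ********
"""

# <month> <day> <hh:mm:ss> <src>:<sport> -> <dst>:<dport> <label> <8-char flags> [extra]
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<label>\S+) (?P<flags>\S{8})(?P<extra>.*)$"
)

# Snort 1.x portscan flag columns: reserved bits 1 and 2, then URG ACK PSH RST SYN FIN.
FLAG_NAMES = ("RES1", "RES2", "URG", "ACK", "PSH", "RST", "SYN", "FIN")


def decode_flags(flagstr):
    """Return the names of the set bits in a flag string such as '*2UA*R*F'."""
    return [name for ch, name in zip(flagstr, FLAG_NAMES) if ch != "*"]


def ports_as_ascii(sport, dport):
    """Interpret the two 16-bit port values as four big-endian bytes of text."""
    raw = sport.to_bytes(2, "big") + dport.to_bytes(2, "big")
    return raw.decode("ascii", "replace")


def triage(log):
    """Parse each line and mark port pairs that spell 'GET ' as misparsed HTTP."""
    results = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a portscan line; leave it for other tooling
        sport, dport = int(m["sport"]), int(m["dport"])
        text = ports_as_ascii(sport, dport)
        results.append({
            "src": m["src"], "sport": sport, "dport": dport,
            "flags": decode_flags(m["flags"]),
            "ports_ascii": text,
            "verdict": "misparsed HTTP GET (harmless)" if text == "GET " else "review",
        })
    return results
```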