Security Incidents mailing list archives
Strange scan behavior
From: Daniel Martin <dtmartin24 () HOME COM>
Date: Mon, 8 Jan 2001 17:59:55 -0500
I have noticed a few people connect to some open tcp port on my machine and then send the three bytes 05 01 02 - this first happened on December 4th of last year on port 80, but has happened twice since on port 27374 (yes, I have a subseven honeypot). Is this some tcp stack vulnerability? I ask because it just seems odd that it would be sent to port 80, unless it was either a webserver or general tcp vulnerability, and there's not much sense in sending a webserver vulnerability to port 27374. If it helps, the person who sent this weird request to my webserver also sent the two bytes 04 01 on a different connection immediately prior to this one.
Current thread:
- Strange scan behavior Daniel Martin (Jan 08)