Security Incidents mailing list archives

Re: Another odd scan...

From: Jose Nazario <jose () monkey org>
Date: Fri, 12 Jul 2002 18:23:17 -0400 (EDT)

On Thu, 11 Jul 2002, Adam Young wrote:

      I got this for about 2 minutes, every 20 seconds or so, I just
thought it especially weird with "CWR ECE SYN", looking as to what the
meaning of this is.


ECE: explicit congestion echo
CWR: RFC2481 says "congestion window reduced"

here's a whois dig for that:

http://www.geektools.com/cgi-bin/proxy.cgi?query=80.97.3.255&targetnic=auto

as for the port (77/TCP) being connected to, the saint tutorial suggests
its a well known and used backdoor for the rpc.yppasswdd service on
solaris:

http://www.wwdsi.com/demo/saint_tutorials/Vulnerability_Exploits.html

hope that helps.

___________________________
jose nazario, ph.d.                     jose () monkey org
                                        http://www.monkey.org/~jose/




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Another odd scan... Adam Young (Jul 12)
- Re: Another odd scan... Jose Nazario (Jul 12)
- <Possible follow-ups>
- RE: Another odd scan... Wolf, Glenn (Jul 12)
- Re: Another odd scan... Muhammad Faisal Rauf Danka (Jul 13)