Security Incidents mailing list archives

unexplained port 524 probes payload "cko"


From: "Fragga" <fragga () fragga co uk>
Date: Fri, 28 Jun 2002 06:39:15 -0500

greets incidents list,

For the past couple of days I've noticed a methodical probe from a source to
my server on port 524. I'm aware this is something to do with NetWare,
however I'm not quite sure of its purpose. The machine sends SYNs to port
524, but for some reason, even though this port is not open, my machine does
not send a RST. Then, after 6 SYNs, it sends two packets with both ACK and RST
set with the payload "cko". This same sequence happens every 15 minutes...

Has anyone seen this before or have any idea what the point of it is? Snort
dump below.

thanks

fragga

06/28-11:46:01.721557 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3E
195.147.191.186:5448 -> my.ip.add.ress:524 TCP TTL:112 TOS:0x0 ID:1473
IpLen:20 DgmLen:48 DF
******S* Seq: 0x3A18F81C  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

06/28-11:46:04.625473 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3E
195.147.191.186:5448 -> my.ip.add.ress:524 TCP TTL:112 TOS:0x0 ID:10433
IpLen:20 DgmLen:48 DF
******S* Seq: 0x3A18F81C  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

06/28-11:46:10.632395 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3E
195.147.191.186:5448 -> my.ip.add.ress:524 TCP TTL:112 TOS:0x0 ID:21953
IpLen:20 DgmLen:48 DF
******S* Seq: 0x3A18F81C  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

06/28-11:46:31.166756 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3E
195.147.191.186:5384 -> my.ip.add.ress:524 TCP TTL:112 TOS:0x0 ID:50547
IpLen:20 DgmLen:48 DF
******S* Seq: 0xFDFF551E  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

06/28-11:46:34.113389 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3E
195.147.191.186:5384 -> my.ip.add.ress:524 TCP TTL:112 TOS:0x0 ID:51059
IpLen:20 DgmLen:48 DF
******S* Seq: 0xFDFF551E  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

06/28-11:46:40.113640 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3E
195.147.191.186:5384 -> my.ip.add.ress:524 TCP TTL:112 TOS:0x0 ID:56691
IpLen:20 DgmLen:48 DF
******S* Seq: 0xFDFF551E  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

06/28-11:53:40.473109 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3C
195.147.191.186:5448 -> my.ip.add.ress:524 TCP TTL:16 TOS:0x0 ID:0 IpLen:20
DgmLen:43
***A*R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20
63 6B 6F                                         cko

06/28-11:54:10.478336 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3C
195.147.191.186:5384 -> my.ip.add.ress:524 TCP TTL:16 TOS:0x0 ID:0 IpLen:20
DgmLen:43
***A*R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20
63 6B 6F                                         cko

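As an added example for readers triaging a dump like the one above (this is not the poster's code, nor Snort's), the script below parses Snort's text packet-dump format and reports the three things worth noticing in such a capture: SYNs repeated with the same sequence number (retransmissions that never got an answer), RST segments that carry a payload, and a TTL that changes within one flow. The sample log is constructed for this example, with RFC 5737 documentation addresses standing in for the real ones; the function names `parse_snort_dump` and `analyze` are hypothetical, and the hex-dump regex assumes Snort's layout of two-digit hex bytes followed by at least two spaces before the ASCII column.

```python
"""Parse Snort text packet dumps and flag the pattern described in the post:
repeated SYNs to one port followed by ACK+RST segments that carry a payload."""
import re
from collections import defaultdict

# Constructed sample in Snort's text dump format (not the poster's capture;
# addresses are RFC 5737 documentation addresses, flow shape mirrors the post).
SAMPLE_LOG = """\
06/28-11:46:01.721557 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3E
192.0.2.10:5448 -> 198.51.100.7:524 TCP TTL:112 TOS:0x0 ID:1473
IpLen:20 DgmLen:48 DF
******S* Seq: 0x3A18F81C  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

06/28-11:46:04.625473 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3E
192.0.2.10:5448 -> 198.51.100.7:524 TCP TTL:112 TOS:0x0 ID:10433
IpLen:20 DgmLen:48 DF
******S* Seq: 0x3A18F81C  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

06/28-11:53:40.473109 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x3C
192.0.2.10:5448 -> 198.51.100.7:524 TCP TTL:16 TOS:0x0 ID:0 IpLen:20
DgmLen:43
***A*R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20
63 6B 6F                                         cko
"""

HEADER_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) ", re.M)
IP_RE = re.compile(
    r"^(\S+?):(\d+) -> (\S+?):(\d+) TCP TTL:(\d+) TOS:0x[0-9A-Fa-f]+ ID:(\d+)", re.M)
# Snort prints the eight flag positions in the order 1 2 U A P R S F; '*' = clear.
FLAGS_RE = re.compile(
    r"^([*12UAPRSF]{8})\s+Seq: 0x([0-9A-Fa-f]+)\s+Ack: 0x([0-9A-Fa-f]+)\s+Win: 0x([0-9A-Fa-f]+)",
    re.M)
# Hex-dump lines: two-digit hex bytes separated by single spaces, then a run of
# at least two spaces before the ASCII column (assumed layout).
HEX_RE = re.compile(r"^((?:[0-9A-F]{2} )*[0-9A-F]{2})\s{2,}", re.M)


def parse_snort_dump(text):
    """Split a Snort text log into per-packet dicts. Records are separated by
    blank lines; anything that is not a complete TCP record is skipped."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        h, ip, fl = HEADER_RE.search(chunk), IP_RE.search(chunk), FLAGS_RE.search(chunk)
        if not (h and ip and fl):
            continue
        flags = {name for name, ch in zip("12UAPRSF", fl.group(1)) if ch != "*"}
        payload = b"".join(bytes.fromhex(m.group(1)) for m in HEX_RE.finditer(chunk))
        records.append({
            "ts": h.group(1), "src": ip.group(1), "sport": int(ip.group(2)),
            "dst": ip.group(3), "dport": int(ip.group(4)), "ttl": int(ip.group(5)),
            "ipid": int(ip.group(6)), "flags": flags, "seq": int(fl.group(2), 16),
            "win": int(fl.group(4), 16), "payload": payload,
        })
    return records


def analyze(records):
    """Group packets by 4-tuple and return (kind, flow, detail) findings."""
    findings = []
    by_flow = defaultdict(list)
    for r in records:
        by_flow[(r["src"], r["sport"], r["dst"], r["dport"])].append(r)
    for flow, pkts in by_flow.items():
        # Same ISN on successive SYNs means the client is retransmitting an
        # unanswered connection attempt rather than opening new ones.
        syns = [p for p in pkts if p["flags"] == {"S"}]
        if len(syns) >= 2 and len({p["seq"] for p in syns}) == 1:
            findings.append(("syn_retransmit", flow, len(syns)))
        # A RST carrying data is legal (RFC 1122 allows explanatory text) but
        # rare enough from ordinary stacks to be worth surfacing.
        for p in pkts:
            if "R" in p["flags"] and p["payload"]:
                findings.append(("rst_with_payload", flow,
                                 p["payload"].decode("ascii", "replace")))
        # A TTL that jumps within one flow suggests a different path or sender.
        ttls = sorted({p["ttl"] for p in pkts})
        if len(ttls) > 1:
            findings.append(("ttl_mismatch", flow, ttls))
    return findings


if __name__ == "__main__":
    for kind, flow, detail in analyze(parse_snort_dump(SAMPLE_LOG)):
        print(f"{kind:16} {flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  {detail}")
```

Run against a real capture, the `syn_retransmit` finding confirms that the SYNs are one unanswered attempt being retried, and `ttl_mismatch` together with the zero IP ID, zero window and zero sequence number on the ACK+RST packets is what distinguishes those segments from a reply a normal stack would generate. Since a Snort dump like the one above only shows what the sensor logged in one direction, the first thing to verify is whether your own host actually emitted a RST to the SYNs; a bidirectional capture on the host answers that directly.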

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
