Security Incidents mailing list archives

Interesting Logs to port 8941


From: Ryan Yagatich <ryany () pantek com>
Date: Wed, 9 Oct 2002 08:33:19 -0400 (EDT)

Hi,
        Today I've noticed some interesting activity on my dialup 
connection, particularly that to port 8941 via TCP. Here is an example 
of such data:


<LOG>
        <TIME> Oct  7 10:57:45 </TIME>
        <IN> ppp0 </IN>
        <OUT> </OUT>
        <MAC> </MAC>
        <SRC> 130.156.129.254 </SRC>
        <DST> 216.144.8.150 </DST>
        <LEN> 48 </LEN>
        <TOS> 0x00 </TOS>
        <PREC> 0x00 </PREC>
        <TTL> 108 </TTL>
        <ID> 39816 </ID>
        <FLAGS> DF SYN </FLAGS>
        <PROTO> TCP </PROTO>
        <SPT> 3446 </SPT>
        <DPT> 8941 </DPT>
        <WINDOW> 16384 </WINDOW>
        <RES> 0x00 </RES>
        <URGP> 0 </URGP>
</LOG>

Here's what I've found out:
        1) There are 3 packets being sent (SYN + DF)
        2) The intervals are always the same:
                3 seconds between packets 1-2
                6 seconds between packets 2-3
        3) All have a length of 48 (since it is just the SYN)

I really have no information about it other than what is listed above and 
that the timeframe is as follows:
        Start: 10.07.2002 @ 10:57:45 EST
        End:   10.07.2002 @ 17:55:56 EST
There are 210 access attempts from 68 unique hosts. 
        These 3 hosts had only 1 packet sent apiece:
                66.7.139.165 
                62.30.142.89 
                172.153.168.26

The logs that were taken from such traffic can be found at the following 
URL:
        http://www.pantek.com/~ryany/log
They are the following:
        rejected.log (42447 bytes)
                -> all of the records of the attempted connections
        tcpdump.out (216 bytes)
                -> 3 packets from a particular connection that I was 
                   able to trap

If anyone has either seen any of this before, or has a clue what it is, 
please let me know, especially since I don't have much to go by (I haven't 
set up netcat to listen on that port yet). All times are EST.

Thanks,
Ryan Yagatich  <support () pantek com>
        Pantek, Incorporated
 (877) LINUX-FIX - (440) 519-1802
===================================
DE C6 02 66 7C AB 95 9E 97 1F B0 BC
8C 9F 8A 28 BE 0A A3 93 95 70 EF 12
===================================
 A fool must now and then be right
           by chance.
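The counting Ryan did by hand (attempts, unique sources, single-packet sources, the 3 s / 6 s spacing) is easy to automate against the tag-per-line format his firewall writes. The following is an added example, not code from the post or from Pantek: it parses records of that layout, keeps only SYN-only TCP packets to the port of interest, and reports per-source inter-packet gaps. A gap sequence that doubles (3 s, then 6 s) is consistent with a client TCP stack retransmitting an unanswered SYN, so three such packets are more likely one failed connect() attempt than three separate probes. The sample records, the documentation-range addresses and the year 2002 (the log carries no year) are constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime


def make_record(ts, src, dport, sport=3446):
    """Render one record in the tag-per-line layout shown in the post.
    Used only to build constructed sample input for this example."""
    return (f"<LOG>\n\t<TIME> {ts} </TIME>\n\t<IN> ppp0 </IN>\n\t<OUT> </OUT>\n"
            f"\t<SRC> {src} </SRC>\n\t<DST> 198.51.100.5 </DST>\n\t<LEN> 48 </LEN>\n"
            f"\t<FLAGS> DF SYN </FLAGS>\n\t<PROTO> TCP </PROTO>\n"
            f"\t<SPT> {sport} </SPT>\n\t<DPT> {dport} </DPT>\n</LOG>\n")


# Constructed sample: documentation-range addresses, not hosts from the real logs.
# Two sources show the 3 s / 6 s spacing, one sends a single SYN, and one hits
# an unrelated port so the filter has something to drop.
SAMPLE_LOG = "".join(make_record(t, s, p) for t, s, p in [
    ("Oct  7 10:57:45", "192.0.2.10", 8941),
    ("Oct  7 10:57:48", "192.0.2.10", 8941),
    ("Oct  7 10:57:54", "192.0.2.10", 8941),
    ("Oct  7 11:03:10", "192.0.2.20", 8941),
    ("Oct  7 12:00:00", "192.0.2.30", 8941),
    ("Oct  7 12:00:03", "192.0.2.30", 8941),
    ("Oct  7 12:00:09", "192.0.2.30", 8941),
    ("Oct  7 12:30:00", "192.0.2.40", 80),
])

RECORD_RE = re.compile(r"<LOG>(.*?)</LOG>", re.S)
FIELD_RE = re.compile(r"<(\w+)>\s*(.*?)\s*</\1>")   # one tag per line, no nesting


def parse_log(text, year=2002):
    """Turn the tagged text into dicts; TIME becomes a datetime.
    The syslog-style timestamp has no year, so one is supplied (assumed 2002)."""
    records = []
    for body in RECORD_RE.findall(text):
        rec = dict(FIELD_RE.findall(body))
        rec["TIME"] = datetime.strptime(f"{year} {rec['TIME']}", "%Y %b %d %H:%M:%S")
        for key in ("LEN", "SPT", "DPT"):
            if rec.get(key):
                rec[key] = int(rec[key])
        records.append(rec)
    return records


def syn_attempts(records, dport):
    """Keep TCP packets to dport whose flags contain SYN but not ACK."""
    kept = []
    for r in records:
        flags = r.get("FLAGS", "").split()
        if r.get("PROTO") == "TCP" and r.get("DPT") == dport \
                and "SYN" in flags and "ACK" not in flags:
            kept.append(r)
    return kept


def intervals_by_source(records):
    """Whole seconds between consecutive packets from each source, in time order."""
    times = defaultdict(list)
    for r in sorted(records, key=lambda r: r["TIME"]):
        times[r["SRC"]].append(r["TIME"])
    return {src: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
            for src, ts in times.items()}


def looks_like_backoff(gaps):
    """True when each gap is (within the 1 s log granularity) double the previous."""
    return len(gaps) >= 2 and all(abs(b - 2 * a) <= 1 for a, b in zip(gaps, gaps[1:]))


def summarize(records, dport=8941):
    """Reproduce the post's tallies for one destination port."""
    hits = syn_attempts(records, dport)
    gaps = intervals_by_source(hits)
    return {
        "attempts": len(hits),
        "unique_hosts": len(gaps),
        "single_packet_hosts": sorted(s for s, g in gaps.items() if not g),
        "backoff_hosts": sorted(s for s, g in gaps.items() if looks_like_backoff(g)),
        "first": min((r["TIME"] for r in hits), default=None),
        "last": max((r["TIME"] for r in hits), default=None),
    }


if __name__ == "__main__":
    for k, v in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{k}: {v}")
```

Run it against rejected.log by replacing SAMPLE_LOG with the file's contents; sources that land in backoff_hosts are the ones whose packets look like a single client connect() being retried, while a source with many evenly spaced SYNs to many ports would not, which is the distinction worth making before deciding whether the activity is a scan or a misdirected client.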



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

