Full Disclosure mailing list archives

Re: Port 8041 Syn flood


From: Michael Hale <michael.hale () gmail com>
Date: Wed, 24 Aug 2005 08:02:48 -0400

If you're able to, set up netcat (nc -l -p 8041 > logfile.exe) on the
destination machine(s) and wait for the next attempt. It should allow
the TCP connection to complete and you'll see what happens after the
SYN.

On 8/24/05, Rajesh <rvarada () gmail com> wrote:
Jackson McKinley wrote:

Dshield is showing a down swing..  have you got packet captures?

http://isc.sans.org/port_details.php?port=8041&repax=1&tarax=2&srcax=2&percent=N&days=70



I haven't found much co-relation between what dshield usually shows and
the traffic that we get. It is very possible that these packets are
specifically targetted against our servers. I was trying to make sure
that this is not a known attack vector or a developing attack path.

Glad to know that no one else is seeing this problem.

What I am getting is a lot of SYN packets to port 8041. Nothing else yet.
0000  00 00 xx xx xx xx 00 xx xx xx xx xx 00 45 00   ...v.... f%.p..E.
0010  00 30 1a 6c 40 00 76 06  8c dc xx xx xx xx xx xx   .0.l@.v. .......S
0020  xx xx 06 36 1f 69 cb 1f  34 9f 00 00 00 00 70 02   )..6.i.. 4.....p.
0030  40 00 c0 41 00 00 02 04  05 b4 01 01 04 02         @..A.... ......


Thanks
Rajesh

On Tue, Aug 23, 2005 at 09:39:39AM +0530, Rajesh wrote:


Hi All,

Is anyone else seeing a very large increase of SYN packets coming to
port 8041 over the last couple of days. It is coming from different
addresses to most of my machines in separate networks. I couldn't find
information about any services that use port 8041 yet. So for now I am
assuming that this is just a SYN flood. Can anyone else shed some more
light into this?

Thanks
Rajesh



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Current thread: