Security Incidents mailing list archives
syn+fin = stupid?
From: marvin () NSS NU
Date: Sat, 29 Jul 2000 11:57:14 +0200
I just noticed that a box in korea (210.223.100.97) checked port 21 and port 53 one day. He/she checked port 21 twice (approx. 2 hours apart) and port 53 three times (also approx. 2 hours apart). Both were closed all day, and have never been open on that IP, ever. I just have one question: Why syn+fin? Isn't syn+fin something that will NEVER turn up in legit traffic? It sticks out like nothing else (well, few other things anyway).
Current thread:
- syn+fin = stupid? marvin (Jul 29)
- Re: syn+fin = stupid? James Stevenson (Jul 31)
- Re: syn+fin = stupid? Bill Owens (Jul 31)
- Re: syn+fin = stupid? spaceork (Jul 31)
- Re: syn+fin = stupid? Denis Ducamp (Jul 31)
- <Possible follow-ups>
- Re: syn+fin = stupid? marvin (Jul 31)
- Re: syn+fin = stupid? J. Oquendo (Jul 31)
- Re: syn+fin = stupid? Derek Becker (Jul 31)