Security Incidents mailing list archives

Strange probe

From: stuart () SILICONDEFENSE COM (Stuart Staniford-Chen)
Date: Fri, 24 Mar 2000 11:47:51 +0000


Can anyone suggest an explanation for the following trace?

The source IP is an ISP in Holland, and the destination IP is on our
monitored network.  Both IPs are fixed in the following trace (Y is
always the same and X is always the same).  This was the only activity
we recorded from that source IP that day.

Port 80 was open on the destination box, port 37 (time) and port 13
(daytime) were not.

Stuart.

 Mar 22 11:18:56 Y:2419 -> X:80 SYN **S*****
 Mar 22 11:18:56 Y:2420 -> X:80 NOACK **S**P**
 Mar 22 11:19:00 Y:2423 -> X:80 SYN **S*****
 Mar 22 11:19:00 Y:2427 -> X:80 SYN **S*****
 Mar 22 11:19:31 Y:2434 -> X:37 SYN **S*****
 Mar 22 11:19:31 Y:2434 -> X:37 NOACK **S**P**
 Mar 22 11:19:34 Y:2435 -> X:37 SYN **S*****
 Mar 22 11:19:34 Y:2435 -> X:37 NOACK **S**P**
 Mar 22 11:19:37 Y:2436 -> X:37 SYN **S*****
 Mar 22 11:19:38 Y:2437 -> X:13 SYN **S*****
 Mar 22 11:19:38 Y:2437 -> X:13 NOACK **S**P**
 Mar 22 11:19:41 Y:2438 -> X:13 SYN **S*****
 Mar 22 11:19:44 Y:2439 -> X:13 SYN **S*****


--
Stuart Staniford-Chen --- President --- Silicon Defense
                   stuart () silicondefense com
(707) 822-4588                     (707) 826-7571 (FAX)

Current thread:

Odd UPD scan David Meissner (Mar 15)
- Re: Odd UPD scan Bill Pennington (Mar 16)
  - Re: Odd UPD scan Graeme Fowler (Mar 20)
- Re: Odd UPD scan Grzegorz Janoszka (Mar 17)
- <Possible follow-ups>
- Re: Odd UPD scan Randy Mclean (Mar 17)
- Re: Odd UPD scan Rainer Weikusat (Mar 17)
- Re: Odd UPD scan Bill Pennington (Mar 20)
  - Re: Odd UPD scan Pavel Kankovsky (Mar 21)
  - NetBIOS info Robert Graham (Mar 21)
    - Re: NetBIOS info Bill Pennington (Mar 22)
    - Strange probe Stuart Staniford-Chen (Mar 24)
    - Re: NetBIOS info Robert Graham (Mar 27)
    - Syn scans to 4045 Joey McAlerney (Mar 27)