Security Incidents mailing list archives

Advice sought


From: Mike Alexander <mike.alexander () MAIL MORAY GOV UK>
Date: Mon, 26 Feb 2001 14:52:43 -0000

Dear all,

I've noticed in our firewall logs a number of entries that are getting
dropped.  These seem to be occurring every couple of minutes, and are to a
couple of our addresses only.

The IP of this device is 63.238.98.16, and it is always trying port 3967.  I
did a 'tcpdump' on the firewall, with the result as follows (our host is
x.x.x.24):

---
14:32:30.441991 0:c0:5:3:19:59 0:c0:95:e0:9c:b4 ip 60: 63.238.98.16.http >
x.x.x.24.3967: F 4005189898:4005189898(0) ack 2941449939 win 17520 (DF) (ttl
238, id 22199)
---

Can anyone tell me what's going on here?  From what I can see, it's trying
to poll one or two of our machines, but I've no idea why.

Any help much appreciated.

Regards,

Mike

"The surest sign that intelligent life exists elsewhere in
 the universe is that it has never tried to contact us"
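
An added example, not part of the original post: a Python decoder for the `tcpdump` line quoted above, reporting which side uses a service port, which TCP flags are set, and whether the segment opens a connection. The service-name table, field names and function names are assumptions of this example.

```python
import re

# Packet line from the post, rejoined onto one line (mail wrapping removed).
SAMPLE = ("14:32:30.441991 0:c0:5:3:19:59 0:c0:95:e0:9c:b4 ip 60: "
          "63.238.98.16.http > x.x.x.24.3967: F 4005189898:4005189898(0) "
          "ack 2941449939 win 17520 (DF) (ttl 238, id 22199)")

# Constructed subset of the service names tcpdump prints in place of numbers.
SERVICES = {"ftp": 21, "ssh": 22, "smtp": 25, "domain": 53, "http": 80, "https": 443}
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST"}

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<src_mac>\S+) (?P<dst_mac>\S+) ip (?P<length>\d+): "
    r"(?P<src>\S+)\.(?P<sport>[^.\s]+) > (?P<dst>\S+)\.(?P<dport>[^.\s:]+): "
    r"(?P<flags>[SFPR.]+) (?P<seq_start>\d+):(?P<seq_end>\d+)\((?P<payload>\d+)\)"
    r"(?: ack (?P<ack>\d+))?(?: win (?P<win>\d+))?"
    r".*?\(ttl (?P<ttl>\d+), id (?P<ip_id>\d+)\)")

def port_number(token):
    """Return the numeric port for a tcpdump port token (number or service name)."""
    if token.isdigit():
        return int(token)
    if token in SERVICES:
        return SERVICES[token]
    raise ValueError("unknown service name: " + token)

def describe(line):
    """Decode one link-level tcpdump TCP line into the fields a log reviewer needs."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("not a recognised tcpdump TCP line")
    f = m.groupdict()
    sport, dport = port_number(f["sport"]), port_number(f["dport"])
    flags = [FLAG_NAMES[c] for c in f["flags"] if c in FLAG_NAMES]
    if f["ack"]:
        flags.append("ACK")
    return {
        "src": f["src"], "sport": sport, "dst": f["dst"], "dport": dport,
        "flags": flags, "payload_bytes": int(f["payload"]), "ttl": int(f["ttl"]),
        # True when the sender speaks from a port below 1024 to a higher port.
        "from_service_port": sport < 1024 <= dport,
        # A segment opens a connection only if it carries SYN without ACK.
        "opens_connection": "SYN" in flags and "ACK" not in flags,
    }

if __name__ == "__main__":
    for key, value in describe(SAMPLE).items():
        print(f"{key:18} {value}")
```

For the quoted packet this reports source port 80, destination port 3967, FIN and ACK set, zero payload bytes, and no SYN.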

