Security Incidents mailing list archives

Re: Very Strange Attack


From: "Osvaldo J. Filho" <osvaldojaneri () UOL COM BR>
Date: Wed, 7 Feb 2001 17:29:57 -0200

        Hello,
        I don't think so. Nmap fingerprint uses a closed and an open
port to guess the remote OS. Looks like he got hit just on this port
(18245).

        Keep an eye that this is a cycle, with predictable actions (~ 5
packets in and out, every time) with three hours of difference between the
first 3 cycles, and less than a half hour on the last cycle and the fixed
sport and dport. Maybe he wasn't happy with the results.

        Note the IP address (66.50.* and 63.91.*). Both are from Puerto
Rico Telephone Company. Luis, I recommend you contact them
(nameserv () PRTC NET) for details of what this really is.

Cordially,
---
Osvaldo J. Filho
Unix Security Specialist/Consultant
<osvaldojaneri () uol com br>
---
On Wed, 7 Feb 2001, Fernando Cardoso wrote:

It sounds like some sort of OS fingerprinting like the one nmap
implements. It just sends weird packets with all kinds of invalid
combinations of flags and options and tries to figure out what kind of
OS is running by analyzing the replies.

Just my $0.02

Fernando

--
Fernando Cardoso - Security Consultant       WhatEverNet Computing, S.A.
Phone : +351 21 7994200                      Praca de Alvalade, 6 - Piso 6
Fax   : +351 21 7994242                      1700-036 Lisboa - Portugal
email : fernando.cardoso () whatevernet com     http://www.whatevernet.com/
