Security Incidents mailing list archives

zero tcp offset packets sent to a honeypot


From: "Costas Karafasoulis" <karafas () mail ariadne-t gr>
Date: Tue, 25 Jun 2002 10:54:10 +0300

Hello all,


An attacker had connected 3 times to the ftp service of an
already compromised honeypot 10.6.1.4 (Redhat 6.2) and then
disconnected.  After this he had sent many packets of the form below.
The honeypot did not respond to these packets at all.

Note that tcp length is zero, and the starting point of data is not
known. Some tcpdump implementations or a few related utilities (like
ipsumdump) won't work correctly with this packet. But I can't really
figure out what he is trying to do.


04/20-19:23:37.025924 xxx.xxx.xxx.xxx:80 -> 10.6.1.4:80
TCP TTL:240 TOS:0x80 ID:7977 IpLen:20 DgmLen:64
******** Seq: 0x9A020000  Ack: 0x0  Win: 0xD204  TcpLen: 0
00 00 00 00 00 00 00 00 00 00 00 00 AF 9A 1C 8C  ................
D9 6E FC 16 0A 2E 00 00                          .

Any ideas??

Thanks!

Costas
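The packet above reports TcpLen 0, i.e. a TCP data offset of 0 words, which is below the 20-byte minimum header length every TCP implementation must assume. A decoder that takes the field at face value places the start of "data" at the first byte of the header itself, which is the failure mode the post attributes to some tcpdump builds and to ipsumdump. The following is an added example, not code from the post or from those tools: it rebuilds a segment with the post's summarised header fields (80 -> 80, Seq 0x9A020000, Ack 0, no flags, Win 0xD204, data offset 0) plus the 24 trailing bytes from the hex dump, shows what a trusting parser computes, and contrasts it with a parser that rejects impossible offsets. The layout of the trailing bytes after the header is an assumption, and all sample bytes are constructed.

```python
import struct

# TCP header layout (RFC 793): sport, dport, seq, ack, offset/flags word, window, checksum, urgent ptr
TCP_FMT = "!HHIIHHHH"
TCP_MIN_HDR = 20  # bytes; a data offset below 5 words can never be valid


def build_tcp_header(sport, dport, seq, ack, data_offset, flags, window, checksum=0, urg=0):
    """Pack a 20-byte TCP header; data_offset is the 4-bit header length in 32-bit words."""
    off_flags = ((data_offset & 0xF) << 12) | (flags & 0x1FF)
    return struct.pack(TCP_FMT, sport, dport, seq, ack, off_flags, window, checksum, urg)


def naive_payload_offset(segment):
    """What a trusting decoder computes: header length taken straight from the data offset field."""
    off_flags = struct.unpack("!H", segment[12:14])[0]
    return (off_flags >> 12) * 4


def parse_tcp(segment):
    """Decode a TCP header, refusing segments whose data offset cannot be valid."""
    if len(segment) < TCP_MIN_HDR:
        raise ValueError("segment shorter than the 20-byte minimum TCP header")
    sport, dport, seq, ack, off_flags, window, checksum, urg = struct.unpack(
        TCP_FMT, segment[:TCP_MIN_HDR]
    )
    data_offset = off_flags >> 12
    hdr_len = data_offset * 4
    if hdr_len < TCP_MIN_HDR:
        raise ValueError(f"invalid TCP data offset {data_offset} (header length {hdr_len} bytes)")
    if hdr_len > len(segment):
        raise ValueError(f"TCP data offset {data_offset} points past the end of the segment")
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": data_offset, "flags": off_flags & 0x1FF, "window": window,
        "options": segment[TCP_MIN_HDR:hdr_len], "payload": segment[hdr_len:],
    }


def audit_segment(segment):
    """Defender-side check: None when the header parses cleanly, else the reason it was rejected."""
    try:
        parse_tcp(segment)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample: the post's header fields with data offset 0, followed by the 24 bytes
# shown in its hex dump (assumed here to sit immediately after the 20-byte header).
TRAILING = bytes.fromhex("000000000000000000000000AF9A1C8CD96EFC160A2E0000")
HONEYPOT_SEGMENT = build_tcp_header(80, 80, 0x9A020000, 0, 0, 0, 0xD204) + TRAILING
# The same fields with a legal data offset (5 words = 20 bytes) for comparison.
NORMAL_SEGMENT = build_tcp_header(80, 80, 0x9A020000, 0, 5, 0, 0xD204) + TRAILING

if __name__ == "__main__":
    for name, seg in (("honeypot", HONEYPOT_SEGMENT), ("normal", NORMAL_SEGMENT)):
        print(f"{name}: naive payload offset={naive_payload_offset(seg)}, audit={audit_segment(seg)}")
```

Run stand-alone it prints a naive payload offset of 0 for the honeypot segment (the decoder would read the source port bytes as payload) and a rejection reason from `audit_segment`, while the normal segment passes and yields the 24 trailing bytes as payload. A kernel discards such a segment silently, which matches the honeypot not responding; a sensor that wants to see it should log the invalid offset as its own event rather than attempt to decode the bytes that follow.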


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
