Re: increased attacks on port 2599

[gminick <gminick () underground org pl>]

On Sat, Nov 23, 2002 at 05:41:12PM -0500, Esler, Joel -- Sytex Contractor wrote:
> well I don't have whole captures of the packets.
In case of SYN packets payload isn't important. Those SYN packets
were the first step in three-way handshake. Of course, even if it
was a part of - for example - SYN scan and a full connection was 
never meant to be done it still isn't "an attack".

>  But something was trying
> to connect to TCP port 2599.  I don't know what that is.
OK, I understand you're just curious, but IMHO being interested in
all SYN packets your server has respond to it's too paranoic approach. 
Nowadays nets are full of various robots, worms, automated tools and 
crawlers that are searching for data, informations valuable in bussines, 
statistics and so on.
Also people are making mistakes leaving their misconfigured applications 
running all night, maybe it's just some enthusiast of networking
that is testing his software, and he typed some random IP, and it
was yours IP. 
It's important to trace new blackhat trends and new worms (or just
bugs used by them), but, to do that you need to react on "incidents"
like this by starting servers on ports someone's trying to connect to
(then you need to recognize protocol used, and play with it, but
it costs. It costs a lot of work and time).
Co, IMHO, currently we can say, that what you've observed it wasn't
attack. It was to early to confirm about a probe of intrusion.

Bye :)

-- 
[ ] gminick (at) underground.org.pl  http://gminick.linuxsecurity.pl/ [ ]
[ "Po prostu lubie poranna samotnosc, bo wtedy kawa smakuje najlepiej." ]


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com