Nmap Announce mailing list archives
RE: XXXX frequent check output (fwd)
From: Lamont Granquist <lamontg () raven genome washington edu>
Date: Wed, 10 Feb 1999 12:05:22 -0800
FIN|SYN scans are looking for a FIN|SYN|ACK from Linux, possibly as a form of host ID[2]. This was discussed on BUGTRAQ previously[1,2,3] and apparently the app "linuxportz" does this kind of thing[3], although it used a source port of 0 rather than 65535.

[1] http://www.netspace.org/cgi-bin/wa?A2=ind9807B&L=bugtraq&D=0&P=352
[2] http://www.netspace.org/cgi-bin/wa?A2=ind9807B&L=bugtraq&P=R2441
[3] http://www.netspace.org/cgi-bin/wa?A2=ind9807B&L=bugtraq&D=0&P=5043

On Wed, 10 Feb 1999, Brown, Mark wrote:

Hmm -- someone's idea of a stealth-scan of port 143, looking for IMAP daemons to come back to and try a buffer overflow on? I see about three to four IMAP exploit attempts on my network a week, most either immediately hitting port 143 without checking, or preceded by a scan (TCP connect). I've been running NFR for about a week to see if anyone was stealth-scanning for IMAP, but haven't seen it in the wild yet. New script out there for the kiddies to play with?

-----Original Message-----
From: ark () eltex ru [mailto:ark () eltex ru]
Sent: Wednesday, February 10, 1999 2:29 AM
To: nmap-hackers () insecure org
Cc: bugtraq () netspace org
Subject: XXXX frequent check output (fwd)

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

Does anybody know what does it all mean? Looks like a new scan for me.. How is it expected to work? imap as destination, weird source port and flags.. No other "strange" packets arrived as OS type checkers do.

- -- Begin forwarded message ---

XXXX frequent check output for period since Feb 10 10:11 to Feb 10 11:10

Security Warnings summary
=-=-=-=-=-=-=-=-=-=-=-=-=

Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.17:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.25:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.29:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.27:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
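Added example, not part of the original thread or of any tool named in it: a Python triage function for kernel log lines in the format forwarded above, which groups packets carrying both SYN and FIN by source and destination port and reports sources that touched several hosts. The function name, the `min_hosts` threshold and the sample log (documentation addresses) are assumptions made for illustration.

```python
import re
from collections import defaultdict

FIN, SYN = 0x01, 0x02  # TCP flag bits; the logged "flags 0x3<FIN,SYN>" is both
# Matches the kernel "orphan TCP packet" lines in the format quoted in the thread.
LINE_RE = re.compile(
    r"orphan TCP packet on (?P<dst>\S+):(?P<dport>\d+) "
    r"from (?P<src>\S+):(?P<sport>\d+) flags (?P<flags>0x[0-9a-fA-F]+)"
)
# Constructed sample log (documentation addresses), not data from the thread.
SAMPLE_LOG = """\
Feb 10 10:35:54 hostA /kernel: securitywarning: orphan TCP packet on 192.0.2.17:143 from 198.51.100.7:65535 flags 0x3<FIN,SYN>
Feb 10 10:35:54 hostA /kernel: securitywarning: orphan TCP packet on 192.0.2.25:143 from 198.51.100.7:65535 flags 0x3<FIN,SYN>
Feb 10 10:35:54 hostA /kernel: securitywarning: orphan TCP packet on 192.0.2.29:143 from 198.51.100.7:65535 flags 0x3<FIN,SYN>
Feb 10 10:35:54 hostA /kernel: securitywarning: orphan TCP packet on 192.0.2.27:143 from 198.51.100.7:65535 flags 0x3<FIN,SYN>
Feb 10 10:36:02 hostA /kernel: securitywarning: orphan TCP packet on 192.0.2.17:80 from 203.0.113.9:40112 flags 0x4<RST>
Feb 10 10:36:05 hostA /kernel: securitywarning: orphan TCP packet on 192.0.2.25:143 from 203.0.113.50:0 flags 0x3<FIN,SYN>
""".splitlines()


def find_synfin_sweeps(lines, min_hosts=3):
    """Return {(src, dport): {"hosts": [...], "sports": [...]}} for sources that
    sent SYN+FIN packets to the same port on at least min_hosts distinct hosts."""
    hosts, sports = defaultdict(set), defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an orphan-packet warning
        if (int(m["flags"], 16) & (SYN | FIN)) != (SYN | FIN):
            continue  # keep only packets with both SYN and FIN set
        key = (m["src"], int(m["dport"]))
        hosts[key].add(m["dst"])
        sports[key].add(int(m["sport"]))
    return {
        key: {"hosts": sorted(dsts), "sports": sorted(sports[key])}
        for key, dsts in hosts.items()
        if len(dsts) >= min_hosts
    }


if __name__ == "__main__":
    for (src, dport), info in find_synfin_sweeps(SAMPLE_LOG).items():
        print(f"{src} -> port {dport}: {len(info['hosts'])} hosts, source ports {info['sports']}")
```

The reported source ports make the fixed values mentioned in the thread (65535 here, 0 for "linuxportz") easy to spot alongside the flag combination.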