[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-security] attackalert Unknown Type

Subject: Re: [cobalt-security] attackalert Unknown Type
From: "E.B. Dreger" <eddy+public+spam@xxxxxxxxxxxxxxxxx>
Date: Thu, 24 Jan 2002 23:03:16 +0000 (GMT)
List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>

> Date: Thu, 24 Jan 2002 23:40:23 +0100
> From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>

> > Flags: SYN: 1 FIN: 1 ACK: 0 PSH: 0 URG: 0 RST: 0
> 
> What is unusual here is that both the ACK and the FIN flags
> were set. This never happens during a regular TCP/IP
> connection. 

Almost; never say "never". :-)

Check out RFC 1644 for info on T/TCP.

> So someone was most likely sending manually crafted packets
> your way, or using some kind of security auditing tool.

Perhaps, but see my previous post.  I don't know if ESRO actually
uses T/TCP or how common it is... it may well have been a valid,
yet misdirected, packet.  If it's the only one, I'd lean
toward it being legit.

But excessive concern _is_ safer than insufficient concern. :-)


Eddy

Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
--

Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@xxxxxxxxx>
To: blacklist@xxxxxxxxx
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.  Do NOT
send mail to <blacklist@xxxxxxxxx>, or you are likely to be blocked.

References:
- Re: [cobalt-security] attackalert Unknown Type
  - From: Michael Stauber

Prev by Date: Re: [cobalt-security] attackalert Unknown Type
Next by Date: Re: [cobalt-security] attackalert Unknown Type
Previous by thread: Re: [cobalt-security] attackalert Unknown Type
Next by thread: Re: [cobalt-security] attackalert Unknown Type

Sun Cobalt Security Message Index

Sun Cobalt Security Thread Index