[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-security] attackalert Unknown Type

Subject: Re: [cobalt-security] attackalert Unknown Type
From: "E.B. Dreger" <eddy+public+spam@xxxxxxxxxxxxxxxxx>
Date: Thu, 24 Jan 2002 22:50:33 +0000 (GMT)
List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>

> Date: Thu, 24 Jan 2002 22:05:38 +0100
> From: "Kai r. s., euroweb as" <kai@xxxxxxxxxx>

> I got this warning but portsentry says it is a Unknown Type, is there
> someone who can tell me some more what kind of attack this is or not.

> Log:
> Jan 24 20:41:58 www portsentry[12371]: attackalert: Unknown Type: Packet
> Flags: SYN: 1 FIN: 1 ACK: 0 PSH: 0 URG: 0 RST: 0 from host:
> ppp86-128-59-62.dialup.zonnet.nl/62.59.128.86 to TCP port: 259

Looking at my /etc/services, I see "efficient short remote
operations" for 259/TCP.

SYN+FIN is a somewhat unusual combination of TCP flags.  Unusual,
but valid.  Something called T/TCP (transactional TCP) uses it,
but it's not commonplace.

www.esro.org describes the protocol.  I've not looked through
thoroughly, but it appears as if it might use T/TCP.  I'd have to
dig further...

> Please do not waste much time resolving this message for me, it’s not all
> that important. But it would be nice to now what kind of ammo these people
> are using. :)

Could be a stray packet.  Could be a probe.  If it's an isolated
incident, I'd not worry too much.  If you see other questionable
packets, somebody might be portscanning you.

Considering that it seems to be an isolated incident for
something that might be legitimate (just ran astray), my gut feel
is that there's a good chance it's legitimate.

Nonetheless, I'd keep an eye on the logs.  It doesn't hurt to be
paranoid.  And it's not like you're saying "help, I'm getting
packets on 113/TCP", either. ;-)

> Tanks,
> 
> 
> Kai Schantz
> euroweb, no


Eddy

Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
--

Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@xxxxxxxxx>
To: blacklist@xxxxxxxxx
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.  Do NOT
send mail to <blacklist@xxxxxxxxx>, or you are likely to be blocked.

References:
- [cobalt-security] attackalert Unknown Type
  - From: Kai r. s., euroweb as

Prev by Date: Re: [cobalt-security] attackalert Unknown Type
Next by Date: Re: [cobalt-security] attackalert Unknown Type
Previous by thread: Re: [cobalt-security] attackalert Unknown Type
Next by thread: Re: [cobalt-security] attackalert Unknown Type

Sun Cobalt Security Message Index

Sun Cobalt Security Thread Index