> Date: Thu, 24 Jan 2002 22:05:38 +0100
> From: "Kai r. s., euroweb as" <[EMAIL PROTECTED]>
>
> I got this warning but portsentry says it is an Unknown Type, is there
> someone who can tell me some more what kind of attack this is or not.
> Log:
> Jan 24 20:41:58 www portsentry[12371]: attackalert: Unknown Type: Packet
> Flags: SYN: 1 FIN: 1 ACK: 0 PSH: 0 URG: 0 RST: 0 from host:
> ppp86-128-59-62.dialup.zonnet.nl/62.59.128.86 to TCP port: 259

Looking at my /etc/services, I see "efficient short remote operations" for
259/TCP.

SYN+FIN is a somewhat unusual combination of TCP flags. Unusual, but
valid. Something called T/TCP (transactional TCP) uses it, but it's not
commonplace.

www.esro.org describes the protocol. I've not looked through thoroughly,
but it appears as if it might use T/TCP. I'd have to dig further...

> Please do not waste much time resolving this message for me, it's not all
> that important. But it would be nice to know what kind of ammo these people
> are using. :)

Could be a stray packet. Could be a probe. If it's an isolated incident,
I'd not worry too much. If you see other questionable packets, somebody
might be portscanning you.

Considering that it seems to be an isolated incident for something that
might be legitimate (just ran astray), my gut feel is that there's a good
chance it's legitimate.

Nonetheless, I'd keep an eye on the logs. It doesn't hurt to be paranoid.
And it's not like you're saying "help, I'm getting packets on 113/TCP",
either. ;-)

> Thanks,
>
>
> Kai Schantz
> euroweb, no

Eddy

Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
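
Following the advice above to keep an eye on the logs, here is an added example (not part of the original message and not portsentry's own code) that parses attackalert lines in the format quoted in the thread, groups them by source IP, and separates an isolated SYN+FIN packet from a host touching several ports. The `scan_ports` threshold and every sample line after the first are constructed assumptions.

```python
import re
from collections import defaultdict

# Format of the attackalert line quoted in the thread, unwrapped to one line.
ALERT = re.compile(
    r"portsentry\[\d+\]: attackalert: (?P<kind>.+?): Packet Flags: (?P<flags>.+?) "
    r"from host: (?P<name>\S+)/(?P<ip>\S+) to TCP port: (?P<port>\d+)"
)
FLAG = re.compile(r"(SYN|FIN|ACK|PSH|URG|RST): ([01])")

def parse_alert(line):
    """Return (ip, port, set of TCP flags that were set), or None if no match."""
    m = ALERT.search(line)
    if not m:
        return None
    flags = {name for name, bit in FLAG.findall(m["flags"]) if bit == "1"}
    return m["ip"], int(m["port"]), flags

def summarize(lines, scan_ports=3):
    """Group alerts by source IP. scan_ports is an assumed threshold, not a standard."""
    ports, syn_fin = defaultdict(set), defaultdict(int)
    for line in lines:
        hit = parse_alert(line)
        if hit is None:
            continue  # not a portsentry flag alert
        ip, port, flags = hit
        ports[ip].add(port)
        if {"SYN", "FIN"} <= flags:
            syn_fin[ip] += 1
    return {
        ip: {"ports": sorted(p), "syn_fin": syn_fin[ip],
             "verdict": "possible portscan" if len(p) >= scan_ports else "isolated"}
        for ip, p in ports.items()
    }

# First line is the one from the thread; everything after it is constructed.
SAMPLE = [
    "Jan 24 20:41:58 www portsentry[12371]: attackalert: Unknown Type: Packet Flags: SYN: 1 FIN: 1 ACK: 0 PSH: 0 URG: 0 RST: 0 from host: ppp86-128-59-62.dialup.zonnet.nl/62.59.128.86 to TCP port: 259",
    "Jan 24 21:09:59 www sshd[400]: session opened for user admin",
]
SAMPLE += [
    f"Jan 24 21:10:0{i} www portsentry[12371]: attackalert: Unknown Type: Packet "
    f"Flags: SYN: 1 FIN: 1 ACK: 0 PSH: 0 URG: 0 RST: 0 from host: "
    f"192.0.2.10/192.0.2.10 to TCP port: {port}"
    for i, port in enumerate((21, 23, 25, 111))
]

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE).items():
        print(ip, info)
```
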
