If you're able to, set up netcat (nc -l -p 8041 > logfile.exe) on the destination machine(s) and wait for the next attempt. It should allow the TCP connection to complete and you'll see what happens after the SYN.
On 8/24/05, Rajesh <[EMAIL PROTECTED]> wrote:
> Jackson McKinley wrote:
>
> >Dshield is showing a down swing.. have you got packet captures?
> >
> >http://isc.sans.org/port_details.php?port=8041&repax=1&tarax=2&srcax=2&percent=N&days=70
> >
>
> I haven't found much correlation between what dshield usually shows and
> the traffic that we get. It is very possible that these packets are
> specifically targeted against our servers. I was trying to make sure
> that this is not a known attack vector or a developing attack path.
>
> Glad to know that no one else is seeing this problem.
>
> What I am getting is a lot of SYN packets to port 8041. Nothing else yet.
> 0000 00 00 xx xx xx xx 00 xx xx xx xx xx 00 45 00 ...v.... f%.p..E.
> 0010 00 30 1a 6c 40 00 76 06 8c dc xx xx xx xx xx xx [EMAIL PROTECTED] .......S
> 0020 xx xx 06 36 1f 69 cb 1f 34 9f 00 00 00 00 70 02 )..6.i.. 4.....p.
> 0030 40 00 c0 41 00 00 02 04 05 b4 01 01 04 02 @..A.... ......
>
> Thanks
> Rajesh
>
> >On Tue, Aug 23, 2005 at 09:39:39AM +0530, Rajesh wrote:
> >
> >>Hi All,
> >>
> >>Is anyone else seeing a very large increase of SYN packets coming to
> >>port 8041 over the last couple of days. It is coming from different
> >>addresses to most of my machines in separate networks. I couldn't find
> >>information about any services that use port 8041 yet. So for now I am
> >>assuming that this is just a SYN flood. Can anyone else shed some more
> >>light into this?
> >>
> >>Thanks
> >>Rajesh
> >>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
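As an added example (not part of the original thread), the Python below decodes the packet from the quoted hex dump to show what a capture like this does and does not reveal. It assumes the dump's first row is an Ethernet header and starts at the IPv4 header (`45 00 ...`); the function names are this example's own.

```python
import struct

# IPv4 packet transcribed from the quoted dump; "xx" = bytes the poster redacted.
DUMP = """
45 00 00 30 1a 6c 40 00 76 06 8c dc xx xx xx xx
xx xx xx xx 06 36 1f 69 cb 1f 34 9f 00 00 00 00
70 02 40 00 c0 41 00 00 02 04 05 b4 01 01 04 02
"""
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]
OPT_NAMES = {2: "MSS", 3: "WScale", 4: "SACK-permitted", 8: "Timestamp"}

def parse_dump(text):
    """Return (packet bytes, redacted offsets); redacted bytes are stored as 0."""
    tokens = text.split()
    redacted = {i for i, t in enumerate(tokens) if t.lower() == "xx"}
    data = bytes(0 if t.lower() == "xx" else int(t, 16) for t in tokens)
    return data, redacted

def tcp_options(raw):
    """Walk the TCP option list, stopping at a malformed length."""
    out, i = [], 0
    while i < len(raw) and raw[i] != 0:          # kind 0 = end of list
        kind = raw[i]
        if kind == 1:                            # NOP: single byte, no length
            out.append(("NOP", None))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            out.append(("malformed", kind))
            break
        body = raw[i + 2:i + raw[i + 1]]
        out.append((OPT_NAMES.get(kind, f"kind-{kind}"),
                    int.from_bytes(body, "big") if body else None))
        i += raw[i + 1]
    return out

def decode(text=DUMP):
    """Decode the IPv4 and TCP headers into a dict of the fields worth reading."""
    pkt, redacted = parse_dump(text)
    ihl, total_len = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    if pkt[0] >> 4 != 4 or pkt[9] != 6 or len(pkt) < total_len:
        raise ValueError("not a complete IPv4/TCP packet")
    tcp = pkt[ihl:total_len]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    doff = (off_flags >> 12) * 4                 # TCP header length in bytes
    return {"ttl": pkt[8], "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": [n for b, n in enumerate(FLAG_NAMES) if off_flags & (1 << b)],
            "window": window, "options": tcp_options(tcp[20:doff]),
            "payload_len": len(tcp) - doff,
            "addresses_redacted": set(range(12, 20)) <= redacted}
```

`decode()` reports a bare SYN to port 8041 with a zero-length payload, which is why the capture alone cannot identify the client and a listener that completes the handshake is needed to see what is sent next.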
