Re: Port scan from Apache?
- From: lupe@xxxxxxxxxxxxxxxxx (Lupe Christoph)
- Date: Tue, 18 Jul 2006 19:31:27 +0200
On Tuesday, 2006-07-18 at 18:11:50 +0200, Clemens Renner wrote:
[Root]system-alert-00016: Port scan! From $my-server-ip:80 to
$their-server-ip:8254, proto TCP (zone Untrust, int ethernet1). Occurred
1 times.
With IPFilter, I often see "dangling FINs" in the log. These occur when
the TCP connection has been shut down but an additional FIN is still
travelling. IPFilter will have abandoned the state for the connection,
so for it these FIN are not associated to a connection.
Since the message they gave you is of the "Danger, Will Robinson" kind,
this could be the case. They can't prove it wrong.
To me, this is a case of stupid until proven intelligent.
HTH,
Lupe Christoph
PS: I thought a port scan means somebody is probing many ports. How can
one packet be considered a port scan?!?
--
| You know we're sitting on four million pounds of fuel, one nuclear |
| weapon and a thing that has 270,000 moving parts built by the lowest |
| bidder. Makes you feel good, doesn't it? |
| Rockhound in "Armageddon", 1998, about the Space Shuttle |
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
- References:
- Port scan from Apache?
- From: Clemens Renner
- Port scan from Apache?
- Prev by Date: Re: Port scan from Apache?
- Next by Date: Re: Port scan from Apache?
- Previous by thread: Re: Port scan from Apache?
- Next by thread: Re: Port scan from Apache?
- Index(es):
Relevant Pages
|
|
