Re: Another odd scan...
From: Jose Nazario (jose@monkey.org)
Date: 07/13/02
Date: Fri, 12 Jul 2002 18:23:17 -0400 (EDT)
From: Jose Nazario <jose@monkey.org>
To: Adam Young <adam@vbfx.com>
On Thu, 11 Jul 2002, Adam Young wrote:
> I got this for about 2 minutes, every 20 seconds or so, I just
> thought it especially weird with "CWR ECE SYN", looking as to what the
> meaning of this is.
ECE: explicit congestion echo
CWR: RFC2481 says "congestion window reduced"
here's a whois dig for that:
http://www.geektools.com/cgi-bin/proxy.cgi?query=80.97.3.255&targetnic=auto
as for the port (77/TCP) being connected to, the saint tutorial suggests
it's a well known and used backdoor for the rpc.yppasswdd service on
solaris:
http://www.wwdsi.com/demo/saint_tutorials/Vulnerability_Exploits.html
hope that helps.
___________________________
jose nazario, ph.d. jose@monkey.org
http://www.monkey.org/~jose/
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
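
Added example, not part of the original message: a small decoder for the TCP flags byte that labels the "CWR ECE SYN" combination from the quoted log using the ECN setup rules of RFC 3168 (the successor to RFC 2481). The header bytes are constructed for illustration; only the destination port 77 comes from the thread, and the function names are hypothetical.

```python
import struct

# Flag bits in byte 13 of the TCP header, high bit first.
# CWR (0x80) and ECE (0x40) are the two ECN bits.
FLAGS = [(0x80, "CWR"), (0x40, "ECE"), (0x20, "URG"), (0x10, "ACK"),
         (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN")]


def parse_tcp(header: bytes):
    """Return (src_port, dst_port, flag_names) from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", header[:14])
    bits = off_flags & 0xFF  # low byte of bytes 12-13 holds CWR..FIN
    return sport, dport, [name for mask, name in FLAGS if bits & mask]


def classify_syn(flags):
    """Label a SYN by its ECN bits, following RFC 3168 section 6.1.1."""
    s = set(flags)
    if "SYN" not in s:
        return "not a SYN"
    if s & {"FIN", "RST"}:
        return "invalid SYN combination"
    ecn = s & {"CWR", "ECE"}
    if "ACK" in s:
        if ecn == {"ECE"}:
            return "ECN-setup SYN-ACK"
        return "plain SYN-ACK" if not ecn else "non-standard ECN bits on SYN-ACK"
    if ecn == {"CWR", "ECE"}:
        return "ECN-setup SYN"
    return "plain SYN" if not ecn else "non-standard ECN bits on SYN"


# Constructed sample: source port 40000 -> destination port 77,
# data offset 5 words, flags 0xC2 (CWR | ECE | SYN), window 5840.
SAMPLE = struct.pack("!HHIIHHHH", 40000, 77, 1, 0, 0x50C2, 5840, 0, 0)

if __name__ == "__main__":
    sport, dport, flags = parse_tcp(SAMPLE)
    print(f"{sport} -> {dport} [{' '.join(flags)}]: {classify_syn(flags)}")
```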