Re: weird scans from port 80

From: Silviu Minut (silviu@orion.attbi.com)
Date: 01/20/03


From: Silviu Minut <silviu@orion.attbi.com>
Date: Sun, 19 Jan 2003 22:55:12 -0500


> As mentioned your address may have been used in a spoofed scan. Errr
> what are you running by the way?

RH7.3 heavily updated, kernel 2.4.18-18.7.x.

>
>>Jan 19 11:35:33 localhost kernel: NEW NOT SYN: IN=eth0 OUT=
>>MAC=00:01:03:ba:af:1a:00:02:fc:84:7c:8c:08:00 SRC=209.223.208.36
>>DST=xx.yy.zz.ww LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=696 PROTO=TCP
>>SPT=80 DPT=15669 WINDOW=33580 RES=0x00 ACK FIN URGP=0
>
> The fin/ack is just the last step of graceful teardown. This is strange
> if this was spoofed as well you should have had other packets prior to
> this as well. Are you sure there are no preceding packets to or
> from this 209.* addy?

No, this is the first one in all my logs from this address. I do not log
replies to my own connections though, so this could have been part of
a previously established connection, although I have no idea who's behind
that address.
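As an added example (not part of this thread or the poster's setup), the script below parses iptables LOG lines in the format quoted above and sorts each "NEW NOT SYN" entry by its TCP flags, so that a lone FIN/ACK from an untracked teardown is separated from SYN/ACK reflections of a spoofed scan or bare ACK probes. The log lines, addresses and MAC values are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Set

# Constructed sample lines in the iptables LOG format seen in the thread
# (addresses and MACs are made up for this example).
SAMPLE_LOG = """\
Jan 19 11:35:33 localhost kernel: NEW NOT SYN: IN=eth0 OUT= MAC=00:01:03:ba:af:1a:00:02:fc:84:7c:8c:08:00 SRC=203.0.113.36 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=696 PROTO=TCP SPT=80 DPT=15669 WINDOW=33580 RES=0x00 ACK FIN URGP=0
Jan 19 11:36:01 localhost kernel: NEW NOT SYN: IN=eth0 OUT= MAC=00:01:03:ba:af:1a:00:02:fc:84:7c:8c:08:00 SRC=203.0.113.36 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=700 PROTO=TCP SPT=80 DPT=15670 WINDOW=33580 RES=0x00 ACK URGP=0
Jan 19 11:36:07 localhost kernel: NEW NOT SYN: IN=eth0 OUT= MAC=00:01:03:ba:af:1a:00:02:fc:84:7c:8c:08:00 SRC=203.0.113.36 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=701 PROTO=TCP SPT=80 DPT=15671 WINDOW=33580 RES=0x00 RST URGP=0
Jan 19 11:36:09 localhost kernel: NEW NOT SYN: IN=eth0 OUT= MAC=00:01:03:ba:af:1a:00:02:fc:84:7c:8c:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=9 PROTO=TCP SPT=80 DPT=40001 WINDOW=5840 RES=0x00 ACK SYN URGP=0
"""

# Bare tokens iptables emits for set TCP flags (everything else is key=value).
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_log_line(line: str) -> Dict[str, object]:
    """Split one iptables LOG line into its key=value fields plus the set of TCP flags."""
    if "kernel: " not in line:
        raise ValueError("not a kernel log line")
    when, _, body = line.partition("kernel: ")
    prefix, _, fields = body.partition(": ")          # --log-prefix, e.g. "NEW NOT SYN"
    rec: Dict[str, object] = {"when": when.strip(), "prefix": prefix, "flags": set()}
    for tok in fields.split():
        if "=" in tok:                                # OUT= yields an empty value, which is fine
            key, _, val = tok.partition("=")
            rec[key] = val
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)                     # type: ignore[union-attr]
    return rec

def classify(rec: Dict[str, object]) -> str:
    """Name the likely origin of a non-SYN packet that conntrack treated as NEW."""
    flags: Set[str] = rec["flags"]                    # type: ignore[assignment]
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    if "SYN" in flags and "ACK" in flags:
        return "syn-ack-reply"    # answer to a SYN we never sent: typical of a spoofed scan using our address
    if "RST" in flags:
        return "reset"            # peer aborting or refusing something
    if "FIN" in flags and "ACK" in flags:
        return "stale-teardown"   # last step of a close for a connection the firewall no longer tracked
    if flags == {"ACK"}:
        return "bare-ack"         # late ACK from a finished connection, or an ACK probe
    return "other"

def summarize(log_text: str) -> Dict[str, Dict[str, int]]:
    """Count classifications per source address so one-off stragglers stand apart from repeated probes."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for line in log_text.splitlines():
        if "NEW NOT SYN" in line:
            rec = parse_log_line(line)
            counts[str(rec["SRC"])][classify(rec)] += 1
    return {src: dict(c) for src, c in counts.items()}
```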