Re: weird scans from port 80

From: Silviu Minut (silviu@orion.attbi.com)
Date: 01/20/03


From: Silviu Minut <silviu@orion.attbi.com>
Date: Sun, 19 Jan 2003 22:55:12 -0500


> As mentioned your address may have been used in a spoofed scan. Errr
> what are you running by the way?

RH7.3 heavily updated, kernel 2.4.18-18.7.x.

>
>>Jan 19 11:35:33 localhost kernel: NEW NOT SYN: IN=eth0 OUT=
>>MAC=00:01:03:ba:af:1 a:00:02:fc:84:7c:8c:08:00 SRC=209.223.208.36
>>DST=xx.yy.zz.ww LEN=40 TOS=0x00 PRE C=0x00 TTL=239 ID=696 PROTO=TCP
>>SPT=80 DPT=15669 WINDOW=33580 RES=0x00 ACK FIN U RGP=0
>
> The fin/ack is just the last step of graceful teardown. This is strange
> if this was spoofed as well you should have had other packets prior to
> this as well. Are you sure there are no preceeding packets to or
> fromthis 209.* addy?

No, this is the first one in all my logs from this address. I do not log
log replies to my own connections though, so this could have been part of
a previously established connection, although I have no idea who's behind
that address.



Relevant Pages

  • Re: ZONE_NORMAL memory exhausted by 4000 TCP sockets
    ... > By configuring ebtables and iptables, an application is running as TCP ... > The problem is the memory. ... > concurrent connections, I know the memory size of ZONE_NORMAL would be ... but other things may consume ram on your kernel. ...
    (Linux-Kernel)
  • Re: [bug] stuck localhost TCP connections, v2.6.26-rc3+
    ... Active Internet connections ... randconfig kernel configs that all produced such failures. ... TCP cubic registered ...
    (Linux-Kernel)
  • Re: combining internet connections
    ... > I was wondering if I can use both connections... ... Julian Anastasov's routing patches found here: ... If you are patching your kernel, you may also want to add some functionality ...
    (Fedora)
  • Re: Linux and DB2
    ... Where can I get more informations about the mentioned IRC Server or the ... File Descriptor" hard limit in the kernel ?? ... >> connections are possible at the same time. ... Vous êtes donc prié de nous informer immédiatement de cette ...
    (Focus-Linux)
  • Re: SQL 7.0 sp4 - hotfixed and broken
    ... Pause the server: net pause server ... > 2003-01-30 15:04:33.16 kernel The maximum limit for ... > connections has been reached. ...
    (microsoft.public.sqlserver.security)