Hi,
> uhmm... SYN and FIN both set in the same packet? I'm pretty
> sure that is not a valid combination for tcp, so malformed packet ->
most
> likely hack attack..
Very common probe to see who is running a pop2 server, then if they get
an ACK check the server for an exploit with ipop2d which was shipped as
part of the imap package with Red Hat 4.x and Red Hat 5.x. I've also
seen very slow (every 9+ hours) incremental scans to this port
incrementing the IP in the subnet by one each time, rumour has it they
are scanning for a back-doored version of a fast RPC scanner known as
'b00ger' which adds an entry in your inetd.conf for a 'bOOger-rpc'
service on port tcp/109.
Regards,
Dermot
--
Systems & Network Administrator
The Irish Times New Media Division
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
