| Home | Register | Members | Search | Links |
 |
| Thread Tools | Display Modes |
|
Guest
Posts: n/a
|
I've just reviewed some of my recent packet logs, and I notice a change
in the recent wave of ssh scanning. (See http://isc.sans.org/diary.php?date=2004-07-28 for background.) Usually the scanner just tries to connect as a lame generic user and guess the password. Starting about a week or so ago, the packets go like so.... Them  ort > Me:ssh - syn (sequence #)Me:ssh > Them ort - syn,ackThem ort > Me:ssh - syn (sequence # + 300)Me:ssh > Them ort - syn,ackThem ort > Me:ssh - ack.... and the rest as usual. "Them" is sending a second syn from the same source port, but with an initial sequence number incremented by 300, and starting the handshake over again. Question: Is there any reason to behave this way? That is, is there some reason (like some vulnerability) to just restart the handshake on the identical connection? (Side issue: It's been a while since I've read RFCs, but I was a little surprised that my server didn't even blink at the oddity. I would expect a rst or something. What's _supposed_ to happen?) I suspect the answer is that the scripter has just introduced a bug into his scanner as he plays with the code to add features. Nevertheless, does anyone know definitively? |
|
|
|
|||
|
|
| |
|
| Thread Tools | |
| Display Modes | |
|
|
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| iptables / recent regarding port 113 | E. Pluribus | Linux Networking | 1 | 06-02-2008 08:10 PM |
| any recent research in wireless ATM? | noone | Wireless Internet | 5 | 12-05-2006 06:25 PM |
| NTL Broadband recent issues | AMO | Broadband | 5 | 09-29-2004 05:32 PM |
| Zen poor in recent days? | Phil | Broadband | 5 | 05-20-2004 11:30 AM |
| Recent Pipex service | Kath | Broadband | 36 | 02-23-2004 01:16 PM |
Linear Mode
