Date: Tue, 28 Mar 2000 23:16:57 +0100
From: David Malone
To: Jeff Hamilton
Cc: freebsd-questions@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: /etc/hosts.allow
Message-ID: <20000328231657.A9744@walton.maths.tcd.ie>
References: <20000328212418.44269.qmail@hotmail.com>
In-Reply-To: <20000328212418.44269.qmail@hotmail.com>; from hjeffrey@hotmail.com on Tue, Mar 28, 2000 at 01:24:18PM -0800

On Tue, Mar 28, 2000 at 01:24:18PM -0800, Jeff Hamilton wrote:
> >My guess is that the portmapper is getting a tcp connection, which the
> >remote end closes almost immediately. Then when the wrapping code goes
> >to dup the descriptor which is supposed to be connected it finds it
> >is unconnected.
>
> Could this possibly be an indicator of a port scan or other exploit attempt?
> Is there any way to trace the IP address that originated the connection?

If my guess was right, there is a good chance it could be a portscan.
Tracing the IP address is probably a bit harder. I'll experiment at
home and see if I can reproduce this.

	David.