Date:      Tue, 18 Jul 2006 19:31:27 +0200
From:      lupe@lupe-christoph.de (Lupe Christoph)
To:        Clemens Renner <claim@rinux.net>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Port scan from Apache?
Message-ID:  <20060718173127.GD13549@lupe-christoph.de>
In-Reply-To: <44BD0846.6060405@rinux.net>
References:  <44BD0846.6060405@rinux.net>

On Tuesday, 2006-07-18 at 18:11:50 +0200, Clemens Renner wrote:

> [Root]system-alert-00016: Port scan! From $my-server-ip:80 to 
> $their-server-ip:8254, proto TCP (zone Untrust, int ethernet1). Occurred 
> 1 times.

With IPFilter, I often see "dangling FINs" in the log. These occur when
the TCP connection has been shut down but an additional FIN is still
travelling. IPFilter will have abandoned the state for the connection,
so for it these FINs are not associated with a connection.

Since the message they gave you is of the "Danger, Will Robinson" kind,
this could be the case. They can't prove it wrong.

To me, this is a case of stupid until proven intelligent.

HTH,
Lupe Christoph

PS: I thought a port scan means somebody is probing many ports. How can
    one packet be considered a port scan?!?
-- 
| You know we're sitting on four million pounds of fuel, one nuclear     |
| weapon and a thing that has 270,000 moving parts built by the lowest   |
| bidder. Makes you feel good, doesn't it?                               |
| Rockhound in "Armageddon", 1998, about the Space Shuttle               |
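
The dangling-FIN case and the PS about what counts as a port scan, as an added example that is not part of the original message: Python code that replays constructed packets through a simplified state table (state is dropped as soon as the close completes) and labels a source as scanning only when it touches several distinct ports. The addresses, the `ALLOWED` policy, the function names and the `min_ports` threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample traffic (not from the original message); RFC 5737 addresses.
WEB, CLIENT, PROBER = "192.0.2.10", "198.51.100.7", "203.0.113.99"
ALLOWED = {(WEB, 80)}                    # assumed policy: only the web server is reachable
PACKETS = [                              # (src, sport, dst, dport, tcp_flags)
    (CLIENT, 8254, WEB, 80, "S"),
    (WEB, 80, CLIENT, 8254, "SA"),
    (CLIENT, 8254, WEB, 80, "A"),
    (WEB, 80, CLIENT, 8254, "FA"),       # server closes
    (CLIENT, 8254, WEB, 80, "FA"),       # client closes
    (WEB, 80, CLIENT, 8254, "A"),        # final ACK: the firewall drops the state
    (WEB, 80, CLIENT, 8254, "FA"),       # retransmitted FIN arrives after teardown
] + [(PROBER, 40000, WEB, port, "S") for port in (21, 22, 23, 25, 110)]


def unmatched(packets, allowed):
    """Replay packets through a minimal state table; return those a firewall would log."""
    state, logged = {}, []
    for pkt in packets:
        src, sport, dst, dport, flags = pkt
        key = frozenset([(src, sport), (dst, dport)])
        if flags == "S":
            if (dst, dport) in allowed:
                state[key] = set()       # endpoints that have sent a FIN so far
            else:
                logged.append(pkt)       # blocked connection attempt
        elif key not in state:
            logged.append(pkt)           # no state left: the "dangling FIN" case
        elif "F" in flags:
            state[key].add((src, sport))
        elif len(state[key]) == 2:
            del state[key]               # both sides closed and the last FIN was ACKed
    return logged


def classify(logged, min_ports=5):
    """Call a source a port scan only if it hit min_ports distinct destination ports."""
    targets = defaultdict(set)
    for src, _sport, dst, dport, _flags in logged:
        targets[src].add((dst, dport))
    return {src: "port scan" if len(t) >= min_ports else "stray packets"
            for src, t in targets.items()}


if __name__ == "__main__":
    for src, verdict in classify(unmatched(PACKETS, ALLOWED)).items():
        print(src, verdict)
```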


