Message-ID: <7df124a050824050278c34c8b@mail.gmail.com>
Date: Wed Aug 24 13:03:00 2005
From: michael.hale at gmail.com (Michael Hale)
Subject: Port 8041 Syn flood
If you're able to, set up netcat (nc -l -p 8041 > logfile.exe) on the
destination machine(s) and wait for the next attempt. It should allow
the TCP connection to complete and you'll see what happens after the
SYN.
On 8/24/05, Rajesh <rvarada@...il.com> wrote:
> Jackson McKinley wrote:
>
> >Dshield is showing a down swing.. have you got packet captures?
> >
> >http://isc.sans.org/port_details.php?port=8041&repax=1&tarax=2&srcax=2&percent=N&days=70
> >
> >
> >
> I haven't found much correlation between what dshield usually shows and
> the traffic that we get. It is very possible that these packets are
> specifically targeted against our servers. I was trying to make sure
> that this is not a known attack vector or a developing attack path.
>
> Glad to know that no one else is seeing this problem.
>
> What I am getting is a lot of SYN packets to port 8041. Nothing else yet.
> 0000 00 00 xx xx xx xx 00 xx xx xx xx xx 00 45 00 ...v.... f%.p..E.
> 0010 00 30 1a 6c 40 00 76 06 8c dc xx xx xx xx xx xx .0.l@.v. .......S
> 0020 xx xx 06 36 1f 69 cb 1f 34 9f 00 00 00 00 70 02 )..6.i.. 4.....p.
> 0030 40 00 c0 41 00 00 02 04 05 b4 01 01 04 02 @..A.... ......
>
>
> Thanks
> Rajesh
>
> >On Tue, Aug 23, 2005 at 09:39:39AM +0530, Rajesh wrote:
> >
> >
> >>Hi All,
> >>
> >>Is anyone else seeing a very large increase of SYN packets coming to
> >>port 8041 over the last couple of days? It is coming from different
> >>addresses to most of my machines in separate networks. I couldn't find
> >>information about any services that use port 8041 yet. So for now I am
> >>assuming that this is just a SYN flood. Can anyone else shed some more
> >>light into this?
> >>
> >>Thanks
> >>Rajesh
> >>
> >>
> >>
>
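Added example, not part of the original thread: a decode of the TCP header bytes from the hex dump quoted above (offsets 0x22 to 0x3d of the dump), showing what the capture says about the packet before any listener is set up. The function names are illustrative; the byte string is copied from the dump as posted.

```python
import struct

# TCP header bytes copied from offsets 0x22-0x3d of the hex dump in the thread.
TCP_HEX = ("06 36 1f 69 cb 1f 34 9f 00 00 00 00 70 02"
           " 40 00 c0 41 00 00 02 04 05 b4 01 01 04 02")
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]
OPTION_NAMES = {2: "MSS", 3: "WSCALE", 4: "SACK_PERMITTED", 8: "TIMESTAMP"}


def parse_options(raw):
    """Walk the TCP option list; stop on EOL or a malformed length byte."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # NOP is a single padding byte
            opts.append(("NOP", b""))
            i += 1
            continue
        # Every other option carries a length byte covering kind+length+data.
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            opts.append(("MALFORMED", raw[i:]))
            break
        length = raw[i + 1]
        opts.append((OPTION_NAMES.get(kind, f"kind-{kind}"), raw[i + 2:i + length]))
        i += length
    return opts


def parse_tcp(segment):
    """Decode the fixed 20-byte TCP header plus any options."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4     # data offset is in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    flags = [n for bit, n in enumerate(FLAG_NAMES) if off_flags & (1 << bit)]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window,
            "options": parse_options(segment[20:header_len]),
            "payload_len": len(segment) - header_len}


if __name__ == "__main__":
    for key, value in parse_tcp(bytes.fromhex(TCP_HEX)).items():
        print(f"{key}: {value}")
```

The decode gives a SYN-only segment to destination port 8041 with no payload, which matches "Nothing else yet" in the quoted message.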