
Re: [cobalt-users] stream_getlen entry in log - question



On Fri, 20 Apr 2001, Diana Brake wrote:

> Apr 20 09:51:40 myserver named[5785]: stream_getlen([0.252.255.127].0): 
> Connection timed out

> But, my question is this, does anyone know what kind of information the 
> server gives out even when it has rejected the request, ..(connection times 

It gave out the fact that you are running a nameserver ;)
Otherwise you would have refused the connection....there are probably
valid requests you didn't see because bind only logs errors...

They may have asked it for version number, and seeing it wasn't hackable,
just disconnected and left...or you might be seeing the results of a
sloppy portscan...

Or perhaps it's nothing more than a lousy connection somewhere....

> out).? Another way...what does someone gain by doing this?

Given the right response, you probably would have been hacked -/

> The curious thing in all the info I found was that this little "poke" is 
> often _not_ logged at all so I'm doubly curious now that I've seen it. As 
> an aside, I was also poked in port 7 this morning..which is also a first 
> for me. That IP was different than either of the two above. And, the two 
> above appear to be invalid (spoofed?) anyway.

Probably a port scan using UDP, and tiny packets....causes a lot of weird
things in the logs, as the packets don't have anything in them, the
purpose is to get the machine to send back a complaint about the port
being unavailable which tells the other guy what ports you listen on and
which you don't...

ps: port 7 and other very low ports are a popular place to hide backdoor
shells because they are assumed to be normal services (eg echo) so admins
often don't notice them when scanning their own machine if they aren't
really familiar with their machine...

gsh
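
A log-triage sketch for the entry discussed in this thread, added here as an example and not part of the original post or of BIND: it pulls `stream_getlen` lines out of syslog text, groups them by peer, and marks peers whose logged endpoint is not a plausible remote TCP client (address in 0.0.0.0/8, loopback or multicast, or port 0), as with the quoted 0.252.255.127 port 0 entry. The function names are hypothetical, and every sample line except the first is constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Sample input: the first line is the entry quoted in the thread (unwrapped);
# the other lines are constructed, using documentation addresses.
SAMPLE_LOG = """\
Apr 20 09:51:40 myserver named[5785]: stream_getlen([0.252.255.127].0): Connection timed out
Apr 20 09:52:02 myserver named[5785]: stream_getlen([192.0.2.10].1042): Connection timed out
Apr 20 09:52:07 myserver named[5785]: stream_getlen([192.0.2.10].1043): Connection reset by peer
Apr 20 09:53:11 myserver sshd[612]: Connection closed by 192.0.2.10
"""

# Matches: "<ts> <host> named[<pid>]: stream_getlen([<ip>].<port>): <error>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\snamed\[\d+\]:\s"
    r"stream_getlen\(\[(?P<ip>[^\]]+)\]\.(?P<port>\d+)\):\s*(?P<msg>.*)$"
)
THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")  # reserved, not a remote host

def parse_stream_getlen(log_text):
    """Return (timestamp, ip, port, error) for each stream_getlen line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other daemons, or other named messages
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # garbled address field
        events.append((m["ts"], ip, int(m["port"]), m["msg"]))
    return events

def implausible_peer(ip, port):
    """True when the logged endpoint cannot be a normal remote TCP client."""
    return port == 0 or ip in THIS_NETWORK or ip.is_loopback or ip.is_multicast

def summarize(events):
    """Group events by peer address so repeat and odd sources stand out."""
    peers = defaultdict(lambda: {"count": 0, "implausible": False, "errors": set()})
    for _ts, ip, port, msg in events:
        entry = peers[str(ip)]
        entry["count"] += 1
        entry["implausible"] |= implausible_peer(ip, port)
        entry["errors"].add(msg)
    return dict(peers)

if __name__ == "__main__":
    print(summarize(parse_stream_getlen(SAMPLE_LOG)))
```
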