[Snort-users] Shaft?

Matt Yackley Matt.Yackley at ...5858...
Sat Aug 24 06:27:02 EDT 2002

drjung, this came up on the 21st on the incidents.org mailing list.  Four
people from that list that I know of all had the :13000 scan on the 21st, I
did not receive the one from the 22nd.

Check out this thread from the mailing list:


-----Original Message-----
From: J. Craig Woods [mailto:drjung at ...5405...]
Sent: Friday, August 23, 2002 9:19 PM
To: Snort
Subject: [Snort-users] Shaft?

No, not the movie. The trojan. I was wondering if anyone on the list has
run into the log entry:

Aug 21 16:32:47 lincoln snort: [1:241:2] DDOS shaft synflood
[Classification: Attempted Denial of Service] [Priority: 2]: {TCP} -> X.X.X.X:13000
Aug 22 04:39:18 lincoln snort: [1:241:2] DDOS shaft synflood
[Classification: Attempted Denial of Service] [Priority: 2]: {TCP} -> X.X.X.X:6000

I have left in the source ip because it is important in understanding
this alert. A simple whois will show this ip to be in the RIPE netblock.
It also has no reverse dns configured. Yes, it might very well be
spoofed or a false positive. 

I have checked out all of my security on my server, and things look
intact, and I can not find any penetration. I was hoping someone might
have some thoughts on this alert or maybe you can point me in the right
direction. Of course, neither of these ports are open to the internet. I
have ipchains logging for attempts on port 6000(X), and it clearly shows
a DENY on that one. No logging on 13000 but it is filtered (strange port
to be probing, yes?)

Thanks for any assistance,

J. Craig Woods
UNIX Network/System Administration
Character is built upon the debris of despair --Emerson

More information about the Snort-users mailing list