Threat Level: green Handler on Duty: Daniel Wesemann

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

VNC 'scans' with windows size of 55808

Published: 2007-05-01
Last Updated: 2007-05-01 19:28:07 UTC
by donald smith (Version: 1)
0 comment(s)
One of our readers wrote in with the following:
"Over the last couple days I've noticed a different type of 5900/TCP (VNC?) portscan/attack.
Port 5900 scans are not new, but this one is triggering a TCP Window size 55808 filter on our IPS.
The filter is patterned after:
Reference: CERT Incident http://www.cert.org/current/archive/2003/06/25/archive.html
Most of the source hosts are EDU's in the US and Taiwan."

So if you don't already have an IDS signature that looks for windows size of 55808 you may wish to add one.
If you do and you notice this I suspect its a bot probably sdbot but would like confirmation.
Keywords:
0 comment(s)
Diary Archives