Is someone trying to bring down UK Satellites??
Has anyone in the UK logged a port 1644 spoofed address today?
Or does anyone know what port 1644 would be used for?
Basically my firewall picked up a very odd log today at 15:10 GMT from a spoofed address with a payload of some sort. It's targeted at a Satellite data acquisition system service, using a blind man attack and faked ACK and Seq id number.
Here's the log:
Jan 31 15:10:43 xxxx kernel: ** FAKE CLASS C** IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00
SRC=192.168.1.50 DST=xx.xx.xx.xx LEN=499 TOS=0x00 PREC=0x00 TTL=48 ID=8106 DF PROTO=TCP SPT=80 DPT=1644 WINDOW=16060 RES=0x00 ACK PSH URGP=0
(I've removed my IP and MAC addresses, the rest is real)
It says that the IP address 192.168.1.50 sent a packet to my external NIC card's IP address with an ACK push flag "i.e. already connected, now receive my data" with a payload of 499 bytes "that's high" from a source port of 80 "i.e. most firewalls allow httpd back".
It looks like someone is trying to get past a basic firewall with a payload of some sort to the "saiseh" service.
Can anyone shed some more light on what this service is?
/raz
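Added example, not part of the original post: a small Python parser for the netfilter LOG line quoted above. It pulls out the fields the post discusses (SRC, SPT, DPT, LEN, TCP flags) and flags an RFC 1918 source arriving on the external interface. The function names, the finding labels and the choice of `eth0` as the external interface are assumptions of this example.

```python
import ipaddress

# Log line from the post, joined onto one line (redactions kept as posted).
SAMPLE = ("Jan 31 15:10:43 xxxx kernel: ** FAKE CLASS C** IN=eth0 OUT= "
          "MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=192.168.1.50 "
          "DST=xx.xx.xx.xx LEN=499 TOS=0x00 PREC=0x00 TTL=48 ID=8106 DF "
          "PROTO=TCP SPT=80 DPT=1644 WINDOW=16060 RES=0x00 ACK PSH URGP=0")

TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_netfilter(line):
    """Split a netfilter LOG line into KEY=value fields and bare flag tokens."""
    parts = line.split(" IN=", 1)
    if len(parts) != 2:
        raise ValueError("not a netfilter LOG line")
    fields, flags = {}, set()
    for tok in ("IN=" + parts[1]).split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            fields[key] = val          # e.g. OUT= parses to an empty string
        elif tok in TCP_FLAGS or tok == "DF":
            flags.add(tok)
    return fields, flags


def assess(line, external_if="eth0"):
    """Return (fields, flags, findings) for one logged packet."""
    fields, flags = parse_netfilter(line)
    findings = []
    src = ipaddress.ip_address(fields["SRC"])
    # A private source address should never arrive from the Internet side.
    if fields.get("IN") == external_if and any(src in n for n in RFC1918):
        findings.append("private-source-on-external-interface")
    # ACK without SYN is a mid-stream segment, not a new connection attempt.
    if "ACK" in flags and "SYN" not in flags:
        findings.append("mid-stream-segment-not-connection-attempt")
    # Source port 80 is what a stateless "allow web replies" rule would match.
    if fields.get("PROTO") == "TCP" and fields.get("SPT") == "80":
        findings.append("source-port-80")
    return fields, flags, findings


if __name__ == "__main__":
    for finding in assess(SAMPLE)[2]:
        print(finding)
```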