VNC 'scans' with windows size of 55808

Published: 2007-05-01. Last Updated: 2007-05-01 19:28:07 UTC
by donald smith (Version: 1)
0 comment(s)
One of our readers wrote in with the following:
"Over the last couple days I've noticed a different type of 5900/TCP (VNC?) portscan/attack.
Port 5900 scans are not new, but this one is triggering a TCP Window size 55808 filter on our IPS.
The filter is patterned after:
Reference: CERT Incident http://www.cert.org/current/archive/2003/06/25/archive.html
Most of the source hosts are EDU's in the US and Taiwan."

So if you don't already have an IDS signature that looks for windows size of 55808 you may wish to add one.
If you do and you notice this I suspect its a bot probably sdbot but would like confirmation.
Keywords:
0 comment(s)

Comments


Diary Archives